FBI Warns Airlines of Cybersecurity Threat from Hacker Group

The United States Federal Bureau of Investigation (FBI) has issued an urgent warning to airlines about an imminent cyber threat posed by the hacker group known as Scattered Spider, nearly a year after the global IT outage caused an air traffic meltdown. According to the agency, the group has recently been observed targeting the airline industry directly.
The attackers rely on social engineering tactics, often impersonating employees or contractors to trick IT help desks into granting access to internal systems. Their strategy involves bypassing multi-factor authentication (MFA) by persuading support teams to add unauthorized devices to compromised accounts, the FBI explained.
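
One way a defender could surface the help-desk MFA enrollment pattern described above, as an added example that is not part of the original article: it flags MFA devices enrolled by someone other than the account owner and escalates when that device signs in from a previously unseen IP shortly afterwards. The event schema, field names, sample events and one-hour window are constructed assumptions, not any real product's log format.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events (hypothetical schema and values).
EVENTS = [
    {"ts": "2025-06-20T09:00:00", "type": "login", "user": "alice", "actor": "alice", "device": "phone-A", "ip": "10.1.1.5"},
    {"ts": "2025-06-24T14:02:00", "type": "mfa_device_added", "user": "bob", "actor": "bob", "device": "phone-B2", "ip": "10.1.2.9"},
    {"ts": "2025-06-25T03:10:00", "type": "mfa_device_added", "user": "alice", "actor": "helpdesk-7", "device": "phone-X", "ip": "10.9.0.2"},
    {"ts": "2025-06-25T03:14:00", "type": "login", "user": "alice", "actor": "alice", "device": "phone-X", "ip": "203.0.113.44"},
    {"ts": "2025-06-25T08:00:00", "type": "mfa_device_added", "user": "carol", "actor": "helpdesk-3", "device": "phone-C2", "ip": "10.9.0.2"},
    {"ts": "2025-06-26T09:30:00", "type": "login", "user": "carol", "actor": "carol", "device": "phone-C2", "ip": "10.1.3.3"},
]

WINDOW = timedelta(hours=1)  # assumed escalation window; tune to your environment


def find_suspicious_enrollments(events, window=WINDOW):
    """Return help-desk-initiated MFA enrollments, escalated to 'high' when the
    new device logs in from an IP never seen for that user within `window`."""
    events = sorted(events, key=lambda e: e["ts"])  # same-format ISO 8601 sorts chronologically
    seen_ips = {}   # user -> set of IPs seen on earlier logins
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "mfa_device_added" and e["actor"] != e["user"]:
            # Enrollment done on the user's behalf: always worth a callback check.
            findings.append({"user": e["user"], "device": e["device"],
                             "enrolled_by": e["actor"], "enrolled_at": ts,
                             "severity": "review"})
        elif e["type"] == "login":
            known = seen_ips.setdefault(e["user"], set())
            for f in findings:
                if (f["user"] == e["user"] and f["device"] == e["device"]
                        and f["severity"] == "review"
                        and ts - f["enrolled_at"] <= window
                        and e["ip"] not in known):
                    f["severity"] = "high"
                    f["login_ip"] = e["ip"]
            known.add(e["ip"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(EVENTS):
        print(finding)
```
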
Scattered Spider, made up of English-speaking teenagers and young adults, is known for its use of phishing schemes and manipulative techniques, sometimes involving violent threats toward call center staff. The group has previously attacked companies in the travel and hospitality sector, including a 2023 attack on MGM Resorts International, and is suspected to have also targeted Caesars Entertainment.
The FBI emphasized that the threat extends beyond airlines to include technology providers and contractors—any party within the broader aviation ecosystem. Once inside, hackers typically steal sensitive data and deploy ransomware as part of their extortion campaigns. The agency stated it is actively collaborating with the aviation industry and encouraged early incident reporting to facilitate intelligence sharing and prevent further breaches.
Although the FBI has not disclosed the names of the airlines targeted, recent cybersecurity incidents have been reported at WestJet and Hawaiian Airlines. A source cited by Axios suggested that Scattered Spider may have been responsible for the WestJet breach, though the airline has not confirmed any involvement.
Cybersecurity experts, such as Paul Walsh, CEO of MetaCert, described these as classic phishing attacks that exploit social—not technical—vulnerabilities. Walsh criticized the cybersecurity industry's lack of innovation, noting that 90% of cyberattacks today stem from phishing. Companies like Sabre said they maintain a proactive threat management program, guided by Google Cloud Mandiant and CISA, and are taking extra precautions in light of the growing threat.