
Scattered Spider crime spree takes flight as focus turns to aviation sector

Just a few weeks after warning that Scattered Spider’s tactics were shifting toward the insurance industry, the same experts now say the aviation industry is on the ransomware crew’s radar.

Charles Carmakal, CTO at Google-owned Mandiant, issued the warning over the weekend, two weeks after he told The Register that the criminal group’s efforts had shifted from retail to insurance.

“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” said Carmakal via LinkedIn.

“We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for subsequent social engineering attacks.”

Backing up Carmakal’s claims was Sam Rubin, SVP of consulting and threat intelligence at Palo Alto Networks’ cybersecurity arm, Unit 42.

“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,” he said, also via LinkedIn.

“Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

Rubin referred defenders to Unit 42’s guidance sheet on Scattered Spider’s latest tradecraft, in which experts noted that the group’s favored industries “can shift on a whim.”

“Defenders in every vertical should bolster their cyber defenses against these attacks,” the guidance went on to say.

Likewise, Carmakal said Scattered Spider tends to focus on a specific industry, or small number of industries at a time, before looking elsewhere.

The warning comes hot on the heels of Hawaiian Airlines disclosing a “cybersecurity incident” to US regulators on Thursday, and Canada’s WestJet doing the same a week prior. Hawaiian’s brief statement confirmed that “certain technology systems” were affected by the attack, but that all of its 150 daily flights were operating as scheduled. WestJet’s most recent update, on June 18, stated it was still working to understand whether any data was compromised and trying to resolve the incident.

The airline raids follow those on insurance companies Aflac, Erie Indemnity, and Philadelphia Insurance Companies. All three continue to host banners on their website home pages directing users to more information about the respective attacks.

Erie’s notice states that it is working toward resuming full business operations, and that there is no evidence of ransomware or of attackers lurking on its systems.

Likewise, Philadelphia admits “some services may be limited,” although neither ransomware nor encryption was ever involved – “this was not a ransomware event,” it said. The insurer also said it continues to service claims, new accounts, and renewals, and to update current policies.

Aflac said its business “remains operational” though it confirmed that some data may be compromised, including information related to claims and health, Social Security numbers, and other personal information.

The affected individuals could include customers, beneficiaries, employees, agents, and other individuals in its US business.

Aflac said: “While the investigation remains in its early stages, in the spirit of transparency and care for our customers, we are sharing that our preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network.”

“We regret that this incident occurred. We will be working to keep our stakeholders informed as we learn more and continue investigating the incident,” it added.

All three attacks were detected within a few days of one another, and while Scattered Spider has not been formally attributed to any of them, the warnings from experts suggest there could indeed be a link.

Aflac’s note on the use of social engineering is also consistent with the rumors of Scattered Spider’s involvement. The loosely connected group of predominantly Western, English-speaking cybercriminals is renowned for its skills in that area.

Cybersecurity experts who have listened in on the group’s calls, in which members deceive helpdesk staff into handing over details that can be used to take over genuine accounts, said the group’s members are “really good.”

Before aviation and insurance, Scattered Spider is thought to be behind the attacks that rocked some of the UK’s biggest retailers, M&S, Co-op, and Harrods, and before retail it was finance.

However, as with the more recent incidents, experts have not formally attributed those attacks to Scattered Spider, although the tradecraft is said to be similar.
