Scattered Spider's latest victim? Qantas confirms encounter with mysterious "cyber criminal"
Airline contacted by shadowy threat actor following incident feared to have exposed millions of people's data.
Qantas has confirmed it is in contact with a "potential cyber criminal" after disclosing that it was the victim of a major cyberattack
Last week on Monday June 30, the airline suffered a "cyber incident" in one of its contact centres in which customer data was compromised.
Although it's not known exactly how much data was accessed, it's been claimed that as many as six million people were impacted (although we have been unable to confirm this).
The airline has now "contained" the breach, which experts have linked to the notorious hacking group Scattered Spider.
"The incident occurred when a cybercriminal targeted a call centre and gained access to a third-party customer servicing platform," Qantas wrote.
"A potential cyber criminal has made contact, and we are currently working to validate this. As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the details of the contact."
What was the impact of the Qantas attack?
Qantas confirmed that data accessed includes names, email addresses, phone numbers, dates of birth and frequent flyer numbers.
"We continue to work with specialist cyber security experts, including to forensically analyse the impacted system," it said.
Qantas also insisted there "has been no further threat activity in the system" and said "the system remains secure".
"No credit card details, personal financial information or passport details were stored in the system and therefore have not been accessed," it confirmed.
"There is no evidence that any personal data stolen from Qantas has been released, but with the support of specialist cyber security experts, we continue to actively monitor."
READ MORE: Cartier and North Face cyberattacks: Retailers hit as threat actors "smell blood in the water"
Scattered Spider spins its web
Although it's not known whether Scattered Spider is responsible for the Qantas attacks, it has been linked to previous incidents involving the aviation sector.
Toby Lewis, global head of threat analysis at Darktrace, said: "Qantas’ cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet and Marks & Spencer – likely through compromising a third-party SaaS platform.
"The attack follows their typical playbook: steal legitimate login credentials to walk into systems where critical security protections often aren't enabled by default, while operating from Western countries to appear as legitimate users and bypass standard security filters."
Sam Rubin, SVP of Consulting and Threat Intelligence at Unit 42 by Palo Alto, also wrote: "Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry. Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests."
READ MORE: Scattered Spider breaks America: High Street hackers sink fangs into US retailers
Additionally, the FBI also issued an extraordinary warning to aviation companies and said it "recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector".
It said Scattered Spider is known for its mastery of social engineering techniques, impersonating employees or contractors to deceive IT help desks into granting access. It is adept at bypassing multi-factor authentication (MFA) and seeks to trick human staff into adding unauthorised devices to compromised accounts.
"They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk," the FBI wrote on LinkedIn.
"Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware."
Peak season for ransomware
The summer holidays are an obvious time for ransomware gangs to target airlines because there is a chance they will break with established industry protocol and simply pay up to avoid disruption.
Jon Abbott, CEO , ThreatAware, said: "This cyber incident just shows that, in peak travel season, as many airlines are running at high demand and full capacity, cybercriminals are ready to strike.
"It follows a spate of attacks on other US and Canadian airlines, an industry which handles vast amounts of sensitive passenger and operational data and has a complex ecosystem of third party providers - all of which makes it susceptible to attacks from cybercriminals seeking to exploit any points of vulnerability.
This comes down to the fundamentals of security from visibility of all endpoints, great cyber hygiene and robust user validation. This is a sector where trust, safety and operational uptime are everything."
READ MORE: Glazenost: Krispy Kreme opens up to reveal the unsugared truth about a major cyberattack
Haris Pylarinos, Founder and CEO of Hack The Box, explicitly named Scattered Spider as a suspect and said: "The targeting of airlines and the transport sector in by criminal group Scattered Spider should be a timely reminder for the UK aviation industry.
"The group is known for its use of social engineering to bypass even the strongest technical defences, causing significant financial and reputational damage to the UK’s retail sector in recent months. Their focus is not just on breaking systems but on manipulating people, often targeting help desks and call centres to gain access.
"The aviation sector, with its complex network of third-party suppliers and contractors, presents an attractive target. If just one weak link is compromised, the ripple effects could be massive.
"Proactive security requires organisations to go beyond basic awareness. Security teams must be trained to recognise the tactics attackers use. It is not just about having the right tools, it is about building the right skills to detect and respond before attackers can infiltrate critical systems."
Do you have a story or insights to share? Get in touch and let us know.
