Overview
Between 23 and 27 June 2025, Hawaiian Airlines reported a cybersecurity incident now attributed to Scattered Spider, a sophisticated threat group known for social engineering, MFA bypass, and extortion-driven data theft. The U.S. Federal Bureau of Investigation (FBI) is investigating the event, which allegedly affected the airline’s IT systems. While flight operations were not disrupted, the breach has raised sector-wide concerns.
The attack is part of a broader campaign targeting airlines and their IT providers, as confirmed by an FBI bulletin issued the same week. Other known victims in this wave include WestJet and Qantas, suggesting a coordinated offensive against the aviation sector.
What Happened?
On 23 June 2025, Hawaiian Airlines detected a cybersecurity incident involving its internal IT systems. The company’s disclosure to the U.S. Securities and Exchange Commission (SEC) indicated the event had been under investigation for several days before being made public. Hawaiian Airlines confirmed the incident via its website on 26 June and filed an official SEC notice on 27 June.
The cyberattack is believed to involve Scattered Spider (also known as UNC3944, Starfraud, or Octo Tempest), a group linked to previous high-profile attacks against MGM Resorts and Caesars Entertainment. Their known tactics include:
- Impersonating internal users or contractors to deceive help desks
- Convincing support staff to reset MFA or register new devices
- Using stolen credentials to gain deep network access
- Exfiltrating sensitive data for ransom or extortion threats
Hawaiian Airlines confirmed that no flight or reservation systems were disrupted, but has not yet stated whether customer or corporate data was compromised. The FBI’s alert confirms that aviation operators and third-party service providers are now actively targeted, particularly those with large IT help desk footprints or federated identity systems.
Why This Matters for Aviation
The Hawaiian Airlines breach is not an isolated incident. It marks an escalation in sector-wide targeting by a group with a proven record of bypassing strong technical controls through human exploitation.
Even with multi-factor authentication in place, attackers succeeded by tricking internal support structures — exposing a blind spot that many aviation operators and IT providers share.
This incident shows:
- Sophisticated actors are adapting to aviation environments
- Vendor and help desk ecosystems are weak points in identity protection
- Early detection, staff training, and hardened MFA workflows are now mission-critical
Recommended Actions
A. Harden Identity and Help Desk Protections
- Review and enforce strict MFA modification procedures
Require out-of-band confirmation (e.g., via call-back or secondary approval) for MFA resets or device changes.
- Implement identity verification scripts for help desk staff
Include mandatory steps to detect impersonation attempts, especially for requests involving privileged accounts.
- Limit help desk override capabilities
Use tiered support access where only senior staff can escalate or modify MFA settings.
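One way to audit help desk MFA resets against the three controls above, as an added example that is not part of the original advisory. The event schema, field names, the `SENIOR_TIER` threshold and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

SENIOR_TIER = 2  # assumption: tier 2 and above counts as senior help desk staff

# Constructed sample audit events; the field names are a hypothetical schema.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "mfa_reset", "user": "ops.admin",
     "agent_tier": 1, "callback": False, "second_approver": None},
    {"ts": "2025-01-10T09:06:00", "type": "device_registered", "user": "ops.admin"},
    {"ts": "2025-01-10T10:00:00", "type": "mfa_reset", "user": "crew.sched",
     "agent_tier": 2, "callback": True, "second_approver": None},
    {"ts": "2025-01-10T10:05:00", "type": "device_registered", "user": "crew.sched"},
    {"ts": "2025-01-10T11:00:00", "type": "mfa_reset", "user": "gate.agent",
     "agent_tier": 1, "callback": False, "second_approver": "hd-lead-02"},
]


def audit_mfa_resets(events, window=timedelta(minutes=30)):
    """Return one finding per MFA reset that breaks the reset procedure."""
    events = sorted(events, key=lambda e: e["ts"])  # same-format ISO 8601 sorts by time
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "mfa_reset":
            continue
        reasons = []
        # Out-of-band confirmation: a call-back or a secondary approval.
        if not (ev.get("callback") or ev.get("second_approver")):
            reasons.append("no_out_of_band_confirmation")
        # Tiered access: only senior staff may modify MFA settings.
        if ev.get("agent_tier", 0) < SENIOR_TIER:
            reasons.append("agent_below_senior_tier")
        # A device enrolled soon after a non-compliant reset raises the severity.
        reset_at = datetime.fromisoformat(ev["ts"])
        enrolled = any(
            later["type"] == "device_registered"
            and later["user"] == ev["user"]
            and datetime.fromisoformat(later["ts"]) - reset_at <= window
            for later in events[i + 1:]
        )
        if reasons and enrolled:
            reasons.append("device_registered_after_reset")
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons,
                             "severity": "high" if enrolled else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_mfa_resets(EVENTS):
        print(finding)
```

A compliant reset followed by a device enrollment (the `crew.sched` case) produces no finding, so the check does not alert on every legitimate device change.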
B. Employee and Contractor Awareness
- Run urgent social engineering awareness campaigns
Focus on impersonation tactics, urgent request patterns, and caller ID spoofing scenarios.
- Train IT and SOC teams on Scattered Spider TTPs
Provide playbooks for responding to similar intrusion attempts, with known indicators of compromise and behavior patterns.
C. Incident Preparedness
- Update incident response plans to address social engineering and extortion tactics
Include coordinated communication plans for media, customers, and regulators in case of prolonged access or data leak threats.
- Engage third-party service providers for vulnerability and identity review
Ensure vendors follow equivalent standards and can respond to similar attack patterns.
In Summary
The Scattered Spider attack on Hawaiian Airlines is a warning to all aviation organisations: cyber resilience must extend beyond technical controls to include human-layer defences and vendor governance.
Aviation stakeholders must:
- Harden help desk protocols and identity workflows
- Assume that MFA can be bypassed via social engineering
- Conduct targeted simulations, awareness sessions, and third-party audits
- Align incident detection and response capabilities with real-world threat actor tactics
Scattered Spider’s expansion into aviation represents a new risk tier for civil aviation security. Ensuring readiness is no longer optional — it is a regulatory and operational imperative.