A cyber security incident at Australian airline Qantas originating through the compromise of a third-party contact centre is being tentatively linked to an ongoing campaign of cyber attacks orchestrated by the hacking collective known as Scattered Spider, which previously targeted British high street retailers in April and May.
On Friday 27 June, analysts at Google Cloud’s Mandiant threat hunting unit said they were investigating more than one Scattered Spider cyber attack involving the aviation sector, as news spread of a cyber attack at US airline Hawaiian, and Canadian operator WestJet worked to contain another incident.
Scattered Spider is known to favour a sector-by-sector approach to its targeting, focusing on one vertical at a time before moving on. Its current spate of activity centred first on the UK and US retail sectors, followed by insurance companies, before moving on to aviation, so more attacks on the sector were anticipated.
The Qantas breach, which was first detected on Monday 30 June, saw the cyber criminals gain access to a customer service platform at the victimised contact centre, from where they were able to exfiltrate data on approximately six million people.
According to the Aussie flag-carrier, the data include names, email addresses, phone numbers, birth dates and frequent flyer numbers, but not credit card details, financial information or passport details.
Is Scattered Spider involved?
Coming just days after Mandiant warned of cyber attacks on airlines by the Scattered Spider collective, the Qantas incident is naturally being linked to the gang.
However, Charles Carmakal, Mandiant Consulting chief technology officer, who issued last week’s warning, said that it would be unwise to make a firm attribution at this stage.
“While Scattered Spider has a history of targeting global organisations including those in Australia, it’s too early to tell if they’ve expanded their current targeting to Australian airline organisations,” Carmakal told Computer Weekly via email today.
“Various threat actors use telephone-based social engineering to compromise organisations, including a financially motivated threat actor we call UNC6040. Organisations that proactively train their help desk staff on robust identity verification processes and implement phishing-resistant MFA are best equipped to thwart these types of attacks. Global airline organisations should be on high alert of social engineering attacks and increase the identity verification rigour of their help desks.”
Toby Lewis, global head of threat analysis at Darktrace, said: “Qantas’ cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet and Marks & Spencer – likely through compromising a third-party SaaS platform.
“The attack follows their typical playbook: steal legitimate login credentials to walk into systems where critical security protections often aren’t enabled by default, while operating from Western countries to appear as legitimate users and bypass standard security filters.”
Contact centres and helpdesks are often targets
The targeting of a contact centre supplier to Qantas also aligns with the group’s established modus operandi – Scattered Spider members have long targeted contact centres and IT helpdesks, and the group’s attacks on Las Vegas casinos in 2023 both originated through IT services provided to the victims by Okta.
Whether internally or externally run, it is on shoring up these parts of their operations that organisations in the aviation sector should direct their focus. Helpdesk and customer service workers are highly valuable targets because they have elevated access to systems to perform actions such as credential resets or enrolling a new MFA authentication device.
According to Palo Alto Networks’ Unit 42, Scattered Spider targets helpdesk agents using a mix of open source intelligence and previously compromised data. Its members conduct highly convincing and persistent attacks on these agents, focused on wearing them down until they ultimately give in to the attackers’ demands.
Organisations should consider implementing enhanced processes to check and validate the authenticity of password reset requests. For example, this could require a double-verification process in which no single person is able to initiate and complete a password reset on their own. Some security-conscious organisations even ask their employees to appear on webcam with a government ID to verify their legitimacy.
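As an added illustration of the double-verification process described above (example code written for this page, not anything from Qantas, its supplier or any vendor quoted here), the sketch below enforces a four-eyes rule on helpdesk credential resets: the agent who takes the call records the verification steps, a different person must approve, and the reset cannot execute without that approval on record. The check names, agent names and the policy itself are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed policy (this example's own): both steps must be recorded before a second person approves.
REQUIRED_CHECKS = {"callback_to_number_on_file", "manager_confirmation"}

class PolicyViolation(Exception):
    """Raised when a step would let one person push a reset through alone."""

@dataclass
class ResetRequest:
    account: str
    requested_by: str                 # helpdesk agent who took the call
    checks_passed: Set[str] = field(default_factory=set)
    approved_by: Optional[str] = None
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

def record_check(req: ResetRequest, agent: str, check: str) -> None:
    req.checks_passed.add(check)
    req.audit.append(("check", agent, check))

def approve(req: ResetRequest, approver: str) -> None:
    # Four-eyes rule: the agent who opened the request can never approve it,
    # so one socially engineered agent cannot complete the reset alone.
    if approver == req.requested_by:
        raise PolicyViolation("initiator cannot approve their own request")
    missing = REQUIRED_CHECKS - req.checks_passed
    if missing:
        raise PolicyViolation(f"verification incomplete: {sorted(missing)}")
    req.approved_by = approver
    req.audit.append(("approve", approver, req.account))

def execute_reset(req: ResetRequest) -> bool:
    # The credential change only happens with a distinct approver on record.
    if req.approved_by is None:
        raise PolicyViolation("no second-person approval recorded")
    req.audit.append(("reset", req.approved_by, req.account))
    return True

def run_scenario() -> dict:
    """Constructed walk-through: a persistent caller pressures agent_a alone."""
    req = ResetRequest(account="flyer-0001", requested_by="agent_a")
    outcome = {}
    record_check(req, "agent_a", "callback_to_number_on_file")
    for label, who in (("self_approve", "agent_a"), ("early_approve", "agent_b")):
        try:
            approve(req, who)
            outcome[label] = "allowed"
        except PolicyViolation:
            outcome[label] = "blocked"
    record_check(req, "agent_a", "manager_confirmation")
    approve(req, "agent_b")          # distinct approver, all checks on record
    outcome["reset_done"] = execute_reset(req)
    return outcome
```

The audit list gives the reviewer a per-request trail showing who verified what and who approved, which is the record an investigation would need if a reset later turns out to have been coerced.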
The Qantas breach further highlights the need for organisations of all types to continue to focus their cyber resilience efforts on their third-party supplier ecosystem. The aviation sector is heavily reliant on such providers for many parts of their operations, and many of these providers work with a great many airlines, making them even more likely targets.
From a security perspective, integrating third parties into business operations can be a long and often fraught process, but it is important to get it right: establishing minimum security standards, ensuring both parties know which is responsible for what, implementing system segmentation and strict access controls, and maintaining constant active auditing of third-party activities.
If supported by enforced MFA, paranoid levels of credential hygiene, frequent endpoint integrity checks, and content-aware data loss prevention (DLP), it is possible to establish a model where supply chain security gaps become less of a problem.
Peak travel time
Scattered Spider’s new focus on airlines, coming at the start of the peak summer travel season for the Northern Hemisphere, means the effect of the Qantas cyber incident is likely to be magnified, not just in terms of its impact on the victim and its customers, but in terms of how widely it is discussed, and in terms of publicity for the cyber criminals.
Cyber criminal motivations vary, but in Scattered Spider’s case the gang, largely composed of loosely affiliated English-speaking hackers, is as much concerned about infamy and notoriety as it is about financial gain. As such, its members will often seek to maximise the impact of their attacks by timing them to key dates in their victims’ calendars.
In the case of the gang’s current crime spree, this is perhaps best evidenced by the timing of the Marks & Spencer (M&S) incident, which came right before the Easter holidays in the UK, when the chain’s food halls would have been packed with shoppers buying treats and picnic food for the hoped-for warm weather.
However, recent history is littered with examples of cyber attacks timed to occur right before holiday periods when IT security staff may be off work or not paying attention. Famously, the 2021 REvil ransomware attack on Kaseya and its downstream customers unfolded right before the 4 July holiday weekend.
Attacks often take place on ordinary Friday afternoons for similar reasons, and the fact the Qantas breach was discovered on a Monday suggests – but is not definitive proof – that this may have been the case here.
Next steps for Qantas passengers
Given the sensitive nature of the data they must hold on those who travel on their services, airlines present a target too tempting for cyber criminals to resist, so cyber attacks against them are nothing new, and nor is the exploitation of data stolen from them, as passengers caught up in previous breaches at British Airways and EasyJet in the UK found to their cost.
Satnam Narang, senior staff research engineer at Tenable, said the scope of the breach may yet evolve. “Because this breach just occurred, we don’t have the full extent of all of the data that may have been exposed as a result. What we do know is that so far, it hasn’t been shopped for sale by any threat actors,” he said.
“For users whose personal information may have been exposed, the biggest risk is follow-on social engineering attacks targeted against them. If passwords end up becoming part of the stolen data, then credential stuffing attacks, where attackers attempt to reuse stolen credentials on other sites, are likely to follow.
“Without confirmation of password exposure, users don’t need to rush to change their passwords yet. However, users should ensure they use strong and unique passwords on each site, but most importantly, be sure that MFA is enabled on sensitive accounts to prevent credential stuffing attacks from being successful,” he said.
Lewis at Darktrace said that if the cyber criminals behind the Qantas attack can successfully monetise the stolen data on the dark web, follow-on attacks were highly likely.
“Expect the stolen customer data – names, emails, birthdates, frequent flyer numbers – to fuel convincing phishing campaigns targeting loyalty programs and tricking customers with fake payment requests using real booking details,” said Lewis.
NetSPI EMEA services director Sam Kirkman added: “For customers, the primary risk lies not in payment data theft but in the potential for targeted social engineering. It’s vital to be wary of unsolicited messages or calls claiming to be from Qantas – especially those referencing personal details. Now is also a sensible time to review what information is stored with other airlines and remove anything unnecessary. This simple step can help limit the fallout from future incidents.”
What next?
To its credit, Qantas has responded quickly and with commendable openness to the incident. It has put in place additional security measures to safeguard its systems – the nature of which it has not disclosed for now – and has strengthened system monitoring and detection processes on third-party platforms.
It is also working with Australia’s National Cyber Security Coordinator, the Australian Cyber Security Centre (ACSC), and third-party cyber forensics specialists.
Passengers can also access a dedicated support line and website for more information, but it is important to note that there has been no impact on flight operations or safety, and anybody booked to fly with Qantas in the coming weeks should not need to take any action.
With the immediate impact of the incident contained, Qantas and the victimised third-party supplier will move into an investigation and remediation phase. At this time, it may emerge that the attackers penetrated deeper into the organisations’ systems than was first thought, or were able to access even more sensitive data, but equally this may prove not to be so.
Further communications on the matter are likely in the coming days and weeks, but absent leaks or statements from gang representatives, firm attribution to Scattered Spider may never be made.