The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.

Hawaiian Airlines disclosed a cybersecurity incident Friday affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.

Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.

Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.

“Given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems,” Carmakal stated.

The FBI released a statement on X Friday saying the bureau is “actively working with aviation and industry partners to address this activity and assist victims.”

The bureau also warned that Scatted Spider targets “large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

The Hawaiian Airlines incident follows a similar attack earlier this month on WestJet, Canada’s second-largest airline. The Calgary-based carrier experienced intermittent disruptions to its website and mobile application, with systems largely restored after five days.

Cybersecurity experts note that Scattered Spider has maintained consistent tactics across different industry targets. The group typically employs sophisticated social engineering attacks and targets multi-factor authentication systems through fraudulent reset requests.

Sam Rubin, senior vice president of consulting and threat intelligence at Palo Alto Networks’ Unit 42, emphasized that organizations should maintain “high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

The group’s methodical approach to targeting specific industries has previously included campaigns against major retail chains and insurance companies, including attacks on Aflac and other prominent insurers.

The coordinated nature of these attacks across multiple airlines suggests a strategic shift by Scattered Spider toward critical infrastructure sectors.

The Cybersecurity and Infrastructure Security Agency has yet to comment on the incidents.

Update: June 27, 8:48 p.m.: This story has been updated to reflect comment from the FBI.