2 July, 2025
FBI Warns of Scattered Spider Attacks on Transportation Sector

The Federal Bureau of Investigation has issued a stark warning about the Scattered Spider threat group, a notorious cybercriminal organization now expanding its attacks to the transportation sector. This development follows a series of high-profile ransomware incidents targeting the retail industry, including a costly attack on Marks & Spencer in the U.K., which reportedly resulted in losses exceeding $600 million. As of June 30, 2025, the FBI has confirmed that Scattered Spider is now setting its sights on the airline industry, posing a significant threat to both direct operations and the broader supply chain.

The FBI’s alert, initially reported on June 28 and now updated with further analysis, underscores the urgency of the situation. According to a statement provided by the FBI, the group is employing social engineering techniques, impersonating employees or contractors to deceive IT help desks into granting unauthorized access. This method allows the group to bypass multi-factor authentication (MFA), a critical security measure also commonly referred to as two-factor authentication (2FA).

Scattered Spider: A Persistent Threat

Ransomware analysts at Halcyon had previously indicated that Scattered Spider was targeting sectors such as Food, Manufacturing, and Transportation, particularly Aviation, within the United States. The FBI has now corroborated these claims, emphasizing the group’s expansion into new territories. The agency is actively collaborating with aviation and industry partners to mitigate these threats and has urged organizations to report any suspicious activities to their local FBI offices.

Scattered Spider has been on the FBI’s radar for several years. A joint advisory with the Cybersecurity and Infrastructure Security Agency in 2023 highlighted the group’s activities against commercial facilities. This history of persistent threats has made Scattered Spider a key focus for cybersecurity professionals.

Understanding Scattered Spider’s Tactics

The ReliaQuest Threat Research Team has conducted an in-depth analysis of Scattered Spider, revealing that 81% of the group’s domains impersonate technology vendors. Their targets often include system administrators and executives, individuals with high-value credentials. The group leverages phishing frameworks like Evilginx and employs sophisticated social engineering methods, including video calls, to gain initial access to targets across technology, finance, and retail sectors.

“Through strategic alliances with major ransomware operators ALPHV, RansomHub, and DragonForce, Scattered Spider has gained access to essential tools,” the ReliaQuest report states. The group has also collaborated with Russia-aligned threat actors, enhancing its ability to conduct highly polished impersonation attacks.

Scattered Spider’s operations are characterized by their recruitment of social engineers with specific qualifications, such as fluency in English and the ability to work during Western business hours. These engineers are provided with detailed scripts and real-time guidance to effectively impersonate employees and bypass security protocols.

Expanding Targets: Insurance Industry at Risk

While the FBI’s latest warning focuses on the transportation sector, Scattered Spider has also begun targeting the insurance industry. John Hultquist, chief analyst with the Google Threat Intelligence Group, has confirmed multiple intrusions in the U.S. insurance sector that bear the hallmarks of Scattered Spider activity.

Jon Abbott, CEO at ThreatAware, warned that the rising tide of attacks on U.S. insurers is a serious threat that should not be underestimated. He emphasized that this development serves as a warning for other industries to remain vigilant, as Scattered Spider’s tactics could easily be adapted to target other sectors.

“This group relies on social engineering rather than technical exploits,” said Richard Orange, vice president at Abnormal AI. “They bypass traditional security controls by manipulating people, such as posing as IT staff or trusted partners.”

Looking Ahead: The Future of Cybersecurity Threats

The implications of Scattered Spider’s activities are far-reaching. The group’s ability to exploit supply chains and move laterally within organizations poses a significant risk to businesses across various sectors. As cybersecurity experts anticipate the adoption of AI-powered attack methodologies by Scattered Spider, the need for robust security measures becomes even more critical.

Organizations are advised to adhere strictly to established security protocols and remain vigilant against any unauthorized requests for MFA device additions. As the FBI continues to work with industry partners to address these threats, the importance of proactive cybersecurity measures cannot be overstated.
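
One way to watch for the unauthorized MFA device additions mentioned above, sketched as detection logic over identity audit events. This is an added example, not from the FBI alert or the original article; the event schema, action names, field names and the 60-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema.
def ev(ts, user, action, actor, ip):
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "actor": actor, "ip": ip}

EVENTS = [
    ev("2025-06-30T13:02:00", "alice", "login_success", "alice", "198.51.100.10"),
    ev("2025-06-30T14:00:00", "alice", "helpdesk_mfa_reset", "hd-agent7", "10.0.0.5"),
    ev("2025-06-30T14:05:00", "alice", "login_success", "alice", "203.0.113.77"),
    ev("2025-06-30T14:06:00", "alice", "mfa_enroll", "alice", "203.0.113.77"),
    ev("2025-06-30T15:00:00", "bob", "login_success", "bob", "198.51.100.20"),
    ev("2025-06-30T15:30:00", "bob", "mfa_enroll", "bob", "198.51.100.20"),
    ev("2025-06-30T08:55:00", "carol", "login_success", "carol", "198.51.100.30"),
    ev("2025-06-30T09:00:00", "carol", "helpdesk_mfa_reset", "hd-agent2", "10.0.0.6"),
    ev("2025-06-30T09:10:00", "carol", "mfa_enroll", "carol", "198.51.100.30"),
]

def flag_mfa_enrollments(events, window=timedelta(minutes=60)):
    """Flag MFA enrollments that follow a help-desk reset within `window`
    and come from an IP with no login history before that reset."""
    first_seen = {}   # (user, ip) -> time of first successful login
    last_reset = {}   # user -> (time, help-desk agent who performed it)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], e["ts"]
        if e["action"] == "login_success":
            first_seen.setdefault((user, e["ip"]), ts)
        elif e["action"] == "helpdesk_mfa_reset":
            last_reset[user] = (ts, e["actor"])
        elif e["action"] == "mfa_enroll" and user in last_reset:
            reset_ts, agent = last_reset[user]
            seen = first_seen.get((user, e["ip"]))
            # Logins made after the reset do not count as history: whoever
            # obtained the reset can sign in before enrolling a device.
            new_ip = seen is None or seen > reset_ts
            if ts - reset_ts <= window and new_ip:
                minutes = int((ts - reset_ts).total_seconds() // 60)
                alerts.append({"user": user, "ip": e["ip"], "reset_by": agent,
                               "minutes_after_reset": minutes})
    return alerts

if __name__ == "__main__":
    for alert in flag_mfa_enrollments(EVENTS):
        print(alert)
```

An alert names the help-desk agent who performed the reset, so the follow-up can include checking how that caller's identity was verified.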

The evolving nature of cyber threats demands constant vigilance and adaptation. As Scattered Spider continues to expand its reach, businesses must stay informed and prepared to counteract these sophisticated attacks.