Scattered Spider Takes Off
7–1–2025 (Tuesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, July 1, 2025, and July seems to have really snuck up on us. We’re headed into the Independence Day holiday this Friday here in the US, and then into the full swing of the summer vacation season, especially in Europe. Congrats to those of you with exciting PTO plans!
One group that’s not taking any time off, however, is Scattered Spider, so let’s jump right in.
Scattered Spider Takes Off
This is the second week in a row we’ve covered this threat actor group, and we’re still talking about them for a few reasons:
There’s some good follow-up / fall out from last week’s activities against the insurance industry;
They’ve apparently pivoted forward to target the airline industry, with at least two different carriers falling victim already; and
There’s some good discussion worth having around attribution and what that does for our defenses, if anything.
To the first point, we’re already seeing the class-action lawsuits coming out, filed in District Court against Aflac. Obviously, this sort of litigiousness makes companies gun-shy when it comes to disclosures, which reduces our chances of learning more about the threat actors’ TTPs, and thus of protecting others.
In fact, the reporting here illustrates this very challenge, when “In an email Thursday to the Ledger-Enquirer, Aflac spokesman Jon Sullivan said, ‘While we are unable to comment on litigation, Aflac’s priority is to support our customers as we respond to this incident.’”
“Asked for an update on the number of customers with exposed data, Sullivan said, ‘We are in the early stages of the investigation and not able to determine yet the number of people impacted.’”
And, with that case filing, that’s about all we’re going to learn about Aflac’s incident for the foreseeable future.
But that’s not a problem for Scattered Spider, as they’ve already pivoted forward.
Bleeping Computer, and many others, are now reporting that Scattered Spider has shifted focus to aviation and transportation firms, having hit Canada’s WestJet and Hawaiian Airlines, the latter newly merged with Seattle’s flagship carrier, Alaska Airlines.
Palo Alto Networks’ Unit 42 has updated its threat alerts on “Muddled Libra” (aka Scattered Spider) and notes that ‘Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.’
Google’s Mandiant unit “said in an emailed statement that the company is ‘aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.’”
Even the FBI is pushing out alerts, including a long post on X with some details on the group’s TTPs.
Palo Alto has lots of advice on how to defend against this threat (linked below), but I want to call attention to this paragraph:
“Muddled Libra doesn’t bring anything new to the table except for the uncanny knack of stringing together weaknesses to disastrous effect. Defenders must combine cutting-edge technology, comprehensive security hygiene and external threats and internal events monitoring. The high-stakes risk of operational disruption and loss of sensitive data is a strong incentive for modernizing information security programs.”
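The one concrete, machine-checkable item in that advice is the warning about suspicious MFA reset requests. As an added example (not code from the brief, from Unit 42, or from any vendor), here is a small detector that reads identity-provider audit events and flags the chain a help-desk social-engineering attack produces: a factor reset that is not self-service or comes from a never-seen IP, followed within a short window by a new-factor enrollment or login from a new IP. The event schema, field names, the thirty-minute window, and the sample log lines are all constructed for illustration and are not any product’s real log format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Follow-up activity later than this after a factor reset is treated as unrelated
# (assumed threshold; tune to your help-desk workflow).
WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    user: str
    reason: str
    when: datetime


# Constructed sample audit events (hypothetical schema, not any vendor's format):
# alice resets her own factor from her usual IP; bob's factor is reset by a
# help-desk account from a new IP and a new factor is enrolled minutes later;
# carol's help-desk reset is followed by an enrollment well outside the window.
SAMPLE_LOG = """
{"ts": "2025-06-27T13:02:10Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "actor": "alice"}
{"ts": "2025-06-27T13:05:00Z", "user": "alice", "event": "mfa.factor.reset", "ip": "203.0.113.10", "actor": "alice"}
{"ts": "2025-06-27T13:06:30Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "203.0.113.10", "actor": "alice"}
{"ts": "2025-06-27T14:00:00Z", "user": "bob", "event": "login.success", "ip": "198.51.100.7", "actor": "bob"}
{"ts": "2025-06-27T15:10:00Z", "user": "bob", "event": "mfa.factor.reset", "ip": "192.0.2.44", "actor": "helpdesk.svc"}
{"ts": "2025-06-27T15:12:45Z", "user": "bob", "event": "mfa.factor.enroll", "ip": "192.0.2.44", "actor": "bob"}
{"ts": "2025-06-27T15:13:20Z", "user": "bob", "event": "login.success", "ip": "192.0.2.44", "actor": "bob"}
{"ts": "2025-06-27T16:00:00Z", "user": "carol", "event": "login.success", "ip": "198.51.100.5", "actor": "carol"}
{"ts": "2025-06-27T16:05:00Z", "user": "carol", "event": "mfa.factor.reset", "ip": "192.0.2.44", "actor": "helpdesk.svc"}
{"ts": "2025-06-27T17:30:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "198.51.100.5", "actor": "carol"}
"""


def parse_events(text):
    """Parse one JSON object per line and return the events in time order."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_mfa_resets(events, window=WINDOW):
    """Flag factor resets that are followed, within the window, by an enrollment
    or login, where the reset was not self-service or came from a new location."""
    alerts = []
    known_ips = defaultdict(set)  # IPs from successful logins seen before a reset
    pending = {}                  # user -> (reset event, reasons gathered so far)

    for e in events:
        user = e["user"]
        if e["event"] == "mfa.factor.reset":
            reasons = []
            if e["actor"] != user:
                reasons.append(f"reset performed by {e['actor']} rather than the user")
            if e["ip"] not in known_ips[user]:
                reasons.append(f"reset from never-before-seen IP {e['ip']}")
            pending[user] = (e, reasons)
            continue

        if user in pending:
            reset, reasons = pending[user]
            if e["ts"] - reset["ts"] > window:
                # Too much time has passed; treat the reset as closed.
                del pending[user]
            elif e["event"] in ("mfa.factor.enroll", "login.success"):
                reasons = list(reasons)
                if e["ip"] not in known_ips[user]:
                    reasons.append(f"{e['event']} from new IP {e['ip']} within {window} of reset")
                if reasons:
                    alerts.append(Alert(user, "; ".join(reasons), e["ts"]))
                del pending[user]

        if e["event"] == "login.success":
            known_ips[user].add(e["ip"])

    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_mfa_resets(parse_events(SAMPLE_LOG)):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.user}: {a.reason}")
```

Run against the constructed sample, only bob produces an alert: alice’s self-service reset from her usual IP is benign, and carol’s help-desk reset ages out of the window before the enrollment. In production the reset-by-help-desk event on its own is still worth a lower-severity ticket, and the “known IP” set would come from weeks of login history rather than the same log file.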
I also saw some good analysis from the Risky Business team, that noted:
“The term Scattered Spider is very generously used to describe individuals who learned the same hacking techniques from an underground Discord and Telegram community known as The Com.
There are hundreds of these individuals who are organized in their own smaller cliques, sometimes jump between them, and even merc out their hacking services on specific intrusions to other groups.
It's a stupid name, but it can't be helped since it's difficult tracking such a flowy and mercurial bunch of people.”
And therein lies one of the core flaws in the idea of attribution. Is it the original members? Is it copycats? Is it the next generation? What does it matter in terms of defending? The defenses are the same whoever is on the other end of the phone call: a help desk that verifies identity before resetting credentials, and monitoring that catches MFA reset and re-enrollment activity. Leave attribution to the intel and law-enforcement functions that are looking to make arrests, and focus your energy on plugging holes, building awareness, training people, and consistent best practices.
Fundraising
From a fundraising perspective, another light week to close out Q2 and H1, but I would note that we’re still seeing some very strong numbers, closing the quarter at just over $196B, almost exactly the same as Q1’s $200B, and putting us close to the half-a-trillion mark halfway through the year, which is a silly amount of money.
All of the macro challenges remain: a cold IPO market, volatility in the political realm (in the US and abroad), and a challenging environment around both interest rates and inflation.
And yet, dry powder commitments continue, as do investments by PE firms. The wheel doesn’t stop, and it doesn’t look like the music is stopping any time soon either, so let’s all stay focused on what we’re here to do.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.ledger-enquirer.com/news/business/article309467520.html
https://www.axios.com/2025/06/27/aviation-transportation-sector-cyberattacks-scattered-spider
https://x.com/FBI/status/1938746767031574565
https://unit42.paloaltonetworks.com/muddled-libra/
https://news.risky.biz/risky-bulletin-scattered-spider-goes-after-aviation-sector/