Experts point finger at international collective over Qantas hack

written by David Hollingworth | July 2, 2025

Victor Pody shot these Qantas aircraft, A330 VH-EBG and A380 VH-OQB.

Hours after Qantas confirmed that it had been the victim of a cyber attack, experts are already saying the culprit is very likely the hacking collective known as Scattered Spider.

Tony Jarvis, Field CISO and VP APJ at cyber security company Darktrace, told Australian Aviation’s sister brand Cyber Daily that the breach bears Scattered Spider’s fingerprints.

Qantas said in a statement on Wednesday that it had detected “unusual activity” on a third-party customer service platform on Monday. The platform holds the details of 6 million Qantas customers, and while the airline is working to find out how many customers are impacted, it’s already aware that some personal details have been compromised.

“Initial reports on Qantas’ cyber breach show many hallmarks of the Scattered Spider ransomware group, which claimed responsibility for attacks against America’s Hawaiian Airlines and Canada’s Westjet last week, and the crippling attack against Marks & Spencer in the UK in April,” Tony Jarvis, Field CISO and VP APJ at Darktrace, told Cyber Daily.

“Scattered Spider are thought to be native English speakers who don’t just exploit technical vulnerabilities but manipulate people, especially IT help desks, through phishing, Multi Factor Authentication (MFA) bombing, and SIM swapping to gain access.”

“The unfortunate thing is that this sort of third-party attack is not unique. It is just one more example of why cybersecurity is a fundamental business priority across the entire supply chain – especially when defending against highly targeted tactics that bypass traditional security measures,” Jarvis said.

“How significant the impact will be to Qantas’ operations – across both digital and physical channels – and the damage to its brand and reputation remains to be seen.”

Given the FBI’s recent warning of Scattered Spider activity targeting airlines, Elliot Dellys, CEO of Australian cyber security firm Phronesis Security, said that it would not be surprising if the collective were behind the Qantas data breach.

“Scattered Spider (also known as UNC3944) is a fascinating threat actor of growing concern. Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom,” Dellys said.

“While Qantas have made a public statement that login information, credit card details, personal financial information and passport details have not been disclosed, there remains a significant risk of ongoing targeted phishing attacks and identity fraud for users that may have personal information exposed.

“If this incident is the result of a third-party compromise, it adds to an increasing list of major Australian organisations that have done their utmost to secure data, just to have it exposed via a third party.

“It is also a timely reminder for organisations that effective cyber security is about far more than just having the latest tech. Breaches are frequently the result of inadequate third-party risk management, human error, or well-intended people doing the wrong thing.”

Qantas says it is investigating the incident, and that it has put “additional security measures in place to further restrict access and strengthen system monitoring and detection”.
