Introduction
On July 2, 2025, Qantas, Australia’s flagship airline, disclosed a cyberattack, first detected on June 30, 2025, that compromised the personal information of up to six million customers. Described as one of the most significant data breaches in Australia’s recent history, the attack is suspected to be the work of the notorious Scattered Spider cybercriminal group. According to the information currently available, the attackers targeted a third-party customer service platform used by Qantas’s contact centre, specifically a Manila-based call centre that handles reservations.
Qantas confirmed that credit card details, financial data, passport details and frequent flyer account passwords were not stored on the compromised platform and were therefore not exposed. Qantas took immediate action: it took the affected systems offline, notified the relevant authorities and established a dedicated support line for affected customers, and its CEO delivered one of the clearest, most action-oriented, timely and humble media briefings in recent memory, a master class in how a CEO should communicate breach news.
The Threat Actor
The suspected attacker, Scattered Spider, also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud and Muddled Libra and profiled in CISA’s advisory on the group, is most recently known for the breach at retail giant Marks & Spencer. Rather than exploiting software vulnerabilities, the group typically gets in through social engineering: impersonating employees or contractors to IT help desks to obtain password and MFA resets, phishing, SIM swapping and MFA fatigue (push bombing). Third-party vendors, and outsourced call centres in particular, are attractive targets for any organization that relies on them, in this case the airline industry: they handle vast amounts of sensitive data, and they hold trusted access into the airline’s own systems. The FBI’s warning on June 27, 2025, highlighted Scattered Spider’s expansion into the airline sector, and recent attacks on Hawaiian Airlines and WestJet show similar patterns.
After gaining initial access, Scattered Spider performs discovery to identify critical assets: searching SharePoint sites (T1213.002) and credential storage documentation (T1552.001), and looking for VMware vCenter infrastructure (T1018), backups and VPN setup instructions (TA0007). They enumerate Active Directory to map the network and identify high-value targets, and use AWS Systems Manager Inventory (T1538) to discover additional targets for lateral movement (TA0008).
They then move laterally to pre-existing (T1021.007) and actor-created (T1578.002) Amazon EC2 instances, and deploy remote monitoring and management (RMM) tools such as Fleetdeck.io, Level.io, ScreenConnect, Splashtop and Tailscale for persistence and movement (T1219). Because these are legitimate administrative tools, detection has to key on where they are unexpected: a contact-centre workstation, an account that has never run them before, or an install outside change control. A distinctive tactic is joining incident remediation and response calls and teleconferences to learn the security team’s tactics and develop new intrusion avenues. They also create new identities in the environment, often backstopped by fake social media profiles, to maintain access and evade detection.
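As an added illustration (not part of the original post, and not ColorTokens, Xshield or CISA code), the following Python sketch turns the discovery and lateral-movement behaviours above into detection logic and runs it over a few constructed events. The event shape is an assumed, simplified normalisation of SharePoint audit records, AWS CloudTrail entries and endpoint process-creation events; the CloudTrail eventName values are real API actions, but the technique mapping, the field names and the sample records are ours.

```python
"""Map Scattered Spider discovery and lateral-movement behaviours to detections.

Added example for this post, not ColorTokens/Xshield or CISA code. The event
schema below is an assumed, simplified normalisation of three log sources:
SharePoint audit records, AWS CloudTrail entries and endpoint process events.
"""
import json
import re

# Remote monitoring/management tools named above (T1219). Match on the image
# basename so that a short key such as "level" does not fire on unrelated paths.
RMM_TOOLS = {
    "fleetdeck": "Fleetdeck.io",
    "level": "Level.io",
    "screenconnect": "ScreenConnect",
    "splashtop": "Splashtop",
    "tailscale": "Tailscale",
}

# Real CloudTrail eventName values; the technique mapping is our interpretation
# of the CISA advisory (SSM Inventory for discovery, EC2/SSM for lateral movement).
AWS_API_TECHNIQUES = {
    "ListInventoryEntries": ("T1538", "SSM Inventory queried for targets"),
    "GetInventory": ("T1538", "SSM Inventory queried for targets"),
    "RunInstances": ("T1578.002", "actor-created EC2 instance"),
    "StartSession": ("T1021.007", "SSM session opened to an EC2 instance"),
    "SendCommand": ("T1021.007", "SSM Run Command sent to an EC2 instance"),
}

# Document titles an intruder goes looking for (T1213.002 / T1552.001 / TA0007).
SENSITIVE_DOC = re.compile(r"vpn|password|credential|vcenter|backup", re.I)


def classify_event(evt: dict) -> list[tuple[str, str]]:
    """Return [(technique_id, description), ...] for one normalised event."""
    findings = []
    kind = evt.get("kind")
    if kind == "process":
        basename = re.split(r"[\\/]", evt.get("image", ""))[-1].lower()
        for key, name in RMM_TOOLS.items():
            if basename.startswith(key):
                findings.append(("T1219", f"RMM tool {name} launched: {basename}"))
    elif kind == "aws":
        hit = AWS_API_TECHNIQUES.get(evt.get("eventName", ""))
        if hit:
            findings.append(hit)
    elif kind == "sharepoint":
        doc = evt.get("document", "")
        if evt.get("operation") == "FileDownloaded" and SENSITIVE_DOC.search(doc):
            findings.append(("T1213.002", f"sensitive SharePoint download: {doc}"))
    return findings


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list[dict], min_techniques: int = 2) -> dict[str, dict[str, list[str]]]:
    """Group findings per identity and keep identities that show at least
    min_techniques distinct technique IDs. A lone inventory query is normal
    admin activity; inventory + new instance + RMM install from one account is
    the multi-stage pattern described in the advisory."""
    per_user: dict[str, dict[str, list[str]]] = {}
    for evt in events:
        for tid, desc in classify_event(evt):
            per_user.setdefault(evt["user"], {}).setdefault(tid, []).append(desc)
    return {user: hits for user, hits in per_user.items() if len(hits) >= min_techniques}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
{"kind": "sharepoint", "user": "jdoe", "operation": "FileDownloaded", "document": "VPN setup instructions.docx"}
{"kind": "sharepoint", "user": "jdoe", "operation": "FileDownloaded", "document": "Q3 roster.xlsx"}
{"kind": "aws", "user": "jdoe", "eventName": "ListInventoryEntries"}
{"kind": "aws", "user": "jdoe", "eventName": "RunInstances"}
{"kind": "process", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe"}
{"kind": "process", "user": "svc_backup", "image": "C:\\Windows\\System32\\svchost.exe"}
{"kind": "aws", "user": "ops-admin", "eventName": "DescribeInstances"}
"""

if __name__ == "__main__":
    for user, hits in triage(parse_events(SAMPLE_EVENTS)).items():
        print(user, sorted(hits))
```

Run stand-alone it reports only `jdoe`, with four distinct techniques; `ops-admin`'s single DescribeInstances call and the service account's svchost.exe never reach the threshold. In a real deployment the per-identity correlation would be bounded by a time window and the RMM list extended with the rest of the advisory's tools, but the shape, classify per event and then correlate per identity, is what separates this pattern from ordinary admin noise.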
A Continuing Threat
After notoriety in retail and airlines, Scattered Spider are expected to attack other industries and business sectors that use third parties as part of their digital supply chain, and it is time to be breach ready.
Xshield, the ColorTokens enterprise microsegmentation platform, is designed to protect against sophisticated threats such as Scattered Spider by preventing lateral movement and isolating network segments during an attack. Even if attackers gain initial access through phishing or social engineering, they are confined to one part of the network and cannot easily move laterally to others. That containment capability matters against a group like Scattered Spider, whose playbook depends on lateral movement and data theft. Through microsegmentation, identity-based access control and integration with existing security investments such as EDR, SIEM and firewalls, Xshield becomes a critical component of breach readiness by:
- Preventing Lateral Movement: By dividing the network into small, isolated segments, Xshield ensures that even if Scattered Spider gains initial access (e.g., through phishing), they remain confined to the compromised microsegment and cannot traverse the network to reach high-value assets such as identity stores (Active Directory), backups, vCenter or virtual machines.
- Identity-Based Segmentation: Xshield’s identity-based controls, enhanced by PureID, grant access based on who the user is rather than only where the traffic comes from. For Scattered Spider, who routinely move laterally with stolen credentials, this adds a further barrier: a compromised contact-centre account is still authorised only for the segments that role needs, so the stolen credential does not translate into reach across the network, reducing the risk of privilege escalation.
- Immediate Risk Reduction: Xshield’s ability to reduce risk in days, not months, matters for containing fast-moving threats. This aligns with ColorTokens’ promise of “Immediate Security and Continuous Improvements”, so organizations can quickly adapt to emerging threats like Scattered Spider.
- Integrating with EDR: Xshield integrates with EDR solutions such as CrowdStrike, enhancing its ability to detect and respond to threats at the endpoint level. This is critical against Scattered Spider, who often deploy information stealers such as AveMaria/WarZone or Raccoon Stealer to harvest credentials.
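To make the "Preventing Lateral Movement" and "Identity-Based Segmentation" points concrete, here is an added illustration of what a label-based, default-deny segmentation policy does to an intruder's reach. It is not Xshield's policy language or API, and the workload names, labels and ports are assumptions for the example; the point is the comparison between a flat network and a segmented one for the same compromised contact-centre host.

```python
"""Label-based, default-deny segmentation policy and blast-radius check.

Added illustration for this post; it is not Xshield's policy language or API.
Workload names, labels and ports are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # e.g. frozenset({"role:contact-centre", "env:prod"})


@dataclass(frozen=True)
class Rule:
    src_label: str    # label the initiating workload must carry
    dst_label: str    # label the destination workload must carry
    ports: frozenset  # destination TCP ports allowed by this rule


# Only what the business process needs: agents reach the CRM front end, the
# front end reaches its database, and only admin roles reach backup and vCenter.
SEGMENTED_POLICY = (
    Rule("role:contact-centre", "role:crm-web", frozenset({443})),
    Rule("role:crm-web", "role:crm-db", frozenset({1433})),
    Rule("role:backup-admin", "role:backup", frozenset({22, 443})),
    Rule("role:vsphere-admin", "role:vcenter", frozenset({443})),
)

# The "before" state: a flat network where any prod workload reaches any other.
FLAT_POLICY = (Rule("env:prod", "env:prod", frozenset(range(1, 65536))),)

WORKLOADS = (
    Workload("agent-vm-017", frozenset({"role:contact-centre", "env:prod"})),
    Workload("crm-web-01", frozenset({"role:crm-web", "env:prod"})),
    Workload("crm-db-01", frozenset({"role:crm-db", "env:prod"})),
    Workload("vcenter-01", frozenset({"role:vcenter", "env:prod"})),
    Workload("backup-01", frozenset({"role:backup", "env:prod"})),
    Workload("jump-backup", frozenset({"role:backup-admin", "env:prod"})),
)

INTERESTING_PORTS = (22, 443, 445, 1433, 3389)


def is_allowed(src: Workload, dst: Workload, port: int, policy) -> bool:
    """Default deny: a flow passes only if some rule matches both endpoints'
    labels and the destination port."""
    if src is dst:
        return True
    return any(
        r.src_label in src.labels and r.dst_label in dst.labels and port in r.ports
        for r in policy
    )


def blast_radius(src: Workload, workloads, policy, ports=INTERESTING_PORTS) -> frozenset:
    """Every 'host:port' the given workload can reach under the policy. This is
    what an attacker who lands on src can enumerate and move to."""
    return frozenset(
        f"{dst.name}:{port}"
        for dst in workloads if dst is not src
        for port in ports
        if is_allowed(src, dst, port, policy)
    )


def lookup(name: str) -> Workload:
    return next(w for w in WORKLOADS if w.name == name)


if __name__ == "__main__":
    agent = lookup("agent-vm-017")
    print("flat     :", sorted(blast_radius(agent, WORKLOADS, FLAT_POLICY)))
    print("segmented:", sorted(blast_radius(agent, WORKLOADS, SEGMENTED_POLICY)))
```

On the flat policy the compromised agent VM can reach every other workload on every port checked, including vCenter and the backup tier that the discovery phase above goes looking for. On the segmented policy its reach collapses to the CRM front end on 443, and even a second hop from the front end only gets to the database port it needs. A stolen contact-centre credential inherits the same limits, because the rules are keyed on the role label of the workload and identity, not on network location.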
It is probably a late realization, but both the airlines and the retailers hit could have been more resilient had they adopted a breach-ready posture.
You never know if you are the next target for such cyber attackers. Reach out to us, and we’ll help you become breach ready. We know it’s urgent for you.