
FBI Airline Warning: Why Every Industry Needs Lightning-Fast Cyber Response
The FBI recently warned about Scattered Spider targeting airlines, specifically highlighting how these cybercriminals use sophisticated social engineering techniques to impersonate employees and contractors, often bypassing multi-factor authentication by convincing help desks to add unauthorised MFA devices to compromised accounts. What’s particularly significant is that the FBI is actively working with aviation and industry partners to address this activity, emphasising that early reporting allows them to engage promptly and share intelligence across the industry to prevent further compromise.
This collaborative approach has become even more critical following major incidents at Qantas (6 million customers’ personal information potentially affected) and Hawaiian Airlines.
The FBI’s warning extends beyond airlines themselves—they specifically note that anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk, as Scattered Spider targets large corporations and their third-party IT providers.
That was the case in the Qantas attack, which was a compromise of their call centre. In a statement they wrote: “The incident occurred when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform”.
There are lessons here, and they reach wider than the aviation industry. They apply to us all, particularly when it comes to the importance of being prepared, incident sharing and raising cybersecurity awareness to the board level.
A worrying trend we at Veeam are seeing, in addition to the methods of initial access and social engineering, is that some ransomware groups now have average dwell times of less than 24 hours between initial compromise and attack deployment. This data is in our Veeam Ransomware Trends report 2025.
When these groups can deploy attacks within hours of gaining access, organisations across all sectors need response capabilities that can be activated in minutes, not days. Let that sink in.
Modern Cyber Risk
Our 2025 Ransomware Trends research reveals a few developments. Although law enforcement pressure has disrupted major groups like LockBit, BlackCat, and Black Basta, cyber groups continue to adapt by:
- Accelerating attack timelines: attacks can now occur within hours rather than days
- Shifting to data exfiltration: prioritising data theft over traditional encryption methods, although in a lot of cases it is still both (double extortion)
- Diversifying targets: expanding beyond certain more “public” sectors such as government or health to reduce scrutiny, although the FBI warning is an interesting development here, describing a more targeted attack against a specific sector
Third parties and vendors remain a weakness. The Qantas attack through a contact centre provider shows how even well-defended organisations remain exposed through their vendor network.
Social engineering effectiveness continues to drive successful breaches; our Coveware teams and Ransomware Trends report both highlight this as a prolific initial access vector. Groups like Scattered Spider are very effective at convincing people like help desk personnel to bypass security controls.
Speed Requires Preparation
The compressed attack timelines demand that organisations rethink incident response. When cybercriminals can deploy attacks within hours of initial access, response plans must be:
Immediately actionable ⏰ Teams need pre-approved authority, backed by good isolation technology, to take systems offline without waiting for management approval chains. Our research shows that 89% of organisations have their backup repositories targeted during attacks, making rapid isolation and containment procedures essential.
Universally understood 💡 Everyone in the organisation must know when to call an incident and how to trigger response protocols. This includes clear escalation criteria, communication paths and methods, and decision-making authority, critically, at all hours. What happens if your CISO is on a plane and not contactable for several hours?
Regularly practiced 📚 We found that 69% of victims believed they were prepared before being attacked, but the confidence dropped by more than 20% post-attack. Regular tabletop exercises and realistic scenario testing reveal gaps and, critically, ensure that the process is embedded in the organisational DNA!
Expert support 🤓 Organisations working with professional incident response teams such as Coveware are 156% less likely to pay ransoms (from data within our Ransomware Trends report) compared to those handling incidents internally. Having established relationships with incident response specialists before attacks occur significantly improves outcomes. Additionally, lean on your other vendors, such as security and data protection: know who to contact, have those relationships in place, and leverage their expertise when the chips are down.
What about The Board?
Cyber incidents typically escalate quickly beyond IT departments, requiring immediate executive oversight. Organisations that successfully manage these situations prepare for the critical questions boards inevitably ask:
- How did this happen? Understanding attack vectors and prevention failures
- What’s the scope of damage? Assessing impact on operations, data, and stakeholders
- How do we recover quickly? Having tested response plans and backup strategies
- How do we prevent recurrence? Long-term resilience improvements and investment priorities
The most resilient organisations demonstrate several key characteristics:
Comprehensive backup strategies: using immutable repositories and sandbox restoration environments. Traditional backup approaches fail when cybercriminals specifically target recovery capabilities, and backups are often your last resort during an incident.
Cross-functional collaboration: between IT operations and security teams, with shared responsibility frameworks and clear communication protocols during these events.
Investment in both prevention and recovery: our research shows that 94% of organisations increased recovery budgets for 2025, while 95% increased prevention spending, a step in the right direction. Be sure to keep this balanced between security and data protection.
Rounding this out
Hot take 🔥 Cybercriminals will target whatever offers the best combination of value and accessibility.
If it is not clear already, cyber groups are willing to expand operations across all industries. Overall, ransomware payments are decreasing, creating “economic pressure” on their ecosystem that drives these criminals to cast wider nets and change tactics.
Organisations must treat cyber resilience as a core business capability and make it part of their DNA. This includes everyone in the organisation, not just those in a technical role. Importantly, all of this needs appropriate board oversight, regular investment, and good practice and planning.
What is a solid foundation?
- Assuming attacks will occur and preparing accordingly
- Building response capabilities that can be activated within minutes
- Establishing clear authority and communication protocols for crisis situations
- Regular testing of all response procedures under realistic conditions
- Maintaining stakeholder trust through transparent communication and demonstrated preparedness
The bottom line… When cybercriminals can compromise and deploy attacks within hours, organisational preparedness measured in days or weeks becomes irrelevant.