SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Aviation & retail urged to boost defences after Qantas cyber hit

Wed, 2nd Jul 2025

New guidance has been issued on combating aggressive cyber threats as the aviation and retail sectors face a marked increase in ransomware attacks, including a recent incident involving Australian airline Qantas. While experts note patterns consistent with the Scattered Spider (UNC3944) group—a collective known for high-profile intrusions—official attribution remains unconfirmed for the latest wave of attacks.

Google Threat Intelligence Group (GTIG) and Mandiant, a leading cybersecurity consultancy, have published updated recommendations to help organisations defend against the methods favoured by Scattered Spider. The move comes amid a growing risk landscape, with retail victims appearing on data leak sites now accounting for 11% of cases in 2025, up from 8.5% in 2024 and 6% in previous years. This trend serves as a stark reminder of the heightened urgency for businesses to shore up their defences.

John Hultquist, Chief Analyst at Google Threat Intelligence Group, highlighted the challenges associated with identifying the perpetrators. "The group known as Scattered Spider is somewhat amorphous. Actors pass in and out and the associations aren't extremely firm. That can make it hard to do attribution and it can make it hard to completely put a stop to their activity. Historically these actors have gone after sectors in waves and the trend in UK retail shouldn't be ignored. There's an opportunity for the sector to take proactive action, especially against the preferred tactics of these actors, like social engineering," Hultquist said.

Charles Carmakal, CTO at Mandiant Consulting, added that the re-emergence of UNC3944, also known as Scattered Spider, demands vigilance. "UNC3944 is known for conducting disruptive intrusion operations and stands out as one of the most pervasive and aggressive threat actors impacting organisations across Europe and the United States. What makes UNC3944 particularly effective is the group's fluid structure and collaboration with several established ransomware and multifaceted extortion groups. Mandiant Consulting observed a notable decrease in the volume of activity after the arrests of alleged UNC3944 associates, but it's critical for organisations to understand that UNC3944 is active again and demands serious attention," Carmakal explained.

The latest cyber incident to catch global attention involved Qantas, which reported a security breach through a third-party platform used by its contact centre. According to Tony Jarvis, Field CISO and VP APJ at Darktrace, the attack bears similarities to previous operations attributed to Scattered Spider, including those affecting Hawaiian Airlines and WestJet last week, as well as a disruptive assault on UK retailer Marks & Spencer earlier in the year.

"Scattered Spider are thought to be native English speakers who don't just exploit technical vulnerabilities but manipulate people, especially IT help desks, through phishing, Multi Factor Authentication (MFA) bombing, and SIM swapping to gain access. Qantas said it detected unusual activity via a third-party platform used by a company contact centre on Monday. The company said it had taken immediate steps to contain the system, but we have seen how quickly these incidents can escalate," Jarvis stated. He noted the incident underscores how attacks against third parties can expose even some of the largest organisations in the world, highlighting the importance of comprehensive cybersecurity across the entire supply chain.

Jordan Avnaim, Chief Information Security Officer at Entrust, emphasised that evolving threats require more than traditional defences. "Social engineering attacks are evolving rapidly – fuelled by current events, AI-generated deepfakes, and increasingly convincing impersonation tactics. In addition, supply chain attacks are a common tactic for cybercriminals, who exploit contractors and third-party vendors as a path to gain access to larger objectives or high-value organisational targets. As we head into the busy summer travel period, it's not surprising that threat actors have shifted focus towards the travel and aviation industry, where they can potentially create havoc by disrupting operational continuity and creating customer distrust," said Avnaim.

Security experts urge organisations to prioritise investment in employee education, establish Zero Trust security frameworks, and adopt advanced authentication measures that are resilient to modern social engineering. As the frequency and sophistication of attacks continue to rise, they warn that cybersecurity must remain a core issue in board-level discussions, with a focus on both prevention and rapid response readiness.
