Scattered Spider Tactics Include Data Theft, Extortion: CrowdStrike

Threat researchers from CrowdStrike are pointing to the hacker group’s focus on more than just traditional ransomware attacks — as experts have separately linked the group to a data theft attack against Australian airline Qantas.

The notorious threat group Scattered Spider has in the past focused on more than just traditional ransomware attacks, with data theft and extortion attacks constituting a lesser-known part of its repertoire, according to threat researchers at CrowdStrike.

The advisory from CrowdStrike’s Counter Adversary Operations unit Wednesday comes as other experts have separately linked the Scattered Spider hacker group to a data theft attack against Australian airline Qantas.

The hacker group tracked as Scattered Spider has previously been blamed for high-profile ransomware attacks including the hugely disruptive 2023 attacks against casino operators MGM and Caesars Entertainment.

Recently, researchers have connected Scattered Spider to a series of attacks against three British retailers — Marks & Spencer, the Co-op and Harrods — as well as insurers such as Aflac.

Scattered Spider then reportedly moved on to targeting airlines, with the group blamed for incidents including attacks against Hawaiian Airlines and WestJet.

On Wednesday morning, Australian airline Qantas confirmed that “a cyber incident has occurred in one of its contact centres impacting customer data,” affecting a platform containing the records of 6 million customers.

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” the airline said in a statement posted online. “An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

CRN has reached out to Qantas for comment.

Security experts including Abnormal AI CIO Mike Britton have suggested the Qantas attack is “likely” to turn out to be linked to Scattered Spider.

In their advisory on the CrowdStrike blog Wednesday, threat researchers from the cybersecurity vendor noted that Scattered Spider continues to treat ransomware deployment as the “primary goal” of its activities.

However, “if an incident is contained prior to ransomware deployment, the adversary often threatens to publicly leak stolen data and demands a ransom,” CrowdStrike researchers wrote in the advisory.

The hacker group is also not above “stealing sensitive data before deploying ransomware for double extortion,” the researchers noted.

CrowdStrike, which coined the name Scattered Spider for tracking the group, has been publishing research on the cybercrime group since 2022.

CrowdStrike researchers on Wednesday also added further confirmation that Scattered Spider has “recently broadened its target scope to include the aviation sector, in addition to its established focus on the insurance and retail industries, as observed by CrowdStrike Services.”

“Throughout Q2 2025, SCATTERED SPIDER's activities have primarily centered on U.S.-based insurance and retail entities, along with U.K.-based retail entities,” the CrowdStrike researchers wrote. “However, incidents in late June 2025, specifically targeting U.S.-based airlines, demonstrated tactics, techniques, and procedures (TTPs) consistent with the adversary's previous operations.”