
Client Advisory – July 2025


Background:
On Friday, 30th June 2025, Qantas confirmed a cyber incident affecting one of its offshore third-party contact centres. Approximately six million customer records were accessed, exposing personal information including names, contact details (email addresses and phone numbers), dates of birth and frequent flyer numbers. No financial data or authentication credentials (such as card data or passwords) have been found to have been accessed at this time.

The intrusion vector appears to have been a “vishing attack”. Vishing is a form of social engineering in which a threat actor impersonates an internal stakeholder over the phone to manipulate a service desk or front-line agent into resetting MFA or granting access to internal systems. Indicators suggest the threat actor group known as Scattered Spider (also tracked as UNC3944, Octo Tempest and Scatter Swine) was involved.

This group is known for its agile, social-engineering-heavy tactics and its focus on high-value sectors. Having previously targeted the financial and insurance sectors, its shift toward aviation marks a concerning escalation in both tactics and targeting.

Are you seeing any indicators of increased threat activity linked to Scattered Spider (UNC3944)?

Over the past quarter, an increase in chatter and technical indicators tied to Scattered Spider’s tradecraft has been observed, such as:

• Increased scanning activity targeting helpdesk systems, ticketing portals and MFA endpoints (i.e. cloud-based / internet-exposed ITSM tooling)
• Attempts to enumerate staff directories and simulate internal IT calls to third-party vendors or customer service providers
• Reports from global threat intelligence providers suggesting heightened activity in APAC, particularly focused on logistics, transportation and aviation

Although no confirmed compromises have occurred within New Zealand aviation clients as of this writing, indicators suggest active reconnaissance may be underway. This is relevant given our geographic closeness to Australia and to the markets served by its corporate sector, such as Qantas in the aviation space (domestic, trans-Tasman and global).

Are there particular threat actors or tactics you’re advising your clients to prepare for?

We recommend preparing for, and having controls and awareness in place against, the following:

• MFA fatigue attacks: attackers flood a target with push notifications, hoping they will accept one out of frustration or by mistake
• Voice-based phishing (vishing): targeting contact centres, helpdesks and third-party vendors, especially outsourced/offshore operations
• Initial access brokers (IABs): working with ransomware affiliates to deliver social engineering campaigns at scale
• Impersonation of internal staff or trusted suppliers: including the use of spoofed email domains and VoIP caller ID masking. Never trust an email sender or caller ID at face value, especially where the request relates to access, credential changes or out-of-the-ordinary access requests.

What Sectors are Scattered Spider currently targeting?

Based on global telemetry and reporting (SentinelOne, Google Mandiant, Palo Alto Networks Unit 42 and Microsoft), the group has shifted its targeting from insurance and retail to transportation and infrastructure in the last 2 months.

Key sectors currently under threat:

• Airlines and aviation (Qantas, Hawaiian Airlines, WestJet – all attacked within the last 60 days)
• Logistics and freight
• Telecommunications
• Energy and utilities
• High-value public sector targets with complex vendor ecosystems

New Zealand’s small but strategically important aviation and port infrastructure makes it a plausible target for attackers looking for high-impact, high-value outcomes via supply chain or offshore partner exposure.

Do you have any recommendations, threat intelligence, or situational awareness updates that may assist us in adjusting our monitoring or controls?

Based on the current threat landscape, we recommend the following actions:

• Enforce MFA: MFA should be required for all staff with access to systems that contain sensitive information pertaining to your organisation and your clients
• Audit helpdesk access and reset practices: ensure staff cannot bypass MFA without strong identity verification (i.e. callback verification to a known number for that person, in-person peer identity verification where staff are spread across sites, reviewing where the user is attempting to connect from, and use of trusted-device and geo-location policies)
• Log and alert on unusual MFA resets, device registrations and identity provider changes (such as moving from a company-issued MFA device to a new device or number where SMS-based MFA or similar is in use)
• Review third-party access rights: conduct risk-based reviews of third-party providers and vendor systems, focusing on where third parties provide front-line call centre services. Apply environment segmentation where possible, audit logging, MFA and minimum viable access
• Conduct vishing simulation training for helpdesk staff, using real-world scenarios to determine and measure the effectiveness of controls and procedures
• Develop a rapid response plan to escalate suspected social engineering events quickly. Don’t treat them as isolated helpdesk anomalies: if something smells off, it is always better to err on the side of caution than the alternative.
• Make sure your third-party due diligence, relevant risk assessments and escalation paths are current and maintained regularly

Detection Priorities

• Alerts on high volumes of failed MFA attempts
• Watchlists for new device enrolments from unusual IPs / countries
• Monitoring of identity provider admin changes
• Anomaly detection on offshore or vendor staff accessing customer systems outside of normal operating hours/practices
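As an added illustration (not part of the original advisory), the detection priorities above expressed as four simple rules over a constructed identity-provider event log. The event schema, the country allowlist and the vendor operating window are assumptions; real sign-in and audit logs would need a mapping step first.

```python
from collections import Counter
from datetime import datetime

# Constructed sample identity-provider events (not real telemetry).
EVENTS = [
    {"ts": "2025-07-01T02:10:00", "type": "mfa_failed", "user": "j.smith", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T02:10:20", "type": "mfa_failed", "user": "j.smith", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T02:10:40", "type": "mfa_failed", "user": "j.smith", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T02:11:00", "type": "mfa_failed", "user": "j.smith", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T02:11:30", "type": "mfa_approved", "user": "j.smith", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T02:12:00", "type": "mfa_device_registered", "user": "j.smith", "src_country": "RO", "group": "staff"},
    {"ts": "2025-07-01T03:00:00", "type": "idp_admin_change", "user": "svc-admin", "src_country": "NZ", "group": "staff"},
    {"ts": "2025-07-01T23:30:00", "type": "customer_system_access", "user": "vendor01", "src_country": "PH", "group": "vendor"},
    {"ts": "2025-07-01T10:00:00", "type": "customer_system_access", "user": "vendor02", "src_country": "PH", "group": "vendor"},
]

ALLOWED_COUNTRIES = {"NZ", "AU"}   # assumed: countries the business expects MFA enrolments from
VENDOR_HOURS = range(8, 18)        # assumed: contracted vendor operating window, 08:00-17:59 local
FATIGUE_THRESHOLD = 3              # assumed: failed/denied MFA prompts per user before alerting

def detect(events):
    """Return a list of (rule, user) alerts derived from the advisory's detection priorities."""
    alerts = []
    failed = Counter(e["user"] for e in events if e["type"] == "mfa_failed")
    # Rule 1: high volume of failed MFA prompts (fatigue pattern); note if a prompt was then approved.
    for user, n in failed.items():
        if n >= FATIGUE_THRESHOLD:
            approved = any(e["type"] == "mfa_approved" and e["user"] == user for e in events)
            alerts.append(("mfa_fatigue" + ("_then_approved" if approved else ""), user))
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        # Rule 2: new MFA device enrolled from a country outside the allowlist.
        if e["type"] == "mfa_device_registered" and e["src_country"] not in ALLOWED_COUNTRIES:
            alerts.append(("device_enrol_unusual_country", e["user"]))
        # Rule 3: every identity-provider admin change is surfaced for review.
        elif e["type"] == "idp_admin_change":
            alerts.append(("idp_admin_change", e["user"]))
        # Rule 4: vendor staff touching customer systems outside the agreed hours.
        elif e["type"] == "customer_system_access" and e["group"] == "vendor" and hour not in VENDOR_HOURS:
            alerts.append(("vendor_access_out_of_hours", e["user"]))
    return alerts

if __name__ == "__main__":
    for rule, user in detect(EVENTS):
        print(f"ALERT {rule}: {user}")
```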

Conclusion

The Qantas breach represents a continued evolution and maturing of attacker tradecraft, exploiting human vulnerabilities rather than software flaws such as zero-days or CVEs.
New Zealand organisations, especially those relying on third-party offshore vendors, should treat this incident as a warning to prioritise reviewing helpdesk protocols, enforce modern authentication controls and raise awareness of social engineering risks.
Scattered Spider is not an opportunistic threat actor: they are strategic, maturing at a rate of knots, persistent and collaborative.
They will continue to target high-trust environments unless controls are uplifted and detection is expanded beyond endpoint telemetry to include people- and process-based signals.

Questions, Queries, Support?

If you have any further questions or queries pertaining to this advisory, or would like to discuss what Advantage can do to help you secure and test your environments and controls, please don’t hesitate to contact us via your account manager, by phone or through our website www.advantage.nz

Definitions

• Vishing (voice phishing) – Voice phishing (Wikipedia)
• MFA – Multi-factor authentication (Wikipedia)
• VoIP – Voice over IP (Wikipedia)
• Email sender spoofing – Email spoofing (Wikipedia)
• CVE – Common Vulnerabilities and Exposures (Wikipedia)