CISO Talk by James Azar
CyberHub Podcast
Hawaiian Airlines Hacked by Scattered Spider Aviation Campaign, Ahold Delhaize Breach Impacts 2.2 million People, Over 1,200 Citrix Servers Unpatched

Canada Bans Hikvision on National Security Grounds, and NATO Agrees to Historic 5% GDP Defense Spending with 1.5% Dedicated to Cybersecurity

Good Morning Security Gang!

Welcome back to another packed Monday episode of the CyberHub podcast, broadcasting live from the bunker on the last day of June 2025! Your host and CISO James Azar returns with his signature double espresso, ready to dive into a show packed with critical cybersecurity intelligence as we prepare to kick off July and celebrate the Fourth of July - which he promises will be "star spangled awesome."

Today's episode covers a dangerous escalation as Scattered Spider shifts from retail to aviation targets with Hawaiian Airlines in their crosshairs, a massive 2.2 million record breach at Dutch grocery giant Ahold Delhaize, and alarming news that over 1,200 Citrix servers remain unpatched against CitrixBleed 2. From geopolitical developments including Canada's Hikvision ban and NATO's new 5% GDP defense spending mandate to critical leadership changes at CISA and NSA, this episode delivers essential threat intelligence that security professionals need to act on immediately.

Scattered Spider Takes Flight: Hawaiian Airlines Under Attack

Hawaiian Airlines disclosed a cybersecurity incident over the weekend that has been attributed to the notorious Scattered Spider group, marking a dangerous escalation from retail to aviation sector targeting. While the attack didn't impact aviation operations, it did compromise IT systems, prompting alerts from the FBI, Google's Mandiant, and Palo Alto Networks. The FBI warned that the cybercrime group has extended its targeting to the airline sector and urged the industry to report any indications of attacks immediately to enable prompt FBI engagement and intelligence sharing.

"I say suicide mission potentially because when you go after retail, there's one aspect to it. When you attack Marks and Spencer or Co-op, that's different than going after airlines, which is a main mode of transportation, which has significant national security implications." - James Azar on Scattered Spider's escalation to airline targeting

Charles Carmakal, CTO of Mandiant Consulting, confirmed that Mandiant is aware of multiple incidents in the airline and transportation sector resembling Scattered Spider operations. The group's core tactics remain consistent, so organizations should train help desk staff in robust identity verification and deploy phishing-resistant MFA (app-based rather than SMS).

Hawaiian Airlines, a subsidiary of Alaska Air Group, filed with the SEC stating they identified the cybersecurity incident affecting certain IT systems and took immediate steps to safeguard operations. Axios sources indicate that another recent airline attack on WestJet is likely the work of the same group, suggesting a coordinated campaign against the aviation industry.

United Natural Foods: Week-Long Cyber Incident Impacts Quarterly Income

United Natural Foods provided a stark example of cyber incident business impact, reporting that a June 5th cyber attack will affect their quarterly income projections. The company filed an SEC update on Thursday explaining that the attack forced them to take systems offline that manage fulfillment and distribution of company orders. After ten days, they safely restored core systems used by customers and suppliers for electronic ordering and invoicing, enabling business operations to normalize. Importantly, the company stated they don't anticipate sending notifications to individual consumers because the incident didn't involve a breach of PII or PHI "as those terms are defined by law." The attack hasn't been claimed by any cybercriminal organization, but the company confirmed it will impact net income projections for Q4 fiscal 2025 compared to internal projections prior to the incident. Despite having cyber insurance coverage, the company expects costs to be paid out in the next fiscal year, though they believe the attack won't impact their ability to achieve longer-term strategic and financial objectives.

Dutch Grocery Giant Ahold: 2.2 Million Records Compromised

Dutch grocery giant Ahold Delhaize disclosed that 2.2 million people were affected by the ransomware attack first covered in November 2024, according to a filing with the Maine Attorney General's office. The attack was claimed by the Inc Ransom ransomware group, with compromised information varying by individual but potentially including names, contact information, dates of birth, Social Security numbers, passport numbers, driver's license numbers, financial account information, health information, and employment-related details.

The Tor-based leak website made available roughly 800 gigabytes of allegedly stolen data from Ahold, indicating the company did not pay the ransom. The criminals claim to have stolen 6 terabytes of files total and have posted passport pictures and other employee information online, clearly demonstrating the scope of personally identifiable information exposed in the breach.

Canada Bans Hikvision: National Security Crackdown Continues

The Canadian government ordered Chinese video surveillance device maker Hikvision to cease all operations in the country on national security grounds. Minister of Industry Melanie Joly announced that Hikvision's Canadian branch is no longer allowed to conduct business after a national security review determined the company's operations would harm national security. The government is prohibiting the purchase and use of Hikvision products in government departments, agencies, and crown operations, while conducting a review of existing properties to ensure legacy Hikvision products are removed.

Hikvision Canada responded by calling the decision "unfounded allegations of national security" and claiming it appears "driven by our parent company's country of origin reflecting broader geopolitical tensions and an unjustified bias against China." Hikvision joins Huawei, ZTE, Hytera, Pacific Networks, Dahua, China Mobile, China Telecom, and China Unicom on Canada's covered list as companies posing "unacceptable risk to national security."

Germany Strengthens Cyber Ties with Israel Through Five-Point Program

Germany is strengthening its cybersecurity capabilities through enhanced cooperation with Israel as cyber threats continue to grow. Interior Minister Alexander Dobrindt paid an official visit to Israel over the weekend, announcing a new cooperation framework during a meeting at the site of a ballistic missile attack in Bat Yam, north of Tel Aviv. Dobrindt presented a new five-point "cyber dome" program prepared by Germany for implementation.

The program aims to significantly enhance Germany's internal and external cyber defense capabilities and develop strategic partnership between Germany and Israel. The five main points include: institutional cooperation between Germany and Israel in cybersecurity, creating a cyber research center for constant cooperation, modernizing civil protection systems and developing rapid alert platforms against threats, deepening exchange and cooperation between intelligence and law enforcement agencies, and expanding anti-drone defense capabilities within Germany.

Germany Orders Apple and Google to Remove DeepSeek Over EU Privacy Violations

German data regulators on Friday ordered Apple and Google to remove DeepSeek from their app stores over non-compliance with EU privacy and digital services rules. The Berlin Commissioner for Data Protection and Freedom of Information classified the Chinese application as "illegal content," stating that Chinese authorities have far-reaching rights to access personal data while DeepSeek users don't have enforceable rights or effective legal remedies available in China like those guaranteed in the EU.

The Berlin regulator acted after DeepSeek's parent company, Hangzhou DeepSeek Artificial Intelligence, ignored a request to stop data transfers to China or self-remove the app from platforms. This marks another significant regulatory action against Chinese technology companies in European markets.

NATO Agrees to 5% GDP Defense Spending with 1.5% for Cyber

NATO members reached an agreement this week to increase defense spending to 5% of GDP within a decade, with 3.5% going toward core defense and the remaining 1.5% of GDP on indirect defense spending including cybersecurity capabilities. The expanded definition of defense spending now includes investment in energy and supply chain resilience, logistics infrastructure, and innovation. This represents a significant shift for NATO, which originally focused on keeping Russia out of Europe but is now addressing China as another threat to NATO members.

The 5% spending target emphasizes strengthening manufacturing and cooperation between NATO nations to essentially isolate China, focusing not just on traditional military assets but also on supply chain resilience, logistics infrastructure, and innovation capabilities.

CitrixBleed 2: Over 1,200 Servers Still Unpatched

Despite widespread warnings about CitrixBleed 2, over 1,200 appliances remain exposed online and unpatched against the critical vulnerability CVE-2025-57777. This represents a significant ongoing risk to organizations worldwide, as these exposed systems continue to provide potential entry points for threat actors. The persistence of unpatched systems demonstrates the ongoing challenge of vulnerability management and the need for organizations to prioritize critical security updates immediately.

Russia Throttles Cloudflare Access in Tech Isolation Campaign

On June 9th, Russian ISPs began aggressively throttling access to websites and services protected by Cloudflare, making sites effectively inaccessible from the country. The throttling reportedly allows users to download only the first 16 kilobytes of any web asset before breaking, effectively rendering most Cloudflare-backed sites unusable for Russian citizens. Cloudflare stated they have not received formal communication about this action from the Russian state but consider it part of the country's broader strategy to oust Western tech firms from their domestic market. This represents another escalation in Russia's technological isolation from Western services and infrastructure.

CISA and NSA Leadership Changes

Several major leadership announcements occurred at CISA and NSA this week. Casie Antalis has been named the new executive director of CISA, filling in for Bridget Bean, who served as assistant director for nearly three years before taking the executive director role in August 2024. Bean announced her retirement two weeks ago. Sean Plankey continues to hold a key cyber role at CISA, though his nomination has been blocked by Senator Ron Wyden over the release of a Salt Typhoon report.

"Wyden's idea is if you don't release the report from an agency you're not yet in charge of, I won't allow you to become the leader of that report. Great logic. These are the people we elect, America. These are the people we elect." - James Azar on Senator Ron Wyden blocking Sean Plankey's CISA nomination

Additionally, Patrick Ware has been named to the top civilian role at Cyber Command as executive director. Ware has been a senior executive at NSA involved in offensive and defensive missions for 34 years and now serves as Cyber Command's highest-ranking civilian, replacing Morgan Adamski who announced his departure last week after 17 years at NSA.

Action Items for Security Teams

  • CitrixBleed 2 urgent patching: Immediately verify all NetScaler systems are updated to address CVE-2025-57777 - over 1,200 systems remain vulnerable

  • Scattered Spider airline TTPs: Brief help desk staff on robust identity verification procedures and deploy phishing-resistant MFA immediately

  • MFA deployment review: Replace SMS-based MFA with app-based or hardware token solutions across all critical systems

  • Chinese technology audit: Inventory all Hikvision, Huawei, ZTE, and other Chinese technology products for potential replacement

  • DeepSeek app removal: Remove DeepSeek applications from all corporate devices and app stores immediately

  • Incident response financial planning: Develop clear business impact communication strategies for executive and board briefings

  • Supply chain resilience assessment: Review dependencies on Chinese technology vendors and develop diversification strategies

  • Aviation sector monitoring: Implement enhanced monitoring for organizations in transportation and critical infrastructure sectors

  • Cloudflare backup planning: Develop contingency plans for potential ISP-level blocking of Western technology services

  • Help desk security training: Update social engineering awareness training with latest Scattered Spider tactics and techniques

  • PII classification review: Evaluate current data classification policies against evolving regulatory requirements

  • Cyber insurance coverage verification: Ensure coverage adequately addresses business interruption and incident response costs

  • NATO compliance planning: For relevant organizations, begin aligning cybersecurity investments with expanded defense spending frameworks

  • Leadership transition planning: Prepare for potential changes in government cybersecurity leadership and policy directions

James Azar's CISO Take

My analysis this episode focused heavily on what I see as a dangerous escalation by Scattered Spider - and frankly, I think they're making a strategic mistake. When you go after retail like Marks and Spencer or co-op, that's one thing. But attacking airlines? That's a main mode of transportation with significant national security implications. I called it a potential "suicide mission" because I guarantee you the FBI is super motivated to bring these guys down right now. They're testing boundaries they shouldn't be testing, and law enforcement response is going to reflect that reality.

What really struck me about the United Natural Foods incident is how perfectly it illustrates what we as CISOs need to communicate to our executives and boards. This isn't just about technical controls - this is about quarterly income projections and real business impact. When I see a company taking ten days to restore systems and explicitly stating it will impact their Q4 projections, that's the kind of case study I use in board presentations. That's the reality we live in - cyber incidents directly translate to financial statements, and our leadership needs to understand that connection.

On the regulatory front, my frustration continues to grow with current PII definitions. Looking at the Ahold breach, I'm questioning whether employment details really constitute notifiable PII - what are threat actors going to do with the fact that someone got written up for taking too long of a break? But passport photos? That's clearly PII. We need to be more realistic about what actually creates risk versus what's historically been in phone books.

The political dysfunction around cybersecurity leadership appointments absolutely infuriates me. Senator Wyden blocking Sean Plankey's nomination because he won't release a report from an agency he's not yet in charge of? "Great logic. These are the people we elect, America." It's this kind of political gamesmanship that weakens our national cybersecurity posture when we need strong leadership most. On the geopolitical front, I'm fully supportive of Western nations taking decisive action against Chinese technology companies. Every country that bans DeepSeek helps build political capital for others to do the same - I predict we could see DeepSeek disappear from the entire Western Hemisphere within six to ninety days if there's appetite for it.

The NATO framework expanding defense spending to include cybersecurity and supply chain resilience shows how integrated these concerns have become with national defense. But while we're focused on these strategic issues, I'm still seeing over 1,200 Citrix servers unpatched against CitrixBleed 2 - that's the immediate operational reality we can't ignore while we debate larger policy questions.


✅ Story Links:

https://www.securityweek.com/hawaiian-airlines-hacked-as-aviation-sector-warned-of-scattered-spider-attacks/

https://therecord.media/united-natural-foods-cyber-incident-q4-impact

https://www.securityweek.com/ahold-delhaize-data-breach-impacts-2-2-million-people/

https://www.securityweek.com/canada-gives-hikvision-the-boot-on-national-security-grounds/

https://zamin.uz/en/world/153439-germany-and-israel-have-launched-a-new-strategic-direction-in-cybersecurity.html

https://www.bankinfosecurity.com/berlin-regulator-orders-apple-google-to-remove-deepseek-a-28851

https://therecord.media/nato-agreement-5percent-gdp-defense-spending-cyber

https://www.bleepingcomputer.com/news/security/over-1-200-citrix-servers-unpatched-against-critical-auth-bypass-flaw/

https://www.bleepingcomputer.com/news/technology/russias-throttling-of-cloudflare-makes-sites-inaccessible/

https://www.securityweek.com/casie-antalis-named-executive-director-of-cisa/

https://www.securityweek.com/patrick-ware-named-executive-director-of-us-cyber-command/

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.