
The Google Threat Intelligence Group (GTIG) on June 16 said that it’s now aware of “multiple” intrusions into the insurance industry in the U.S. that bear all the hallmarks of the Scattered Spider ransomware group.

The news represented a shift from Scattered Spider’s recent focus on retail operations, most notably attacks on Marks & Spencer in the UK and Victoria’s Secret in the United States.

“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” said John Hultquist, chief analyst at the GTIG.

GTIG did not offer any more information when asked June 17 which companies were targeted by Scattered Spider.

All that’s known so far is that Erie Insurance reported on June 7 that it experienced a cyberattack. In its last update on June 14, Erie said its teams were working alongside leading cybersecurity experts and continuing to work around the clock to restore access for customers, agents and employees.

“We’re confident in our actions, but this work is complex and takes time. We appreciate your patience and understanding,” said the Erie statement.

Along with the Erie incident, SC Media reported June 17 that major Swedish commercial vehicle manufacturer Scania had its corporate insurance arm, Scania Financial Services, allegedly compromised by a threat actor going under the alias “hensi” in an attack that resulted in 34,000 confidential files being stolen. As of Tuesday afternoon, neither the Erie nor the Scania case had been connected to Scattered Spider.

Nic Adams, co-founder and CEO at 0rcus, explained that Scattered Spider — also tracked as UNC3944 — is a highly adaptive and financially motivated threat actor that has historically focused on big-game targets across sectors such as retail, telecoms and hospitality, with victims including MGM Resorts and Caesars Entertainment.
Adams said the recent pivot to insurance represents a logical progression given the sector’s valuable data holdings and often distributed, human-intensive operations.

“Google’s warning is indicative of multiple intrusions into the U.S. insurance industry bearing Scattered Spider’s hallmarks,” said Adams. “The group is known for its ‘sector-at-a-time’ focus, proving it’s likely a concerted campaign rather than isolated incidents. Primary objectives appear to be ransomware deployment and data theft for extortion, using their sophisticated social engineering capabilities.”

Adams added that insurance companies possess an extremely attractive combination of factors for financially motivated attackers:
PII and PHI: Insurers hold enormous amounts of sensitive personally identifiable information (PII), protected health information (PHI), financial data and other confidential policyholder details. This data is highly valuable on the dark web for identity theft, fraud and extortion.
Complex digital footprint: Interconnected digital environments, including legacy systems, cloud migrations, extensive third-party vendor ecosystems (brokers, adjusters, reinsurers, software providers) and distributed service centers. Such complexity creates numerous potential entry points and blind spots.
Reliance on customer/partner interaction: These companies handle a high volume of interactions with customers and partners via call centers, online portals and varied communication channels, which increases the surface area for social engineering and phishing.
Operational sensitivity: As in healthcare and telecoms, the networks behind insurance operations are highly critical. Downtime because of ransomware can severely disrupt claims processing, customer service and policy management, directly impacting revenue and reputation and increasing the likelihood of a ransom payment.
Fletcher Davis, senior security research manager at BeyondTrust, added that insurance companies are attractive targets for Scattered Spider because they often have large help desk and outsourced IT functions that are susceptible to social engineering attacks, which align directly with Scattered Spider’s competencies and playbooks.

“The global and complex structure of many of these insurance firms makes comprehensive security and detection of malicious activity significantly difficult as well,” said Davis.