Scattered Spider moves on from retail, sinks its fangs into insurance
"The industry should be on high alert, especially for social engineering schemes which target their help desks and call centres."

Scattered Spider is a shadowy hacking group linked to attacks on high-profile retail targets including M&S.
Now the arachnoid threat actors have reportedly turned their attention to insurance after causing panic on the high street.
"Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry," chief analyst John Hultquist said.
"Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes, which target their help desks and call centres."
Scattered Spider is believed to be an English-speaking group based in the UK and US, with some of its members rumoured to be precocious teenagers. It is renowned for its social engineering skills, with its native language fluency enabling it to trick individual staff members into handing over information.
After gaining initial access, it deploys ransomware variants such as Qilin, RansomHub and DragonForce.
Has Scattered Spider been caught targeting insurance firms?
This month, two major insurance firms have been involved in cybersecurity incidents, although it's unclear whether Scattered Spider was involved or not.
Erie Insurance, which is headquartered in Philadelphia, has suffered an outage lasting more than a week, which started on Saturday, June 7, when its security team observed "unusual network activity".
"We took immediate action to respond to the situation to safeguard our systems and data," it wrote. "Since Saturday, we have continued to take protective action for the security of our systems.
"During this outage, Erie Insurance will not contact customers by phone or email to request payments. As always, do not click on any links from unknown sources or share your personal information via phone or email."
Customers are still able to make claims by phone, and the insurer is working with both law enforcement and cybersecurity professionals to "gain a full understanding of this event."
Philadelphia Insurance Companies also suffered an incident which was claimed to involve ransomware.
It was hit on June 9, when the insurer's security teams first noticed suspicious activity.
"We subsequently determined there was unauthorized access to our systems," wrote its parent company, Tokio Marine North America Inc. "We immediately activated our incident response protocols and proactively disconnected affected systems to contain the threat, resulting in a network outage."
Why are insurers a target for hackers?
For ransomware gangs, insurance companies are attractive due to the huge amount of information they store about customers and their claims.
Richard Orange, VP EMEA at Abnormal AI, explained: "Insurance companies hold highly sensitive data, so it’s no surprise they’re in the crosshairs of Scattered Spider who aim to exploit personal or financial information for monetary gain or disruption.
"This group relies on social engineering rather than technical exploits, and bypasses traditional security controls by manipulating people, such as posing as IT staff or trusted partners.
"While breaches may seem isolated at first, attackers often move laterally, harvesting credentials to deceive other departments, customers, and partners. This increases the risk of Ransomware, Vendor Impersonation and Fraudulent Communications, which can lead to financial fraud or data theft.
"Insurance providers and their partners must treat identity systems and help desk procedures as critical assets. They should implement phishing-resistant MFA and strengthen verification processes. This, alongside training staff to rigorously challenge even familiar requests, is essential to defend against evolving social engineering threats."
Defanging Scattered Spider
So how should insurers respond?
Jon Abbott, CEO of ThreatAware, said: "The rising tide of attacks on US insurers is a serious threat the sector must address - and a warning for other industries to stay vigilant.
"These attackers tend to target one sector at a time, and no industry is immune. Previous successes in retail and entertainment, against the likes of M&S, Caesars and MGM, highlights one critical truth: cyber hygiene matters more than the tools already deployed and working.
"They don’t rely on advanced exploits, but instead use fast moving social engineering tactics to bypass weak helpdesk protocols and identity checks.
"Defence must start with the fundamentals. Accurate asset inventories, tamper-proof identity verification and hardened service desk processes are all essential. Security teams must also monitor for behavioural anomalies, like unexpected access requests or administrative changes, rather than just relying on traditional malware detection.
"Most importantly, insurers need to cultivate a culture of security awareness across all teams.
"Visibility, processes and people – not just tech - are the real lines of defence against Scattered Spider."