After spending a chunk of the early part of the year attacking the UK retail sector, there were warnings from the cybersecurity world that the Scattered Spider hacking group would be looking overseas and possibly at new industries. That prediction has come to pass as the Google Threat Intelligence Group is now reporting “multiple intrusions” at US-based insurance firms, which in some cases have caused outages and business disruptions.
The pattern tracks known habits of the group, which has previously hyper-focused on certain industries or regions for weeks before abandoning them and moving on to some other concentration. The group is presently attacking with a combination of RansomHub, Qilin, and DragonForce ransomware and most frequently attempts to break into systems by calling help desks and leveraging their native English-speaking ability to convince someone to reset an employee password.
Philadelphia Insurance Companies, Erie Insurance among those with outages
Scattered Spider is the threat group that rose to infamy in 2023 with a spree of similar ransomware attacks that largely began with phone calls to help desks, the most headline-grabbing of those incidents being multi-day outages at MGM casino-hotel properties and resorts throughout the US. The group was thought to have been subdued after a string of arrests of key players in 2024, which revealed that it was largely composed of US and UK-based members ranging from their late teens to early 20s in age. But the group has now roared back to life, after some initial denials that they were involved with the attacks on UK retailers earlier this year.
There were warnings roughly a month ago that Scattered Spider would switch focus to retailers in the US, though it appears not much came of that campaign. It is unclear if that was bad intelligence or if the US retailers were sufficiently prepared; industry groups rallied to warn members and provide assistance after news of the UK attacks broke. The focus of the group’s latest spree has instead become US insurance companies, with at least two reporting compromise and subsequent business disruption or outages.
Philadelphia Insurance Companies issued a statement on June 9 indicating that its IT team investigated a report of suspicious activity on its network, discovered unauthorized access, and disconnected affected systems while a forensic investigation commenced. The statement is displayed when accessing the company website, and was last updated on June 19. The site remains out of service as of June 21. And a filing with the U.S. Securities and Exchange Commission (SEC) indicates that Erie Insurance detected similar activity on June 7 and engaged in a proactive response to secure systems and data, though the company’s website and online presence have remained functional.
Hacking group’s new “fluid” formation may have bolstered its membership
While there has been some general trend in the ransomware world back toward attacking smaller and more poorly-defended targets for smaller payouts, a May report from Mandiant indicates that Scattered Spider are still “big game hunters” that tend to focus on larger organizations with coffers and cyber insurance likely to cover a big ransom payment. That tracks with its April and May hits on the UK retailers, who are among the biggest in the business regionally: Harrods, the Co-Op Group, and Marks & Spencer. The insurance companies might seem to be of more modest stature, but Philadelphia Insurance Companies is a top 10 national provider for small businesses and Erie Insurance is a Fortune 500 company that has some six million active policies according to its website.
The group’s structure is now believed to be more fluid than in days past, with fewer permanent members and more cyber criminals that sometimes come and go from other groups to participate in one-off attacks. It still seems to be able to field sufficient native English speakers with inside knowledge of IT help desks to pull off its social engineering approaches, however, and is also still believed to have advanced ability to pull off SIM swap attacks to intercept 2FA methods.
One small positive to the whole situation is that, aside from switching up its ransomware providers, the group has not changed its core tactics much from when it first emerged in 2023. That means that there is already a robust playbook for defending against their approaches. Recommendations from the Google researchers include segregating network identities, establishing identity controls that proactively verify the requester’s identity before password reset requests are approved, and advising employees manning help desks at currently targeted industries (such as the insurance companies at present) to expect scam calls from native US or UK English speakers who may be aggressive about pushing for password resets or other questionable actions. In the wake of the initial retail attacks, the UK’s NCSC also recommended monitoring for employee logins from unusual sources such as residential VPNs.
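The two defensive recommendations above (verify the requester before a help-desk password reset is approved, and watch for employee logins from unusual sources such as residential VPNs) can be combined into a single correlation rule. The script below is an added illustration, not code from the article or from the Google, Mandiant or NCSC reports it cites. The JSON log lines are constructed, the `asn_label` field stands in for whatever an IP-intelligence feed would return, and the verification-method names (`callback_registered_phone`, `caller_recited_employee_id`, and so on) are hypothetical labels a help-desk ticketing system might record. It raises a high-severity alert when a reset approved with a weak verification method is followed within a short window by a sign-in from a residential-VPN or hosting-provider address, a medium-severity alert for any weakly verified reset, and separately lists every login from an unusual source.

```python
"""Correlate help-desk password resets with follow-on logins from unusual sources.

All log lines below are constructed for illustration. The 'asn_label' values
(corporate / residential_vpn / hosting_provider / tor_exit) stand in for the output
of an IP-intelligence feed, and the 'verification' values are hypothetical names
for how a help-desk agent confirmed the caller's identity (assumptions).
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) from a help-desk system and an identity provider.
SAMPLE_LOG = """
{"ts":"2025-06-07T09:02:00Z","source":"helpdesk","event":"password_reset","user":"jdoe","verification":"callback_registered_phone","agent":"hd-agent-1"}
{"ts":"2025-06-07T09:10:00Z","source":"idp","event":"signin","user":"jdoe","ip":"203.0.113.10","asn_label":"corporate"}
{"ts":"2025-06-07T13:41:00Z","source":"helpdesk","event":"password_reset","user":"asmith","verification":"caller_recited_employee_id","agent":"hd-agent-2"}
{"ts":"2025-06-07T13:55:00Z","source":"idp","event":"signin","user":"asmith","ip":"198.51.100.77","asn_label":"residential_vpn"}
{"ts":"2025-06-07T14:20:00Z","source":"idp","event":"signin","user":"asmith","ip":"198.51.100.77","asn_label":"residential_vpn"}
{"ts":"2025-06-08T08:00:00Z","source":"idp","event":"signin","user":"bwong","ip":"192.0.2.5","asn_label":"residential_vpn"}
{"ts":"2025-06-08T08:30:00Z","source":"helpdesk","event":"password_reset","user":"bwong","verification":"manager_approval","agent":"hd-agent-1"}
"""

# Methods that actually verify the requester rather than what a caller happens to know.
STRONG_VERIFICATION = {"callback_registered_phone", "manager_approval", "in_person"}
# Source labels that are unusual for an employee sign-in (assumed feed vocabulary).
UNUSUAL_SOURCES = {"residential_vpn", "hosting_provider", "tor_exit"}
# How long after a reset a sign-in is still considered a follow-on to it.
WINDOW = timedelta(hours=2)


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines text into dicts sorted by time; 'ts' becomes an aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """One alert per weakly verified reset; 'high' if an unusual-source login follows it."""
    alerts = []
    signins = [e for e in events if e["event"] == "signin"]
    for reset in (e for e in events if e["event"] == "password_reset"):
        if reset["verification"] in STRONG_VERIFICATION:
            continue  # identity was proactively verified; nothing to flag
        follow_on = [
            s for s in signins
            if s["user"] == reset["user"]
            and reset["ts"] <= s["ts"] <= reset["ts"] + window
            and s["asn_label"] in UNUSUAL_SOURCES
        ]
        alerts.append({
            "user": reset["user"],
            "reset_ts": reset["ts"].isoformat(),
            "verification": reset["verification"],
            "severity": "high" if follow_on else "medium",
            "follow_on_ips": sorted({s["ip"] for s in follow_on}),
        })
    return alerts


def unusual_source_logins(events: list[dict]) -> list[tuple[str, str]]:
    """Distinct (user, ip) pairs that signed in from an unusual source, regardless of resets."""
    seen = {
        (e["user"], e["ip"]) for e in events
        if e["event"] == "signin" and e["asn_label"] in UNUSUAL_SOURCES
    }
    return sorted(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_suspicious_resets(evs):
        print(f"[{alert['severity'].upper()}] reset for {alert['user']} at {alert['reset_ts']} "
              f"verified by '{alert['verification']}', follow-on logins from {alert['follow_on_ips']}")
    for user, ip in unusual_source_logins(evs):
        print(f"[INFO] {user} signed in from unusual source {ip}")
```

Against the constructed log the reset for `asmith` is the only one verified by something a caller could simply recite, and it is followed within the window by sign-ins from a residential-VPN address, so it alone is rated high; `bwong`'s residential-VPN login precedes a strongly verified reset and therefore shows up only in the standalone unusual-source list. In production the window, the verification vocabulary and the source labels would all come from the organization's own ticketing system and IP-reputation feed.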
Fletcher Davis, Senior Security Research Manager at BeyondTrust, warns that the threat actors may fish this lucrative pond for some time if they keep racking up breaches: “Insurance companies are attractive targets for Scattered Spider because they handle vast amounts of sensitive customer data, including personal information, financial records, and health data, which can be targeted for data theft and extortion. Insurance companies often have large help desk and outsourced IT functions that are susceptible to social engineering attacks, which align directly with Scattered Spider’s competencies and playbooks. The global and complex structure of many of these insurance firms makes comprehensive security and detection of malicious activity significantly difficult as well.”
Dave Gerry, CEO at Bugcrowd, adds: “Scattered Spider’s shift to targeting the insurance industry, as noted by Google’s Threat Intelligence Group, raises serious cybersecurity concerns. They’ve been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link. Recent incidents, like the breach at Erie Insurance, highlight the urgency for enhanced defenses and robust incident response plans across the insurance sector. It’s crucial for companies to bolster their defenses against evolving threats like these and realize that employees continue to be increasingly targeted.”