
Scattered Spider hackers targeting insurance industry following retail hits, Google warns

A group of hackers behind a recent string of attacks on retail stores in the U.K. and U.S. has shifted its focus to insurance firms in recent days, according to cybersecurity researchers.

Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.”

“Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” said John Hultquist, chief analyst at the company.

Charles Carmakal, the chief technology officer of Mandiant, which is also owned by Google, added in comments to Recorded Future News that there is more than one U.S.-based insurance company that has been attacked and noted that the targeting of the insurance industry began around a week and a half ago. 

Google declined to offer specifics about the victims, but several insurance companies have reported attacks over the last week. Erie Insurance released a statement Tuesday about a recent cybersecurity issue that it reported to regulators at the Securities and Exchange Commission (SEC) last week.

Although the company did not attribute the hack to a specific group, it told Recorded Future News in a statement on Tuesday that it is still dealing with network outages caused by “proactive measures” Erie Insurance officials had to take. The company, which is a major provider of homeowner, automobile and commercial insurance, said it now has control of its system and has seen “no evidence of ransomware.” 

Philadelphia Insurance Companies was also hit with a cyber incident that began on June 9. The company is now facing a network outage that has affected its phone and email systems, as well as its online applications. The company replaced its website with a notice that said it is working with law enforcement to recover from the cyberattack.

Like Erie, Philadelphia Insurance Companies did not provide details about the hackers behind the incident.

A major Swedish insurance firm was also allegedly attacked by cybercriminals this week who took down the company’s website.  

BeyondTrust’s Fletcher Davis said insurance companies are attractive targets for Scattered Spider because they typically handle vast amounts of sensitive customer data, including personal information, financial records and health data, which can be targeted for data theft and extortion. 

Scattered Spider moves from retail

Google officials attributed the insurance company campaign to a threat actor they call UNC3944, which they said overlaps with Scattered Spider but has “more narrowly defined” boundaries.

The Scattered Spider cybercriminal operation has caused angst across the cybersecurity industry over the past month for its alleged attacks on the retail industry in the U.S. and U.K.

The group, an offshoot of the larger cybercrime community known as The Com, is best known for leveraging its English-speaking members to conduct attacks where they impersonate members of a company’s IT department. 

BeyondTrust’s Davis noted that insurance companies often have large help desk and outsourced IT functions that are susceptible to social engineering attacks, which align directly with Scattered Spider’s competencies and playbooks.

“The global and complex structure of many of these insurance firms makes comprehensive security and detection of malicious activity significantly difficult as well,” he said. 

Scattered Spider has used the tactic in high-profile attacks on casino giants MGM Resorts and Caesars Entertainment — eventually using their access to steal data or deploy ransomware. Despite a series of arrests and convictions, the group resurfaced with the attacks on the retail industry.

The incidents prompted the FBI to deliver cyber-intelligence briefings to major retailers over the last month after reports that Scattered Spider had shifted their focus from attacks on outlets in the U.K. to U.S.-based companies. U.K. retailers like Marks & Spencer, the Co-op and luxury retailer Harrods were attacked as well as stores like Victoria’s Secret, North Face, Cartier, Adidas, Dior, and Tiffany.

Last week, Google published a report about the same group tricking companies into giving them widespread access to a popular Salesforce tool, allowing them to steal sensitive data and move through other parts of the organizations.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.