Scattered Spider Hackers Shift Focus to U.S. Insurance Firms: Expert Analysis


Scattered Spider Threat Looms Over Insurance Industry

Google’s Threat Intelligence Group has identified multiple cybersecurity breaches in American insurance companies, all consistent with Scattered Spider’s signature tactics. Previously targeting UK and U.S. retailers, including prominent names like Marks & Spencer, Harrods, and Co-op, this hacker collective is now pivoting to a new vertical: insurance.

What Is Scattered Spider?

Scattered Spider—also known by aliases like UNC3944, 0ktapus, Scatter Swine, Starfraud, and Muddled Libra—is a decentralized hacking coalition specializing in ransomware, social engineering, and SIM-swapping attacks. Their campaigns often begin with deceptive communications—calls, SMS or email—targeted at help desks or call centers to bypass multi-factor authentication and gain unauthorized access.

Recent Intrusions Impacting Major Insurers

Several high-profile U.S. insurance organizations, including Erie Insurance and Philadelphia Insurance Companies, have reported network outages and suspicious activity dating from early to mid-June. Both incidents involved emergency shutdowns of internal systems, telephony infrastructure, and customer portals.

  • Erie Insurance detected abnormal network behavior on June 7, disrupting services and initiating a forensic investigation in partnership with law enforcement.
  • Philadelphia Insurance Companies (PHLY) reported unauthorized access around June 9, isolating systems to contain the breach while working with external cybersecurity experts.

Attack Methods: A Sophisticated Social Engineering Campaign

Scattered Spider employs a highly coordinated and deceptive set of cyberattack strategies, primarily centered around advanced social engineering. One of their most common tactics is help-desk impersonation, where attackers fabricate convincing stories to manipulate support staff into resetting login credentials, granting unauthorized access. They also exploit MFA fatigue—also known as MFA bombing—by continuously sending multi-factor authentication requests until users inadvertently approve access out of frustration or confusion. In addition, SIM swapping and phishing are used to hijack mobile numbers or steal login credentials, enabling intrusions into cloud platforms and endpoint devices. Once deep access is achieved, the group often proceeds to deploy powerful ransomware strains like DragonForce, RansomHub, and Qilin, encrypting critical data and demanding ransom for its release. These methods highlight Scattered Spider’s expertise in blending psychological manipulation with technical precision.

Why the Insurance Sector Is at Risk

  • Sector-by-Sector Strategy: Scattered Spider typically targets one industry intensely before moving on.
  • Human Vulnerabilities: Insurance firms rely heavily on call centers and legacy identity systems, which are prime targets for social engineering.
  • Rich Data & Customer Trust: Access to sensitive financial and personal data makes insurers lucrative for cybercriminals.

Proactive Defense Strategies

To strengthen cyber resilience, Google and Mandiant recommend that insurance firms:

  • Implement Zero‑Trust Identity Controls: Segregate user identities, enforce strong password policies, and integrate phishing-resistant MFA.
  • Enhance Helpdesk Authentication: Use challenge-response scripts, photo verification, or voice recognition before resetting passwords.
  • Train Staff in Social Engineering Awareness: Educate on tactics like MFA bombing and pretexted calls.
  • Monitor for Anomalous Access: Flag logins from unusual locations or residential IPs—especially post-reset.
  • Conduct Regular Forensic Readiness: Maintain log review, incident playbooks, and partnerships with third-party cybersecurity firms.
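
The monitoring recommendation above, together with the MFA bombing pattern described under attack methods, can be turned into two simple detection rules. The following is an added example, not code from Google, Mandiant, or this site; the event names, time windows, and sample log entries are assumptions constructed for illustration, and residential-IP classification is left out because it needs an external IP reputation feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (time, user, event, source IP).
# Event names are hypothetical; map them to your identity provider's log schema.
EVENTS = [
    ("2025-06-07T09:00:00", "alice", "login_ok", "198.51.100.10"),
    ("2025-06-07T13:00:00", "alice", "helpdesk_reset", "-"),
    ("2025-06-07T13:20:00", "alice", "login_ok", "203.0.113.77"),
    ("2025-06-07T22:00:00", "bob", "mfa_push_denied", "203.0.113.5"),
    ("2025-06-07T22:01:00", "bob", "mfa_push_denied", "203.0.113.5"),
    ("2025-06-07T22:02:00", "bob", "mfa_push_denied", "203.0.113.5"),
    ("2025-06-07T22:03:00", "bob", "mfa_push_denied", "203.0.113.5"),
    ("2025-06-07T22:04:00", "bob", "mfa_push_denied", "203.0.113.5"),
    ("2025-06-07T22:05:00", "bob", "mfa_push_approved", "203.0.113.5"),
    ("2025-06-08T08:00:00", "carol", "login_ok", "198.51.100.30"),
    ("2025-06-08T09:00:00", "carol", "helpdesk_reset", "-"),
    ("2025-06-08T09:30:00", "carol", "login_ok", "198.51.100.30"),
]

def detect(events, reset_window=timedelta(hours=24),
           push_window=timedelta(minutes=10), push_threshold=5):
    """Return (user, rule, time) alerts for the two patterns described above."""
    known_ips = defaultdict(set)   # IPs seen on earlier unflagged logins
    last_reset = {}                # user -> time of last help-desk reset
    denied = defaultdict(list)     # user -> times of denied pushes since last approval
    alerts = []
    for ts, user, kind, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[user] = t
        elif kind == "mfa_push_denied":
            denied[user].append(t)
        elif kind == "mfa_push_approved":
            # An approval that follows a burst of denials suggests MFA fatigue.
            burst = [d for d in denied[user] if t - d <= push_window]
            if len(burst) >= push_threshold:
                alerts.append((user, "approval_after_push_burst", ts))
            denied[user].clear()
        elif kind == "login_ok":
            reset = last_reset.get(user)
            if reset and t - reset <= reset_window and ip not in known_ips[user]:
                alerts.append((user, "new_ip_after_reset", ts))
            else:
                known_ips[user].add(ip)  # flagged IPs are not learned as known
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the sample data, carol's login after a reset comes from an address she has used before, so it raises no alert; only the new-address login and the approval after five denied pushes are flagged.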
By | 2025-06-18T10:32:12+05:30 June 17th, 2025|cyberattack, hackers, phishing, Ransomware, Tips|

About the Author:

FirstHackersNews- Identifies Security
