Insurance Companies the New Focus for “Scattered Spider” Hacking Team

Jun 25, 2025

Scattered Spider now has a long history of focusing on particular industries and regions for weeks at a time before pivoting somewhere else, and the Google Threat Intelligence Group is warning that their attention has now shifted to US insurance companies.

The group is most recently known for a string of attacks against major UK retailers that disrupted their online operations, but became a leading threat in 2023 with a longer spree that famously included hobbling computer-based systems and even elevators at MGM’s casinos. The group is using different types of ransomware these days, but its core tactics remain the same.

Scattered Spider regroups after 2024 arrest wave

After Scattered Spider established itself as one of the major threats of 2023, it saw a law enforcement backlash in 2024 that led to arrests of members throughout the US and UK. One of the group’s unique qualities, the fact that so many of its members were residents of these countries and native English speakers, seems to persist today even though the composition has changed somewhat.

In addition to attacking IT help desks via social engineering calls, the other thing that has not changed about the group is its patterns and preferences. It stalks particular industries and/or regions for weeks, and unlike some other ransomware gangs it has not yet transitioned away from focusing on the biggest companies (and the biggest paydays) it can shoot for. Thus far the group has gone after at least two fairly big insurance companies. One of the victims is Erie Insurance, a Fortune 500 company that claims to have some six million active policies. The other is Philadelphia Insurance Companies, one of the biggest providers of insurance to small businesses nationally.

After key members were lost to arrests in the latter half of 2024, the group seems to have transitioned to a more fluid model in which a broad assortment of cyber criminals come and go and meet up in designated chat channels to organize what are sometimes just single attacks. They will nearly always open an attack by approaching a help desk by phone claiming to be an employee who needs a password reset, and may also deploy their expertise in SIM swapping to capture target phone numbers and intercept 2FA codes.

Insurance companies are surprisingly lucrative hacking targets

So why pivot to insurance companies? As the two known targets thus far demonstrate, they can hold financial and personal information for millions of people and organizations. Studies have found that on average insurance companies can be expected to outsource around 25% to 30% of their IT functions, with help desks often being a big portion of that, but it is also not uncommon to see these companies outsource up to 90% of IT work and have very little in the way of in-house teams.

The impact of this current campaign is still unclear. The two insurance companies are thus far the only ones to make public notification of a breach. Erie Insurance has yet to report serious damages or disruption, but Philadelphia Insurance Companies has suffered an extended website outage as a result, one that began on June 9 and had lasted until at least June 22.

US insurance companies should make their help desks aware of the threat and put extra security measures in place when possible, such as more regular monitoring of employee logins from unusual places (Scattered Spider appears to be fond of using residential VPNs, as just one example) and putting added access controls in place between network segments.
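One way a defender can operationalize the login-monitoring advice above is to correlate help-desk password resets with the sign-in that follows them. The script below is an added example, not code from the article or from any vendor; the events, baseline and ASNs (taken from the RFC 5398 documentation range) are constructed, and the 24-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). ASNs are from the
# RFC 5398 documentation range, so they match no real network.
EVENTS = [
    {"ts": "2025-06-09T13:02:00", "type": "helpdesk_reset", "user": "alice"},
    {"ts": "2025-06-09T13:20:00", "type": "login", "user": "alice", "country": "US", "asn": "AS64500"},
    {"ts": "2025-06-09T09:00:00", "type": "login", "user": "bob", "country": "US", "asn": "AS64496"},
    {"ts": "2025-06-10T10:00:00", "type": "helpdesk_reset", "user": "carol"},
    {"ts": "2025-06-10T10:05:00", "type": "login", "user": "carol", "country": "US", "asn": "AS64496"},
    {"ts": "2025-06-11T02:00:00", "type": "login", "user": "bob", "country": "DE", "asn": "AS64505"},
]

# Constructed per-user baseline: (country, ASN) pairs seen in the prior 30 days.
BASELINE = {
    "alice": {("US", "AS64496")},
    "bob": {("US", "AS64496")},
    "carol": {("US", "AS64496")},
}

RESET_WINDOW = timedelta(hours=24)  # assumed tuning value


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_logins(events, baseline, window=RESET_WINDOW):
    """Flag logins from a (country, ASN) outside the user's baseline.
    Severity is 'high' when a help-desk password reset for the same user
    happened within `window` before the login (the reset-then-login chain
    the article describes), otherwise 'medium' (a new origin on its own)."""
    resets = {}
    for e in events:
        if e["type"] == "helpdesk_reset":
            resets.setdefault(e["user"], []).append(_ts(e))
    alerts = []
    for e in sorted(events, key=_ts):
        if e["type"] != "login":
            continue
        origin = (e["country"], e["asn"])
        if origin in baseline.get(e["user"], set()):
            continue  # known location for this user, nothing to flag
        t = _ts(e)
        chained = any(timedelta(0) <= (t - r) <= window for r in resets.get(e["user"], []))
        alerts.append({"user": e["user"], "ts": e["ts"], "origin": origin,
                       "severity": "high" if chained else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS, BASELINE):
        print(alert)
```

In a real deployment the baseline would be built from the identity provider's sign-in history and the ASN lookup from a GeoIP database, and a "high" alert is the one worth paging on because it matches the group's opening move.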
