Cybersecurity experts and Google’s Threat Intelligence Group (GTIG) issued urgent warnings to the US insurance industry regarding a surge of cyberattacks believed to be orchestrated by the hacker collective known as Scattered Spider. This group, also tracked as UNC3944, 0ktapus, Muddled Libra, and other aliases, is infamous for sophisticated social engineering campaigns that have previously targeted sectors such as retail, casinos, telecommunications, and financial services in both the US and UK.
Tactics and Techniques
• Sector-by-Sector Targeting: Scattered Spider is known for focusing intensely on one industry at a time. After a spree of attacks on major retailers in the UK and US, the group has pivoted to targeting US insurance companies.
• Social Engineering: The group specializes in deceiving call center and IT help desk staff, often impersonating employees to bypass security controls such as multi-factor authentication (MFA).
• Initial Access Methods: Common techniques include phishing, SIM-swapping, and MFA bombing (overwhelming users with authentication requests to trick them into granting access).
• Ransomware Deployment: Once inside a network, Scattered Spider has deployed ransomware strains like DragonForce, RansomHub, and Qilin, aiming to extort organizations and disrupt operations.
Confirmed and Suspected Victims
• Philadelphia Insurance Companies (PHLY): Suffered a major ransomware event starting June 9, which crippled internal systems, email, telephony, and customer-facing platforms. The company disconnected compromised infrastructure and is undergoing a staged recovery.
• Erie Insurance: Detected suspicious activity on June 7 and initiated incident response protocols. The company’s digital operations remain severely impacted, with customer portals offline and communications disrupted. Erie is working with law enforcement and cybersecurity experts. A class-action lawsuit has been filed, alleging failure to protect customer data.
