Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
Scattered Spider, the loose-knit cybercrime collective that recently ran roughshod over U.K.- and U.S.-based retailers, has pivoted once again, setting its sights on insurance companies, according to Google Threat Intelligence Group.
Google previously warned that the financially motivated threat group, which it tracks as UNC3944, was pivoting to U.S. retailers following a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. Multiple U.S.-based insurance companies have been impacted by attacks that share common circumstances and characteristics of known Scattered Spider activities, security specialists said Monday.
“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in an email Monday.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” Hultquist added.
If the pattern of recent Scattered Spider activities holds, reports of cyberattacks causing or leading to operational disruptions across the insurance sector would emerge in short order.
At least one insurance company has already come forward, indicating it discovered it was impacted by a cyberattack earlier this month.
Erie Insurance, a Fortune 500 company based in Pennsylvania, said it identified unusual activity on its network on June 7. “Upon learning of this activity, the company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems,” the company said in a June 11 regulatory filing.
Erie Insurance has not described the nature of the attack or named the group claiming responsibility. The company’s systems remain offline, preventing customers from accessing their online accounts or processing other requests.
Erie Insurance did not respond to a request for comment. A status page on the company’s site, which remains partially accessible, advises customers not to click on any links from unknown sources or share personal information via phone or email.
“We are working with law enforcement and are conducting a comprehensive forensic analysis with the assistance of leading cybersecurity experts to gain a full understanding of this event,” the company said in its most recent update on June 11. “The investigation into this event is ongoing.”
While the attack hasn’t been formally attributed to Scattered Spider, the timing and circumstances of the incident suggest the prolific threat group might be involved.
Mandiant Consulting CTO Charles Carmakal said Scattered Spider’s attacks targeting the insurance sector started about a week and a half ago.