Threat group linked to UK, US retail attacks now targeting insurance industry

Hackers linked to a recent string of attacks on U.K. and U.S. retailers are now targeting the insurance industry, according to Google researchers.

The attackers, suspected to be part of the collective known as Scattered Spider, have been targeting the retail industry since April and pivoted toward the insurance industry earlier this month, according to Google. Researchers say there are already multiple confirmed incidents at insurance companies. 

“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in a statement. “We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

There has been a “wave of targeting” over the past one and a half weeks, according to Hultquist. 

Scattered Spider has a history of targeting specific industries in clusters; researchers previously linked it to attacks on MGM Resorts and other casino companies. The threat collective is known to utilize sophisticated social-engineering techniques designed to trick IT help desks and others into bypassing multifactor authentication or otherwise handing over credentials. 

Mandiant in early May released a hardening guide for security teams focused on Scattered Spider’s techniques. 

Google’s disclosure that the group is targeting insurers comes as Erie Insurance investigates a suspected cyberattack that it discovered on June 7.

The company said it detected unusual activity and was working with law enforcement and forensic security teams to figure out the cause of a “network outage” linked to an information-security incident. 

In a filing with the Securities and Exchange Commission, the company said it was investigating the full scope and impact of the incident. Neither Erie nor any researcher has blamed the incident on a threat actor yet.

The Erie, Pa.-based insurance company operates in 12 states and has more than 7 million active car, home and business policies.

The company warned customers that it would not contact them by phone or email to request payments and urged them not to click on links from unknown sources or share personal information with anyone by phone or email.

