The threat actor known as Scattered Spider appears to have shifted its focus from the retail sector to insurance companies, according to a warning from Google’s Threat Intelligence Group.
Scattered Spider, tracked by Google and Mandiant as UNC3944, has been around for several years. Its activities have apparently been paused at times, particularly following law enforcement actions, but the hackers are now once again highly active.
The threat group is known for the use of sophisticated social engineering tactics, and its current focus appears to be on ransomware and data theft extortion.
After the recent attacks targeting major UK retailers Co-op, Harrods and M&S were linked to Scattered Spider — and a potentially affiliated ransomware group named DragonForce — Google warned that the hackers had turned their attention to retailers in the United States.
Now, roughly one month later, the tech giant has issued a fresh warning after its Threat Intelligence Group became aware of multiple attacks against the US insurance industry that appear to have been carried out by Scattered Spider.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” said John Hultquist, chief analyst at Google Threat Intelligence Group.
Google has not shared additional details on these new attacks, but pointed to guidance it published last month to help organizations defend against Scattered Spider attacks.
It’s unclear which companies have been targeted by Scattered Spider in the latest campaign.
One of them could be Erie Insurance, a Pennsylvania-based insurance company that detected a cybersecurity breach on June 7. Erie has been sharing updates about the impact of the incident, but it’s still unclear who was behind the attack.
SecurityWeek has reached out to Erie Insurance for comment and will update this article if the company responds.
Alleged Scattered Spider sim-swapper arrested in Spain