Cyber Threat Landscape Shifts: Increased Targeting of U.S. Insurance Sector by Cyber Adversaries
Threat intelligence experts are alerting organizations in the U.S. insurance sector about a recent wave of cyberattacks attributed to a group known for its strategic targeting. The malicious actors, identified as Scattered Spider, have shifted their focus from previous targets in retail industries in the U.K. to insurance companies within the United States.
John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), reported to industry sources that multiple intrusions have been documented, echoing patterns typically associated with Scattered Spider’s operations. Hultquist emphasized the importance of heightened vigilance within the insurance sector due to this concentrated approach taken by the group.
GTIG research advises organizations to pay particular attention to hardening their defenses against social engineering attempts aimed at help desk and call center staff. Scattered Spider is known for elaborate social engineering designed to circumvent established security measures.
The group, also referred to as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra, has been linked to significant breaches in which it used sophisticated techniques such as phishing, SIM swapping, and MFA fatigue (also called MFA bombing) to gain unauthorized access. In later phases of their attacks, these threat actors have been known to deploy various ransomware strains, including RansomHub, Qilin, and DragonForce.
To counter threats from groups like Scattered Spider, it is imperative for organizations to achieve comprehensive visibility across their entire infrastructure, including identity systems and critical management services. GTIG champions proactive strategies such as the segregation of identities, implementation of rigorous authentication protocols, and stringent identity controls for password resets and MFA registration.
Given the group's reliance on social engineering, educating staff about impersonation tactics across communication channels (such as SMS, phone calls, and messaging applications) can bolster defenses. Employees should be trained to recognize attempts, some of them aggressive, to pressure them into compliance.
The National Cyber Security Centre (NCSC) has previously shared insights following intrusions at high-profile retailers in the U.K. that were linked to Scattered Spider. They recommend activating multi-factor authentication, monitoring for unauthorized logins, and scrutinizing the legitimacy of access to privileged accounts.
Additionally, organizations are urged to reassess how their help desks authenticate credentials during resets, particularly for individuals with elevated access rights. Recognizing atypical login sources, such as VPN connections from residential ranges, may further aid in early detection of potential attacks.
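One way to turn the reset, MFA registration, and atypical-source guidance above into a detection is to correlate the three events per account. The sketch below is an added example, not code from GTIG or the NCSC. The event names, log schema, accounts, and address ranges are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (hypothetical schema, RFC 5737 addresses).
PRIVILEGED = {"j.admin"}
RESIDENTIAL = [ip_network("198.51.100.0/24")]  # stand-in for a residential/VPN-exit feed
USUAL = {"j.admin": [ip_network("192.0.2.0/24")], "m.clerk": [ip_network("192.0.2.0/24")]}
EVENTS = [  # (timestamp, event type, account, source IP or None)
    ("2025-01-10T09:00:00", "login_success", "m.clerk", "192.0.2.15"),
    ("2025-01-10T14:02:00", "helpdesk_password_reset", "j.admin", None),
    ("2025-01-10T14:09:00", "mfa_enrolled", "j.admin", "198.51.100.77"),
    ("2025-01-10T14:11:00", "login_success", "j.admin", "198.51.100.77"),
    ("2025-01-11T08:30:00", "helpdesk_password_reset", "m.clerk", None),
    ("2025-01-11T08:40:00", "login_success", "m.clerk", "192.0.2.15"),
]

def in_any(ip, networks):
    return any(ip_address(ip) in net for net in networks)

def find_reset_chains(events, window=timedelta(hours=4)):
    """Flag help-desk reset -> new MFA factor -> login from an atypical source."""
    state, alerts = {}, []  # state: account -> {"reset": time, "mfa": time or None}
    for ts, kind, user, ip in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        chain = state.get(user)
        if kind == "helpdesk_password_reset":
            state[user] = {"reset": when, "mfa": None}
        elif chain is None or when - chain["reset"] > window:
            state.pop(user, None)  # no recent reset: nothing to correlate
        elif kind == "mfa_enrolled":
            chain["mfa"] = when
        elif kind == "login_success" and chain["mfa"]:
            reasons = []
            if in_any(ip, RESIDENTIAL):
                reasons.append("residential_range")
            if not in_any(ip, USUAL.get(user, [])):
                reasons.append("new_network")
            if reasons:
                minutes = int((when - chain["reset"]).total_seconds() // 60)
                alerts.append({"account": user, "source": ip, "reasons": reasons,
                               "severity": "high" if user in PRIVILEGED else "medium",
                               "minutes_since_reset": minutes})
            del state[user]  # chain resolved, benign or not
    return alerts

if __name__ == "__main__":
    for alert in find_reset_chains(EVENTS):
        print(alert)
```

A reset followed by a login from the account's usual network, with no new MFA factor enrolled, is left alone, which keeps routine help desk resets out of the alert queue.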