Full Report
The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG). "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944)
## Attribution & Identity
* **Primary Name:** Scattered Spider
* **Aliases/Associated Groups:** UNC3944. Believed to have forged an alliance with the **DragonForce** ransomware cartel, following DragonForce's reported takeover of RansomHub infrastructure.
* **Characteristics:** Described as an "amorphous collective," suspected to operate in or have ties to Western countries, often described as "native English speakers," possessing cultural fluency that enhances social engineering effectiveness.
## Activity Summary
* **Recent Focus:** Targeting major **U.S. insurance companies**, following previous campaigns against various U.K. and U.S. retailers.
* **Operating Model:** Increasingly targeting **Managed Service Providers (MSPs)** and **IT contractors** to gain access to multiple downstream customer organizations simultaneously.
* **Discovery Source:** Google Threat Intelligence Group (GTIG) is aware of multiple intrusions bearing the hallmarks of Scattered Spider activity in the U.S. insurance sector.
## Tactics, Techniques & Procedures
* **Primary Method:** Advanced social engineering built on cunning psychological manipulation of staff, in particular the people who can reset credentials.
* **Specific Techniques:**
  * Impersonating employees when contacting IT support.
  * Deceiving IT support teams, with a specialty in help desks and call centers.
  * Bypassing **Multi-Factor Authentication (MFA)** via social engineering, for example by persuading a help desk to approve an account reset (see Mitigations).
  * Preferentially targeting organizations whose support processes are susceptible to social engineering.
* **Role in the Intrusion Chain:** The actor's typical activity focuses on gaining initial access rather than directly deploying ransomware, monetizing that access through relationships with ransomware groups such as DragonForce.
## Targeting
* **Sectors:** Insurance industry (current focus); previously targeted retailers.
* **Geography:** U.S. (current focus); previously targeted the U.K. and U.S.
* **Victims:** Large enterprise organizations, especially those with large help desks and outsourced IT functions.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly detailed in the provided text, but their operations are now linked to the **DragonForce** ransomware cartel.
* **Infrastructure (C2, domains, IPs):** No specific URLs or IPs were provided in the summary text.
## Implications
* The shift in focus to the insurance industry suggests deliberate, sector-at-a-time targeting (GTIG: "Given this actor's history of focusing on a sector at a time"), so other insurers should expect to be approached.
* The reliance on social engineering for MFA bypass poses a significant security challenge, especially for organizations with large, potentially vulnerable help desk/call center infrastructure.
* Alliances with known ransomware groups (DragonForce) imply high monetization potential following successful initial access.
## Mitigations
* Enhance authentication mechanisms, with particular attention to the account-recovery and MFA-reset paths the actor abuses.
* Enforce rigorous identity controls so that a reset or re-enrollment is approved only for a positively verified identity.
* Implement access restrictions and boundaries (least privilege, segmentation) to limit privilege escalation and lateral movement after an initial foothold.
* **Crucially:** Train help desk personnel to positively and rigorously verify employee identity before approving account resets or other sensitive actions, using a method an impersonator cannot satisfy with publicly available or stolen personal details.
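The TTPs above (help-desk-driven password and MFA resets) and the help-desk verification mitigation suggest one concrete detection: flag help-desk resets that were weakly verified and were followed shortly by a new-device MFA enrollment or sign-in. The following is an added example written for this page, not code from GTIG or the original report. The JSON-lines audit records, their field names (`helpdesk_reset`, `mfa_enroll`, `verification`, `new_device`) and the set of "strong" verification methods are all constructed assumptions for the illustration; map them to your own identity provider and ticketing logs.

```python
"""Detection sketch: help-desk-initiated credential/MFA resets followed by
new-device enrollment. Input is constructed JSON-lines audit data (not real
vendor logs); all field names are assumptions for this example."""
import json
from datetime import datetime, timedelta

# Verification methods the help desk may accept before a reset. Only these
# positively tie the caller to the employee of record; everything else is
# the kind of check an impersonator can talk their way through. (Assumed set.)
STRONG_VERIFICATION = {"callback_number_of_record", "manager_video_confirm"}

# Constructed sample audit trail (ISO-8601 UTC timestamps). Not real data.
SAMPLE_LOG = """\
{"ts":"2025-06-16T13:02:11Z","type":"helpdesk_reset","agent":"hd-agent-07","user":"jdoe","ticket":"INC-0001","action":"password_reset","verification":"callback_number_of_record"}
{"ts":"2025-06-16T13:10:40Z","type":"signin","user":"jdoe","new_device":false,"mfa":"push"}
{"ts":"2025-06-16T14:25:03Z","type":"helpdesk_reset","agent":"hd-agent-12","user":"asmith","ticket":"INC-0002","action":"mfa_reset","verification":"employee_id_only"}
{"ts":"2025-06-16T14:31:55Z","type":"mfa_enroll","user":"asmith","method":"authenticator_app","new_device":true}
{"ts":"2025-06-16T14:33:20Z","type":"signin","user":"asmith","new_device":true,"mfa":"authenticator_app"}
{"ts":"2025-06-16T15:05:00Z","type":"helpdesk_reset","agent":"hd-agent-12","user":"bchen","ticket":"","action":"password_reset","verification":"none"}
{"ts":"2025-06-17T09:00:00Z","type":"signin","user":"bchen","new_device":true,"mfa":"push"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=timedelta(hours=6)):
    """Return one alert per help-desk reset that was weakly verified, lacked a
    ticket, or was followed within `window` by a new-device enrollment/sign-in."""
    alerts = []
    for r in (e for e in events if e["type"] == "helpdesk_reset"):
        reasons = []
        if r["verification"] not in STRONG_VERIFICATION:
            reasons.append(f"weak verification: {r['verification']}")
        if not r.get("ticket"):
            reasons.append("no ticket reference")
        followups = [
            e for e in events
            if e["user"] == r["user"]
            and r["ts"] < e["ts"] <= r["ts"] + window
            and e["type"] in ("mfa_enroll", "signin")
            and e.get("new_device")
        ]
        if followups:
            kinds = sorted({e["type"] for e in followups})
            reasons.append("new device within window: " + ", ".join(kinds))
        if not reasons:
            continue
        # Weak process *and* a new device right after the reset is the
        # pattern that matters; process gaps alone are lower-severity review items.
        severity = "high" if followups and len(reasons) >= 2 else "medium"
        alerts.append({
            "user": r["user"], "agent": r["agent"], "action": r["action"],
            "ticket": r.get("ticket") or None, "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["user"], a["action"], "|", "; ".join(a["reasons"]))
```

On the sample data this raises a high-severity alert for `asmith` (MFA reset verified by employee ID only, then a new authenticator enrolled and used six minutes later) and a medium one for `bchen` (no verification, no ticket, but no new device inside the window); `jdoe` is clean. In production the same correlation should also count how many weakly verified resets each help-desk agent approves, since a single agent being repeatedly talked into resets is itself a signal.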