Full Report
Multiple U.S.-based companies in the insurance sector have already been hit over the past week and a half, according to Mandiant. Source: "Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry," CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944)
## Attribution & Identity
* Identified threat actor: Scattered Spider.
* Government/Vendor Tracking Name: UNC3944 (tracked by Google Threat Intelligence Group).
* Nature: Financially motivated cybercrime collective.
## Activity Summary
Scattered Spider recently conducted an attack spree against the retail sector in the U.K. and the U.S., including retailers and grocery stores, often involving ransomware and extortion. The group has since pivoted to the insurance industry in the U.S.
Specific activity noted:
* Multiple U.S. insurance companies have been hit within the past week and a half by intrusions bearing the hallmarks of Scattered Spider activity.
* Erie Insurance (a Fortune 500 company based in Pennsylvania) discovered unusual network activity on June 7, which led to operational disruptions; systems remained offline as of June 11. The article does not formally attribute this incident to Scattered Spider, but the timing strongly suggests involvement.
## Tactics, Techniques & Procedures
The TTPs noted for this group are:
- Social engineering schemes directly targeting help desks and call centers (the primary TTP explicitly highlighted for targeting the insurance sector).
- Ransomware and extortion attacks, with which the group is historically associated.
## Targeting
* Sectors: Insurance industry (recent pivot), Retail sector, and Grocery stores (historical emphasis).
* Geography: U.K. and U.S.
* Victims: Multiple unnamed U.S. insurance companies; Erie Insurance (Pennsylvania, USA).
## Tools & Infrastructure
- Malware families used: Not detailed in this text; the group is associated with ransomware and extortion attacks.
- Infrastructure (C2, domains, IPs): Not mentioned in the provided text.
## Implications
The shift to the insurance sector suggests that Scattered Spider follows a pattern of focusing intensely on one sector at a time. The insurance industry, particularly organizations relying heavily on help desks and call centers, should be on high alert for imminent or ongoing attacks that could lead to significant operational disruptions.
## Mitigations
- The insurance industry should be on high alert for social engineering schemes targeting their help desks and call centers.
- Customers of affected entities (like Erie Insurance) are advised not to click on links from unknown sources or share personal information via phone or email.
- Organizations experiencing potential compromise should activate incident response protocols, engage security experts for forensic analysis, and involve law enforcement, as exemplified by Erie Insurance.