Full Report
Threat intelligence researchers are warning of hackers breaching multiple U.S. companies in the insurance industry using all the tactics observed with Scattered Spider activity. [...]
Analysis Summary
# Threat Actor: SCATTERED SPIDER (also mentioned in context of DragonForce ransomware)
## Attribution & Identity
The threat actor is explicitly identified as **SCATTERED SPIDER**. They are associated with the deployment of **DragonForce ransomware** in the final stages of their attacks.
## Activity Summary
SCATTERED SPIDER has recently shifted focus to targeting **U.S. insurance companies**. Historically, they have been linked to successful breaches against UK retailers, including **Marks & Spencer**, **Co-op**, and **Harrods** earlier this year. These attacks were characterized by the use of specific social engineering tactics followed by the deployment of DragonForce ransomware.
## Tactics, Techniques & Procedures
- **Social Engineering:** Uses impersonation attempts via various channels (SMS, phone calls, messaging platforms).
- **Aggressive Language:** Employs aggressive language during social engineering efforts to coerce targets into compliance.
- **Credential Handling:** Targets helpdesk staff, passing identity verification under an impersonated identity to obtain credential resets, particularly for privileged accounts.
- **Ransomware Deployment:** Deploys **DragonForce ransomware** as the final payload in their operations.
- **Detection Indicator:** Post-compromise logins may originate from unusual sources, such as VPN services that egress from residential IP ranges.
## Targeting
- Sectors: U.S. Insurance Companies (recent focus); UK Retailers (historical focus).
- Geography: United States (current focus); United Kingdom (historical targets mentioned).
- Victims: Marks & Spencer, Co-op, Harrods.
## Tools & Infrastructure
- Malware families used: **DragonForce ransomware**.
- Infrastructure (C2, domains, IPs): No specific C2 infrastructure (URLs or IPs) is detailed in the summary provided; the logins observed from VPN services with residential IP ranges point to use of compromised credentials over legitimate remote-access paths rather than dedicated attacker infrastructure.
## Implications
SCATTERED SPIDER poses a significant threat due to their proficiency in combining sophisticated social engineering with a destructive ransomware payload (DragonForce). The shift toward the U.S. insurance sector suggests a move toward potentially higher-value financial targets. Their compromise of well-known retailers shows that their intrusions reliably progress from initial access to ransomware deployment.
## Mitigations
- Activate Two-Factor/Multi-Factor Authentication (MFA).
- Monitor for unauthorized logins.
- Verify the legitimacy of access to high-privilege accounts (Domain Admin, Enterprise Admin, Cloud Admin).
- Review helpdesk procedures so that caller identity is strictly verified before any credential reset, especially for employees holding privileged accounts.
- Implement monitoring to identify logins originating from unusual sources, such as VPN services using residential IP address ranges, and correlate them with recent helpdesk resets.
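The last two mitigations combine naturally into one detection: a login from a residential-VPN egress range is suspicious on its own, and far more so when the account is privileged or was reset by the helpdesk shortly before. The following is an added example, not code from the report or from any vendor it mentions; the log line format, the `RESIDENTIAL_VPN_RANGES` list (RFC 5737 documentation ranges standing in for a real intel feed), the `PRIVILEGED_USERS` set, the 24-hour `RESET_WINDOW` and the sample events are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed placeholder: in production this list is populated from an
# intel feed of residential-proxy / consumer-VPN egress ranges. These are
# RFC 5737 documentation ranges, NOT real provider ranges.
RESIDENTIAL_VPN_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed: accounts holding Domain/Enterprise/Cloud Admin rights.
PRIVILEGED_USERS = {"j.doe"}

# Assumed window in which a helpdesk reset followed by a VPN login is linked.
RESET_WINDOW = timedelta(hours=24)

# Assumed log line shape: "<ISO ts> <reset|login> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>reset|login)\s+(?P<rest>.*)$")

# Constructed sample events (not from the report): a helpdesk reset of a
# privileged account, followed minutes later by a login from a residential
# VPN range, plus benign and non-privileged activity for contrast.
SAMPLE_EVENTS = [
    "2025-06-16T09:02:11Z reset user=j.doe actor=helpdesk01 ticket=HD-0001",
    "2025-06-16T09:15:40Z login user=j.doe src=203.0.113.45 result=success",
    "2025-06-16T10:00:05Z login user=a.smith src=192.0.2.10 result=success",
    "2025-06-16T11:30:00Z login user=b.lee src=198.51.100.7 result=success",
    "2025-06-17T08:00:00Z login user=j.doe src=10.0.0.12 result=success",
]


def parse_event(line):
    """Parse one log line into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "kind": m.group("kind"), **fields}


def is_residential_vpn(ip_str):
    """True when the source address falls inside a known residential-VPN range."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RESIDENTIAL_VPN_RANGES)


def analyze(lines):
    """Return findings for successful logins from residential-VPN ranges.

    Severity is raised to 'high' when the account is privileged or was
    reset by the helpdesk within RESET_WINDOW before the login.
    """
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_reset = {}  # user -> timestamp of most recent helpdesk reset
    findings = []
    for e in events:
        if e["kind"] == "reset":
            last_reset[e["user"]] = e["ts"]
            continue
        # Failed attempts belong to a separate brute-force rule; skip here.
        if e.get("result") != "success" or not is_residential_vpn(e["src"]):
            continue
        reasons = ["residential_vpn_source"]
        if e["user"] in PRIVILEGED_USERS:
            reasons.append("privileged_account")
        reset_ts = last_reset.get(e["user"])
        if reset_ts is not None and e["ts"] - reset_ts <= RESET_WINDOW:
            reasons.append("recent_helpdesk_reset")
        findings.append({
            "ts": e["ts"],
            "user": e["user"],
            "src": e["src"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts'].isoformat()} {f['severity']:6} {f['user']} "
              f"from {f['src']}: {', '.join(f['reasons'])}")
```

Run against the sample, the j.doe login is reported as high (residential VPN source, privileged account, helpdesk reset thirteen minutes earlier) and the b.lee login as medium; the next-day j.doe login from an internal address is not reported, since source reputation is the gating condition and privilege only raises severity.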