Full Report
Multiple U.S.-based companies in the insurance sector have already been hit over the past week and a half, according to Mandiant. The post Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944)
## Attribution & Identity
- **Attribution:** A financially motivated, loose-knit cybercrime collective.
- **Aliases/Associated Groups:** Tracked by Google Threat Intelligence Group as UNC3944.
## Activity Summary
Scattered Spider recently conducted a "roughshod" attack spree against U.K.- and U.S.-based retailers and grocery stores, involving ransomware and extortion. They are now observed pivoting and targeting the U.S. insurance industry, with multiple intrusions noted over the past week and a half. Erie Insurance, a Fortune 500 company, is confirmed as one of the recent victims, experiencing unusual activity on June 7 that resulted in widespread system outages.
## Tactics, Techniques & Procedures
- Pivot behavior: Shifting focus sector by sector (Retail → Insurance).
- Social engineering schemes targeting IT help desks and call centers are a key tactic.
- Attacks are leading to operational disruptions.
- **Specific incident mentioned (Erie Insurance):** The company discovered "unusual activity on its network," which led to incident response and system takedowns.
## Targeting
- **Sectors:** Retailers, Grocery Stores, and currently the Insurance Industry (U.S.-based companies).
- **Geography:** U.K. and U.S.
- **Victims:** Multiple unspecified U.S. insurance companies; the named victim is Erie Insurance (Pennsylvania).
## Tools & Infrastructure
- **Malware families used:** Ransomware and extortion tools were used in previous retail operations.
- **Infrastructure (C2, domains, IPs):** None specified in the provided text.
## Implications
Scattered Spider maintains an aggressive, high operational tempo and has shown that it can pivot quickly across critical sectors once its initial objectives in one sector are met. The shift to the insurance sector poses significant risk because of the potential for operational disruption and because the group relies on call centers and help desks for initial access. Organizations in this sector should prepare for immediate, targeted social engineering attacks.
## Mitigations
- Insurance industry organizations should be on high alert.
- Heighten vigilance against social engineering schemes targeting help desks and call centers.
- Customers of targeted entities (like Erie Insurance) are advised not to click on any links from unknown sources or share personal information via phone or email.