Full Report
Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.”
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944)
## Attribution & Identity
Actor identified by Google’s Threat Intelligence Group as **UNC3944**, which Google states overlaps with **Scattered Spider** but has “more narrowly defined” boundaries. The group is an offshoot of the larger cybercrime community known as **The Com** and is noted for its English-speaking membership, which suits its phone-based social engineering.
## Activity Summary
Scattered Spider has shifted its focus from the retail industry (U.K. and U.S.) to the **insurance industry**; the insurance intrusions began approximately a week and a half before the report was published.
**Recent Campaign (Insurance Industry):**
* Targeting multiple U.S.-based insurance companies, beginning about a week and a half ago.
* Caused network outages at **Erie Insurance** (which reported no evidence of ransomware) and **Philadelphia Insurance Companies** (affecting phone, email, and online applications).
* An unnamed major Swedish insurance firm was also allegedly attacked, resulting in its website being taken offline.
**Historical Campaigns:**
* Attacks on the **retail industry** in the U.S. and U.K., including victims like Marks & Spencer, the Co-op, Harrods, Victoria’s Secret, North Face, Cartier, Adidas, Dior, and Tiffany.
* High-profile attacks against casino giants **MGM Resorts** and **Caesars Entertainment**, sometimes leading to data theft or ransomware deployment.
## Tactics, Techniques & Procedures
- **Social Engineering of IT/Help Desks:** Impersonating members of the target's IT department in calls to help desks and call centers to obtain initial access, typically by talking an operator into a credential or MFA reset.
- **Abuse of Salesforce Tools:** Socially engineering staff into authorizing a widely used Salesforce tool with broad access to the organization's Salesforce data, then using that access to exfiltrate data and pivot laterally. The source does not name the tool.
- **Data Theft and Extortion:** Leveraging access to steal sensitive customer data.
- [No specific MITRE ATT&CK IDs were provided in the source material.]
## Targeting
- Sectors: **Insurance** (current focus), **Retail**, **Casinos/Hospitality**.
- Geography: **U.K.** and **U.S.** (primary focus areas mentioned), with reported activity in **Sweden**.
- Victims: Erie Insurance, Philadelphia Insurance Companies, unnamed insurance firms in the U.S. and Sweden; historically MGM Resorts and Caesars Entertainment.
## Tools & Infrastructure
- Malware families used: Not explicitly detailed; the MGM Resorts and Caesars Entertainment references indicate that past campaigns did deploy ransomware.
- Infrastructure (C2, domains, IPs): Specific infrastructure details were not provided in the summary.
## Implications
The shift to the insurance industry is a high-risk development because these firms hold vast amounts of sensitive customer data (personal, financial, health), making them prime targets for data theft and extortion. The actor's established competency in social engineering aligns well with the structure of large insurance firms, which often rely on complex, outsourced IT functions and help desks: an outsourced operator has little context for spotting an impersonated employee, and a reset granted over the phone leaves few technical indicators, which makes detection difficult.
## Mitigations
- Heightened alert for **social engineering schemes** targeting help desks and call centers within the insurance industry, in particular phone requests for credential or MFA resets; such requests warrant out-of-band identity verification (for example a callback to a number already on file or manager confirmation) before any reset is performed.
- Strong security controls and detection mechanisms across complex, outsourced and global IT structures, including monitoring for newly authorized third-party or connected applications that are granted broad data access shortly after a help-desk-assisted account change.
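As an added illustration of how the help-desk and connected-app TTPs described above could be surfaced in identity telemetry, the following correlation check is example code written for this page, not Google's or any vendor's tooling. The log format, field names, user names, ticket numbers, the `bulk_export_client` app name and the IP addresses are all constructed for the example; a real deployment would read the identity provider's audit log and the SaaS platform's connected-app consent events instead. The rule flags a help-desk reset that is followed, within a short window, by both a new MFA enrollment and an OAuth consent granting API-level scopes, which is the chain the mitigations above are meant to interrupt.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # helpdesk_reset | mfa_enroll | oauth_consent | login
    fields: dict  # key=value pairs parsed from the detail column


# Constructed sample log in a hypothetical pipe-delimited format. The users,
# ticket numbers, app name and addresses are invented, not from any real incident.
SAMPLE_LOG = """\
2025-06-16T09:02:11Z|j.doe|helpdesk_reset|ticket=HD-4411 reason=lost_phone verified_by=employee_id_only
2025-06-16T09:09:40Z|j.doe|mfa_enroll|device=android factor=totp
2025-06-16T09:31:05Z|j.doe|oauth_consent|app=bulk_export_client scopes=api,refresh_token
2025-06-16T09:33:18Z|j.doe|login|ip=203.0.113.7 geo=unknown
2025-06-16T10:15:00Z|a.lee|mfa_enroll|device=iphone factor=push
2025-06-16T11:00:00Z|s.kim|helpdesk_reset|ticket=HD-4420 reason=new_laptop verified_by=manager_callback
2025-06-16T11:05:00Z|s.kim|login|ip=198.51.100.4 geo=office
2025-06-17T14:00:00Z|a.lee|oauth_consent|app=bulk_export_client scopes=api
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, fields))
    return sorted(events, key=lambda e: e.ts)


def _grants_broad_scopes(consent: Event, broad: frozenset) -> bool:
    """True if the consent event granted at least one API-level scope."""
    scopes = set(consent.fields.get("scopes", "").split(","))
    return bool(scopes & broad)


def find_takeover_chains(events: list[Event], window_minutes: int = 120,
                         broad_scopes: frozenset = frozenset({"api", "refresh_token", "full"})) -> list[dict]:
    """Return one alert per help-desk reset that is followed, within the window,
    by both a new MFA enrollment and an OAuth consent granting broad scopes.

    Either event alone is routine (people lose phones, apps get authorized); the
    three together, in order and close in time, is the help-desk takeover pattern.
    """
    window = timedelta(minutes=window_minutes)
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset.action != "helpdesk_reset":
                continue
            later = [x for x in evs[i + 1:] if x.ts - reset.ts <= window]
            mfa = next((x for x in later if x.action == "mfa_enroll"), None)
            consent = next((x for x in later
                            if x.action == "oauth_consent" and _grants_broad_scopes(x, broad_scopes)), None)
            if mfa and consent:
                alerts.append({
                    "user": user,
                    "ticket": reset.fields.get("ticket"),
                    "verified_by": reset.fields.get("verified_by"),  # weak verification is itself a finding
                    "mfa_device": mfa.fields.get("device"),
                    "app": consent.fields.get("app"),
                    "scopes": consent.fields.get("scopes"),
                    "minutes_to_consent": int((consent.ts - reset.ts).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only `j.doe` trips the rule: the reset was verified by employee ID alone, a new TOTP device was enrolled seven minutes later, and a client with `api` and `refresh_token` scopes was authorized within half an hour. `a.lee` has both an MFA enrollment and a consent but no preceding reset, and `s.kim` had a properly verified reset with no follow-on events, so neither generates an alert. The two-hour window and the scope list are tunable assumptions; in practice the `verified_by` value would also feed a separate, lower-severity rule for resets performed without out-of-band confirmation.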