Insurance companies are warned to be on their guard against a spreading campaign of network intrusions orchestrated by the Scattered Spider cyber crime collective after evidence emerged that the teenaged hacking gang has hit multiple insurance companies in the United States amid a months-long resurgence in its activity, according to the Google Threat Intelligence Group.
A few weeks ago GTIG was first to warn that a spring offensive by Scattered Spider, which initially targeted UK based retailers Marks & Spencer and Co-op, had spread to retailers in the US and elsewhere – with globally recognised brands such as Adidas, Cartier, Dior, North Face, Tiffany and Victoria’s Secret all implicated in the gang’s renewed crime spree. However it now appears that the hackers have changed their targeting to some degree.
“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” said John Hultquist, GTIG chief analyst.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centres.”
New targets
Addressing the question of why Scattered Spider might be switching up its campaign, Kasey Best, director of threat intelligence at Silent Push, a threat hunting specialist, told Computer Weekly: “While I can’t speak to recent attribution at this time, I can say this: Scattered Spider doesn’t care what industry their targets operate in beyond the simple calculation of ‘can they pay?’ and ‘can we get in?’.
“Recent shifts in the retail sector that have increased the perceived ‘heat’ and ‘awareness’ of the group – and thus, expanded training as well as defensive spending in the sector – may be informing the calculus to switch to one that is less prepared,” he said.
Richard Orange, EMEA vice president of behavioural analysis specialist Abnormal AI, said that given the amount of sensitive data held by insurance companies, it was little surprise that they should find themselves on the receiving end of cyber attacks by groups such as Scattered Spider.
But Jon Abbott, CEO of ThreatAware, a security management platform, additionally pointed out that no industries were truly immune: “Previous successes in retail and entertainment, against the likes of M&S, Caesars and MGM, highlights one critical truth: cyber hygiene matters more than the tools already deployed and working.”
Advice for defenders
Abbott continued: “They [Scattered Spider] don’t rely on advanced exploits but instead use fast moving social engineering tactics to bypass weak helpdesk protocols and identity checks.
“Defence must start with the fundamentals. Accurate asset inventories, tamper-proof identity verification and hardened service desk processes are all essential. Security teams must also monitor for behavioural anomalies, like unexpected access requests or administrative changes, rather than just relying on traditional malware detection.”
Orange at Abnormal AI added: “Insurance providers and their partners must treat identity systems and help desk procedures as critical assets. They should implement phishing-resistant MFA and strengthen verification processes. This, alongside training staff to rigorously challenge even familiar requests, is essential to defend against evolving social engineering threats.”
Most importantly, said Abbott, insurers should strive to cultivate an appropriate security awareness culture at all levels of the business, and across all teams – particularly those likely to face potential social engineering attacks, such as call centres.
Google reiterated its previous advice on hardening networks to resist Scattered Spider intrusions, which was last updated in May.
