A wave of cyberattacks targeting U.S. insurance companies is raising alarm among cybersecurity experts, who say the intrusions bear the hallmarks of a threat actor known as Scattered Spider. This loosely connected group of hackers has been behind several high-profile breaches in recent years, using advanced social engineering techniques to infiltrate well-defended organizations.
Researchers from Google’s Threat Intelligence Group (GTIG) say they have identified multiple recent intrusions in the United States that align closely with the tactics used by Scattered Spider. The group has previously been active in the retail sector, first in the United Kingdom and later in the United States, indicating a sector-focused approach to its campaigns.
Two Major U.S. Insurance Firms Compromised
The latest warning comes as two U.S. insurance providers disclosed incidents involving unauthorized access and significant operational disruptions.
Philadelphia Insurance Companies (PHLY) revealed that it detected suspicious activity on June 9 and responded by disconnecting affected systems to contain the threat. The company’s website still displays an outage notification, indicating that recovery efforts are ongoing.
Similarly, Erie Insurance experienced a disruption that began on June 7. In a filing with the U.S. Securities and Exchange Commission (SEC), the company described the incident as stemming from “unusual network activity” that prompted swift defensive actions to protect systems and data.
Scattered Spider: A Persistent and Evolving Threat
Scattered Spider is known under multiple aliases, including 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra. The group is notable for its use of advanced social engineering tactics—such as phishing, SIM-swapping, and multi-factor authentication (MFA) fatigue attacks—to gain initial access to target environments.
Once inside, attackers have been observed deploying ransomware variants such as DragonForce, Qilin, and RansomHub to encrypt systems and demand ransom payments. These attacks can cause prolonged disruptions and significant financial losses for affected organizations.
Tactics Centered on Social Engineering
Scattered Spider’s success is often attributed to its exploitation of human vulnerabilities. The group typically targets help desk and call center staff, impersonating legitimate users in order to bypass security checks. These impersonation attempts can occur through multiple communication channels, including SMS, phone calls, and messaging platforms.
Experts note that attackers sometimes employ aggressive or urgent language to pressure employees into resetting passwords or granting access to sensitive systems. These socially engineered tactics bypass traditional security defenses and exploit organizational trust.
U.K. Retail Attacks Reveal a Pattern
The current wave of U.S. attacks mirrors incidents in the United Kingdom earlier this year, where retailers including Marks & Spencer, Harrods, and Co-op were breached. In those cases, attackers used similar social engineering strategies, ultimately deploying DragonForce ransomware during the final stages of the intrusion.
Following those incidents, the U.K.’s National Cyber Security Centre (NCSC) issued a set of recommendations for improving resilience against such threats. These included:
- Enabling two-factor or multi-factor authentication (MFA) across all systems
- Monitoring for unauthorized logins, particularly for Domain Admin, Enterprise Admin, and Cloud Admin accounts
- Reviewing how help desks authenticate users before allowing password resets
- Flagging logins from unusual sources, such as VPNs operating from residential IP address ranges
These measures were designed to strengthen organizational defenses against the tactics used by groups like Scattered Spider.
Recommended Defensive Measures for U.S. Companies
In light of the recent breaches, GTIG is urging organizations—particularly in the insurance industry—to improve their security posture. Recommended strategies include:
- Gaining complete visibility across IT infrastructure, identity systems, and administrative platforms
- Segregating identities and implementing strong authentication criteria
- Establishing robust controls for password resets and MFA registrations
- Training employees and internal security teams to recognize impersonation attempts and social engineering tactics
- Auditing help desk procedures to prevent unauthorized access by impersonators
- Monitoring login behavior for unusual or suspicious activity, such as access from high-risk IP addresses
These steps are considered critical in defending against a group known for targeting human error as much as technical vulnerabilities.
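The NCSC and GTIG recommendations above both come down to a few concrete detections: privileged-account logins from residential-VPN or high-risk IP ranges, password resets or MFA registrations on privileged accounts, and repeated MFA push denials (the fatigue pattern). The following is an added example, not code from the article or from GTIG, that runs those three checks over a constructed auth log; the log lines, field layout, role names and the watchlisted IP ranges are all assumptions standing in for a real SIEM feed.

```python
import ipaddress
from collections import Counter

# Constructed sample authentication events (not taken from the article).
# Fields: timestamp user role action src_ip result
SAMPLE_LOG = """\
2025-06-09T02:01:11Z jdoe user login 203.0.113.8 success
2025-06-09T02:03:40Z da-ops domain_admin login 198.51.100.23 success
2025-06-09T02:05:02Z jdoe user mfa_push 192.0.2.77 denied
2025-06-09T02:05:31Z jdoe user mfa_push 192.0.2.77 denied
2025-06-09T02:06:04Z jdoe user mfa_push 192.0.2.77 denied
2025-06-09T02:06:40Z jdoe user mfa_push 192.0.2.77 approved
2025-06-09T02:09:15Z cloud-adm cloud_admin password_reset 10.0.5.4 success
2025-06-09T02:11:50Z cloud-adm cloud_admin mfa_register 198.51.100.200 success
2025-06-09T02:15:00Z ea-backup enterprise_admin login 10.0.5.9 success
"""

PRIVILEGED_ROLES = {"domain_admin", "enterprise_admin", "cloud_admin"}
SENSITIVE_ACTIONS = {"password_reset", "mfa_register"}
# Assumed watchlist of residential-VPN / high-risk ranges. These are
# RFC 5737 documentation prefixes standing in for a real intel feed.
FLAGGED_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]
MFA_DENY_THRESHOLD = 3  # denied pushes before we call it MFA fatigue

def is_flagged(src_ip):
    """True if src_ip falls inside any watchlisted range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in FLAGGED_RANGES)

def analyze(log_text):
    """Return (rule, user, detail) alerts for the three checks above."""
    alerts = []
    denied = Counter()  # denied pushes per user; bound to a time window in production
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, role, action, src, result = line.split()
        privileged = role in PRIVILEGED_ROLES
        if privileged and action == "login" and is_flagged(src):
            alerts.append(("PRIV_LOGIN_FLAGGED_IP", user, src))
        if privileged and action in SENSITIVE_ACTIONS:
            alerts.append(("PRIV_CREDENTIAL_CHANGE", user, action))
        if action == "mfa_push" and result == "denied":
            denied[user] += 1
            if denied[user] == MFA_DENY_THRESHOLD:
                alerts.append(("MFA_FATIGUE", user, src))
        elif action == "mfa_push" and result == "approved" and denied[user] >= MFA_DENY_THRESHOLD:
            alerts.append(("MFA_APPROVED_AFTER_FATIGUE", user, src))
    return alerts
```

On the sample log this raises five alerts: the Domain Admin login from a watchlisted range, the fatigue pattern and the approval that follows it, and the two credential changes on the Cloud Admin account; the Enterprise Admin login from an internal address raises none.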
Escalating Threat Calls for Industry-Wide Readiness
The insurance industry holds vast amounts of sensitive data, making it an appealing target for cybercriminals. As Scattered Spider and similar groups increase their focus on this sector, experts say other companies should anticipate more attacks and take proactive steps to defend against them.
Because the group’s methods rely heavily on tricking personnel into granting access, cybersecurity is no longer just about firewalls and antivirus software—it’s also about awareness, training, and procedural vigilance.