Shane

Scattered Spider Targets Insurance Industry: A Critical Threat to Financial Security

Understanding Scattered Spider’s Methods: Insurance Industry Risk Assessment

The notorious cybercriminal group Scattered Spider has shifted its focus from retail attacks to aggressively targeting the U.S. insurance industry. Google Threat Intelligence Group confirmed multiple intrusions bearing the hallmarks of Scattered Spider activity, marking a dangerous new chapter in the group’s evolution. This development represents a critical threat to the financial sector and the millions of Americans who rely on insurance services.

Description of Scattered Spider

Scattered Spider, also known as UNC3944, Starfraud, Octo Tempest, and Muddled Libra, is a financially motivated cybercriminal collective primarily composed of young adults aged 19-22 from the United States and United Kingdom. Operating since 2022, the group has gained infamy for its sophisticated social engineering tactics and its ability to navigate complex cloud environments. It is part of a larger hacking community known as “The Community” and has demonstrated an alarming pattern of focusing on one industry sector at a time before pivoting to new targets.

Recent attacks have been linked to the DragonForce ransomware cartel, with whom Scattered Spider appears to have formed an alliance. The group’s English-speaking members possess cultural fluency that makes their impersonation attacks exceptionally convincing to Western targets.

(UNC3944 Global Targeting Map – Source: Google)

Severity of the Threat

The severity of Scattered Spider’s threat to the insurance industry cannot be overstated. The group has already compromised multiple U.S. insurance companies, with attacks beginning approximately 10 days ago according to Mandiant Consulting. Their track record includes devastating breaches against major corporations including MGM Resorts (resulting in over $100 million in losses), Caesars Entertainment, and prominent UK retailers like Marks & Spencer and Harrods.

The insurance industry presents an attractive target due to the vast amounts of sensitive personal and financial data these companies handle, including Social Security numbers, driver’s license information, and comprehensive financial records. A successful breach can impact millions of policyholders and create cascading effects throughout the financial ecosystem.

How Scattered Spider Exploits Organizations

Scattered Spider’s primary attack vector relies on sophisticated social engineering techniques that bypass traditional security measures. Their methodology includes:

Initial Access: The group begins with highly targeted phishing campaigns, creating victim-specific domains such as “victimname-sso.com” or “victimname-servicedesk.com.” They employ vishing (voice phishing), smishing (SMS phishing), and SIM swapping attacks to obtain initial credentials.

Help Desk Exploitation: Attackers impersonate employees and contact IT help desks or call centers, using psychological manipulation and aggressive tactics to pressure staff into resetting passwords or MFA tokens. Their native English-speaking abilities and cultural knowledge make these impersonations extremely convincing.

MFA Bypass: The group has mastered techniques to circumvent multi-factor authentication, including MFA bombing (repeatedly sending authentication prompts until users accidentally approve access) and registering their own MFA devices on compromised accounts.

Persistence and Lateral Movement: Once inside networks, Scattered Spider uses legitimate remote access tools like TeamViewer, Splashtop, and FleetDeck to maintain persistence while avoiding detection. They leverage “living off the land” techniques, utilizing built-in system tools and legitimate software to move laterally through networks.

Cloud Environment Exploitation: The group demonstrates sophisticated understanding of cloud platforms including Microsoft Azure, Google Workspace, and AWS, allowing them to access and manipulate cloud-based resources and data.

(UNC3944 Attack Lifecycle – Source: Google)

Who is at Risk

The insurance industry faces immediate and elevated risk, with Google’s threat intelligence indicating that multiple companies have already been compromised. Organizations particularly vulnerable include:

  • Large insurance companies with extensive help desk operations
  • Companies using outsourced IT support services
  • Organizations with distributed service centers and cloud-based infrastructure
  • Managed service providers serving insurance companies
  • Any financial services organization with significant customer data holdings

Erie Insurance has confirmed a cybersecurity incident detected on June 7, 2025, resulting in ongoing system outages that prevent customers from accessing online accounts. Philadelphia Insurance Companies also reported unauthorized network access on June 9, 2025. While neither company has officially attributed these attacks to Scattered Spider, the timing and characteristics align with the group’s known methods.

Remediation and Protection Strategies

Based on Google’s comprehensive hardening guidance from frontline incident response experience, organizations must implement a multi-layered defense strategy organized around five critical pillars:

Identity Security

  • Positive Identity Verification: Train help desk personnel to positively identify employees, using on-camera verification, ID verification, and challenge-response questions, before modifying any security information. Avoid relying on publicly available personal data for verification, as Scattered Spider often already possesses this information. Implement out-of-band verification for high-risk changes, requiring a callback to the employee's registered number.
  • Strong Authentication: Remove SMS, phone calls, and email as authentication controls. Utilize phishing-resistant MFA with number matching and geo-verification. Transition to passwordless authentication where possible and leverage FIDO2 security keys for privileged roles. Enforce multi-context criteria validating identity, device, and location attributes.
  • MFA Registration Controls: Restrict MFA registration to trusted IP locations and compliant devices. Review authentication methods and disallow unnecessary or duplicative methods. Alert when the same MFA method is registered across multiple accounts, indicating potential attacker-controlled devices.
  • Administrative Role Hardening: Decouple identity stores from infrastructure platforms and create local administrator accounts with long, complex passwords not stored in password management solutions. Implement just-in-time controls for privileged access and enforce least-privilege principles.
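The MFA-related controls above (MFA registration review, alerting when one MFA method appears on several accounts, and MFA bombing) are detection problems over the identity provider's sign-in and audit logs. The following is an added illustration, not code from this post or from Google's hardening guidance: it runs three checks over a constructed set of authentication events. The field names, the user names, and the per-user location baseline are assumptions chosen for the example; map them to your own IdP's log schema.

```python
"""Added example: three MFA detections over constructed IdP audit events.

Checks implemented:
  1. MFA push fatigue (MFA bombing): a burst of unapproved push prompts.
  2. One MFA method identifier registered on more than one account.
  3. An MFA method registered from a country outside the user's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record carries the
# minimum fields an IdP exposes: time, user, event type, source country, and,
# for registration events, the registered method identifier.
SAMPLE_EVENTS = [
    # alice: five unapproved prompts in about three minutes, then an approval
    {"ts": "2025-06-10T02:00:05", "user": "alice", "event": "mfa_push", "result": "denied", "country": "US"},
    {"ts": "2025-06-10T02:00:40", "user": "alice", "event": "mfa_push", "result": "timeout", "country": "US"},
    {"ts": "2025-06-10T02:01:15", "user": "alice", "event": "mfa_push", "result": "denied", "country": "US"},
    {"ts": "2025-06-10T02:02:00", "user": "alice", "event": "mfa_push", "result": "denied", "country": "US"},
    {"ts": "2025-06-10T02:03:10", "user": "alice", "event": "mfa_push", "result": "timeout", "country": "US"},
    {"ts": "2025-06-10T02:03:55", "user": "alice", "event": "mfa_push", "result": "approved", "country": "US"},
    # bob: a single denied prompt, ordinary noise
    {"ts": "2025-06-10T09:12:00", "user": "bob", "event": "mfa_push", "result": "denied", "country": "US"},
    # one phone number registered as the MFA method on three different accounts
    {"ts": "2025-06-10T10:00:00", "user": "carol", "event": "mfa_method_added", "method": "sms:+15550001111", "country": "US"},
    {"ts": "2025-06-10T10:05:00", "user": "dave", "event": "mfa_method_added", "method": "sms:+15550001111", "country": "US"},
    {"ts": "2025-06-10T10:09:00", "user": "erin", "event": "mfa_method_added", "method": "sms:+15550001111", "country": "US"},
    # frank registers an authenticator from a country he has never signed in from
    {"ts": "2025-06-10T11:00:00", "user": "frank", "event": "mfa_method_added", "method": "authenticator:dev-7f3a", "country": "RO"},
    {"ts": "2025-06-10T11:30:00", "user": "bob", "event": "mfa_method_added", "method": "fido2:key-01", "country": "US"},
]

# Constructed baseline: countries each user normally signs in from.
KNOWN_LOCATIONS = {u: {"US"} for u in ("alice", "bob", "carol", "dave", "erin", "frank")}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_mfa_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users with >= threshold unapproved push
    prompts inside any `window`-long interval. The burst of denied/timed-out
    prompts is the signal; the goal is to catch it before a user taps approve."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push" and e["result"] != "approved":
            per_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def detect_shared_mfa_methods(events):
    """Map each MFA method identifier registered on more than one account to
    the sorted list of those accounts (a sign of an attacker-controlled device)."""
    owners = defaultdict(set)
    for e in events:
        if e["event"] == "mfa_method_added":
            owners[e["method"]].add(e["user"])
    return {m: sorted(users) for m, users in owners.items() if len(users) > 1}


def detect_registration_from_new_location(events, known_locations):
    """Return (user, method, country) for MFA registrations made from a
    country absent from that user's baseline."""
    return [
        (e["user"], e["method"], e["country"])
        for e in events
        if e["event"] == "mfa_method_added"
        and e["country"] not in known_locations.get(e["user"], set())
    ]


if __name__ == "__main__":
    print("push fatigue:", detect_mfa_bombing(SAMPLE_EVENTS))
    print("shared methods:", detect_shared_mfa_methods(SAMPLE_EVENTS))
    print("new-location registrations:",
          detect_registration_from_new_location(SAMPLE_EVENTS, KNOWN_LOCATIONS))
```

The thresholds (five prompts in ten minutes) are starting points to tune against your own prompt volume; the shared-method check needs the raw method identifier (phone number, device id, key id), so make sure the audit log export keeps it rather than a masked form.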

Endpoint Protection

  • Device Compliance: Enforce posture checks for devices including host-based certificate validation, approved OS versions, and active EDR agent installation. Monitor for rogue bastion hosts and restrict device domain joining capabilities.
  • Lateral Movement Prevention: Limit local account remote authentication capabilities, disable administrative shares, and enforce local firewall rules blocking inbound SMB, RDP, WinRM, PowerShell, and WMI.

Application and Resource Security

  • VPN Hardening: Disable end-user ability to modify VPN configurations and implement always-on VPN for managed devices. Ensure appropriate logging for configuration changes.
  • Privileged Access Management: Isolate PAM systems on dedicated, segmented infrastructure. Reduce PAM access scope, enforce role-based controls, and follow just-in-time access principles.
  • Infrastructure Isolation: Unbind virtualization platform authentication from centralized identity providers. Isolate backup infrastructure with unique credentials and immutable backup solutions. Segment administrative access to endpoint security tooling.

Network Infrastructure

  • Access Restrictions: Leverage vulnerability scanning for external exposure identification. Enforce phishing-resistant MFA for publicly accessible applications. Block TOR exit nodes and VPS IP ranges for sensitive applications.
  • Trusted Service Infrastructure: Restrict access to management platforms to internal network segments or privileged access workstations. Create detections for direct TSI access and implement egress restrictions from servers.

Advanced Monitoring and Detection

  • Reconnaissance Detection: Implement alerting for known reconnaissance tools like ADRecon and SharpHound. Monitor for documents containing shared credentials and implement automated domain registration monitoring for organizational name mimicry.
  • MFA and Authentication Monitoring: Monitor MFA device registrations, authentication anomalies from infrequent locations, and attempts to modify authentication methods. For Microsoft environments, monitor Trusted Named Locations and Conditional Access Policy changes.
  • Communication Platform Security: Restrict external domains in collaboration tools, baseline trusted domains, and alert on suspicious contact attempts. Train employees to recognize impersonation via platforms like Microsoft Teams.
  • Social Engineering Awareness: Educate users about SMS phishing claiming compliance issues, fake SSO password reset requests, phone calls requesting password/MFA resets, and MFA fatigue attacks. Train recognition of doxxing threats and aggressive compliance tactics.
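The "automated domain registration monitoring for organizational name mimicry" item above, together with the victim-specific domains described under Initial Access (“victimname-sso.com”, “victimname-servicedesk.com”), can be implemented as a small classifier over a newly-registered-domain or certificate-transparency feed. The block below is an added example and is not code from this post or from Google's guidance. The organization name "examplecorp", the owned-domain allow list, the list of service affixes, and the feed contents are all constructed for the example.

```python
"""Added example: flag newly registered domains that mimic an organization name."""
import re

# Constructed feed of domains seen in the last 24 hours (illustrative, not real).
NEW_DOMAINS = [
    "examplecorp-sso.com",
    "examplecorp-servicedesk.net",
    "sso-examplecorp.com",
    "exanplecorp.com",               # one-character typosquat
    "examplecorp.okta-login.info",   # org name used as a subdomain label
    "weather-forecast-daily.com",    # unrelated
    "corporate-examples.org",        # similar words, not a mimic
    "examplecorp.com",               # the organization's real domain
]

ORG_NAMES = ["examplecorp"]          # assumed organization name(s) to protect
OWNED_DOMAINS = {"examplecorp.com"}  # assumed allow list of legitimate domains
# Service words that phishing pages commonly attach to a victim's name.
SUSPICIOUS_AFFIXES = {"sso", "servicedesk", "helpdesk", "okta", "vpn", "hr",
                      "payroll", "it", "login", "support", "mfa"}


def edit_distance(a, b):
    """Levenshtein distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, org_names=ORG_NAMES, owned=OWNED_DOMAINS):
    """Return a reason string if `domain` mimics an org name, else None."""
    domain = domain.lower()
    if domain in owned:
        return None
    labels = domain.split(".")[:-1]      # drop the TLD; check every other label
    for org in org_names:
        for label in labels:
            if label == org:
                return "org name used as a label"
            parts = re.split(r"[-_]", label)
            if org in parts and any(p in SUSPICIOUS_AFFIXES for p in parts):
                return "org name combined with service affix"
            if org in label:
                return "org name embedded in label"
            if edit_distance(label, org) == 1:
                return "one-character variation of org name"
    return None


def scan_feed(domains):
    """Return [(domain, reason)] for every domain in the feed that is flagged."""
    hits = []
    for d in domains:
        reason = classify_domain(d)
        if reason:
            hits.append((d, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan_feed(NEW_DOMAINS):
        print(f"ALERT {domain}: {reason}")
```

Feed hits are worth routing to the same queue as help desk escalations: a fresh "orgname-sso" registration is often the first visible step of the campaign, days before any employee receives the SMS or call that points at it.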

How CinchOps Can Help

In the face of evolving threats like Scattered Spider, CinchOps provides comprehensive cybersecurity solutions designed to protect your organization from sophisticated social engineering and ransomware attacks.

Our managed IT support and cybersecurity services include:

  • 24/7 threat monitoring and incident response to detect and neutralize attacks before they cause damage
  • Implementation of phishing-resistant multi-factor authentication systems that cannot be bypassed through social engineering
  • Comprehensive employee security awareness training programs that prepare your staff to recognize and respond to social engineering attempts
  • Advanced endpoint detection and response solutions that identify suspicious activity and unauthorized access attempts
  • Regular security assessments and penetration testing to identify vulnerabilities before attackers can exploit them
  • Backup and disaster recovery solutions to ensure business continuity even in the event of a successful attack
  • Help desk security protocols and training to prevent unauthorized access through customer service channels
  • Cloud security configuration and monitoring to protect your cloud-based assets and data

With over three decades of experience in delivering complex IT systems and cybersecurity solutions, CinchOps understands the unique challenges facing small and medium-sized businesses in today’s threat environment.

Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Huntress 2025 Cyber Threat Report: What West Houston Businesses Need to Know
For Additional Information on this topic: Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
