The threat actor known as Scattered Spider appears to have shifted its focus from the retail sector to insurance companies, according to a warning from Google’s Threat Intelligence Group.
Scattered Spider, tracked by Google and Mandiant as UNC3944, has been around for several years. Its activities have apparently been paused at times, particularly following law enforcement actions, but the hackers are now once again highly active.
The threat group is known for the use of sophisticated social engineering tactics, and its current focus appears to be on ransomware and data theft extortion.
After the recent attacks targeting major UK retailers Co-op, Harrods and M&S were linked to Scattered Spider — and a potentially affiliated ransomware group named DragonForce — Google warned that the hackers had turned their attention to retailers in the United States.
Now, roughly one month later, the tech giant has issued a fresh warning after its Threat Intelligence Group became aware of multiple attacks against the US insurance industry that appear to have been carried out by Scattered Spider.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” said John Hultquist, chief analyst at Google Threat Intelligence Group.
Google has not shared additional details on these new attacks, but pointed to guidance it published last month to help organizations defend against Scattered Spider attacks.
It’s unclear which companies have been targeted by Scattered Spider in the latest campaign.
One of them could be Erie Insurance, a Pennsylvania-based insurance company that detected a cybersecurity breach on June 7. Erie has been sharing updates about the impact of the incident, but it’s still unclear who was behind the attack.
SecurityWeek has reached out to Erie Insurance for comment and will update this article if the company responds.
UPDATE: Responding to SecurityWeek’s inquiry, Erie has not said whether it was the target of a Scattered Spider attack, but pointed out in an updated statement issued on Tuesday that it has “seen no evidence of ransomware and there is no indication of ongoing threat actor activity”.
Related: Anubis Ransomware Packs a Wiper to Permanently Delete Files
Related: Sensitive Information Stolen in Sensata Ransomware Attack
Related: FBI Aware of 900 Organizations Hit by Play Ransomware
Related: Cyber Insights 2025: Cyberinsurance – The Debate Continues
