Hackers Shift Focus to U.S. Insurance Sector, Mimic Scattered Spider Playbook

Cybercriminals are now targeting the U.S. insurance sector with Scattered Spider-style tactics—experts warn of imminent threats involving phishing, SIM swapping, and MFA abuse.

Scattered Spider Tactics Now Seen in U.S. Insurance Breaches, Experts Warn

Cyber threat actors using methods consistent with the Scattered Spider playbook have shifted their focus to U.S. insurance companies, according to researchers at Google Threat Intelligence Group (GTIG).

John Hultquist, GTIG’s Chief Analyst, confirmed the trend to BleepingComputer:

“We are now seeing incidents in the insurance industry… these bear all the hallmarks of Scattered Spider activity.”

Previously, the group caused major disruptions across the UK retail sector, with confirmed attacks on Marks & Spencer, Co-op, and Harrods. It then pivoted to U.S. retail. Now, insurance providers appear to be next on the list, prompting calls for immediate defensive action.

A Calculated, Sector-Based Campaign

Scattered Spider—also known as 0ktapus, UNC3944, Muddled Libra, and Starfraud—has developed a reputation for sector-specific, high-impact campaigns. Once it compromises one organization, it often uses that access to pivot into supply chains or partners, amplifying the damage.

Known for exploiting social engineering techniques, the group often initiates attacks through phishing emails, SIM swapping, MFA fatigue (also called MFA bombing), and vishing-style impersonation attacks that target help desks and call centers.

Later in the attack chain, they have deployed ransomware variants like DragonForce, RansomHub, and Qilin, depending on the affiliate or the victim profile.

GTIG and NCSC: Defense Tips for Insurers and Enterprises

GTIG is urging insurance companies to immediately review identity access controls, help desk protocols, and monitoring capabilities.

Key recommendations include:

• Segregation of identities with strong multi-factor authentication (MFA)
• Rigorous identity verification during password resets and MFA changes
• Continuous monitoring for unauthorized logins, especially from VPNs or residential IP ranges
• Help desk training to detect impersonation, aggressive language, or urgent social engineering tactics
• Employee awareness about multi-channel phishing attempts—voice, SMS, messaging apps
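The monitoring and identity-verification recommendations above translate into concrete detection rules. The following is an added example written for this page, not code from GTIG, the NCSC or StoneFly: it runs three rules over a constructed authentication log sample, namely an MFA-fatigue pattern (a burst of denied push prompts followed by an approval), a password reset closely followed by a new MFA device enrolment, and a successful login from an IP range the organization has chosen to flag (VPN egress or residential proxy space). The log format, the thresholds, and the flagged ranges (RFC 5737 documentation addresses) are assumptions for illustration; a real deployment would feed it identity-provider audit events and the organization's own range list.

```python
"""Detection rules for Scattered Spider-style identity abuse (added example).

Assumed log format, one event per line: ISO timestamp|user|event|source_ip
Event names (mfa_push_denied, mfa_push_approved, password_reset,
mfa_device_enrolled, login_success) are hypothetical normalised names.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice shows an MFA push flood ending in an approval
# from a flagged range; bob shows a reset followed by MFA re-enrolment;
# carol and dave are benign (dave's single denial is ordinary user friction).
SAMPLE_LOG = """\
2025-06-16T09:00:05|alice|mfa_push_denied|203.0.113.7
2025-06-16T09:01:10|alice|mfa_push_denied|203.0.113.7
2025-06-16T09:02:30|alice|mfa_push_denied|203.0.113.7
2025-06-16T09:03:45|alice|mfa_push_approved|203.0.113.7
2025-06-16T09:03:50|alice|login_success|203.0.113.7
2025-06-16T10:15:00|bob|password_reset|10.0.4.22
2025-06-16T10:20:00|bob|mfa_device_enrolled|10.0.4.22
2025-06-16T11:00:00|carol|mfa_push_approved|10.0.7.15
2025-06-16T11:00:02|carol|login_success|10.0.7.15
2025-06-16T12:00:00|dave|mfa_push_denied|10.0.9.3
2025-06-16T12:30:00|dave|mfa_push_approved|10.0.9.3
""".strip().splitlines()

# Hypothetical ranges the organization treats as VPN egress / residential proxy space.
SUSPICIOUS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

MFA_FLOOD_THRESHOLD = 3                         # denied prompts before an approval
MFA_FLOOD_WINDOW = timedelta(minutes=10)        # window the denials must fall in
RESET_TO_MFA_CHANGE_WINDOW = timedelta(minutes=30)


def parse_log(lines):
    """Turn raw lines into dicts with typed timestamp and address, oldest first."""
    events = []
    for line in lines:
        ts, user, event, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ipaddress.ip_address(ip)})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=MFA_FLOOD_THRESHOLD, window=MFA_FLOOD_WINDOW):
    """Flag an approval that follows >= threshold denied pushes inside the window."""
    alerts = []
    denials = defaultdict(list)  # user -> timestamps of denials since last approval
    for e in events:
        if e["event"] == "mfa_push_denied":
            denials[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_push_approved":
            recent = [t for t in denials[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"mfa_fatigue user={e['user']} denials={len(recent)} "
                              f"approved_at={e['ts'].isoformat()}")
            denials[e["user"]].clear()  # an approval ends the episode either way
    return alerts


def detect_reset_then_mfa_change(events, window=RESET_TO_MFA_CHANGE_WINDOW):
    """Flag an MFA device enrolment shortly after a password reset for the same user."""
    alerts = []
    last_reset = {}
    for e in events:
        if e["event"] == "password_reset":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "mfa_device_enrolled":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                gap = (e["ts"] - reset_ts).total_seconds() / 60
                alerts.append(f"reset_then_mfa_change user={e['user']} gap_minutes={gap:.0f}")
    return alerts


def detect_suspicious_source(events, ranges=SUSPICIOUS_RANGES):
    """Flag successful logins whose source address sits in a flagged range."""
    return [f"login_from_flagged_range user={e['user']} ip={e['ip']}"
            for e in events
            if e["event"] == "login_success" and any(e["ip"] in net for net in ranges)]


def analyze(lines):
    """Run all three rules over raw log lines and return the alert strings."""
    events = parse_log(lines)
    return (detect_mfa_fatigue(events)
            + detect_reset_then_mfa_change(events)
            + detect_suspicious_source(events))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The reset-then-enrolment rule is deliberately independent of the source address: in a help desk impersonation the reset itself is performed by a legitimate operator, so the only log artefact is the sequence of events, which is why the verification step during resets and MFA changes matters as much as network monitoring. Thresholds should be tuned against the organization's own baseline before any alert is routed to a responder.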

The UK’s National Cyber Security Centre (NCSC) also advises that organizations review privileged access controls, restrict Domain/Enterprise Admin usage, and enforce stricter help desk authentication for elevated users.

Don’t Wait for the Next Attack: Build Resilience Now

As threat actors like Scattered Spider continue to evolve, organizations need more than just reactive defenses. Immutable, air-gapped backup and recovery systems are becoming a critical last line of defense—particularly against ransomware operations that target identity infrastructure and erase recovery points.

Strengthen your defenses with StoneFly DR365, an enterprise-grade option built specifically for ransomware resilience. It’s a fully air-gapped, immutable backup and recovery appliance trusted by large organizations to ensure operational continuity even during sophisticated cyberattacks. Don’t wait—act now!
