Urgent Cybersecurity Briefing: Scattered Spider Attacks

06.25.2025

Several insurance companies have been targeted this month by cyberattacks, including AFLAC, Erie Insurance, and Philadelphia Insurance. The threat actor, Scattered Spider, is now focusing on the insurance industry. We want to provide you with information about Scattered Spider’s techniques to support you in taking steps to prevent or mitigate impact in the event of a potential targeted threat.

The prolific “Scattered Spider” cyber-criminal group, which has been conducting a range of financially motivated activity since 2022, has recently made headlines as a threat to the insurance sector.

  • Scattered Spider (also tracked as UNC3944, 0ktapus, Scatter Swine, Starfraud, and Muddled Libra) is a hacking group notorious for both their hacks on Snowflake Cloud Computing and the casino attacks in 2023. Google’s Threat Intelligence Group has confirmed “multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity.”
  • In April 2025, it attacked retailers in the U.K., including Marks & Spencer, Co-op, and Harrods. In May 2025, the group pivoted to the US retail sector, targeting major brands, then turning to the insurance sector this month:
    • In June 2025, AFLAC was breached, involving potential theft of SSNs, insurance claims, and health information.
    • Erie Insurance was also targeted, with network outages beginning June 7 and lasting over 10 days with complete system disruption.
    • Philadelphia Insurance Company detected suspicious activity on June 9, with proactive system disconnections causing widespread outages.

Scattered Spider is particularly distinguishable for its: (a) speed - the group can execute a full attack chain in 24-48 hours; (b) cultural fluency and sophisticated social engineering - leveraging extensive intelligence from LinkedIn, press releases, and social media, and facilitating convincing impersonations of Western corporate employees; (c) identity focus - specifically targeting identity and access management systems; and (d) persistent access - establishing multiple backdoors for future exploitation.

It is imperative for insurance companies to take preventative and preparatory measures now, both technical and procedural. Don’t wait until you are hit - have a plan with the right resources in place for incident response, business continuity and disaster recovery, and handling potential downstream litigation. This plan should include lining up both legal and technical resources. If you have questions or would like to discuss, please reach out to us.

Incident Response Hotline
1-877-624-2923
MNBreachHelp@MaynardNexsen.com

About Maynard Nexsen

Maynard Nexsen is a full-service law firm of nearly 600 attorneys in 31 locations from coast to coast across the United States. Maynard Nexsen was formed in 2023 when two successful, client-centered firms combined to create a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.

Media Contact

Tina Emerson

Chief Marketing Officer
TEmerson@maynardnexsen.com 

Direct: 803.540.2105
