{
	"id": "735f0f93-35f4-41e0-8da0-b31456ad172b",
	"created_at": "2026-04-29T08:21:25.15994Z",
	"updated_at": "2026-04-29T10:41:41.697069Z",
	"deleted_at": null,
	"sha1_hash": "6431c1c21d4cce6686b3b44d057f31b66e817aba",
	"title": "Aflac discloses breach amidst Scattered Spider insurance attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 703417,
	"plain_text": "Aflac discloses breach amidst Scattered Spider insurance attacks\r\nBy Sergiu Gatlan\r\nPublished: 2025-06-20 · Archived: 2026-04-29 08:09:09 UTC\r\nOn Friday, American insurance giant Aflac disclosed that its systems were breached in a broader campaign\r\ntargeting insurance companies across the United States by attackers who may have stolen personal and health\r\ninformation.\r\nAflac (short for American Family Life Assurance Company) is the largest supplemental insurance provider in the\r\nU.S. and a Fortune 500 company that provides insurance services to millions of customers in the U.S. and Japan.\r\nIn a press release earlier today, the insurance company added that its network was not affected by ransomware. It\r\nis unclear, though, if ransomware was deployed and blocked or if this was just a data theft attack.\r\nhttps://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/\r\nPage 1 of 3\n\n\"We promptly initiated our cyber incident response protocols and stopped the intrusion within hours. Importantly,\r\nour business remains operational, and our systems were not affected by ransomware,\" Aflac stated.\r\n\"We continue to serve our customers as we respond to this incident and can underwrite policies, review claims,\r\nand otherwise service our customers as usual. This attack, like many insurance companies are currently\r\nexperiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against\r\nthe insurance industry.\"\r\nAfter detecting the breach, Aflac hired external cybersecurity experts to investigate the incident and review the\r\ncontents of files potentially exposed during the attack.\r\nAs the company explained in a filing with the U.S. 
Securities and Exchange Commission (SEC), these documents\r\ncontain a wide range of sensitive information related to customers, beneficiaries, employees, agents, and other\r\nindividuals, ranging from claims and health information to social security numbers and/or other personal\r\ninformation.\r\nScattered Spider attacks targeting insurance firms\r\nWhile an Aflac spokesperson couldn't attribute the breach to a specific cybercrime group, the breach exhibits all\r\nthe signs of a Scattered Spider attack.\r\nScattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a group of\r\nthreat actors known for their sophisticated social engineering attacks against high-profile organizations\r\nworldwide, with tactics that include phishing, SIM swapping, and multi-factor authentication (MFA) bombing.\r\nIn September 2023, they escalated their attacks by breaching MGM Resorts and encrypting over 100 VMware\r\nESXi hypervisors using BlackCat ransomware after gaining access by impersonating an employee. They've also\r\npartnered with other ransomware operations, such as RansomHub, Qilin, and DragonForce. Other organizations\r\ntargeted by Scattered Spider include Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.\r\nAs John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), told BleepingComputer earlier this\r\nweek, Scattered Spider has recently been targeting and breaching U.S. 
insurance companies.\r\nHultquist also told BleepingComputer today that \"the insurance industry should be on high alert\" and pay\r\nparticular attention to potential social engineering attempts on help desks and call centers, \"given this actor's\r\nhistory of focusing on a sector at a time.\"\r\nThe most recent examples are Philadelphia Insurance Companies (PHLY) and Erie Insurance, which experienced\r\noutages and disruptions after detecting unauthorized network access.\r\nIn May, GTIG's chief analyst also warned that Scattered Spider switched from targeting retail chains in the United\r\nKingdom to targeting retailers in the United States. \"The actor, which has reportedly targeted retail in the UK\r\nfollowing a long hiatus, has a history of focusing their efforts on a single sector at a time,\" he added\r\nSource: https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/"
	],
	"report_names": [
		"aflac-discloses-breach-amidst-scattered-spider-insurance-attacks"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-29T10:39:53.738423Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-29T10:39:55.37926Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-29T10:39:54.789942Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-29T10:39:53.527057Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-29T10:39:54.669259Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-29T10:39:53.406911Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Muddled Libra",
				"Scattered Swine",
				"Scatter Swine",
				"Octo Tempest",
				"0ktapus",
				"Storm-0971",
				"DEV-0971",
				"Starfraud",
				"UNC3944",
				"Oktapus"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-29T10:39:55.144656Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-29T10:39:54.667107Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777450885,
	"ts_updated_at": 1777459301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6431c1c21d4cce6686b3b44d057f31b66e817aba.pdf",
		"text": "https://archive.orkl.eu/6431c1c21d4cce6686b3b44d057f31b66e817aba.txt",
		"img": "https://archive.orkl.eu/6431c1c21d4cce6686b3b44d057f31b66e817aba.jpg"
	}
}