{ "id": "65be378a-26b2-46fe-8fb3-5ea254c5d9ba", "created_at": "2026-04-06T00:11:36.544049Z", "updated_at": "2026-04-10T03:31:49.934086Z", "deleted_at": null, "sha1_hash": "b9d9fac07fcafd03818d607da0cf8ccd8e2b3716", "title": "Hackers switch to targeting U.S. insurance companies", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3242386, "plain_text": "Hackers switch to targeting U.S. insurance companies\r\nBy Ionut Ilascu\r\nPublished: 2025-06-16 · Archived: 2026-04-05 13:29:11 UTC\r\nThreat intelligence researchers are warning of hackers breaching multiple U.S. companies in the insurance industry using all\r\nthe tactics observed with Scattered Spider activity.\r\nTypically, the threat group has a sector-by-sector focus. Previously, they targeted retail organizations in the United Kingdom\r\nand then switched to targets in the same sector in the United States.\r\n“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered\r\nSpider activity. We are now seeing incidents in the insurance industry,” John Hultquist, Chief Analyst at Google Threat\r\nIntelligence Group (GTIG), told BleepingComputer.\r\nhttps://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nHultquist warns that because the group approaches one sector at a time, “the insurance industry should be on high alert.”\r\nGTIG’s chief researcher says that companies should pay particular attention to potential social engineering attempts on help\r\ndesk and call centers.\r\nJust this month, two insurance companies disclosed that their systems were impacted by cyberattacks.\r\nPhiladelphia Insurance Companies (PHLY) announced that on June 9 it discovered unauthorized access on its network and\r\ndisconnected the affected systems to stop the attack from spreading.\r\nThe outage continues as the company's website still shows the outage notification.\r\nPhiladelphia Insurance Companies (PHLY) alerts of outage caused by unauthorized access\r\nErie Insurance also suffered business disruptions that started on June 7. A few days later, the company reported in a filing\r\nwiht the U.S. Securities and Exchange Commission that the outage was caused \"unusual network activity,\" which prompted\r\nan immediate protection response for systems and data.\r\nScattered Spider tactics\r\nScattered Spider is the name given to a fluid coalition of threat actors that employ sophisticated social engineering attacks to\r\nbypass mature security programs.\r\nThe group is also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra, and has been linked to\r\nbreaches at multiple high-profile organizations that mixed phishing, SIM-swapping, and MFA fatigue/MFA bombing for\r\ninitial access.\r\nIn a later stage of the attack, the group has been observed dropping ransomware like RansomHub, Qilin, and DragonForce.\r\nDefending against Scattered Spider attacks\r\nOrganizations defending against this type of threat actor should start with gaining complete visibility across the entire\r\ninfrastructure, identity systems, and critical management services.\r\nhttps://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nPage 3 of 5\n\nGTIG recommends segregating identities and using strong authentication criteria along with rigorous identity controls for\r\npassword resets and MFA registration.\r\nSince Scattered Spider relies on social engineering, organizations should educate employees and internal security teams on\r\nimpersonation attempts via various channels (SMS, phone calls, messaging platforms) that may sometimes include\r\naggressive language to scare the target into compliance.\r\nAfter hackers breached Marks \u0026 Spencer, Co-op, and Harrods retailers in the U.K. this year, the country’s National Cyber\r\nSecurity Centre (NCSC) shared tips for organizations to improve their cybersecurity defenses.\r\nIn all three attacks, the threat actor used the same social engineering tactics associated with Scattered Spired and dropped\r\nDragonForce ransomware in the final stage.\r\nNCSC’s recommendations include activating two-factor or multi-factor authentication, monitoring for unauthorized logins,\r\nand checking if access to Domain Admin, Enterprise Admin, and Cloud Admin accounts is legitimate.\r\nAdditionally, the U.K. agency advises that organizations review how the helpdesk service authenticates credentials before\r\nresetting them, especially for employees with elevated privileges.\r\nThe ability to identify logins from unusual sources (e.g. VPN services from residential ranges) could also help identify a\r\npotential attack.\r\nUpdate [June 17]: Added information about cyberattacks on two insurance companies in the United States.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nhttps://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nPage 4 of 5\n\nSource: https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nhttps://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/" ], "report_names": [ "google-warns-scattered-spider-hackers-now-target-us-insurance-companies" ], "threat_actors": [ { "id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312", "created_at": "2024-06-07T02:00:03.998431Z", "updated_at": "2026-04-10T02:00:03.64336Z", "deleted_at": null, "main_name": "RansomHub", "aliases": [], "source_name": "MISPGALAXY:RansomHub", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "6608b798-f92b-42af-a93f-d72800eeb3a3", "created_at": "2023-11-30T02:00:07.292Z", "updated_at": "2026-04-10T02:00:03.482199Z", "deleted_at": null, "main_name": "DragonForce", "aliases": [], "source_name": "MISPGALAXY:DragonForce", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758", "created_at": "2025-07-24T02:05:00.538379Z", "updated_at": "2026-04-10T02:00:03.657424Z", "deleted_at": null, "main_name": "GOLD FLAME", "aliases": [ "DragonForce" ], "source_name": "Secureworks:GOLD FLAME", "tools": [ "ADFind", "AnyDesk", "Cobalt Strike", "FileSeek", "Mimikatz", "SoftPerfect Network Scanner", "SystemBC", "socks.exe" ], "source_id": "Secureworks", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434296, "ts_updated_at": 1775791909, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b9d9fac07fcafd03818d607da0cf8ccd8e2b3716.pdf", "text": "https://archive.orkl.eu/b9d9fac07fcafd03818d607da0cf8ccd8e2b3716.txt", "img": "https://archive.orkl.eu/b9d9fac07fcafd03818d607da0cf8ccd8e2b3716.jpg" } }