Scattered Spider Attacks: A Growing Threat to the Insurance Industry
Who Likes Spiders?
The insurance industry, a cornerstone of financial stability, has become the latest target of the notorious cybercriminal group Scattered Spider. Known for their sophisticated social engineering tactics and ability to bypass multi-factor authentication (MFA), this group has shifted its focus from retail to insurance, causing significant disruptions and data breaches. Recent incidents at companies like Aflac and Erie Insurance highlight the urgency for robust cybersecurity measures. This report explores Scattered Spider’s tactics, their impact on the insurance sector, strategies to combat these attacks, and how Crux Security can help organizations fortify their defenses.
Un-Scattering the Spiders
Scattered Spider, also known as UNC3944, 0ktapus, or Muddled Libra, is a cybercriminal group comprising young, English-speaking individuals, operating in Western countries. Since emerging in 2022, they have targeted large organizations across various sectors, including hospitality, telecom, and retail, before pivoting to insurance in mid-2025. Their high-profile attacks include breaches at MGM Resorts and Caesars Entertainment, where they deployed ransomware and stole sensitive data for extortion.
How They Operate: Tactics, Techniques, and Procedures (TTPs)
Scattered Spider’s success stems from their advanced social engineering techniques, which exploit human vulnerabilities to gain initial access. Their key TTPs include:
Credential Phishing and Smishing: Sending fraudulent emails or SMS messages to harvest passwords.
SIM Swapping: Convincing telecom providers to transfer a victim’s phone number to an attacker-controlled SIM card, bypassing SMS-based MFA.
MFA Fatigue (Push Bombing): Overwhelming victims with repeated MFA prompts to trick them into approving access.
Vishing: Directly calling victims to extract MFA codes or other sensitive information.
Help Desk Scams: Posing as legitimate employees to manipulate IT help desks into resetting passwords or MFA settings.
Living-off-the-Land Techniques: Using legitimate tools like PowerShell and Cobalt Strike to move laterally, escalate privileges, and exfiltrate data without triggering detection.
Ransomware Deployment: Partnering with groups like BlackCat/ALPHV, RansomHub, or DragonForce to encrypt systems, particularly VMware ESXi environments.
These tactics allow Scattered Spider to bypass mature security programs and maintain persistent access, even reversing mitigations to regain entry.
Impact on the Insurance Industry
Let's face it, we trust insurance companies with a lot of sensitive information. The insurance sector’s complex IT infrastructures and vast repositories of sensitive customer data make it an attractive target for all types of attackers, especially for Scattered Spider. Recent attacks have demonstrated significant consequences:
Notable Incidents
Erie Insurance (June 2025): Reported “unusual network activity” on June 7, leading to system outages that disrupted customer access to online accounts. The company activated incident response protocols and is working with cybersecurity experts to investigate, though attribution to Scattered Spider is not yet confirmed (CyberScoop).
Aflac (June 2025): Disclosed a cyber intrusion as part of a broader crime spree targeting the insurance industry, with characteristics aligning with Scattered Spider’s TTPs (BleepingComputer).
Consequences - In Real Life
The impact of these attacks extends beyond immediate disruptions to normal business operations:
Data Breaches: Theft of customer data, including personal and financial information, can lead to identity theft and regulatory penalties under frameworks like HIPAA or GDPR.
Operational Disruptions: System outages, as seen at Erie Insurance, hinder customer service and business operations, leading to revenue losses.
Financial Losses: Costs include ransom payments, remediation efforts, legal fees, and potential fines.
Reputational Damage: Breaches erode customer trust (especially critical in the insurance industry).
The sector’s reliance on large help desks and outsourced IT functions, often with distributed operations, makes it particularly vulnerable to social engineering attacks.
Combating Scattered Spider Attacks
Defending against Scattered Spider requires a multi-layered approach that addresses both technical and human vulnerabilities. Key strategies include:
1. Strengthen Identity and Access Management (IAM)
Phishing-Resistant MFA: Implement hardware tokens or app-based authentication with device binding, avoiding SMS or email-based codes.
Least-Privilege Access: Regularly audit user accounts to ensure minimal permissions, reducing the impact of compromised credentials.
Account Monitoring: Use behavioral analytics to detect unusual login attempts or privilege escalations.
2. Employee Training and Awareness (yes, this STILL matters!)
Social Engineering Training: Educate help desk and other support staff to recognize phishing, vishing, and other social engineering tactics.
Verification Procedures: Implement strict protocols, such as out-of-band call-back verification, for password or MFA resets.
Flagging Suspicious Requests: Train staff to identify and escalate repeated or urgent requests as potential threats.
3. Secure Help Desk Operations
Mandatory Escalation Paths: Require supervisor approval for sensitive account changes.
Checklists for Verification: Use standardized checklists to ensure high-assurance identity verification before processing requests.
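The verification, flagging and escalation rules in sections 2 and 3 are easier to hold to when the ticketing workflow enforces them rather than relying on memory. The following is an added example, not Crux Security's code and not part of the original post: a small stateful gate that refuses to approve a reset unless the out-of-band call-back went to the number on file, escalates repeated or urgency-pressured requests, and demands supervisor sign-off for sensitive changes. The request fields, the set of changes treated as sensitive and the 24-hour repeat window are assumptions.

```python
"""Help desk reset gate.

Added example for the verification and escalation controls described above;
it is not Crux Security's tooling. The request fields, the set of changes
treated as sensitive, and the 24-hour repeat window are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Changes that need a supervisor sign-off (assumed policy).
SENSITIVE_CHANGES = {"password_reset", "mfa_reset", "mfa_enroll_device"}
REPEAT_WINDOW = timedelta(hours=24)


@dataclass
class ResetRequest:
    employee_id: str
    change: str
    requested_at: datetime
    caller_claims_urgent: bool
    # The agent ended the inbound call and dialed back ...
    callback_completed: bool
    # ... using the number from the HR record, not one the caller supplied.
    callback_number_from_hr: bool
    supervisor_approved: bool


@dataclass
class Decision:
    outcome: str                       # "approve" or "escalate"
    reasons: list = field(default_factory=list)


class ResetGate:
    """Stateful gate: remembers prior requests so repeats can be flagged."""

    def __init__(self):
        self._history = {}             # employee_id -> list of request timestamps

    def evaluate(self, req: ResetRequest) -> Decision:
        reasons = []

        # 1. Out-of-band call-back to the number on file is mandatory.
        if not (req.callback_completed and req.callback_number_from_hr):
            reasons.append("no out-of-band call-back to the number on file")

        # 2. A second request for the same employee inside the window gets a
        #    security review, not a faster turnaround.
        prior = self._history.get(req.employee_id, [])
        if any(abs(req.requested_at - t) <= REPEAT_WINDOW for t in prior):
            reasons.append("repeated request within 24h")

        # 3. Pressure and urgency are social-engineering signals.
        if req.caller_claims_urgent:
            reasons.append("caller pressed urgency")

        # 4. Sensitive changes need a supervisor sign-off.
        if req.change in SENSITIVE_CHANGES and not req.supervisor_approved:
            reasons.append(f"supervisor approval required for {req.change}")

        self._history.setdefault(req.employee_id, []).append(req.requested_at)
        return Decision("escalate" if reasons else "approve", reasons)


if __name__ == "__main__":
    gate = ResetGate()
    now = datetime(2025, 6, 7, 9, 0)   # constructed timestamp
    print(gate.evaluate(ResetRequest("e100", "password_reset", now, False, True, True, True)))
    print(gate.evaluate(ResetRequest("e200", "mfa_reset", now, True, True, False, False)))
```

Every failed rule is recorded as a reason and the request is escalated rather than silently denied, so a supervisor sees exactly which control was missing; that record is also what a later incident review needs.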
4. Advanced Monitoring and Incident Response
Network Monitoring: Deploy tools to detect lateral movement, unusual authentication activity, or data exfiltration.
Incident Response Plan: Develop and test a plan to quickly contain and mitigate breaches, minimizing impact. Run bi-annual incident response tabletop exercises.
Threat Intelligence: Use services to proactively identify indicators of future attacks.
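The account monitoring in section 1 and the authentication monitoring in section 4 both come down to rules over identity-provider events. The following is an added example, not Crux Security's tooling and not any vendor's real log schema: it runs two such rules over a constructed log, one for a push-bombing burst and one for a help desk credential reset followed by a login from a device and IP the user had never used. Event names, field names, thresholds and windows are assumptions.

```python
"""Detection logic over constructed identity-provider log lines.

Added example for the account-monitoring and authentication-monitoring points
above; it is not Crux Security's tooling and does not follow any real IdP's
log schema. Event names, field names, thresholds and windows are assumptions.
Two patterns from the TTPs discussed on this page are covered:
  * MFA fatigue: a burst of push prompts to one user with denials, rated high
    if an approval follows inside the burst.
  * Help desk reset followed by a login from a device and IP the user had
    never used before."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_WINDOW = timedelta(minutes=10)    # burst window for push prompts
PUSH_THRESHOLD = 5                     # prompts in the window that trigger
RESET_WINDOW = timedelta(hours=2)      # how long after a reset to watch logins

# Constructed sample log (assumed JSON-lines schema): jdoe is push-bombed and
# eventually approves, bking is a normal login, asmith logs in from a new
# device twenty minutes after a help desk reset.
SAMPLE_LOG = """\
{"ts": "2025-06-07T08:55:00", "event": "login_success", "user": "jdoe", "device": "dev-A", "ip": "203.0.113.10"}
{"ts": "2025-06-07T09:00:00", "event": "mfa_push_sent", "user": "jdoe"}
{"ts": "2025-06-07T09:00:20", "event": "mfa_push_denied", "user": "jdoe"}
{"ts": "2025-06-07T09:00:45", "event": "mfa_push_sent", "user": "jdoe"}
{"ts": "2025-06-07T09:01:05", "event": "mfa_push_denied", "user": "jdoe"}
{"ts": "2025-06-07T09:01:30", "event": "mfa_push_sent", "user": "jdoe"}
{"ts": "2025-06-07T09:01:50", "event": "mfa_push_denied", "user": "jdoe"}
{"ts": "2025-06-07T09:02:15", "event": "mfa_push_sent", "user": "jdoe"}
{"ts": "2025-06-07T09:03:00", "event": "mfa_push_sent", "user": "jdoe"}
{"ts": "2025-06-07T09:03:30", "event": "mfa_push_approved", "user": "jdoe"}
{"ts": "2025-06-07T09:30:00", "event": "mfa_push_sent", "user": "bking"}
{"ts": "2025-06-07T09:30:10", "event": "mfa_push_approved", "user": "bking"}
{"ts": "2025-06-07T09:30:15", "event": "login_success", "user": "bking", "device": "dev-B", "ip": "203.0.113.20"}
{"ts": "2025-06-07T10:00:00", "event": "helpdesk_credential_reset", "user": "asmith"}
{"ts": "2025-06-07T10:20:00", "event": "login_success", "user": "asmith", "device": "dev-Z", "ip": "198.51.100.9"}
"""


def parse(log_text):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events):
    """One alert per user whose first qualifying burst of push prompts contains
    at least one denial; an approval inside the burst is rated high."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        sent = [e for e in evs if e["event"] == "mfa_push_sent"]
        for first in sent:
            burst = [e for e in sent if first["ts"] <= e["ts"] <= first["ts"] + PUSH_WINDOW]
            if len(burst) < PUSH_THRESHOLD:
                continue
            # Decisions recorded from the first prompt to shortly after the last.
            end = burst[-1]["ts"] + timedelta(minutes=1)
            decisions = {e["event"] for e in evs if first["ts"] <= e["ts"] <= end}
            if "mfa_push_denied" in decisions:
                alerts.append({
                    "rule": "mfa_push_bombing", "user": user, "prompts": len(burst),
                    "severity": "high" if "mfa_push_approved" in decisions else "medium",
                    "start": first["ts"].isoformat(),
                })
            break
    return alerts


def detect_reset_then_new_device(events):
    """Flag a help desk reset followed within RESET_WINDOW by a successful login
    from a (device, ip) pair the user had never used before."""
    alerts = []
    seen = defaultdict(set)            # user -> {(device, ip)} from earlier logins
    pending = {}                       # user -> timestamp of the last reset
    for e in events:
        u = e["user"]
        if e["event"] == "helpdesk_credential_reset":
            pending[u] = e["ts"]
        elif e["event"] == "login_success":
            key = (e["device"], e["ip"])
            reset_ts = pending.get(u)
            if reset_ts and e["ts"] - reset_ts <= RESET_WINDOW and key not in seen[u]:
                alerts.append({
                    "rule": "reset_then_new_device", "user": u,
                    "device": e["device"], "ip": e["ip"],
                    "minutes_after_reset": int((e["ts"] - reset_ts).total_seconds() // 60),
                })
                pending.pop(u)
            seen[u].add(key)
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return detect_push_bombing(events) + detect_reset_then_new_device(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The reset rule deliberately requires the device and IP pair to be new for that user: someone logging back in from their usual laptop after a legitimate reset produces no alert, which keeps the rule quiet in an organisation with a large help desk, while the combination that matters in a help desk scam (reset, then first-ever login from unfamiliar equipment) is caught. The push rule only fires when a denial is present, because a burst of approvals with no denials looks more like a broken client than a victim being worn down.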
5. Regular Security Assessments
Penetration Testing: Simulate social engineering and technical attacks to identify vulnerabilities in help desk processes and network security.
Security Audits: Conduct periodic audits to ensure compliance with standards like SOC 2, HIPAA, or NIST 800-171 (if you’re a defense contractor).
6. Automated Security Tools
Use automated tools for network scanning, user audits, risk management, and vendor tracking to maintain a proactive security posture.
How Crux Can Help
Crux offers a streamlined platform to build economical cybersecurity programs tailored to industry needs. Our services are particularly suited to countering threats like Scattered Spider.
Security Assessment and Penetration Testing
Crux provides industry-leading security assessments and penetration testing to identify vulnerabilities in network infrastructure, help desk operations, and employee processes. By simulating social engineering attacks, it can pinpoint weaknesses that Scattered Spider might exploit, such as lax verification procedures or susceptible MFA configurations.
Automated Security Tools
The “Complete” plan includes automated tools for:
Perimeter Network Scanning: Detects vulnerabilities in the external network.
User Audits: Monitors account permissions to assess least-privilege access.
Risk Register: Logs and prioritizes security risks for future actions.
Vendor Tracking: Ensures third-party services meet security standards.
These tools enable continuous monitoring and proactive defense, critical for detecting Scattered Spider’s stealthy tactics.
Tailored Security Programs
Crux Security offers three plans to meet varying needs:
Startup: Includes security policies, procedures, training, task management, and dashboards, ideal for budget-conscious organizations starting a security program.
Complete: Adds automated tools for ongoing security reviews, suitable for companies committed to periodic assessments.
Assisted: Provides a dedicated project team to implement and manage the security program, perfect for organizations needing rapid deployment or facing audits.
These plans are customizable to align with compliance requirements (e.g., HIPAA, SOC, CMMC/NIST 800-171) and strategic goals, bridging development, security, and business functions to manage risk effectively.
Benefits for the Insurance Industry
Proactive Vulnerability Identification: Penetration testing uncovers weaknesses in internal and external networks, as well as applications.
Compliance Support: Tailored programs ensure adherence to industry standards, reducing regulatory risks post-breach.
Cost-Effective Security: The platform’s economical approach allows insurance firms to build robust defenses without excessive costs.
By partnering with Crux Security, companies can strengthen their resilience against sophisticated social engineering attacks and maintain operational continuity.
Let’s Wrap This Web Up
Scattered Spider’s pivot to the insurance industry represents a significant and evolving threat, leveraging advanced social engineering to exploit human and technical vulnerabilities. The attacks on Aflac and Erie Insurance underscore the potential for data breaches, operational disruptions, and financial losses.
By adopting robust identity management, employee training, secure help desk practices, and advanced monitoring, organizations can significantly reduce their risk.
Crux Security provides a powerful ally in this fight, offering tailored cybersecurity solutions that address the specific challenges posed by Scattered Spider. From penetration testing to automated tools and comprehensive security programs, Crux Security empowers insurance firms to proactively defend against these sophisticated threats, ensuring the protection of sensitive data and customer trust in an increasingly perilous cyber landscape.
References:
CyberScoop article on Scattered Spider pivot to insurance industry
BleepingComputer article on Aflac breach amidst Scattered Spider attacks
Erie Insurance press release on network outage
Aflac press release on cybersecurity incident
Erie Insurance SEC filing on incident
Aflac SEC filing on cybersecurity incident