The insurance industry should be on high alert: a notorious cybercrime group seems to have turned its attention to insurers.
Recent cyberattacks targeting Erie Insurance, Philadelphia Insurance Companies, and most recently Aflac, suggest an emerging trend. According to Google’s Threat Intelligence Group, the decentralized hacking collective known as Scattered Spider has shifted its focus from retail businesses to insurance companies.
“Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry,” John Hultquist, chief analyst at Google’s Mandiant, posted to X. “They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers.”
In recent months, Scattered Spider — in collaboration with the ransomware-as-a-service group DragonForce — had been targeting the retail sector across the U.S. and U.K., wreaking havoc on companies such as United Natural Foods (a supplier to Whole Foods), Marks & Spencer, Co-op, Adidas, The North Face, Cartier, Victoria’s Secret, and others.
Since Hultquist first reported the group’s shift in industry focus, the U.S. has carried out airstrikes against Iran — raising concerns that retaliation could come in the form of cyberattacks. Despite the heightened threat from Iranian actors, Hultquist admitted that the “threat I lose sleep over is Scattered Spider.”
“They are already taking food off shelves and freezing businesses. The Iranian hackers may not even have Internet access, but these kids are in play right now,” he posted.
Keith Wojcieszek, global head of threat intelligence at Kroll, told Insurance Journal that he recently learned of a case where an insurer fell victim to a phishing attack, granting hackers access to the company’s IT systems. Once inside, the attackers leveraged the information they obtained to map the organization’s hierarchy and conduct targeted social engineering campaigns.
Much like the retail sector, insurers hold vast amounts of highly valuable personally identifiable information and financial data, which they store, process, and sometimes monetize. Additionally, insurers possess detailed information on policyholders, which, according to Wojcieszek, could be exploited to identify future targets.
“These attacks may be about money but there could also be a two-prong approach,” he said, explaining that insurers now gather a lot of information on companies in order to insure them. “The network security of each company—[insurers] are so detailed on the cybersecurity each company has. What a wealth of knowledge to have to know how to attack the next company or industry, or develop tools to go in and attack.”
On a positive note, Wojcieszek observed that cyber insurance policies have evolved into service-oriented agreements, with many insurers maintaining close partnerships with the cybersecurity vendors included in their cyber insurance offerings.
“The good news is (the insurance industry) understand what they need to do and how to address this because they’re doing it every day,” he said. Nonetheless, Wojcieszek recommended updating employee training programs to better defend against potential phishing attacks and social engineering tactics.