
Scattered Spider has moved from retail to insurance

Cyber-crime crew Scattered Spider has broken into US insurance companies following a series of ransomware attacks against American and British retailers, according to Google, which urged the sector to be on “high alert.”

The warning follows multiple disclosures from insurance companies about digital break-ins and system outages disrupting customer access.

“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” chief analyst John Hultquist said in a statement emailed to The Register.

“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes, which target their help desks and call centers,” Hultquist added.

Hultquist did not immediately respond to questions about Scattered Spider’s most recent victims. We will update this story as we learn more about the insurance industry attacks.

Before apparently turning its attention to insurers, however, the loosely knit crime crawlers carried out several digital intrusions and attempted intrusions against retailers in the UK and the US. Most of Scattered Spider’s attacks begin with social-engineering phone calls to the victim’s help desk, in which the criminals impersonate employees to get passwords reset or multi-factor authentication re-enrolled; the crew deployed DragonForce ransomware in several of the recent break-ins.

Following the retail cyberattacks, Google issued hardening guidance on how organizations can protect against Scattered Spider’s social engineering and ransomware attacks. Among other recommendations, the Chocolate Factory’s security researchers say companies should train their help desks to positively identify callers – for instance, by verifying them on camera or with challenge-and-response questions – and should move to phishing-resistant multi-factor authentication. Note that one-time codes from an authenticator app and push approvals are not phishing-resistant, since a convincing caller can talk a user into reading out a code or approving a prompt; FIDO2 security keys and passkeys are, because the credential is bound to the legitimate site and cannot be relayed over the phone.

Multiple insurers’ networks still down

Google’s warning comes as Erie Insurance and Philadelphia Insurance Companies’ network outages enter week two, although The Register has not confirmed that these outages are related to Scattered Spider’s activities.

Erie Insurance, which purports to be the 12th largest home and auto insurer in the US, first reported a “network outage that is affecting all systems” on June 8. 

In a June 11 SEC filing, Erie Indemnity, which manages the insurance company, told federal regulators that it first spotted “unusual network activity” on June 7, and later determined this to be “the result of an information security event.”

The biz said it is working with law enforcement and taking action to safeguard its systems. “The Company continues to take protective measures, and is conducting forensic analysis with the assistance of leading third-party cybersecurity experts to gain a full understanding of this event,” the Form 8-K disclosed.

In its most recent incident update, Erie Insurance said it continues “making strong and steady progress.”

“Our teams — working alongside leading cybersecurity experts — continue working around the clock to restore access for customers, agents and employees,” it said. “We’re confident in our actions, but this work is complex and takes time.”

Meanwhile, Philadelphia Insurance Companies (PHLY) also experienced a network outage that shut down its phones, email systems, and online applications around the same time.

“Late on June 9, our IT Team received an alert regarding suspicious activity on our network,” according to a notice posted on the PHLY website. 

“We subsequently determined there was unauthorized access to our systems,” the alert continued. “In response, we proactively disconnected affected systems to contain the threat. A forensic investigation is ongoing and we have notified law enforcement.”

On June 13, Tokio Marine North America, which owns Philadelphia Insurance Companies, Tokio Marine America Insurance Company, and First Insurance Company of Hawaii, released a similar statement confirming suspicious network activity and unauthorized access to its systems.

“Since then, we have notified law enforcement and have been conducting a forensic investigation with a team of external experts to determine the nature and scope of the incident,” the company said. “That investigation is ongoing.” ®
