
The cybercriminal group Scattered Spider has shifted its focus, redirecting its malicious efforts from the retail sector to the insurance industry. Analysts at Google have issued a warning, urging companies within this domain to remain exceptionally vigilant. Previously, Scattered Spider gained notoriety for orchestrating breaches against major retail chains across the United States and the United Kingdom, including a high-profile attack on Marks & Spencer.
Now, the group has turned its attention to American insurance firms. According to John Hultquist, head of Google’s Threat Intelligence team, multiple intrusions into insurance networks have been detected, bearing the unmistakable hallmarks of Scattered Spider’s operations. He noted that the group tends to concentrate its campaigns on one sector at a time and cautioned that upcoming attacks are likely to involve sophisticated social engineering techniques—particularly those targeting help desks and call centers.
Before pivoting to the insurance industry, Scattered Spider carried out a series of assaults on retailers, which included attempts to deploy the DragonForce malware. In all observed cases, the attacks were initiated through fraudulent support calls that enabled the attackers to gain footholds within corporate environments.
In response to this escalation, Google experts have revised their defensive guidance. Organizations are now advised to implement stringent identity verification protocols for inbound calls, adopt video-based verification or structured challenge questions, and deploy phishing-resistant multi-factor authentication, preferably using purpose-built security applications.
While Google has yet to disclose the names of new confirmed victims, the insurance sector is already witnessing unsettling developments. For the past two weeks, persistent disruptions have plagued the networks of Erie Insurance and Philadelphia Insurance Companies, though a direct connection between these incidents and Scattered Spider remains unconfirmed.
Erie Insurance—ranked among the largest property and auto insurers in the United States—experienced a network outage affecting all systems on June 8. In a June 11 report filed with the Securities and Exchange Commission, its managing company, Erie Indemnity, revealed that signs of unauthorized activity were first detected on June 7 and were later classified as a “cybersecurity incident.” The company is collaborating with law enforcement and conducting a thorough technical investigation supported by external experts.
In its most recent update, Erie stated that restoration efforts for customer, agent, and employee access are underway around the clock, and described progress as “steady and confident.” Nonetheless, the company acknowledged the complexity of the recovery process and the time it may take.
A similar scenario has unfolded at Philadelphia Insurance Companies (PHLY), where suspicious network activity was identified on June 9. The IT team promptly shut down systems to contain the threat and launched an investigation. Unauthorized access was confirmed, and the company engaged external specialists while notifying law enforcement agencies.
On June 13, parent company Tokio Marine North America confirmed the breach had affected several of its subsidiaries, including PHLY, Tokio Marine America Insurance, and First Insurance Company of Hawaii. An official statement affirmed that investigations are ongoing to determine the nature and extent of the incident.
Though the full impact of these attacks remains uncertain, Google’s advisory underscores a stark reality: the insurance industry has become the latest target of one of the most aggressive and resourceful cybercriminal organizations of recent years.