
3 key takeaways from the Scattered Spider attacks on insurance firms


Scattered Spider continues to dominate the headlines, with the latest news linking the group to attacks on U.S. insurance giant Aflac, Philadelphia Insurance Companies, and Erie Insurance, each disclosed through SEC Form 8-K filings that indicate theft of sensitive customer data and operational disruption.

This comes at the same time that Google Threat Intelligence Group shared that it “is now aware of multiple intrusions in the U.S. which bear the hallmarks of Scattered Spider activity”, specifically impacting the insurance industry.

But what exactly does this mean? To answer this, let’s quickly recap how we got here and what a Scattered Spider attack looks like.

How did we get here?

The criminal collective tracked by analysts as Scattered Spider has been active since 2022 and has been linked to a range of high-profile breaches, for example the attacks on Caesars and MGM Resorts in 2023, and Transport for London in 2024.

Caesars: hackers impersonated an IT user and convinced an outsourced help desk to reset credentials, after which the attacker stole the customer loyalty program database and secured a $15m ransom payment.

MGM Resorts: hackers used LinkedIn information to impersonate an employee and reset the employee’s credentials, resulting in a 6TB data theft. After MGM refused to pay, the attack eventually resulted in a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m.

Transport for London: the attack resulted in 5,000 users’ bank details being exposed, 30,000 staff being required to attend in-person appointments to verify their identities and reset passwords, and significant disruption to online services lasting for months.

The calling card in these attacks was the abuse of help desk processes to reset passwords and/or the MFA factors used to access an account.

The attacker simply calls the help desk with enough personal information to impersonate an employee, asks the agent to send an MFA enrollment link for a "new mobile device", enrolls a device the attacker controls, and can then use self-service password reset functionality to take full control of the account. No exploit is involved: once the help desk has re-enrolled the attacker's device, the MFA factor itself has been replaced, so the remaining controls treat the attacker as the legitimate user. Scarily simple.
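The sequence above (a fresh MFA method registered, then a self-service password reset shortly afterwards, from a source the user has never signed in from) is one a security operations team can correlate directly in identity audit logs. The following is an added illustration, not code from the article or from any vendor: it runs a simple correlation over constructed sample events in an assumed, simplified schema (the field names `ts`, `user`, `action`, `ip` and the action values are assumptions, not any product's real log format) and flags users whose new MFA registration is followed by a self-service reset within a configurable window, noting whether the IP involved was previously unseen for that account.

```python
"""
Added example: correlate identity audit events to flag the help-desk
MFA re-enrollment pattern: a new MFA method registered for a user,
followed shortly by a self-service password reset, with a check on
whether the source IP had ever been used by that user before.

The event schema below is a constructed, simplified one (field names
are assumptions), not the format of any real identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). j.doe shows the attack
# pattern; a.smith shows a benign re-enrollment days before a reset.
SAMPLE_EVENTS = [
    {"ts": "2025-06-20T09:02:11Z", "user": "j.doe", "action": "SignIn", "ip": "203.0.113.10"},
    {"ts": "2025-06-20T09:40:03Z", "user": "j.doe", "action": "MfaMethodRegistered", "ip": "198.51.100.7"},
    {"ts": "2025-06-20T09:52:30Z", "user": "j.doe", "action": "SelfServicePasswordReset", "ip": "198.51.100.7"},
    {"ts": "2025-06-20T10:01:45Z", "user": "j.doe", "action": "SignIn", "ip": "198.51.100.7"},
    {"ts": "2025-06-19T08:10:00Z", "user": "a.smith", "action": "SignIn", "ip": "203.0.113.22"},
    {"ts": "2025-06-20T11:15:00Z", "user": "a.smith", "action": "MfaMethodRegistered", "ip": "203.0.113.22"},
    {"ts": "2025-06-21T08:30:00Z", "user": "a.smith", "action": "SignIn", "ip": "203.0.113.22"},
    {"ts": "2025-06-22T14:00:00Z", "user": "a.smith", "action": "SelfServicePasswordReset", "ip": "203.0.113.22"},
]


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_resets(events, window=timedelta(hours=24)):
    """
    Return one finding per (user, MFA registration) where a self-service
    password reset follows the registration within `window`.

    Each finding records whether the registration came from an IP that the
    user had not signed in from before that moment ("new_ip"), which is the
    strongest signal that the enrolled device is not the employee's own.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        known_ips = set()  # IPs seen in successful sign-ins so far
        for index, event in enumerate(user_events):
            if event["action"] == "MfaMethodRegistered":
                registered_at = parse_ts(event["ts"])
                for later in user_events[index + 1:]:
                    later_at = parse_ts(later["ts"])
                    if later_at - registered_at > window:
                        break  # events are sorted; nothing later qualifies
                    if later["action"] == "SelfServicePasswordReset":
                        findings.append({
                            "user": user,
                            "registered_at": event["ts"],
                            "reset_at": later["ts"],
                            "ip": event["ip"],
                            "new_ip": event["ip"] not in known_ips,
                            "minutes_between": int((later_at - registered_at).total_seconds() // 60),
                        })
                        break
            elif event["action"] == "SignIn":
                known_ips.add(event["ip"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        severity = "HIGH" if finding["new_ip"] else "MEDIUM"
        print(f"[{severity}] {finding['user']}: MFA registered {finding['registered_at']} "
              f"from {finding['ip']} (new IP: {finding['new_ip']}), "
              f"password reset {finding['minutes_between']} min later")
```

In a real deployment the window and the baseline of "known" IPs would come from the identity provider's sign-in history rather than from the same batch of events, and the alert should be enriched with the help desk ticket that authorised the re-enrollment: a registration with no corresponding, identity-verified ticket is the case worth paging on.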
