
What is Scattered Spider?

"Scattered Spider, also known as Octo Tempest or Muddled Libra, is an advanced cybercrime group. Although they are known for ransomware attacks where they encrypt data and demand ransoms, they are increasingly operating as initial access brokers. That involves penetrating organisations and then selling or passing access to corporate networks to other threat actors. This method underlines the increasingly complex cybercrime ecosystem. Groups exchange their expertise and services through forums and platforms, and therefore increasingly work together."

Your Scattered Spider Update shows that the group has cunning tactics. How do these criminals operate?

"They are true psychology experts and use social engineering to deceive people. Through e-mail phishing and now also voice phishing, they obtain passwords and multi-factor authentication codes. But before they attack, they do extensive reconnaissance. They map out employees, IT service providers and their roles within an organisation in detail."

"This exploration goes much further than drawing up professional profiles. They also dive into personal lives to gather as much information as possible for abuse. They then pretend to be, for example, an employee of a company who calls the helpdesk with an acute request to reset their password or multi-factor authentication (MFA). They know better than anyone how to gain trust and put pressure on someone to share sensitive information. The extensive preparation makes their social engineering tactics effective and difficult to detect."

Scattered Spider Update

Dillon Ashmore investigates the methods of cybercriminals. Who are they? And what are their tactics and patterns? In doing so, he helps colleagues and customers with adequate defence. He contributed to the recently published Scattered Spider Update of Fox-IT/NCC Group. After publication, the Association's Centre for Combating Insurance Crime (CBV) immediately shared the update with all members of the i-CERT Community.

The Google Threat Intelligence Group recently issued a warning after multiple incidents at U.S. insurers that resemble Scattered Spider activity. Why is the insurance sector now the target?

"They work in a very focused way. Previously, retailers were targeted. And now they are attacking airlines and insurers. The reason for aviation is simple. It is high season, and that means a high workload, for the helpdesk among others. Insurers are interesting because they store large amounts of personal data. In addition, the adoption of cloud services and AI is increasing. And there is often a complex IT landscape with different IT suppliers. That combination makes insurers attractive."

Ashmore continues: "And the fact that this group consists of English speakers who are based in Western countries does not alter the fact that Dutch insurers do not have to worry. With AI, a Dutch email is written in no time. They also do not shy away from the use of deepfakes based on recordings of, for example, board members. Developments are moving at lightning speed and they are making good use of it. Where it initially took a few days to penetrate a company, it now sometimes takes less than 24 hours."

What should security specialists at insurers pay attention to?

"Evaluate the authentication and access policies. What is the policy? And is that enough? Pay close attention to users with special rights such as admins and helpdesk employees. Invest in dynamic conditional access policies with multiple layers of security. For example, we recently saw that Scattered Spider calls a helpdesk employee and pretends to be a colleague. Through social engineering, they convince the helpdesk to reset a password or resend an MFA code. In such a case, it is important to implement a two-person rule where the helpdesk employee calls the colleague in question. Or use an extra verification via a team manager. That's more work. But if you don't do it, it can lead to a successful ransomware attack."
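One way to encode the callback and two-person rule described above as a helpdesk decision check, as an added example that is not part of the interview or of Fox-IT/NCC Group's own tooling; the directory entries, phone numbers, account names and field names are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed directory of record (example data, not real people). Phone numbers
# and managers come from the HR/identity directory, never from the caller.
DIRECTORY = {
    "j.devries": {"phone": "+31-20-555-0101", "manager": "m.jansen", "privileged": False},
    "a.bakker":  {"phone": "+31-20-555-0102", "manager": "m.jansen", "privileged": True},
    "m.jansen":  {"phone": "+31-20-555-0103", "manager": "c.visser", "privileged": False},
}

@dataclass
class ResetRequest:
    account: str                  # account the caller asks to reset (password or MFA)
    caller_phone: str             # number the caller is speaking from; not trusted
    callback_number: str          # number the helpdesk agent actually dialled back
    callback_confirmed: bool      # person reached on callback confirmed the request
    approver: Optional[str] = None  # second person who approved (privileged accounts)

def evaluate_reset(req: ResetRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). The agent must call the colleague back on the
    directory number of record, and privileged accounts (admins, helpdesk staff)
    additionally need approval from the account's manager of record."""
    entry = DIRECTORY.get(req.account)
    if entry is None:
        return False, "unknown account"
    # The callback must go to the number of record, not a number the caller supplied.
    if req.callback_number != entry["phone"]:
        return False, "callback not made to directory number of record"
    if not req.callback_confirmed:
        return False, "employee did not confirm the request on callback"
    if entry["privileged"]:
        if req.approver is None:
            return False, "privileged account requires a second approver"
        # Self-approval is implicitly rejected: the manager is never the account itself.
        if req.approver != entry["manager"]:
            return False, "approver is not the account's manager of record"
    return True, "approved"
```

A ticketing system would record the reason string with the reset so that callbacks to non-directory numbers show up in later review.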

Finally, you state that all employees are responsible for keeping cybercriminals out. How can companies raise awareness internally?

"Because cybercriminals' tactics change so quickly, an explanation or warning during onboarding is not enough. Organize regular awareness training for all employees. The threat of today is not the same as that of 6 months or a year from now. Explain what social engineering is, how information is misused, and how employees may be affected by it. And yes, everyone can contribute to keeping the digital environment safe. From board member and sales manager to helpdesk employee. By understanding social engineering and recognising attacks, you strengthen the defence together."