Scattered Spider Pivots to Insurance Sector: Aflac Breach Signals New Wave of Attacks


The notorious cybercrime group has shifted focus from retail to insurance companies, with sophisticated social engineering campaigns targeting the sector's valuable trove of personal data


Executive Summary

In a concerning escalation of cyber threats against critical industries, the sophisticated cybercrime group known as Scattered Spider has pivoted from targeting retail companies to launching a coordinated campaign against the U.S. insurance sector. The group's latest high-profile victim, insurance giant Aflac, disclosed a breach on June 20, 2025, that potentially compromised Social Security numbers, health information, and claims data belonging to millions of customers.

The attacks on Aflac, Erie Insurance, and Philadelphia Insurance Companies—all occurring within a five-day period in June 2025—represent a systematic targeting of the insurance industry by actors bearing the hallmarks of Scattered Spider activity, according to Google Threat Intelligence Group.

The Aflac Breach: A Wake-Up Call for the Industry

According to a filing with the U.S. Securities and Exchange Commission (SEC), Aflac identified unauthorized access to its network on June 12, 2025. Upon initiating its cybersecurity incident response protocols, Aflac "believes that it contained the intrusion within hours," and "the company's business remains operational, and its systems were not affected by ransomware."

According to its Friday press release, Aflac said the hackers used social engineering tactics to break into its network. The attack potentially exposed names, claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, and employees.

While an Aflac spokesperson couldn't attribute the breach to a specific cybercrime group, the breach exhibits all the signs of a Scattered Spider attack. The insurance company, which serves approximately 50 million customers, represents the largest victim to date in this campaign against the insurance sector.

The Broader Campaign: A Pattern of Systematic Targeting

The largely decentralized hacking group known as Scattered Spider has pivoted from retailers to insurance companies, according to Google Threat Intelligence Group, which is now aware of multiple intrusions in the US that bear all the hallmarks of Scattered Spider activity.

The timing and methodology of recent insurance company breaches suggest a coordinated campaign:

  • Erie Insurance (June 7, 2025): Network outages and business disruption
  • Philadelphia Insurance Companies (June 10, 2025): Subsidiary of Tokio Marine Holdings experienced similar disruptions
  • Aflac (June 12, 2025): Data theft with no ransomware deployment

Scattered Spider targets one sector at a time in waves of attacks. It previously struck retailers, including alleged involvement in attacks against Dior, Harrods, the Co-Op Group, and Marks & Spencer.

Understanding Scattered Spider: Masters of Human Manipulation

Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a group of threat actors known for their sophisticated social engineering attacks against high-profile organizations worldwide, with tactics that include phishing, SIM swapping, and multi-factor authentication (MFA) bombing.

Key Characteristics:

Demographics and Operations: The group primarily consists of young individuals (ages 19-22 as of September 2023) operating from the US and UK. SOSIntelligence researchers identified a distinctive characteristic of this threat actor: they appear to be native English speakers with strong ties to Western countries. This cultural fluency makes their phone-based attacks and impersonation schemes alarmingly effective when targeting corporate help desks and support personnel.

Primary Attack Methods: The group primarily leverages phishing frameworks like Evilginx and social engineering methods like vishing to gain initial access into organizations. 70% of Scattered Spider's targets belong to technology, finance, and retail trade sectors, making them especially vulnerable to credential theft and ransomware attacks.

"These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the FBI said in a post on X. "These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts."

Sophisticated Tactics and Evolution

To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim's Slack, Microsoft Teams, and Microsoft Exchange online for emails or conversations regarding the threat actor's intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.

Over the last year, we have seen relatively significant changes in their deployment decisions and phishing kits. There has been a shift in preferred hosting providers, the underlying code of the phishing kits has changed, and several other changes have enabled our team to develop strong fingerprints against them.

Why Insurance Companies Are Prime Targets

The insurance sector presents particularly attractive targets for cybercriminals like Scattered Spider for several compelling reasons:

Massive Data Repositories

The scope of personally identifiable information and sensitive data processed by insurers puts the industry at increased risk of social engineering and ransomware. Insurance companies collect vast amounts of personal and financial information, making them prime targets for cybercriminals seeking to exploit this data.

Financial Vulnerability

Like the retail sector, insurers hold a huge amount of valuable personally identifiable information and financial data that cybercriminals can store, use, and sell. According to Nozomi, cybercriminals investigate companies' cyber insurance policies so they can tailor their ransom demands to the coverage.

Business Criticality

Business disruption through cyber incidents is also a major problem for insurance companies, which need to react quickly to fulfill their contracts and maintain the trust of their clients.

Industry Experts Sound the Alarm

Cybersecurity professionals are expressing serious concern about this shift in Scattered Spider's targeting:

"If Scattered Spider is targeting your industry, get help immediately," said Cynthia Kaiser, who until last month was deputy assistant director of the FBI's Cyber Division and oversaw FBI teams investigating the hackers. "They can execute their full attacks in hours. Most other ransomware groups take days."

While concerns about Iranian cyber capabilities are in the news because of the Israel-Iran war, "the threat I lose sleep over is Scattered Spider," said John Hultquist, chief analyst at Google's Threat Intelligence Group. "They are already taking food off shelves and freezing businesses. The Iranian hackers may not even have Internet access, but these kids are in play right now."

"Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry," John Hultquist, chief analyst at Google's Mandiant, posted to X. "They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers."

The effectiveness of social engineering attacks, Scattered Spider's primary weapon, is backed by alarming statistics:

More than half of the data breaches in 2020-2021 were due to cyber criminals exploiting the human element. According to Verizon's "Data Breach Investigations Report", the human element is the common root cause of 68% of data breaches.

The average organization is targeted by over 700 social engineering attacks a year. Proofpoint reported that 83% of the targeted users fell victim to phishing attacks in 2022.

Defense Strategies: Protecting Against Sophisticated Social Engineering

Given the human-centric nature of Scattered Spider's attacks, organizations must implement comprehensive defenses that address both technical and human vulnerabilities:

Technical Controls

The FBI and CISA recommend that organizations implement mitigations to reduce the risk of compromise by Scattered Spider threat actors. The mitigations include:

  • Implementing application controls
  • Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA
  • Strictly limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services

Identity Verification Protocols

"We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), resetting passwords, adding devices to MFA solutions, or providing employee information (e.g., employee IDs) that could be used for subsequent social engineering attacks," Mandiant's Charles Carmakal said.

Employee Training and Culture

Cybersecurity training can help limit damage from cybercrime, particularly social engineering attacks, which are a primary concern for most organizations. Most data breaches involve human error.

A positive cyberculture is one in which personnel consistently value, use, and appropriately protect organizational information and resources. Cultivating such a culture requires deliberate effort, but organizations can take several steps to embed cybersecurity awareness into their everyday operations and mindset.

Network Segmentation and Monitoring

Organizations defending against this type of threat actor should start with gaining complete visibility across the entire infrastructure, identity systems, and critical management services. GTIG recommends segregating identities and using strong authentication criteria along with rigorous identity controls for password resets and MFA registration.
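The help desk abuse the FBI and Mandiant describe above (an agent adds a phone number or MFA device to an account, after which the attacker performs a self-service password reset and signs in) leaves a recognizable sequence in identity-provider audit logs. The following detection logic is an added example, not code from the article or from any of the vendors it quotes; the event field names and the sample events are constructed and do not correspond to a specific IdP's schema.

```python
"""Flag accounts where a help-desk/admin credential change is followed, within
a short window, by the account itself resetting its password or signing in."""
from datetime import datetime, timedelta

# Constructed sample audit events (illustrative field names, not real logs).
EVENTS = [
    {"ts": "2025-06-12T09:01:00", "actor": "helpdesk.agent1", "target": "j.doe",
     "action": "mfa.factor.add", "detail": "phone:+1-555-0100"},
    {"ts": "2025-06-12T09:04:00", "actor": "j.doe", "target": "j.doe",
     "action": "password.reset.self_service", "detail": "verified via new phone"},
    {"ts": "2025-06-12T09:06:00", "actor": "j.doe", "target": "j.doe",
     "action": "session.start", "detail": "new device, new network"},
    # Benign: help-desk enrollment with no follow-on activity in the window.
    {"ts": "2025-06-12T10:30:00", "actor": "helpdesk.agent2", "target": "a.smith",
     "action": "mfa.factor.add", "detail": "authenticator_app"},
    {"ts": "2025-06-13T08:00:00", "actor": "a.smith", "target": "a.smith",
     "action": "session.start", "detail": "known device"},
]

WINDOW = timedelta(minutes=30)
# Privileged changes a help desk can make on someone else's account.
ADMIN_ACTIONS = {"mfa.factor.add", "phone.number.add", "password.reset.admin"}
# Actions the (possibly hijacked) account takes afterwards.
FOLLOW_ON = {"password.reset.self_service", "session.start"}


def find_helpdesk_takeover_chains(events, window=WINDOW):
    """Return (target, admin_actor, admin_ts, follow_on_actions) tuples for every
    admin-initiated credential change on an account that is followed within
    `window` by the account itself resetting its password or starting a session."""
    by_target = {}
    for e in events:
        by_target.setdefault(e["target"], []).append(e)
    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for i, e in enumerate(evs):
            # Only changes made by someone other than the account owner count.
            if e["action"] not in ADMIN_ACTIONS or e["actor"] == target:
                continue
            t0 = datetime.fromisoformat(e["ts"])
            follow = [f["action"] for f in evs[i + 1:]
                      if f["actor"] == target and f["action"] in FOLLOW_ON
                      and datetime.fromisoformat(f["ts"]) - t0 <= window]
            if follow:
                alerts.append((target, e["actor"], e["ts"], follow))
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_takeover_chains(EVENTS):
        print("REVIEW help-desk change followed by account activity:", alert)
```

Tune the window to your own help desk's normal enrollment-to-first-login delay, and treat a hit as a prompt for out-of-band verification with the employee rather than as proof of compromise.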

Looking Ahead: The Future of the Insurance Cyber Threat Landscape

Munich Re expects the global cyber insurance market to reach USD 16.3bn in 2025. However, the cost of premiums has risen significantly, nearly doubling between 2019 and 2022, largely due to the increasing threat from ransomware.

Since Hultquist's first post on the cybercrime group's change in industry focus, the U.S. has bombed Iran—raising some concern that retaliation could include cyberattacks. Even with the increased cyber threat from Iran, Hultquist said the "threat I lose sleep over is Scattered Spider."

The Scattered Spider campaign against insurance companies represents a troubling evolution in cybercrime, demonstrating how sophisticated threat actors systematically target entire industries with sector-specific knowledge and tactics. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert.

Recommendations for Insurance Organizations

  1. Immediate Action Items:
    • Review and strengthen help desk verification procedures
    • Implement phishing-resistant MFA (FIDO2/WebAuthn)
    • Conduct emergency security awareness training focused on social engineering
    • Review and test incident response procedures
  2. Medium-term Initiatives:
    • Develop comprehensive identity governance programs
    • Implement zero-trust architecture principles
    • Enhance monitoring for unusual authentication activities
    • Regular penetration testing and red team exercises
  3. Long-term Strategic Investments:
    • Build mature cybersecurity culture across the organization
    • Invest in advanced threat detection and response capabilities
    • Develop strategic partnerships with cybersecurity vendors
    • Consider cyber insurance as part of comprehensive risk management

As Scattered Spider continues to demonstrate its ability to rapidly adapt and target new sectors, the insurance industry must recognize that its valuable data repositories and critical business functions make it a prime target. The time for proactive defense is now—before the next wave of attacks claims more victims in this vital sector of the economy.


This analysis is based on current threat intelligence and should be supplemented with organization-specific risk assessments and expert cybersecurity guidance.


By Breached Company