
Threat actors linked to Scattered Spider and UNC3944 have shifted focus to U.S. insurance companies, deploying social engineering, ransomware, and SIM-swapping tactics to compromise sensitive data. Recent incidents, including breaches at New Era Life Insurance and Change Healthcare, highlight the sector’s vulnerability to financially motivated attacks [1], [3]. This article examines the technical methodologies, mitigation strategies, and implications for security teams.
Attack Tactics and Observed Incidents
Scattered Spider’s 2025 campaign against U.S. insurers leveraged help desk impersonation and ransomware, targeting personally identifiable information (PII) and financial records for extortion [1]. Parallel activity by UNC3944 (affiliated with RansomHub) involved similar tactics, including credential theft via phishing and lateral movement through compromised vendor networks [2]. The New Era Life Insurance breach exposed 335,506 individuals’ protected health information (PHI), including Social Security numbers and medical diagnoses, due to unpatched vulnerabilities in third-party software [3].
Technical Analysis of Threat Actor Tradecraft
Key techniques observed in these campaigns include:
- SIM Swapping: Attackers bypass multi-factor authentication (MFA) by social engineering telecom providers to port victim phone numbers.
- Ransomware Deployment: BlackCat/AlphV and LockBit variants were used to encrypt systems, with ransom demands averaging $4.3 million per incident [4].
- Supply Chain Compromise: Exploitation of SolarWinds-style vulnerabilities in insurance software vendors led to downstream breaches [5].
Mitigation Strategies for Security Teams
To counter these threats, organizations should prioritize:
- Zero Trust Architecture: Enforce strict access controls and continuous authentication for sensitive systems.
- Vendor Risk Management: Audit third-party vendors for compliance with NIST SP 800-171 standards.
- AI-Driven Anomaly Detection: Deploy machine learning models to identify unusual help desk ticket patterns or abnormal data exfiltration.
Relevance to Security Professionals
For threat hunters, indicators of compromise (IoCs) include:
Tactic | Indicator | Detection Logic (pseudo-query)
---|---|---
Help Desk Impersonation | Unusual password reset requests from non-corporate IPs | `title: "Password Reset" AND src_ip NOT IN corporate_ips`
Ransomware Execution | Mass file renames to .encrypted extension | `file_rename: *.encrypted AND process: "vssadmin.exe"`
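The two detection rows above, implemented as an added example (not from the original article or any vendor product) over constructed help desk and file-system events; the corporate IP ranges, event field names, and the rename threshold of 50 are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Assumed corporate address space; real deployments load this from asset inventory.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.50.0/24")]

# Constructed help desk ticket events (not real telemetry).
HELPDESK_EVENTS = [
    {"title": "Password Reset", "user": "jdoe",   "src_ip": "10.20.3.7"},
    {"title": "Password Reset", "user": "ceo",    "src_ip": "203.0.113.44"},
    {"title": "Laptop Request", "user": "asmith", "src_ip": "198.51.100.9"},
    {"title": "Password Reset", "user": "cfo",    "src_ip": "203.0.113.45"},
]

# Constructed file-rename events: a burst of .encrypted renames by vssadmin.exe
# (the page's indicator) plus one benign rename by explorer.exe.
FILE_EVENTS = [
    {"event": "file_rename", "path": f"C:\\Finance\\q{i}.xlsx.encrypted",
     "process": "vssadmin.exe"} for i in range(120)
] + [
    {"event": "file_rename", "path": "C:\\Users\\bob\\notes.txt",
     "process": "explorer.exe"},
]


def is_corporate(ip: str) -> bool:
    """True if ip falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def suspicious_password_resets(events):
    """Row 1: password reset tickets whose source IP is outside corporate ranges."""
    return [e for e in events
            if e["title"] == "Password Reset" and not is_corporate(e["src_ip"])]


def ransomware_rename_burst(events, ext=".encrypted", threshold=50):
    """Row 2: processes renaming at least `threshold` files to `ext`.

    Counting per process turns the single-event rule into a 'mass rename'
    detection; the result maps offending process name -> rename count.
    """
    counts = Counter(e["process"] for e in events
                     if e["event"] == "file_rename"
                     and e["path"].lower().endswith(ext))
    return {proc: n for proc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in suspicious_password_resets(HELPDESK_EVENTS):
        print("ALERT help-desk impersonation:", hit["user"], hit["src_ip"])
    for proc, n in ransomware_rename_burst(FILE_EVENTS).items():
        print(f"ALERT ransomware rename burst: {proc} renamed {n} files")
```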
Conclusion
The insurance sector’s concentration of sensitive data makes it a high-value target for cybercriminals. Proactive measures, including threat intelligence sharing and adoption of AI-enhanced security tools, are critical to mitigating these risks. Future attacks may exploit emerging vectors like deepfake-based social engineering, necessitating ongoing vigilance.
References
1. “Google warns Scattered Spider hackers now target US insurance companies,” BleepingComputer, Jun. 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies
2. “Google warns UK retailer hackers now targeting US,” SecurityWeek, May 2025. [Online]. Available: https://www.securityweek.com/google-warns-uk-retailer-hackers-now-targeting-us
3. “New Era Life Insurance companies data breach,” HIPAA Journal, 2025. [Online]. Available: https://www.hipaajournal.com/new-era-life-insurance-companies-data-breach
4. “Hackers target Change Healthcare,” MHA Online, 2024. [Online]. Available: https://www.mhaonline.com/blog/hackers-target-change-healthcare
5. “Insurance: The cybercriminals’ target of choice,” Ricoh USA. [Online]. Available: https://www.ricoh-usa.com/en/insights/articles/insurance-the-cybercriminals-target-of-choice