Insurance Under Siege: Untangling the Web of Scattered Spider Attacks

Written by Consortium | Jul 3, 2025 3:52:14 PM

Executive Summary

Scattered Spider is not your average cyber threat. Fluent in English and skilled in social engineering, this loosely connected group of U.S. and U.K.-based cybercriminals has been behind some of the most high-profile breaches in recent years, including recent attacks on major insurance providers such as Aflac and Erie. On June 12, 2025, Aflac detected a breach that potentially exposed personal and health information, while Erie Insurance disclosed a similar incident just five days earlier. Google’s Threat Intelligence Group has since warned of an industry-wide pivot from other sectors to insurance. After previously targeting industries such as telecommunications and entertainment, the group appears to be deliberately zeroing in on insurance providers because of the rich troves of sensitive data they hold and the potential for high-impact extortion. Their tactics are bold, personal, and alarmingly effective, from impersonating IT staff to bypassing MFA through SIM swapping and fatigue attacks. As this group shifts focus from retail to insurance, organizations across the globe must reassess their defenses. In this article, we'll expose Scattered Spider: who they are, how they launch their attacks, and the essential steps you can take to stay one step ahead.

Cyber Threat Summary

Scattered Spider isn’t your typical cyber threat. They speak perfect English, know your IT team’s weak spots, and have already taken down major brands. Are your defenses ready for them?

Scattered Spider is a cybercriminal group known to target large companies, especially those specializing in domains such as customer relationship management (CRM) and business process outsourcing (BPO), for financial gain since early 2022. Also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, the group typically engages in data theft for extortion and has been known to use ransomware to lock users out of their accounts and devices.

The group is believed to have been founded in the summer of 2022 as a loosely connected group of English-speaking young adults from the USA and the UK. Analysts at cybersecurity firm Recorded Future describe Scattered Spider as more of a catch-all collective than a centralized crew of financially motivated cybercriminals, hence the “scattered” in the name. What really sets them apart, and makes them especially dangerous, is how much more effective they are at phishing and “call desk” attacks compared to Russian or other non-English-speaking groups. The difference? When an American gets a phone call or text from someone with a native English accent, or receives a message that sounds right, they’re simply more likely to trust it. That’s a hurdle Russian groups struggle with. But while Scattered Spider’s U.S. roots give them an edge in social engineering, they also make the group more vulnerable to law enforcement in ways overseas actors aren’t.

Recently, the group has been making headlines for attacking insurance companies. On June 12, 2025, insurance giant American Family Life Assurance Company of Columbus (Aflac) detected that its systems had been breached. Although the intrusion was contained within hours, there is a chance that personal and health information was stolen. Earlier that month, Erie Insurance, a property and casualty insurance company, disclosed being the victim of a cyberattack on June 7, 2025. Shortly after, researchers from Google’s Threat Intelligence Group released a warning about attackers pivoting from the retail to the insurance sector while showing hallmarks of Scattered Spider. This report analyzes specific activity observed during these attacks, the TTPs attributed to the group, and recommendations for safeguarding your environment from this recognized cyber group.

Figure 1: Countries and industries targeted/of interest. Countries include the United States, Canada, Germany, United Kingdom, Thailand, Brazil, France, India, Italy, Singapore and Switzerland.

Attack Patterns & Key Signatures

Figure 2: Scattered Spider’s attack lifecycle

Cybercriminal groups often follow a similar approach across their attacks. These recurring approaches, also called attack signatures, are identified from key factors such as the group’s capabilities, the malicious tooling it owns, its timing, and its probability of success. After an attack takes place, it is studied to derive attack patterns, researched for early detection, and finally incorporated into tooling that responds when certain detections fire. Doing so helps attribute attackers, reveals new developments in their tradecraft, and enables collaboration with other organizations to strengthen cybersecurity defenses. Scattered Spider’s attack pattern can be explained in the following steps.

Establish Foothold

They would use sophisticated social engineering techniques to gain initial access to the systems. In this step, they would attempt to obtain employee credentials by acting as a legitimate member of the organization, usually someone from the Helpdesk or IT department. They have also been known to contact employees and direct them to run commercial remote access tools on their devices.

Authentication Bypass & Privilege Escalation

After successfully obtaining credentials, they log in and move laterally within the environment. If the accounts are MFA-enabled, they ask employees for their one-time code via SMS messages or phone calls. Another tactic is MFA fatigue: sending a stream of login attempts, and therefore push prompts, to induce the victim to tap the accept button. They have gone as far as contacting and convincing cellular carriers to transfer control of the victim’s phone number to a SIM card in their possession, thus bypassing MFA codes delivered by SMS or voice call. After a successful compromise, they use these credentials to escalate privileges; higher access allows them to perform actions with wider impact and carry out more damaging attacks.

Persistence and Lateral Movement

After gaining access, remote access tools are installed on the victim’s device. These allow the attackers to maintain a presence in the environment and perform lateral movement, moving through the organization’s resources before deploying ransomware. A successful ransomware deployment locks users out of their accounts, allowing the attackers to extort money.

Figure 3: Scattered Spider’s Tactics, Techniques and Procedures (TTPs)

Mitigations & Reporting

To neutralize threats from Scattered Spider to your ecosystem, the following set of mitigations is recommended.

  • Customers should check with their software manufacturers whether they follow secure-by-design and secure-by-default principles during development. Such approaches can drastically limit the impact of ransomware, as stringent practices are applied to the software throughout its lifecycle.
  • Apply application controls for managing and executing applications in your environment. Placing such controls, especially on remote access programs, will limit attackers from installing and executing malicious programs on your devices.
  • Keep track of all your enterprise assets and software programs. If unused software programs, such as unused remote access programs, are found, disable and remove them from your systems. Additionally, perform yearly internal control audits to maintain your security posture.
  • Look for signs of remote access to your device, such as moving cursors, unexpected changes in the local environment, or security program alerts that have detected remote access. In case of abnormality, review logs to check for abnormal program usage and remote access software execution.
  • To limit external remote access, use authorized remote access solutions that are restrictive to the internal network. Additionally, block inbound and outbound connections on commonly used remote access programs and ports and protocols at the network perimeter.
  • Use phishing-resistant Multi-Factor Authentication (MFA) combinations, such as FIDO/WebAuthn authentication, Public Key Infrastructure (PKI)-based MFA, or hardware security keys. These combinations are also highly resistant to Scattered Spider’s signature attacks like SIM swapping and push bombing.
  • Follow an effective recovery and backup plan by storing multiple copies of crucial data in secure environments and performing weekly or monthly backups. Such practices are highly beneficial during disruptions.
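The MFA fatigue tactic described in the attack pattern above (a burst of push prompts that ends with the victim accepting one) leaves a recognizable trace in identity-provider authentication logs, and reviewing those logs is one of the checks the mitigations call for. The Python below is an added example, not code from the article or from Consortium; the `timestamp user factor result` log format, the sample events and the thresholds are constructed assumptions and would need adjusting to a real IdP's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP log ('timestamp user factor result'): alice is
# bombarded with push prompts and finally approves one; bob is normal use.
SAMPLE_LOG = """\
2025-06-12T02:14:01Z alice push denied
2025-06-12T02:14:20Z alice push denied
2025-06-12T02:14:41Z alice push timeout
2025-06-12T02:15:02Z alice push denied
2025-06-12T02:15:30Z alice push approved
2025-06-12T09:01:10Z bob push approved
2025-06-12T13:45:00Z bob push denied
2025-06-12T13:46:12Z bob push approved
"""

def parse_events(text):
    """Turn log lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, factor, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "factor": factor, "result": result})
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """One alert per user whose densest run of push prompts inside `window`
    reaches min_prompts (thresholds are assumptions, tune to your IdP). An
    'approved' burst is the signature of a fatigue attack that succeeded."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["factor"] == "push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        best, start = [], 0
        for end in range(len(evs)):  # sliding window over this user's prompts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= min_prompts:
            alerts.append({"user": user, "prompts": len(best),
                           "approved": best[-1]["result"] == "approved",
                           "first": best[0]["ts"], "last": best[-1]["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(a["user"], a["prompts"], "push prompts, approved:", a["approved"])
```

An alert whose burst ended in an approval is the case to treat as a likely compromised session and revoke tokens for, rather than merely a noisy user.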

Solutions that Matter

Consortium has a dedicated CrowdStrike Center of Excellence which is available to all of our customers. Our team can provide the following complimentary exercises to further mitigate the threats listed above:

  • To address the general mitigations above, conduct a CrowdStrike Falcon Encounter or Proof of Value for Endpoint, Cloud, Identity, or NG-SIEM.
  • To mitigate threats regarding application controls, conduct an Airlock Proof of Value.
  • To implement conditional MFA, conduct an Identity Security Risk Review with Identity Threat Protection powered by CrowdStrike.
  • To highlight applications, identity vulnerabilities, and identity assets in Exposure Management, conduct an External Attack Surface Assessment.
  • To prevent cloud resources and infrastructure from being leveraged by threat actors, conduct a Cloud Security Proof of Value for identifying Indicators of Misconfigurations and/or runtime detections using the power of the Falcon Sensor on Cloud Workloads.
  • To highlight sensitive PII data within Cloud infrastructure that may be exposed, conduct a Cloud Security Proof of Value that includes Data Security Posture Management (DSPM) powered by CrowdStrike.
  • To protect SaaS applications such as Microsoft Office 365, conduct a Falcon Shield (SaaS) Security Risk Review powered by CrowdStrike which will identify vulnerabilities and TTPs throughout the entire attack chain.

Contact Us

If you have questions, concerns, or just want to discuss this further, please let us know. We’re here to help. Reach out to us through the method that works best for you, and our team will be happy to assist.

About Consortium

Consortium is the cybersecurity industry’s Next Generation Value-Added Reseller (NGVAR). As a trusted advisor and product reseller, Consortium helps organizations align business objectives, risk priorities, and cybersecurity investments. Powered by its proprietary Metrics That Matter® platform, Consortium delivers data-driven insights and strategic guidance to reduce cyber risk and drive measurable outcomes. Learn more at consortium.net.
