Best of 2025: Scattered Spider Targets Aflac, Other Insurance Companies
2025-12-22 14:00:56 Author: securityboulevard.com

Fresh off a series of recent attacks targeting major retail companies in the United States and the UK, the notorious Scattered Spider cybercrime group is now targeting insurance companies, and earlier this month apparently bagged a high-profile victim in Aflac.

The intrusion in Aflac, which was detected June 12 when the insurance company’s security team identified suspicious activity on its network in the United States, was stopped within hours and there was no ransomware found in its systems, the company said in a public statement and a filing with the U.S. Securities and Exchange Commission (SEC) eight days later.

“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” the company said in its statement. “This was part of a cybercrime campaign against the insurance industry.”

John Hultquist, chief analyst at Google’s Threat Intelligence Group, wrote in a statement to news organizations June 16 that the unit knew of “multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

Aflac Not the Only Insurance Victim

At least two other insurance companies in the United States – Philadelphia Insurance Companies and Erie Insurance, also of Pennsylvania – earlier this month announced cyber incidents that disrupted services. Though they didn’t attribute the attacks – June 7 for Erie and June 9 for Philadelphia Insurance – to Scattered Spider, both said in public statements and SEC filings that they detected unusual network activity and responded by shutting down the networks.

“The network shutdown broadly impacted all Company systems, including email, phone, and online applications,” Philadelphia Insurance wrote in a FAQ page. “The network shutdown was necessary to contain the threat and protect Company systems and data. We are still conducting a comprehensive forensic investigation.”

In Aflac’s case, the Georgia-based company said it remained operational and that ransomware wasn’t involved in the incident. The threat actor used social engineering tactics to gain access to Aflac’s network, company executives wrote, adding that it appears some information was stolen.

The company won’t know how much data was taken or how many people were affected until a fuller investigation is completed, but the files stolen contain such information as claims data, health information, Social Security numbers, and other personal information that relate to customers, beneficiaries, employees, agents, and others in Aflac’s U.S. business.

A Shift by the Gang From Retailers

This comes a month after U.S. and UK retailers were attacked by Scattered Spider, a threat group that has been around since 2022 and has a reputation of attacking companies in one industry before moving on to a new one. Among the victims in England were Marks & Spencer, the Co-Op, and Harrods. In late May, lingerie retailer Victoria’s Secret said it was the victim of a “security incident” that forced it to shut down its U.S. website.

Other high-profile Scattered Spider targets over the past three years include U.S. cloud communications company Twilio in 2022 and MGM and Caesars Entertainment gaming operations a year later. Despite the arrest in 2024 of seven people believed to be part of Scattered Spider – which also is known as UNC3944, Star Fraud, and Octo Tempest and is thought to be part of a larger hacking group known as The Com or The Community – the bad actor continues its aggressive strategy, according to threat analysts with security firm Silent Push.

Additional companies targeted this year include Chick-fil-A, HubSpot, Forbes, X (formerly Twitter) and T-Mobile, the Silent Push analysts wrote in a report in April.

A Busy 2025 is Underway

“Silent Push has determined the evolving threat Scattered Spider is still actively hunting for victims,” they wrote, adding that the vendor has identified the group’s infrastructure and tactics, techniques, and procedures (TTPs) and developed ways to protect against it. “Changes to deployments and phishing kits in early 2025, however, suggest Scattered Spider is turning the page on some past decisions.”

These changes include a new version of the Spectre RAT (remote access trojan), used to gain persistent access to compromised systems, and a boomerang pattern of domain ownership passing back and forth between the threat actor and X.

Regarding the attack on Aflac, both Kumar Saurabh, founder and CEO of managed detection and response company AirMDR, and Ted Miracco, CEO of cybersecurity firm Approov, commended the insurance company’s quick response to the threat when it was detected. Miracco called the response and transparency “both commendable and somewhat atypical.”

Social Engineering and Agentic AI

“The use of social engineering to gain network access is part of a growing trend we’re seeing across the insurance and broader financial services sector,” he said. “These attacks are often aided by agentic AI, as attackers are targeting the human element, at scale, to bypass perimeter defenses and exfiltrate sensitive data such as health records and social security numbers. This reinforces the urgent need for a layered security approach. … As cybercriminals evolve their tactics, companies will adopt dynamic defenses that protect both infrastructure and the entire app-to-API ecosystem. Aflac’s case should be a wake-up call to revisit how we defend customer data.”

Keep an Eye on Scattered Spider

Google Threat Intelligence Group’s Hultquist wrote that the growing conflict in the Middle East is drawing a lot of attention to the cyber capabilities of Iran. However, the threat of Scattered Spider should not be overlooked.

“The anticipated threat of Iranian cyber capability to US organizations has been the focus of many discussions lately, but these actors are already targeting critical infrastructure,” he wrote. “We expect more high-profile incidents in the near term as they move from sector to sector.”

Article source: https://securityboulevard.com/2025/12/scattered-spider-targets-aflac-other-insurance-companies-2/