Scattered Spider’s Web Expands
6–24–2025 (Tuesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, June 24, 2025, and I’m coming back online after a few days offline and off the grid, and boy did I seem to miss a bunch of news!
Scattered Spider’s Web Expands
We talked last week about the escalation between Iran and Israel, and that’s clearly continued to ratchet up, now with direct US involvement. Lots of discussion about the cyber implications there - obviously a leverage extender, and Iran has cyber capabilities that we’ve discussed here before.
But Iran isn’t what we’re talking about today, because we’re tracking the expanding web of the threat actor group known as Scattered Spider.
As a reminder, Scattered Spider is behind the retail attacks we’ve covered here in the past months, and now Google / Mandiant are noting that they’re pivoting away from retail and focusing on US-based insurance carriers.
Two insurers - Erie Indemnity Co. and Philadelphia Insurance Companies (which also includes Tokio Marine America and First Insurance Company of Hawaii) - are claiming that their ongoing outages are not ransomware.
As always, it’s hard to discern the truth from the outside in, but we’ve now got a third data point in a late Friday filing from a third insurer - Aflac.
In an interesting twist, Aflac seems to acknowledge that it’s ransomware at the other shops, too, noting in their statement that “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group.”
I would also argue that the notation as sophisticated isn't necessarily true - these threat actors come right down the middle: they phish for credentials, SIM-swap or push-notification-flood the victim for 2FA / VPN access, then recon the AD infrastructure, exfiltrate data, and drop the ransomware.
None of this is new - CISA published guidance on these exact TTPs as early as November 2023 (the advisory is linked below). Yet these attacks are still working.
Why?
People.
They're attacking your people, not your systems. Once they've defeated your human firewalls, they simply log in to those systems with the credentials and MFA approval they talked the victim out of.
Upskilling people is hard. Awareness campaigns are hard. The human element of security is always tricky, but you’ve got to run a multi-pronged effort here - training, testing, and technology - to keep them, and you, from being the next victim.
If you aren't training your people, start. If you aren't testing your people, start. If you are considering deploying phishing-resistant MFA, start.
There’s nothing to be gained in waiting. Read the articles, share them with leadership, then get back to work.
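On the "technology" prong, the push-notification flooding described above leaves a recognizable trace in MFA logs: a burst of push challenges to one user, several denials, then an approval. The detector below is an added example written for this post, not code from the episode or from any vendor; the log format, field names and sample events are constructed, so adapt the parser to whatever your identity provider actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): "timestamp user event source_ip".
# jdoe is bombarded at 2 a.m. and finally approves; asmith is an ordinary login.
SAMPLE_LOG = """\
2025-06-20T02:14:01Z jdoe push_sent 203.0.113.7
2025-06-20T02:14:03Z jdoe push_denied 203.0.113.7
2025-06-20T02:14:20Z jdoe push_sent 203.0.113.7
2025-06-20T02:14:25Z jdoe push_denied 203.0.113.7
2025-06-20T02:14:41Z jdoe push_sent 203.0.113.7
2025-06-20T02:14:49Z jdoe push_denied 203.0.113.7
2025-06-20T02:15:02Z jdoe push_sent 203.0.113.7
2025-06-20T02:15:30Z jdoe push_approved 203.0.113.7
2025-06-20T09:01:10Z asmith push_sent 198.51.100.4
2025-06-20T09:01:15Z asmith push_approved 198.51.100.4
"""

def parse_log(text):
    """Parse the whitespace-separated format above into (time, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def detect_push_fatigue(events, window_sec=300, max_pushes=3):
    """Flag users who got more than max_pushes push challenges in any window_sec
    sliding window; record denials and whether an approval followed a denial."""
    by_user = defaultdict(list)
    for ts, user, event, ip in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    window = timedelta(seconds=window_sec)
    for user, evs in by_user.items():
        pushes = [ts for ts, ev in evs if ev == "push_sent"]
        denials = [ts for ts, ev in evs if ev == "push_denied"]
        approvals = [ts for ts, ev in evs if ev == "push_approved"]
        for i, start in enumerate(pushes):
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) > max_pushes:
                findings[user] = {
                    "pushes_in_window": len(burst),
                    "denials": len(denials),
                    "approved_after_denial": any(a > d for a in approvals for d in denials),
                }
                break
    return findings
```

An "approved_after_denial" hit is the one to page on: it means the flood worked and the session that followed should be treated as attacker-controlled until proven otherwise.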
Fundraising
From a fundraising perspective this week, a very light week with just a few hundred million crossing my radar - perhaps due to a little vacation, perhaps the calm before the end-of-the-quarter storm, or perhaps everyone is heading into summer mode a touch early.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://cyberscoop.com/scattered-spider-pivot-insurance-industry/
https://www.healthcareinfosecurity.com/two-insurers-say-ongoing-outages-ransomware-based-a-28758
https://www.cnn.com/2025/06/20/tech/aflac-cyberattack
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a