HC3: Scattered Spider hits healthcare with social engineering

Scattered Spider cyberthreat actors leverage legitimate tools and social engineering tactics to target healthcare, HC3 warned.

The HHS Health Sector Cybersecurity Coordination Center issued an alert about Scattered Spider cyberthreat actors, who have targeted healthcare and other sectors with financially motivated cyberattacks. The group is known for using sophisticated social engineering techniques to target victims.

Specifically, Scattered Spider cyberthreat actors have been observed using AI to spoof the voices of victims and obtain initial access to victim organizations.

The HHS Health Sector Cybersecurity Coordination Center (HC3) referenced an April 2024 alert regarding social engineering attacks targeting IT help desks in healthcare. These attacks involved cyberthreat actors calling IT help desks and correctly answering security questions by using stolen information. In HC3's latest alert, it stated that while these attacks were not linked to a specific threat actor, the tactics overlapped with those of Scattered Spider.

HC3 noted that Scattered Spider is comprised of English-speaking individuals from the U.S. and United Kingdom, largely between the ages of 19 and 22. The group has been active since 2022 and has graduated from targeting customer relationship management and business process outsourcing firms to entities in the gaming, retail, manufacturing, hospitality and financial sectors.

"More recently, the group has expanded its operations to cloud environments," HC3 stated. "During campaigns, Scattered Spider has leveraged targeted social engineering techniques, attempted to bypass popular endpoint security tools, and has deployed ransomware for financial gain."

In addition to social engineering attacks, Scattered Spider has also used remote monitoring tools and information stealers during its campaigns, and has deployed notorious ransomware such as ALPHV/BlackCat. In the second quarter of 2024, experts observed Scattered Spider adding RansomHub and Qilin to its arsenal, HC3 noted.

Both RansomHub and Qilin have a reputation for targeting healthcare. Qilin claimed responsibility for a cyberattack against National Health Service supplier Synnovis in the United Kingdom, and RansomHub claimed a cyberattack against Planned Parenthood of Montana in August 2024.

HC3 pointed healthcare defenders to mitigation recommendations from the FBI and Cybersecurity and Infrastructure Security Agency, including implementing application controls and limiting the use of remote desktop protocol.

"While Scattered Spider is comprised of young individuals, they have successfully executed high-profile breaches largely due to their advanced social engineering capabilities. Despite this, the group appears to have poor operational security, as multiple key members have been arrested," HC3 stated.

"Nonetheless, the group continues to conduct successful attacks while evolving its [tactics, techniques and procedures] to evade detection in victim environments. HC3 assesses with moderate confidence that the group will likely continue to target various industries, including healthcare, for financial gain."

Ransomware and cyberthreat activity generally is on the rise in healthcare, according to an October 2024 report from Microsoft. The report stated that ransomware attacks in healthcare have surged by 300% since 2015. Microsoft researchers credited ransomware-as-a-service with lowering the barriers to entry for hackers and making it easier to target victims.

Microsoft pointed to the healthcare sector's thin margins, broad attack surface, legacy systems and inconsistent security protocols as factors that make it a target for cyberthreat actors. What's more, social engineering tactics have become more advanced, with threat actors increasingly using real names and legitimate services to trick unsuspecting victims.

As healthcare continues to be aggressively targeted, defending against common schemes like phishing and the exploitation of known vulnerabilities will prove crucial to preventing cyberattacks.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
