
Top 3 Threat Actors Targeting the Insurance Industry in 2026


The insurance industry continues to face sustained attacks from threat actors that disrupt operations and expose sensitive data. Incidents affecting major insurers such as Allianz Life, Erie Insurance, and Philadelphia Insurance highlight how attractive insurers are to both financially motivated and politically aligned threat actors.

While the scale and impact of these incidents varied, a consistent pattern emerged. Attackers are increasingly targeting identity systems, cloud platforms, and trusted third-party services rather than relying solely on traditional malware. Given the concentration of personal, financial and health data insurers manage, this approach is unlikely to change.

To better understand the threats facing the industry, Specops researchers analyzed recent campaigns to identify the actors involved, their tactics, techniques, and procedures (TTPs), and how these operations intersect with insurance organizations. Our team identified three threat actors whose activity best reflects the risks facing the insurance industry today.

Scattered Lapsus$ Hunters threat profile

Scattered Lapsus$ Hunters is a financially motivated cybercriminal alliance linked to individuals associated with Scattered Spider, Lapsus$, and ShinyHunters. Throughout 2025, our threat intelligence team observed this group targeting large Western enterprises, including insurers, with a strong emphasis on English-language social engineering and cloud-native data theft.

Scattered Lapsus$ Hunters is unusual among extortion groups in how openly it operates within underground ecosystems. The group maintains an active presence on Telegram and cybercrime forums. In September 2025, it also launched a dedicated data leak site to support extortion operations. This site has been used to publish data stolen from multiple victims, including organizations affected by the Salesforce supply-chain attack.

Scattered Lapsus$ Hunters’ TTPs

Scattered Lapsus$ Hunters relies heavily on identity abuse rather than malware delivery. Initial access is typically gained through voice phishing, with operators impersonating IT or service desk staff. These interactions are designed to convince employees to reset credentials, enroll new multi-factor authentication methods, or approve malicious application access.

Once access is obtained, the group focuses on persistence and expansion inside Software-as-a-Service (SaaS) environments using living-off-the-land techniques, that is, the platforms' own administrative features rather than implanted tooling. This often means creating additional cloud and domain accounts to maintain access.

In 2025, a defining tactic was the theft and abuse of OAuth and refresh tokens via third-party integrations. By compromising trusted applications, the group was able to use legitimate APIs to quietly access and exfiltrate data from email, SharePoint, code repositories, and cloud file stores. In many cases, stolen data was held for weeks or months before extortion demands were made, complicating efforts to assess the full scope of compromise.
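The chain described above (a help-desk password reset, a newly enrolled MFA method, then consent to a third-party application whose tokens keep working after the password changes) is easier to catch as one ordered sequence than as three unrelated alerts. The block below is an added example written for this page, not Specops' code or any vendor's detection rule. It runs that sequence check over a handful of constructed audit events; the event names (password_reset_by_admin, mfa_method_added, oauth_consent_granted), the extra fields, the scope names and the accounts are assumptions to be mapped onto your identity provider's real event types.

```python
"""Flag the help-desk reset -> new MFA method -> risky OAuth consent chain.

Added example, not Specops' code. Event names, fields and SAMPLE_EVENTS are
constructed to resemble a simplified identity-provider audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    action: str
    extra: dict = field(default_factory=dict)


# Ordered chain of actions that, together, indicate help-desk social
# engineering turning into a durable SaaS foothold. Order matters: a consent
# grant followed weeks later by a reset is ordinary activity.
CHAIN = ("password_reset_by_admin", "mfa_method_added", "oauth_consent_granted")

# Scopes that yield long-lived tokens (assumed names). Consent to these is
# what lets data access continue after the password has been rotated.
LONG_LIVED_SCOPES = {"offline_access", "refresh_token"}


def _is_risky_consent(ev: AuditEvent) -> bool:
    scopes = {s.strip().lower() for s in ev.extra.get("scopes", "").split(",")}
    return bool(scopes & LONG_LIVED_SCOPES)


def find_identity_abuse_chains(events, window=timedelta(hours=24)):
    """Return one alert per (user, reset) whose later events complete CHAIN
    inside `window`, ending in a consent that requests a long-lived scope."""
    by_user: dict[str, list[AuditEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start.action != CHAIN[0]:
                continue
            stage, matched = 1, [start]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break
                if ev.action != CHAIN[stage]:
                    continue
                if stage == len(CHAIN) - 1 and not _is_risky_consent(ev):
                    continue  # benign, short-lived consent: keep looking
                matched.append(ev)
                stage += 1
                if stage == len(CHAIN):
                    alerts.append({
                        "user": user,
                        "reset_by": start.extra.get("actor"),
                        "app": ev.extra.get("app"),
                        "minutes_to_consent": int((ev.ts - start.ts).total_seconds() // 60),
                        "events": matched,
                    })
                    break
    return alerts


T0 = datetime(2025, 6, 3, 9, 0)  # constructed timestamps
SAMPLE_EVENTS = [
    # Ordinary: a user enrols a new authenticator with no preceding reset.
    AuditEvent(T0, "dana@example.com", "mfa_method_added", {"method": "authenticator_app"}),
    # Suspicious: help-desk reset, SMS factor added minutes later, then consent
    # to a bulk-export style app requesting offline_access.
    AuditEvent(T0 + timedelta(minutes=5), "alex@example.com", "password_reset_by_admin", {"actor": "helpdesk01"}),
    AuditEvent(T0 + timedelta(minutes=12), "alex@example.com", "mfa_method_added", {"method": "sms"}),
    AuditEvent(T0 + timedelta(hours=3), "alex@example.com", "oauth_consent_granted",
               {"app": "Bulk Data Loader", "scopes": "offline_access,api"}),
    # Reset plus consent, but only to a short-lived read scope: not alerted.
    AuditEvent(T0 + timedelta(hours=1), "sam@example.com", "password_reset_by_admin", {"actor": "helpdesk02"}),
    AuditEvent(T0 + timedelta(hours=2), "sam@example.com", "mfa_method_added", {"method": "authenticator_app"}),
    AuditEvent(T0 + timedelta(hours=4), "sam@example.com", "oauth_consent_granted",
               {"app": "Calendar Sync", "scopes": "calendars.read"}),
    # Full chain, but the consent lands outside the 24-hour window: not alerted.
    AuditEvent(T0 + timedelta(days=1, hours=1), "kim@example.com", "password_reset_by_admin", {"actor": "helpdesk01"}),
    AuditEvent(T0 + timedelta(days=1, hours=2), "kim@example.com", "mfa_method_added", {"method": "sms"}),
    AuditEvent(T0 + timedelta(days=2, hours=3), "kim@example.com", "oauth_consent_granted",
               {"app": "Bulk Data Loader", "scopes": "offline_access"}),
]

if __name__ == "__main__":
    for a in find_identity_abuse_chains(SAMPLE_EVENTS):
        print(f"{a['user']}: reset by {a['reset_by']}, consent to {a['app']!r} "
              f"{a['minutes_to_consent']} min later")
```

The long-lived-scope filter is what keeps this from firing on every calendar plugin a user installs after a routine reset; the 24-hour window is a tunable, and widening it trades noise for coverage of slower operators. When the rule fires, the response has to include revoking the application's consent and tokens, since rotating the password alone leaves an already-issued refresh token usable.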

Notable Scattered Lapsus$ Hunters activity against the insurance industry

In the first half of 2025, Scattered Lapsus$ Hunters conducted a large-scale third-party compromise via Salesforce. Operators impersonated IT support staff and persuaded employees to authorize a malicious version of Salesforce Data Loader.

Once approved, the application provided broad access to Salesforce environments, enabling large-scale data extraction. Insurance organizations affected included Allianz and Aflac. In several cases, extortion attempts did not begin until months after initial access.

Cl0p threat profile

Cl0p is a financially motivated threat group of Russian origin active since at least 2016. Initially linked to activity tracked as TA505 and FIN11, Cl0p began with large-scale malware campaigns before entering the ransomware ecosystem in 2019.

Over time, the group shifted away from broad ransomware deployment toward a data-theft-first extortion model. By 2025, Cl0p had established itself as one of the most impactful extortion groups globally, largely due to its systematic exploitation of zero-day vulnerabilities in widely used enterprise software and supply-chain platforms.

Cl0p’s TTPs

Cl0p typically gains initial access by exploiting vulnerabilities in public-facing enterprise applications rather than targeting users directly. Our threat intelligence team has repeatedly observed the group focusing on managed file transfer platforms and widely deployed business software.

Once inside, Cl0p moves quickly to locate and exfiltrate sensitive data. The group prioritizes credential access, privilege escalation, and persistence within Windows environments, relying on built-in administrative tooling to reduce the chance of detection.

Persistence mechanisms include account manipulation, service creation, scheduled tasks, and registry modification. Cl0p demonstrates a strong ability to remove indicators of compromise and maintain access long enough to support large-scale data theft.
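The persistence mechanisms listed above each leave a standard Windows event, which makes them a practical triage signal when they cluster on one host. The block below is an added example written for this page, not Specops' tooling: it groups constructed Security/System log records by host and flags hosts where several distinct persistence categories appear within a short window, recording a cleared audit log (event 1102) as the indicator-removal step. Event IDs 4720, 4728, 4732, 4698, 4657, 7045 and 1102 are the standard Windows IDs; the host names, account names, paths and timestamps are constructed.

```python
"""Triage Windows event records for layered persistence.

Added example, not Specops' code. Event IDs are the standard Windows
Security/System IDs; everything in SAMPLE_RECORDS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID -> persistence category it evidences (Security log unless noted).
PERSISTENCE_EVENTS = {
    4720: "account_manipulation",   # a user account was created
    4728: "account_manipulation",   # member added to a security-enabled global group
    4732: "account_manipulation",   # member added to a security-enabled local group
    7045: "service_creation",       # a service was installed (System log)
    4698: "scheduled_task",         # a scheduled task was created
    4657: "registry_modification",  # a registry value was modified (object auditing required)
}
LOG_CLEARED = 1102  # the audit log was cleared: indicator removal, not persistence


def triage_persistence(records, window=timedelta(hours=2), min_categories=2):
    """Return one finding per host where at least `min_categories` distinct
    persistence categories occur within `window` of each other.

    One scheduled task or one new service is routine; several categories in a
    short span, followed by a cleared log, is the pattern worth a ticket."""
    per_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        per_host[r["host"]].append(r)

    findings = []
    for host, recs in per_host.items():
        for i, anchor in enumerate(recs):
            if anchor["event_id"] not in PERSISTENCE_EVENTS:
                continue
            first_seen = {}  # category -> first record inside this window
            cleared = False
            for r in recs[i:]:
                if r["ts"] - anchor["ts"] > window:
                    break
                eid = r["event_id"]
                if eid in PERSISTENCE_EVENTS:
                    first_seen.setdefault(PERSISTENCE_EVENTS[eid], r)
                elif eid == LOG_CLEARED:
                    cleared = True
            if len(first_seen) >= min_categories:
                findings.append({
                    "host": host,
                    "window_start": anchor["ts"],
                    "categories": sorted(first_seen),
                    "evidence": [f"{r['event_id']}: {r['detail']}" for r in first_seen.values()],
                    "log_cleared": cleared,
                })
                break  # one finding per host is enough for triage
    return findings


T0 = datetime(2025, 8, 14, 2, 0)  # constructed timestamps
SAMPLE_RECORDS = [
    # Routine: a lone backup task on a workstation.
    {"ts": T0, "host": "WS-HR-07", "event_id": 4698,
     "detail": "task \\Backup\\NightlySync created by j.doe"},
    # Layered persistence on a file server minutes apart, then the log is cleared.
    {"ts": T0 + timedelta(minutes=10), "host": "FILESRV-01", "event_id": 4720,
     "detail": "account svc_backup2 created by FILESRV-01$"},
    {"ts": T0 + timedelta(minutes=12), "host": "FILESRV-01", "event_id": 4732,
     "detail": "svc_backup2 added to Administrators"},
    {"ts": T0 + timedelta(minutes=25), "host": "FILESRV-01", "event_id": 7045,
     "detail": "service WinSvcHlpr installed, path C:\\ProgramData\\hlpr\\svc.exe"},
    {"ts": T0 + timedelta(minutes=31), "host": "FILESRV-01", "event_id": 4698,
     "detail": "task \\Microsoft\\Windows\\Upd\\Chk created by svc_backup2"},
    {"ts": T0 + timedelta(minutes=40), "host": "FILESRV-01", "event_id": 1102,
     "detail": "Security log cleared by svc_backup2"},
    # Two categories on an app server, but five hours apart: not correlated.
    {"ts": T0 + timedelta(hours=1), "host": "APP-02", "event_id": 7045,
     "detail": "service VendorAgent installed by installer"},
    {"ts": T0 + timedelta(hours=6), "host": "APP-02", "event_id": 4657,
     "detail": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent value set"},
]

if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_RECORDS):
        flag = " (log cleared)" if f["log_cleared"] else ""
        print(f"{f['host']}: {', '.join(f['categories'])}{flag}")
        for line in f["evidence"]:
            print("   ", line)
```

Two auditing caveats: 4698 is only logged when "Other Object Access Events" auditing is enabled, and 4657 needs a SACL on the key in question, so on a default policy the registry category will be silent and the scoring threshold should be set with that in mind. Event 7045 lives in the System log rather than Security, so the records fed in must come from both.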

A defining feature of Cl0p’s operations is its preference for data theft over encryption. In many campaigns, no ransomware payload is deployed. Instead, stolen data is used directly for extortion, avoiding immediate operational disruption that might accelerate incident response.

Notable Cl0p activity against the insurance industry

Cl0p has become notorious for exploiting zero-day vulnerabilities in enterprise file transfer platforms including Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo products. These campaigns affected thousands of organizations across financial services and insurance.

In 2025, Cl0p was observed extending this approach to Oracle E-Business Suite. For insurers, this represents a high-impact threat not because of opportunistic targeting, but because of shared reliance on complex enterprise platforms. A single vulnerable system can expose large volumes of policyholder and claims data, triggering regulatory, legal, and reputational consequences.

NoName057(16) threat profile

NoName057(16) is a pro-Russian hacktivist group that emerged in the context of the Russia-Ukraine conflict. It primarily conducts Distributed Denial-of-Service (DDoS) attacks against government agencies, financial institutions, media organizations, and critical infrastructure in Ukraine and in countries that support it.

While technically less sophisticated than the financially motivated groups above, NoName057(16) matters because of its collaborative model. Through its DDoSia project, which distributes a DDoS client to volunteers, and partnerships with other hacktivist collectives, the group amplifies attack volume and impact.

NoName057(16)’s TTPs

NoName057(16) relies on relatively simple DDoS techniques, including network floods and service exhaustion attacks. Infrastructure is acquired through botnets, rented servers, and domain registrations. Operations are coordinated through online platforms and social channels.

Notable NoName057(16) activity against the insurance industry

NoName057(16) has claimed responsibility for attacks against both government institutions and private organizations across Europe and the United States. In one case, the group attacked the websites of numerous banks in Sweden. In 2023, it also took credit for DDoS attacks against several Danish financial-sector organizations.

Although these attacks typically do not result in data theft, they can cause significant service disruption. For insurance organizations, this can impact customer portals, claims processing, and public-facing services during politically sensitive periods.


How threat actors commonly target the insurance industry

Despite differences in motivation and capability, our team observed threat actors using similar tactics when targeting the insurance industry.

  • Identity reconnaissance and profiling: Attackers conducted extensive pre-attack reconnaissance using public sources, leaked data, and social media to profile organizations and employees.
  • Social engineering and impersonation: Voice phishing and impersonation of trusted internal roles remained central, even in technically driven campaigns.
  • Abuse of valid accounts and trusted relationships: Rather than deploying custom malware, attackers increasingly relied on compromised credentials, cloud identities, and trusted application permissions.
  • Cloud and SaaS data access: Data was frequently exfiltrated directly from cloud platforms using legitimate interfaces and APIs.
  • Delayed extortion: Stolen data was often retained for extended periods before monetization, complicating detection and response.
  • Service disruption: DDoS attacks remained a recurring tactic, particularly in politically motivated campaigns.

How Specops can help

Continuously identify exposed and reused passwords: Stolen credentials frequently remain valid long after the initial compromise and may circulate for months before being used for extortion or follow-on access. The Breached Password Protection feature in Specops Password Policy continuously checks Active Directory passwords against a list of more than 5 billion known compromised passwords, so organizations can identify and remediate exposed credentials before they are abused.

Enforce stronger, realistic password policies: Many of the credentials observed by our threat analysts already met common enterprise complexity requirements. Solutions like Specops Password Policy allow organizations to enforce longer passphrases, block predictable password patterns, and prevent the use of known breached passwords, reducing the effectiveness of credential reuse and password spraying attacks.

Reduce reliance on static authentication controls: Threat actors increasingly bypass perimeter defenses by abusing valid credentials, OAuth tokens, and trusted SaaS integrations obtained through social engineering. Specops Secure Service Desk helps reduce this risk by enforcing identity verification during password resets, limiting attackers’ ability to manipulate help desk workflows and regain access using social engineering.

Improve visibility across identity workflows: Prolonged access was a recurring theme across multiple campaigns. Reducing this risk requires validating devices as well as identities to surface anomalous logins. Specops’ zero trust access solution, Specops Device Trust, binds users to trusted devices, limiting a threat actor’s ability to misuse legitimate credentials.

If you want to reduce identity and authentication risk across your organization, Specops can help with specialized identity security for insurers. Contact us to speak with a Specops expert or see how our solutions work with a demo.

Last updated on March 23, 2026

Written by

Lydia Atienza

Lydia is the Principal Threat Intelligence Researcher on the Threat Intelligence team. She focuses on researching threat actors and on identifying both the existent and the emerging trends in the cyber threats ecosystem to perform contextualized analysis aimed at helping in the decision-making process.
