Top 3 Threat Actors Targeting the Insurance Industry

Threat actors target the insurance industry for a simple reason: insurers sit on concentrated volumes of sensitive personal data, financial records, and in many cases health information, all of which are highly valuable for resale on dark markets. Claims systems, customer portals, broker platforms, and third-party service providers also present a complex attack surface that offers threat actors multiple paths into the business.

Attackers’ tactics have evolved, with recent incidents showing a clear shift away from malware delivery. Threat actors increasingly target identity systems, cloud platforms, and trusted third-party services. These attacks often involve compromised credentials, help desk manipulation, and abuse of legitimate Software-as-a-Service (SaaS) integrations.

Once inside, attackers exfiltrate data directly from cloud environments using legitimate interfaces and APIs, making activity harder to detect with traditional perimeter-focused controls. To better understand the threat landscape facing insurers, Outpost24’s threat intelligence team analyzed recent campaigns to identify the actors involved, the tactics they rely on, and the patterns that security teams should be prepared to defend against.

1. Scattered Lapsus$ Hunters

Scattered Lapsus$ Hunters is a financially motivated cybercriminal alliance linked to individuals associated with Scattered Spider, Lapsus$, and ShinyHunters. The group targets large Western enterprises, including insurers, using social engineering and cloud access abuse rather than traditional malware.

Key tactics:

  • Voice phishing and IT impersonation to manipulate credential resets and multi-factor authentication (MFA)
  • Abuse of valid cloud identities to access SaaS platforms
  • OAuth and refresh token theft via malicious or compromised third-party applications
  • API-based data extraction from platforms such as Salesforce, Microsoft 365, SharePoint, and cloud file repositories
  • Delayed extortion, where attackers hold stolen data for weeks or months before issuing demands

This approach is particularly dangerous for insurers because SaaS platforms often contain high-value data, including policyholder records, claims information, and broker communications. If attackers gain access through authorized application permissions, activity may appear legitimate until data exfiltration is detected.

Notable activity involving Scattered Lapsus$ Hunters

In the first half of 2025, Scattered Lapsus$ Hunters conducted a large-scale campaign targeting Salesforce environments. Notably, the group didn’t target endpoints or attack the network. Instead, they impersonated IT support staff and persuaded employees to authorize a malicious version of Salesforce Data Loader. Once connected, the application enabled broad access and large-scale data extraction.

The Salesforce campaign affected hundreds of organizations, including insurers like Allianz and Aflac. In several cases, extortion attempts began months after initial access, reinforcing the risk of long-dwell compromise and delayed monetization.

2. Cl0p

The Cl0p threat group is widely believed to operate out of Russia and has been active since at least 2016. Initially linked to activity tracked as TA505 and FIN11, the group started with large-scale malware distribution campaigns before moving into ransomware operations in 2019.

Over time, Cl0p shifted focus again, this time toward a data-theft-first extortion model. By 2025, it had established itself as one of the most impactful extortion groups globally, largely due to its systematic exploitation of vulnerabilities in widely used enterprise software and supply-chain platforms.

Key tactics:

  • Exploitation of zero-day and unpatched vulnerabilities in public-facing enterprise systems
  • Targeting of managed file transfer (MFT) platforms and business-critical applications
  • Rapid data discovery and exfiltration following initial access
  • Use of legitimate administrative tools to reduce detection
  • Extortion without encryption, relying on the threat of data publication

Notable activity involving Cl0p

Cl0p has become notorious for exploiting vulnerabilities in enterprise file transfer platforms, including Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo products. These campaigns affected thousands of organizations across financial services and insurance.

In 2025, Cl0p was observed extending this approach to Oracle E-Business Suite. For insurance organizations, the risk here is shared dependence on enterprise software. Widely used platforms that contain an exploitable vulnerability can expose significant volumes of policyholder and claims data. Insurers that suffer a breach in this way could face regulatory scrutiny, legal risk, and long-term damage to customer trust.

3. NoName057(16)

NoName057(16) is a pro-Russian hacktivist group operating within the context of the Russia-Ukraine conflict. The group primarily conducts Distributed Denial of Service (DDoS) attacks against government agencies, financial institutions, media outlets, and organizations in countries supporting Ukraine. They are also believed to be allied with Palestinian and Iranian hacktivist groups.

Key tactics:

  • Network flooding and service exhaustion attacks designed to overwhelm public-facing services
  • Use of botnets, rented infrastructure, and rapidly registered domains
  • Coordination through online platforms and social channels
  • Collaboration with other hacktivist groups to increase attack scale and persistence

Notable activity involving NoName057(16)

NoName057(16) has claimed responsibility for attacks across Europe and the United States. During the 2023 presidential election in the Czech Republic, the group launched DDoS attacks against the websites of presidential candidates General Petr Pavel and Tomáš Zima. Similar attacks targeting both government infrastructure and businesses in France, Germany, Denmark, the Netherlands, the UK and elsewhere have also been attributed to NoName057(16).

While these campaigns are typically not focused on data theft, they can cause significant disruption. For insurance organizations, this can impact customer portals, broker services, claims processing systems, and other critical online services, particularly during politically sensitive periods.
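The flooding pattern described above is easiest to recognise in the access logs of the portal being hit. The following is an added example, not Outpost24's code or anything from the group's tooling: a sliding-window detector over a constructed web access log that raises one alert per path when the request rate crosses a threshold, and classifies the burst as single-source (one IP dominating, which edge rate-limiting handles) or distributed (many sources, the botnet and rented-infrastructure case that needs upstream scrubbing). The log format, thresholds and IP ranges are assumptions chosen for illustration.

```python
"""Sliding-window HTTP flood detection over a constructed access log.

Added example. The log format ("<iso ts> <src_ip> <method> <path> <status>"),
the window, the threshold and the single-source share are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FloodAlert:
    ts: datetime
    path: str
    count: int             # requests to the path inside the window
    distinct_sources: int  # distinct client IPs inside the window
    top_source: str        # IP with the most requests in the window
    kind: str              # "single-source" or "distributed"


def constructed_log() -> list[str]:
    """Synthetic log: quiet baseline, a one-IP burst, then a many-IP flood."""
    base = datetime(2025, 1, 15, 12, 0, 0)
    lines: list[str] = []

    def add(sec: int, ip: str, path: str) -> None:
        lines.append(f"{(base + timedelta(seconds=sec)).isoformat()} {ip} GET {path} 200")

    for s in range(60):                       # baseline: 1 req/s, 20 sources
        add(s, f"10.0.0.{s % 20}", "/claims/status")
    for s in range(60, 65):                   # single-source burst: 20 req/s
        for _ in range(20):
            add(s, "203.0.113.7", "/portal/login")
    for n in range(300):                      # distributed flood: 30 req/s
        add(120 + n // 30, f"198.51.100.{n % 250}", "/portal/login")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str]:
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path


def detect_floods(lines: list[str], window: timedelta = timedelta(seconds=10),
                  threshold: int = 50, single_source_share: float = 0.5) -> list[FloodAlert]:
    """One alert per path each time its rate crosses `threshold` within `window`."""
    recent: dict[str, deque] = defaultdict(deque)   # path -> (ts, ip) in window
    alarmed: set[str] = set()                        # paths currently above threshold
    alerts: list[FloodAlert] = []
    for line in lines:                               # lines assumed time-ordered
        ts, ip, path = parse_line(line)
        q = recent[path]
        q.append((ts, ip))
        while ts - q[0][0] > window:                 # evict entries older than window
            q.popleft()
        count = len(q)
        if count < threshold // 2:                   # hysteresis: re-arm once rate falls
            alarmed.discard(path)
        if count >= threshold and path not in alarmed:
            alarmed.add(path)
            sources = Counter(src for _, src in q)
            top_ip, top_n = sources.most_common(1)[0]
            kind = "single-source" if top_n / count >= single_source_share else "distributed"
            alerts.append(FloodAlert(ts, path, count, len(sources), top_ip, kind))
    return alerts


if __name__ == "__main__":
    for a in detect_floods(constructed_log()):
        print(f"{a.ts.time()} {a.path} {a.kind}: {a.count} req from "
              f"{a.distinct_sources} sources (top {a.top_source})")
```

The hysteresis (re-arming only once the window count drops below half the threshold) is what keeps a sustained flood from producing an alert on every request; the distinct-source count is the field an operator actually needs, since it decides whether blocking one address or engaging a scrubbing provider is the right response.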

Reducing risk from threat actors targeting the insurance industry

To reduce exposure to these threat actors, insurance organizations should prioritize controls that limit initial access opportunities, strengthen identity verification, and improve visibility across cloud and third-party environments. Here are seven actions insurers can take to reduce exposure and disrupt common attacker pathways:

  1. Continuously discover and monitor internet-facing assets (including cloud services and third-party infrastructure) to identify unknown systems, shadow IT, and exposed services before attackers do.
  2. Identify and remediate misconfigurations and exposed services such as open ports, weak authentication, unsecured remote access services, and publicly accessible management interfaces.
  3. Enforce consistent identity controls across hybrid environments, ensuring the same MFA and conditional access policies apply across on-prem systems, SaaS platforms, and remote access workflows.
  4. Harden help desk and password reset processes by requiring strong identity verification and preventing attackers from enrolling new MFA methods through impersonation.
  5. Detect leaked credentials and monitor external threat activity, including phishing infrastructure, impersonation domains, and compromised user accounts circulating in criminal ecosystems.
  6. Secure customer-facing applications and APIs through regular testing, remediation validation, and monitoring for exploitation attempts against exposed web services.
  7. Improve detection of data theft behaviour, including abnormal API calls, unusual cloud storage downloads, and large-scale access to claims or policyholder data.
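Action 7, and the Scattered Lapsus$ Hunters tactics described earlier (a user tricked into consenting to a malicious Data Loader, followed by authorized API calls that pull whole objects), come down to two signals in SaaS audit data: a consent grant to an unapproved app followed quickly by a bulk export from that app, and an unusually large volume of rows read from sensitive objects by one identity in a short window. The following is an added example, not Outpost24's code: a detector for both patterns over constructed audit records. The pipe-separated format, field names, object names, allow-list and thresholds are assumptions for illustration, not any vendor's log schema; real Salesforce Event Monitoring or Microsoft 365 audit exports would need their own parser in place of parse_log.

```python
"""Detect bulk SaaS data extraction through OAuth-connected apps.

Added example, not Outpost24's code. The record format (ts|user|client|
action|object|rows), the allow-list, the sensitive-object list and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    client: str   # OAuth client / connected app that made the call
    action: str   # "oauth_grant" (user consented to an app) or "bulk_export"
    obj: str      # object/table read; empty for grants
    rows: int     # rows returned by the export job


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    client: str
    rows: int


# Tunables (assumptions): derive real values from a baseline of normal integration volume.
APPROVED_CLIENTS = {"Claims Portal Sync", "Finance ETL"}
SENSITIVE_OBJECTS = {"Contact", "Claim__c", "Policy__c"}
ROW_THRESHOLD = 50_000
GRANT_TO_EXPORT_WINDOW = timedelta(hours=24)
VOLUME_WINDOW = timedelta(hours=1)

# Constructed sample audit log, not real data: ts|user|client|action|object|rows
SAMPLE_LOG = """\
2025-05-02T08:41:00Z|jdoe|Data Loader (unverified)|oauth_grant||0
2025-05-02T09:03:41Z|jdoe|Data Loader (unverified)|bulk_export|Contact|480000
2025-05-02T09:10:02Z|jdoe|Data Loader (unverified)|bulk_export|Claim__c|120000
2025-05-02T10:00:00Z|etl-svc|Finance ETL|bulk_export|Invoice__c|900000
2025-05-02T11:00:00Z|asmith|Claims Portal Sync|bulk_export|Claim__c|20000
2025-05-02T11:30:00Z|asmith|Claims Portal Sync|bulk_export|Policy__c|35000
2025-05-03T11:30:00Z|bnguyen|Data Loader (unverified)|bulk_export|Contact|60000
"""


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, action, obj, rows = line.split("|")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, client, action, obj, int(rows)))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[Alert]:
    alerts: list[Alert] = []

    # Rule 1: consent to an app outside the allow-list, then a large export by
    # that app for the same user soon after. Every API call is authorized, so
    # the grant -> export sequence is the only thing that stands out.
    pending_grants: dict[tuple[str, str], datetime] = {}
    for e in events:
        key = (e.user, e.client)
        if e.action == "oauth_grant" and e.client not in APPROVED_CLIENTS:
            pending_grants[key] = e.ts
        elif e.action == "bulk_export" and key in pending_grants:
            if e.ts - pending_grants[key] <= GRANT_TO_EXPORT_WINDOW and e.rows >= ROW_THRESHOLD:
                alerts.append(Alert("new-app-bulk-export", e.user, e.client, e.rows))
                del pending_grants[key]        # one alert per grant

    # Rule 2: rows read from sensitive objects by one user inside a sliding
    # window, whatever the client. Catches an approved integration driven by
    # a stolen credential or refresh token, and apps whose grant predates the log.
    window: dict[str, list[Event]] = defaultdict(list)
    alerted: set[str] = set()
    for e in events:
        if e.action != "bulk_export" or e.obj not in SENSITIVE_OBJECTS:
            continue
        w = window[e.user]
        w.append(e)
        while e.ts - w[0].ts > VOLUME_WINDOW:  # drop reads older than the window
            w.pop(0)
        total = sum(x.rows for x in w)
        if total >= ROW_THRESHOLD and e.user not in alerted:
            alerted.add(e.user)
            alerts.append(Alert("sensitive-volume", e.user, e.client, total))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.rule:22} user={a.user:8} client={a.client!r} rows={a.rows}")
```

On the sample data the approved Finance ETL job reading 900,000 invoice rows is ignored, because it is on the allow-list and touches no sensitive object; asmith, however, is flagged even though Claims Portal Sync is approved, because two modest reads of claims and policy data add up past the threshold within an hour. That split is deliberate: an allow-list alone would have waved the second case through, which is exactly how a refresh token stolen from a trusted integration gets used.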

How Outpost24 can help

Outpost24 helps insurance security teams reduce exposure to threat actors by improving visibility across the external attack surface, detecting external threats earlier, and validating security controls before attackers can exploit weaknesses.

Outpost24 External Attack Surface Management provides continuous 360° visibility into internet-facing assets, uncovering unknown systems and misconfigurations while giving teams the context needed to prioritize remediation and track security posture over time.

This continuous visibility is strengthened through our Digital Risk Protection solution, which monitors threats across the open, deep, and dark web, including credential exposure, phishing infrastructure, and brand impersonation.

Combined with our Pen-Testing as a Service, Outpost24 helps insurance organizations identify and validate vulnerabilities in customer-facing applications and critical systems, strengthening resilience against extortion-driven attacks.

Interested in seeing how Outpost24 can support your organization? Get in touch today to speak to an expert.

About the Author

Outpost24 Threat Intelligence Team

Outpost24’s Cyber Threat Intelligence team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.