By James Thaler
June 12 - (The Insurer) - A cyberattack on Philadelphia Insurance Companies (PHLY) is likely to have been carried out by the Scattered Spider group, cyber sources told Cyber Risk Insurer on Thursday.
On Thursday, as the company faced an ongoing outage it initially told staff to report to its New York-area offices, before postponing their arrival time, and then canceling in-office attendance entirely, sources familiar with the situation said.
A spokesperson for PHLY did not immediately respond to a request for comment.
The company on Thursday sent at least three missives to employees, seen by Cyber Risk Insurer, initially requesting that underwriting, claims, insurance operations and marketing staff report to the firm’s Bala Cynwyd, Pennsylvania; Ewing, New Jersey; and Jersey City offices at 1 p.m. local time.
The company said in the communication that it was planning to grant limited access to “specific employees” in the office.
“Not everyone may get access today, but we need to be ready to resume operations from the office. Please do NOT access the network in the office until you receive specific instructions to do so,” the company said in its initial message to staff.
PHLY then told staff it was pushing back its expected arrival time to 3 p.m. EST, and would notify employees by 2 p.m. EST if there would be any changes to those plans.
It then asked those staff who received the memorandum to click a link acknowledging their receipt of the message.
Senior cyber industry sources said they were surprised by PHLY’s request that staff click a link to indicate whether they planned to return to the office in the immediate aftermath of a ransomware episode.
Shortly thereafter staff received a third message instructing them not to come into the office.
“Due to our continued network outage, we are asking employees NOT to report to any offices today, June 12th, UNLESS you are individually contacted,” the company wrote.
“If you came into the office today, thank you for your cooperation. We are doing our best to keep up with this fluid situation,” the note concluded.
Multiple senior cybersecurity and cyber (re)insurance industry sources pointed to the threat actor group Scattered Spider as the most likely culprit behind the ransomware attack affecting PHLY, and the similar, ongoing event affecting fellow Pennsylvania-based insurer Erie Indemnity.
Scattered Spider is a hacking group that has been around since May 2022. The ransomware gang has established a reputation for targeting multiple companies in a single industry in waves.