MGM reeling from cyber ‘chaos’ 5 days after attack as Caesars Entertainment says it was hacked too
“The machines wouldn’t take our ticket,” said one MGM Resorts customer.
Five days after a cyberattack crippled operations of MGM Resorts International, including its signature Las Vegas properties the Bellagio and the MGM Grand, the company said Thursday morning it is still working to resolve issues as another major resort operation, Caesars Entertainment, acknowledged it was also the target of a cyberattack.
Hackers struck MGM Resorts on Sunday morning, rendering doors to the chain’s casinos and hotels unusable. Slot machines and ATM machines were also inoperable, elevators were out of order and customers had to wait hours to check into rooms. Even the company’s website remains down.
“We continue to work diligently to resolve our cybersecurity issues while addressing individual guest needs promptly,” MGM Resorts said in a statement Thursday. “We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers. Thank you for your continued patience.”
But for MGM Resorts Las Vegas visitors like Walter Haywood, patience is running out.
“It was kind of chaotic,” Haywood told ABC Las Vegas affiliate station KTNV. “The machines wouldn’t take our ticket. Lines everywhere. Just chaos.”
MGM Resorts has acknowledged the attack but has released no details on how it occurred or who might be responsible.
The company said it “took prompt action to protect our system and data, including shutting down certain systems.”
The FBI said it is investigating the attack and has been in contact with the chain since Sunday.
The Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, announced on Thursday that it is in contact with MGM Resorts “to understand the impacts of their recent cyber incident.”
“We are also offering any necessary assistance should the organization need or request it,” the CISA said in a statement.
Nevada Gov. Joe Lombardo and the Nevada Gaming Board released a joint statement, saying they are “monitoring the cybersecurity incident with MGM Resorts and are in communication with company executives.”
“Additionally, the Nevada Gaming Control Board remains in communication with other law enforcement agencies,” the statement from Lombardo and the gaming board said.
VX-Underground — a research group boasting the largest collection of malware source code, samples and papers on the internet — posted to X that the ransomware group “ALPHV,” also known as Black Cat, is allegedly behind the MGM cyberattack. Authorities have not confirmed the report.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” VX-Underground said.
Bloomberg News reported Wednesday that the same ransomware group is responsible for a cyberattack this month on Caesars Entertainment Inc. and that the company paid “millions” to get its data back.
Caesars Entertainment — which runs more than 50 resorts, including Caesars Palace and Harrah’s in Las Vegas — acknowledged the attack occurred on Sept. 7 in a filing Thursday with the U.S. Securities and Exchange Commission.
“Caesars Entertainment Inc. recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company,” Caesars said in its SEC Form 8-K filing.
While the company said it did not pay a ransom, it noted that “we have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”
Caesars Entertainment, according to the filing, said its investigation determined that hackers acquired a copy of its loyalty program database, which includes driver’s license numbers and Social Security numbers “for a significant number of members in the database.”
Caesars added, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” source
The Morning After: Hacking a Vegas casino may just take a single phone call
The ALPHV ransomware group used social engineering to attack MGM Resorts.
The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, and it apparently took the group only 10 minutes on a phone call to glean the information needed to shut down systems and slot machines — not the slot machines! — at casinos owned by MGM Resorts.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the organization wrote in a post on X. Those details came from ALPHV but have not been independently confirmed by security researchers.
MGM Resorts didn’t respond to a request for comment but said on Tuesday that “Our resorts, including dining, entertainment and gaming, are currently operational.” source
Caesars Entertainment Paid Millions to Hackers in Attack
Hackers stole data, extorted company, people familiar said
Caesars breach came weeks before MGM announced cyberattack
Young hackers are sticking up Las Vegas casinos for hefty ransoms
Both MGM and Caesars Entertainment were hacked by a group named “Scattered Spider” in recent weeks. Caesars even paid a ransom
A bunch of hackers aged between 19 and 22 are bringing the Las Vegas Strip’s casino-hotels to their knees.
A group dubbed “Scattered Spider” by cybersecurity researchers paralyzed the systems of MGM Resorts International this week. MGM, a $14 billion hospitality and entertainment giant, disclosed its “cybersecurity issue” in a Sep. 12 regulatory filing.
Although MGM claims to have dealt with the issue, social media posts say that everything from slot machines to hotel communication systems has been inoperable at MGM venues in Las Vegas for four days. Check-in lines are growing, room access cards and ATMs won’t work, and people are unable to use food, beverage, and free play credits. Regressing to the past, to use manual cash payouts and physical room keys, is proving slow and clunky. (One tiny silver lining: free parking.)
MGM is investigating the matter, as is the FBI. Moody’s, the rating agency, warned that the breach, which highlights MGM’s heavy reliance on tech, could affect its credit rating negatively.
Hospitality giant of interest: Caesars Entertainment
A Bloomberg report revealed that another casino operator, the $12 billion Caesars Entertainment, had been the victim of a similar cyberattack in recent weeks. The hackers, who threatened to leak its data, demanded $30 million in ransom; Caesars paid roughly half. In this case too, the hackers belonged to “Scattered Spider,” thought by cybersecurity analysts to be made up of young hackers in the US and the UK.
Hackers demanded a ransom from MGM as well, two anonymous sources told Fortune. But it remains unclear how much was requested and which systems the company was locked out of.
Quotable: Scattered Spider’s modus operandi
“Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the United States. Many members are native English speakers and are incredibly effective social engineers.”
—Charles Carmakal, chief technology officer at Mandiant Intelligence, a part of Google Cloud, in a Sep. 15 LinkedIn post
How Scattered Spider hacked MGM and Caesars
Scattered Spider uses social engineering to gather login credentials or one-time-password (OTP) codes, which helps bypass multi-factor authentication, according to a January blog post by the security research firm CrowdStrike. The group has previously targeted telecom and business process outsourcing (BPO) companies to perform SIM swaps, which can then be used in phishing attacks to steal data and extort ransoms.
In the case of Caesars, the hackers breached an outside IT vendor first to subsequently gain access to the company’s network, two people familiar with the matter told Bloomberg.
With MGM, a short telephonic exchange and some collaboration with a ransomware-as-a-service group called ALPHV, also known as BlackCat, was all it took. In April 2022, America’s cyber defense agency issued an alert noting that ALPHV had “compromised at least 60 entities worldwide.”
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” VX-Underground, a malware research group, posted on X. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
The white-hat hacker Rachel Tobac, who uses similar attack methods in her work by posing as an internal teammate, wrote on LinkedIn that organizations are less equipped to deal with phone-based attacks than email. It works for three reasons, according to Tobac: “lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.”
By the digits: The impact of the MGM hack
$13 million: The revenue that MGM’s Las Vegas Strip properties bring in daily on average, calculated based on the $1.2 billion in revenue these hotel rooms and casinos earned in the quarter ended June 30
30: The number of hotel and gaming venues that MGM operates around the world, with a dozen on the Vegas Strip. The websites for MGM’s biggest resorts, including MGM Grand, Mandalay Bay, Bellagio, Aria, and The Cosmopolitan, have been inaccessible for days
6,852: The number of rooms at the MGM Grand, the world’s single largest hotel
$6.99: The ATM fees that guests were charged to withdraw cash, when they wanted to keep playing during the hack, and when credit card machines had stopped working
Charted: Las Vegas’ hacked casino-hotels stocks dropped
One more thing: Casinos are ideal cyberattack victims
Casino cyberattacks aren’t uncommon. The Hard Rock Hotel and Casino was breached twice in 2015 and 2016, when hotel guest names, card numbers, expiration dates, and CVV codes were stolen. In 2019, the personal data of roughly 10 million MGM guests was published on a Russian hacking forum.
In fact, casinos are prime targets for financially motivated crimes because their cybersecurity isn’t top-notch and hackers are “more likely to get paid because they’re disrupting casino operations,” Allan Liska, an intelligence analyst at the security firm Recorded Future, told Reuters. “Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats.” source
Groups linked to Las Vegas cyber attacks are prolific criminal hacking gangs
A pair of criminal hacking groups have been linked with attacks in recent weeks on two prominent Las Vegas hotel and casino operators that have left one struggling to resume operations and prompted another to reportedly pay a multimillion-dollar ransom payment.
The attacks on MGM Resorts and Caesars Entertainment have resulted in widespread outages at MGM properties, and according to a Wall Street Journal report, forced Caesars to pay roughly half of a $30 million ransom demand.
Exactly who is behind the attacks remains unclear, but two hacking groups have been linked with the breaches: ALPHV and Scattered Spider. A person claiming to be a member of the latter told CyberScoop that their group was responsible for the attack on MGM but denied responsibility for the breach of Caesars. Earlier this week VX-Underground, a well-known online malware research repository, wrote on the social media platform X that an ALPHV representative said they were behind the MGM hack.
Late Thursday, ALPHV claimed responsibility for the attack on MGM in a statement on its website. It is unclear whether Scattered Spider’s claim of responsibility for the breach of MGM is false or whether overlaps between the two groups mean that members of both hacking collectives were involved in the breach of MGM. The Scattered Spider member who spoke with CyberScoop described their group as a well-known affiliate of ALPHV.
In a Thursday regulatory filing, Caesars confirmed that the company had identified “suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor” used by the company. The attackers gained a copy of “among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database,” the company said.
Caesars said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company reported, in what may have been a veiled reference to the reported ransomware payment.
Neither Caesars nor MGM responded to multiple requests for comment. The FBI acknowledged that it was investigating the incidents Thursday but declined to comment further.
As of Thursday, MGM appears to be continuing to struggle to recover from the attack. The company’s website remains down, and reports on social media show digital slot machines in MGM casinos bearing error messages.
The member of Scattered Spider who spoke with CyberScoop said that negotiations with MGM were ongoing but would not disclose the terms of any demands. The individual claimed that stolen data included customer information, sexual abuse incident reports and other corporate records. The individual’s claims could not be independently verified.
“If MGM decide they want to discuss if they paid or how much is completely up to them, if they decide they want to pay the money we assure them their systems wont [sic] be breached again,” the person said in an online chat.
The two groups — Scattered Spider and ALPHV — linked to the attacks on the two casino operators are a set of aggressive online criminal groups with a well-documented history of carrying out ransomware attacks.
Scattered Spider is the name given to a financially motivated hacking group by private industry researchers. The group was likely behind a “massive phishing campaign” targeting Okta, the U.S.-based authentication firm, which led to follow-on attacks against users of the Signal messaging app, Twilio and Cloudflare, cybersecurity firm Group-IB reported in August 2022.
Scattered Spider has been active since May 2022, and has mostly attacked telecommunications and business process outsourcing organizations until recently, when it began targeting other sectors, including critical infrastructure, according to an Aug. 17 analysis from cybersecurity firm Trellix.
The group “heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases,” according to a May 2023 Mandiant analysis.
The exact relationship between Scattered Spider and ALPHV is difficult to determine. Scattered Spider is considered a distinct, financially-motivated cybercrime group that has demonstrated connections to the ALPHV ransomware operation by using some of its tooling, experts say. ALPHV is a well-known ransomware operation, also known as BlackCat, and was perhaps the first entity to operate ransomware using the Rust language in the wild. source
MGM Resorts breached by ‘Scattered Spider’ hackers: sources
SAN FRANCISCO/WASHINGTON, Sept 13 (Reuters) – A hacking group named Scattered Spider brought down the systems of the $14 billion gaming giant MGM Resorts International (MGM.N) this week, two sources familiar with the matter said, as U.S. law enforcement officials started a probe into the breach.
Several MGM systems remained paralyzed for a third straight day after it said on Monday it had shut some of them to contain a “cybersecurity issue.” The company, which operates over 30 hotel and gaming venues around the world including in Macau and Las Vegas, said it was investigating the incident.
A Bloomberg report separately said another casino operator, Caesars Entertainment, had been hacked and paid ransom to hackers who threatened to leak its data in recent weeks, citing two people familiar with the matter.
Shares of Caesars Entertainment and MGM both fell on Wednesday.
The cause and the full impact of the breaches were not immediately clear, although social media posts showed slot machines and systems down at MGM venues in Las Vegas.
Two sources familiar with the matter told Reuters the hacking group Scattered Spider was behind it. Identified by analysts last year, this group uses social engineering to lure users into giving up their login credentials or one-time-password (OTP) codes to bypass multi-factor authentication, the security firm CrowdStrike said in a blog post in January.
It is “one of the most prevalent and aggressive threat actors impacting organizations in the United States today,” Charles Carmakal, chief technology officer at Alphabet Inc’s (GOOGL.O) Mandiant Intelligence said in a post on LinkedIn on Wednesday, following reports about the MGM breach.
“Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the U.S.,” he added.
Scattered Spider, also known as UNC3944, has hit telecom and business process outsourcing (BPO) companies in the past, but more recently also targeted critical infrastructure organizations, according to analyst reports.
“They leverage tradecraft that is challenging for many organizations with mature security programs to defend against,” Carmakal said.
The FBI said on Wednesday it was investigating the incident, but did not elaborate. The rating agency Moody’s warned the breach could negatively impact MGM’s credit rating.
Such attacks are typical hallmarks of ransomware incidents in which extortionists encrypt victims’ computer systems and demand ransoms in digital currency.
Analysts say casinos are prime targets of financially-motivated cybercrimes.
“They’re more likely to get paid because they’re disrupting casino operations,” said Allan Liska, intelligence analyst at the security firm Recorded Future.
“Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats.”
Moody’s analysts said in a report that the incident “highlights key risks related to (MGM’s) business operations’ heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable.”
Messages seeking further comment from MGM and the U.S. cybersecurity watchdog agency CISA were not immediately returned. MGM Resorts’ website was “currently unavailable,” according to a holding message posted to the group’s homepage.
“Our investigation is ongoing and we are working diligently to determine the nature and scope of the matter,” MGM said in a post on the social media website X on Monday. source
Caesars and MGM grapple with hacks as cybersecurity in Vegas is under scrutiny
Hackers stole Social Security numbers and driver’s license numbers from a “significant number” of loyalty program customers of Caesars Entertainment, the hospitality and casino giant said Thursday.
The disclosure comes as another big Las Vegas brand, MGM Resorts, is recovering from its own apparent cyberattack in which guests on Monday reported being unable to make room charges and access their rooms with their digital keys.
The pair of hacks has put a spotlight on the computer defenses of the multibillion-dollar casino and hospitality business in Las Vegas, which are ripe targets for cybercriminals to extort.
Caesars Entertainment, which owns famous hotel-casinos such as Caesars Palace, confirmed on September 7 that the hackers had stolen a copy of the customer loyalty program database, in a filing with the Securities and Exchange Commission. The hackers broke into computer systems via “a social engineering attack” on an IT support contractor, according to the filing.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars Entertainment said. The company did not immediately respond to CNN’s questions as to what steps were taken and whether they included paying a ransom.
For its part, MGM Resorts has repeatedly referred to a “cybersecurity issue” in describing the disruption to some of its computer systems, but the incident has the hallmarks of a cyberattack.
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” MGM Resorts said in a statement on Thursday morning. The company said on Monday, when news of the incident broke, that it had shut down certain computer systems to protect its data.
MGM Resorts did not respond to multiple requests for comment from CNN this week on how it was dealing with the apparent hack.
An FBI spokesperson said the bureau was investigating the cybersecurity incident at MGM Resorts but declined further comment, citing an ongoing investigation.
Scattered Spider considered a ‘serious threat’
It’s unclear who exactly was responsible for the cyberattacks. But a cybercriminal group known in the industry as Scattered Spider has been targeting casinos and hotels in recent weeks, according to Mandiant Consulting, a Google-owned cybersecurity firm.
Members of the hacking group “may be less experienced and younger” than many of the established cybercriminal gangs and state-backed cyber-espionage teams, but “they are a serious threat to large organizations in the United States,” said Charles Carmakal, Mandiant Consulting’s chief technology officer.
Some of the members of the group appear to be based in the United States and the United Kingdom, according to Carmakal and other sources interviewed by CNN. Bloomberg News reported on Wednesday that Scattered Spider was responsible for the pair of cyberattacks on Caesars Entertainment and MGM Resorts.
Reports that the hackers had used social-engineering techniques in which, for example, they pose as an IT support employee to gain access to an organization, raised concerns for cybersecurity experts.
“Most organizations focus on email-based threats in their technical tools and protocols,” Rachel Tobac, CEO of SocialProof Security, a social-engineering prevention firm, told CNN. “Many [organizations] are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone-based attacker in the act.” source
MGM cyberattack continues to create chaos for Vegas operations; SEC notified
MGM Resorts International website remains down
MGM Resorts International in Nevada confirmed a recent cyberattack in a Wednesday filing with the Securities and Exchange Commission (SEC).
“MGM Resorts recently identified a cybersecurity issue affecting certain of the company’s systems,” an MGM spokesperson said in a statement. “Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
On Monday, FOX 5 in Las Vegas reported that one of the company’s properties, the Bellagio Las Vegas, confirmed that the computer systems were down at all resorts and that all computer-based operations were forced to go manual.
Personnel at the resort also said the outage affected credit card machines at the properties.
MGM did not immediately respond to inquiries from Fox Digital about the cybersecurity outage. The company operates 19 resorts with more than 40,000 rooms around the world, including the MGM Grand, Mandalay Bay, Luxor and New York-New York in Las Vegas as well as the Borgata in Atlantic City, New Jersey, and more. source