Casino hackers demanded ransoms from MGM and Caesar’s

A bunch of hackers aged between 19 and 22 are bringing the Las Vegas Strip’s casino-hotels to their knees.

A group dubbed “Scattered Spider” by cybersecurity researchers paralyzed the systems of MGM Resorts International this week. MGM, a $14 billion hospitality and entertainment giant, disclosed its “cybersecurity issue” in a Sep. 12 regulatory filing.

Although MGM claims to have dealt with the issue, social media posts say that everything from slot machines to hotel communication systems has been inoperable at MGM venues in Las Vegas for four days. Check-in lines are growing, room access cards and ATMs won’t work, and people are unable to use food, beverage, and free play credits. Falling back on manual cash payouts and physical room keys is proving slow and clunky. (One tiny silver lining: free parking.)

MGM is investigating the matter, as is the FBI. Moody’s, the rating agency, warned that the breach, which highlights MGM’s heavy reliance on tech, could affect its credit rating negatively.

Hospitality giant of interest: Caesar’s Entertainment

A Bloomberg report revealed that another casino operator, the $12 billion Caesar’s Entertainment, had been the victim of a similar cyberattack in recent weeks. The hackers, who threatened to leak its data, demanded $30 million in ransom; Caesar’s paid roughly half. In this case too, the hackers belonged to “Scattered Spider,” thought by cybersecurity analysts to be made up of young hackers in the US and the UK.

Hackers demanded a ransom from MGM as well, two anonymous sources told Fortune. But it remains unclear how much was requested and which systems the company was locked out of.

Quotable: Scattered Spider’s modus operandi

“Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the United States. Many members are native English speakers and are incredibly effective social engineers.”

Charles Carmakal, chief technology officer at Mandiant Intelligence, a part of Google Cloud, in a Sep. 15 LinkedIn post

How Scattered Spider hacked MGM and Caesar’s

Scattered Spider uses social engineering to gather login credentials or one-time-password (OTP) codes, which helps it bypass multi-factor authentication, according to a January blog post by the security research firm CrowdStrike. The group has previously targeted telecom and business process outsourcing (BPO) companies to perform SIM swaps, which can then be used in phishing attacks to steal data and extort ransoms.

In the case of Caesar’s, the hackers breached an outside IT vendor first to subsequently gain access to the company’s network, two people familiar with the matter told Bloomberg.

With MGM, a short telephonic exchange and some collaboration with a ransomware-as-a-service group called ALPHV, also known as BlackCat, was all it took. In April 2022, America’s cyber defense agency issued an alert noting that ALPHV had “compromised at least 60 entities worldwide.”

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” VX-Underground, a malware research group, posted on X. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The white-hat hacker Rachel Tobac, who uses similar attack methods in her work by posing as an internal teammate, wrote on LinkedIn that organizations are less equipped to deal with phone-based attacks than email. It works for three reasons, according to Tobac: “lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.”

By the digits: The impact of the MGM hack

$13 million: The revenue that MGM’s Las Vegas Strip properties bring in daily on average, calculated based on the $1.2 billion in revenue these hotel rooms and casinos earned in the quarter ended June 30

30: The number of hotel and gaming venues that MGM operates around the world, with a dozen on the Vegas Strip. The websites for MGM’s biggest resorts, including MGM Grand, Mandalay Bay, Bellagio, Aria, and The Cosmopolitan, have been inaccessible for days

6,852: The number of rooms at the MGM Grand, the world’s single largest hotel

$6.99: The ATM fees that guests were charged to withdraw cash, when they wanted to keep playing during the hack, and when credit card machines had stopped working

Charted: Las Vegas’ hacked casino-hotels stocks dropped

One more thing: Casinos are ideal cyberattack victims

Casino cyberattacks aren’t uncommon. The Hard Rock Hotel and Casino was breached twice in 2015 and 2016, when hotel guest names, card numbers, expiration dates, and CVV codes were stolen. In 2019, the personal data of roughly 10 million MGM guests was published on a Russian hacking forum.

In fact, casinos are prime targets for financially motivated crimes because their cybersecurity isn’t top-notch and hackers are “more likely to get paid because they’re disrupting casino operations,” Allan Liska, an intelligence analyst at the security firm Recorded Future, told Reuters. “Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats.”
