The MGM Resorts cyber disruption may be part of a larger wave of malicious activity targeting the hospitality industry in recent weeks, including a late August ransomware attack against Caesars Entertainment, according to security researchers.
The threat group known as Scattered Spider, or UNC3944, has been linked to a series of attacks against hospitality and entertainment venues in recent months, researchers told Cybersecurity Dive.
MGM had to shut down some of its systems earlier this week following what it called "a cybersecurity issue," leading to disruption inside many of its 30 properties around the world.
The company, which operates high-profile hotels and casinos, including the Bellagio, MGM Grand and Mandalay Bay in Las Vegas, notified law enforcement and brought in outside forensic experts to investigate an attack that disrupted card payments, knocked out reservations sites, shut down ATMs and locked guests out of their hotel rooms.
The company previously claimed operations at the casinos, restaurants and other venues were mostly restored, but websites and other operations were still not fully operational. MGM Resorts issued a new statement thanking workers Thursday morning on X, the site formerly known as Twitter.
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” the company said in the post. “We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers.”
State officials in Nevada said they are closely monitoring the situation.
“Governor Lombardo and the Nevada Gaming Control Board are closely monitoring the cybersecurity incident with MGM Resorts and are in communication with company executives,” the board said Wednesday night.
The board, which oversees casino gaming, is also in contact with other law enforcement agencies. At the end of 2022, Nevada passed regulations that required casinos to conduct security risk assessments, follow best practices and conduct rapid breach notification.
The FBI told Cybersecurity Dive earlier this week that it was aware of the MGM Resorts incident, but could not provide additional details as the situation was ongoing.
Behind the attack
The Scattered Spider threat group, composed mainly of young, native English-speaking hackers, is considered highly effective at social engineering and among the most aggressive non-state criminal actors targeting the U.S.
“They are incredibly disruptive and aggressive,” Charles Carmakal, Mandiant consulting CTO at Google Cloud, said via email. “They cause IT outages in several ways which don’t necessarily involve the deployment of ransomware encryptors.”
Mandiant has observed Scattered Spider deploy BlackCat encryptors in a subset of the organizations they have targeted for attack. In a few of the attacks, the hackers have leveraged AlphV's shaming infrastructure as part of the extortion.
AlphV was able to launch the attack against MGM through a method known as voice phishing, or vishing, according to the site vx-underground. The group allegedly targeted an MGM employee and then contacted the company help desk, according to the site.
Caesars Entertainment disclosed that a social engineering attack on an IT support vendor led to the theft of its rewards program database, which contained personal information, including Social Security numbers and/or driver’s license numbers for a significant number of customers, according to an SEC filing Thursday.
The company will notify affected customers on a rolling basis and has taken steps to harden its IT systems and to make sure the IT vendor does the same. The company said it can’t predict the full financial impact of the attack, but does not immediately anticipate a material impact on its finances or operations. Company officials did not return a request for comment.
Bloomberg reported that Scattered Spider was behind an attack against Caesars Entertainment, which led to the company paying millions of dollars in ransom after the hackers threatened to release the data publicly. That attack allegedly began with an attack on a third-party IT vendor.
The Wall Street Journal reported the Caesars attackers demanded $30 million and the company agreed to pay half that amount.
The extent of the relationship between Scattered Spider and AlphV/BlackCat is unclear, but the groups have each carved out prolific attacks in recent years.
AlphV/BlackCat is considered a rebrand of the DarkSide hackers behind Colonial Pipeline, according to Alex Waintraub, DFIR engagement leader at CYGNVS. The group emerged earlier this year as BlackCat 3.0 and began to deploy Impacket in their toolkit.
Scattered Spider is known to pretend to be IT personnel in order to get inside organizations and take advantage of MFA fatigue, according to Waintraub. The group was previously linked to malicious activity against telecom firms, using a vulnerability in the ForgeRock AM Server, CVE-2021-35464.
Researchers from Cybersixgill told Cybersecurity Dive that threat actors have been advertising MGM Resorts configs on cybercrime forums: malicious configuration files used with OpenBullet, a legitimate pen testing and data scraping tool. Researchers say criminal actors use OpenBullet for credential stuffing attacks.
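The MFA fatigue and credential stuffing techniques mentioned in the two paragraphs above leave recognizable traces in identity provider logs. As an added example that is not from the article or from any of the companies it names, this Python script runs two detections over constructed sample log lines: repeated denied or ignored MFA push prompts that end in an approval, and one source IP failing logins against many distinct accounts. The key=value log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not incident data); the key=value layout is an assumption.
SAMPLE_LOG = """\
2023-09-11T02:00:05Z auth event=mfa_push_denied user=alice src=203.0.113.7
2023-09-11T02:00:40Z auth event=mfa_push_denied user=alice src=203.0.113.7
2023-09-11T02:01:10Z auth event=mfa_push_timeout user=alice src=203.0.113.7
2023-09-11T02:02:30Z auth event=mfa_push_approved user=alice src=203.0.113.7
2023-09-11T03:10:00Z auth event=login_failed user=bob src=198.51.100.9
2023-09-11T03:10:01Z auth event=login_failed user=carol src=198.51.100.9
2023-09-11T03:10:02Z auth event=login_failed user=erin src=198.51.100.9
"""
def parse_log(text):
    """Parse 'ts auth k=v ...' lines into sorted (ts, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        ts, _, *kvs = line.split()
        f = dict(kv.split("=", 1) for kv in kvs)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), f["event"], f["user"], f["src"]))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Users who denied/ignored >= threshold push prompts in one window (MFA fatigue)."""
    prompts = defaultdict(list)  # user -> [(ts, approved?)]
    for ts, ev, user, _ in events:
        if ev.startswith("mfa_push_"):
            prompts[user].append((ts, ev == "mfa_push_approved"))
    alerts = {}
    for user, plist in prompts.items():
        for i, (start, _) in enumerate(plist):
            burst = [ok for ts, ok in plist[i:] if ts - start <= window]
            if burst.count(False) >= threshold:  # also note whether a prompt was finally approved
                alerts[user] = {"rejected": burst.count(False), "approved_after": True in burst}
                break
    return alerts

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=3):
    """Sources failing logins for >= min_users distinct accounts in one window."""
    failures = defaultdict(list)  # src -> [(ts, user)]
    for ts, ev, user, src in events:
        if ev == "login_failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, flist in failures.items():
        for i, (start, _) in enumerate(flist):
            users = {u for ts, u in flist[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts
```

An approval that follows a burst of rejected prompts is the case worth paging on, since it means the prompt bombing worked; a single source hitting many accounts is the credential stuffing signature rather than a user mistyping a password.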
Cybersixgill researchers have seen MGM Resorts data listed on underground forums dating back to a 2019 attack, which involved personal data of 10.6 million customers.