MGM Resorts International was hacked by the same group of attackers that breached Caesars Entertainment several weeks earlier, according to four people familiar with the matter. The hackers demanded a ransom from MGM, according to two of these people.
However, it was not immediately known how much ransom was demanded from MGM or whether the hackers deployed ransomware to lock up the firm’s files.
Caesars is expected to reveal the cyberattack imminently in a regulatory filing. MGM declined to respond to questions about this attack. In a statement on September 12, MGM confirmed that the investigation is ongoing. The firm stated that it was continuing to implement various measures to secure all its business operations.
Four days into the cyberattack, MGM was still working to resolve the problems caused by the hackers, a group called Scattered Spider. The attack interrupted the firm’s websites, reservation platform, and some of the slot machines at its casinos around the nation, according to two of the people.
Caesars was also compromised by the same group in a cyberattack several weeks earlier and ended up paying tens of millions of dollars to the hackers. The hackers first managed to attack an external IT vendor before accessing the firm’s network, two of the people commented anonymously.
Scattered Spider, also known as UNC3944, is made up of hackers who operate from the UK and US, some of them as young as 19 years old, according to a cybersecurity researcher familiar with the operations of this group.
The group has targeted many firms including business process outsourcing and telecommunications companies to pull off SIM swaps of phone numbers that can then be utilized in phishing attacks to steal data from victim networks and extort a ransom.
The chief technical officer for Mandiant Inc., part of Google Cloud, Charles Carmakal, described these hackers as:
“One of the most prevalent and aggressive threat actors impacting organizations in the United States today.”
Mandiant first encountered this group in May 2022.
He stated that most of the members of this group are young native English speakers who are “incredibly effective social engineers.” They have begun deploying ransomware encryptors and they sometimes expose victims on infrastructure used by another hacking group known as ALPHV.
The FBI stated in April 2022 that the group had leased its ransomware to others, which has led to the compromise of over 60 entities globally.
In the case of the MGM hack, Scattered Spider might have collaborated with ALPHV, according to two people familiar with the group’s operations.
These hackers utilize multiple techniques to extort victims for money.
For example, ransomware is a kind of malware that locks up the victim’s computer files. The cybercriminals then promise to provide a decryption key if an extortion fee is paid.
Quite recently, hacking groups have moved away from ransomware and have instead focused on stealing sensitive data from their victims. Then, they threaten to publish the information online unless they get paid.
Caesars Paid Millions In Ransom To Cybercrime Group
Several days before MGM’s computer networks were hit hard in a cyberattack, casino operator Caesars paid out a ransom worth $15 million to a cybercrime group that managed to infiltrate and disrupt its networks.
The cybercrime group has already sent a ransom demand to MGM too, according to sources familiar with the matter.
So far, there have been two highly disruptive attacks on the gaming sector within a few weeks. Caesars reported its incident in a United States Securities and Exchange Commission filing on September 14. The 8-K report, resembling the one filed by MGM Resorts on September 13, acknowledges the hack as a material event.
The hackers demanded a $30 million ransom from Caesars, but the firm eventually agreed to pay nearly half of that. These charges will be partly reduced by Caesars’ cyber insurance policies. However, Caesars does not expect the ransom payment or fallout to have any material effect on the firm’s bottom line, based on its filing.
Chief technology officer at Google, Charles Carmakal, said:
“Although members of the group may be less experienced and younger than many of the established multifaceted extortion and ransomware groups, they are a serious threat to large companies in the United States. Many members are native English speakers and are incredibly effective social engineers.”
Bloomberg previously reported the ransom and that the same group is behind the attacks on both firms. Security researchers have linked the UNC3944 (Roasted 0ktapus) group to attacks on other firms, including Cloudflare.
SEC rules require firms to file reports within four days of a ‘material’ event. It was not immediately known why Caesars delayed filing this report announcing the hack and ransom for weeks. The SEC rushed to introduce a new cybersecurity disclosure rule earlier in 2023, requiring firms to file an 8-K report revealing the nature of a cyberattack and the effect on their business. This new rule kicks in by the end of this year.
MGM Resorts Insists Cyberattack Might Have Material Effect On It
MGM Resorts said on September 13 that the cyber incident that hit its properties across the United States for three days represents a material risk to the firm.
Simultaneously, Moody’s credit rating agency warned that the cyberattack may negatively affect MGM’s credit rating, stating that the attack highlighted ‘major risks’ within the firm.
The firm’s restaurant reservation, corporate email, and hotel booking systems remain offline because of the attack, just like the digital room keys. MGM on September 13 filed an 8-K report with the Securities and Exchange Commission saying that on September 12 the firm published a press release “regarding a cybersecurity issue involving the Company.”
8-Ks are, as a rule, filed when publicly traded firms wish to notify the SEC about an event that may have a significant material effect on the company. An MGM spokesperson confirmed that the firm views this incident as material. Later, the spokesperson clarified that he was not discussing the firm’s position outside what was highlighted in the filing. The spokesperson, however, never commented on the Moody’s warning.
MGM’s share price dropped by 6% the day it first acknowledged these outages.
For its part, the FBI is monitoring the current situation. The SEC’s new cyber disclosure rule is scheduled to go into effect at the end of the year. Thus, MGM is currently not obligated to offer more information to the SEC than it already has.
On social media, patrons are frustrated with the scope and duration of this outage, with some complaining that the hotel key cards are not working. Others were worried about the security of their data. In 2020, MGM admitted that it had the personal information of over 10 million customers compromised in a cyberattack. All that data later reemerged on a hacking forum in the same year.