
The MGM Cyberattack Should be a Wakeup Call for Corporate Boards: Will they hit the snooze alarm again?

Our research and tracking of the global information war and the dramatic increase in ransomware attacks over the last three years have been indicating, for some time, that more attacks were coming and that corporate boards and their directors should prepare. The MGM ransomware attack makes this point well. Details here.

While this attack is a massive “one off” tied to a pattern of ransomware attacks with social engineering techniques as a core competency of the hacking groups responsible for the attack, there does not seem to be a geopolitical angle here. Of keen interest to us, and something we continue to track, is a major attack which maps to a clear geopolitical, strategic agenda by China, Russia, North Korea, Iran, etc. Our research question remains: Is such an attack – with definitive attribution to a nation-state – in the “not if but when” column? And while there is no nation-state affiliation or geopolitical motive to this attack, the collaborative effort by these hacking groups – at the level of Las Vegas spectacle – is an alpha test of large-scale cyberattack capabilities (along with premium, global unpaid media exposure and marketing) that can now be shopped around in the dark economy. And we know there are well-resourced buyers for such services.

Background

As an early warning system for our readership, we recently provided the following interrelated analyses of the omnipresent threat vectors in a global information war and the growing attack surfaces in an epidemic of large-scale ransomware attacks:

Ransomware Attacks in U.S. and Cyberattacks in Pacific Islands are Battlefields in Global Cyber War – These pattern recognition and sensemaking efforts are a follow-up to our recent spotlight on The City of Dallas, Over a Month After A Ransomware Attack, Still not at Full Functionality and the U.S. Turning its Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica – further validating the broader cyber battles that the U.S. is fighting on a daily basis (in what is a broader, global cyber war in which we are already engaged against nation-state and non-state actors alike).

Lessons Learned from the MGM Attack Timeline

September 14th

MGM still responding to wide-ranging cyberattack as rumors run rampant

MGM Resorts is still struggling to recover from a cyberattack that has hampered significant parts of its business.

As reported by The Record:

“Since Monday [September 11th] — when the company confirmed that it shut down some systems after identifying a cybersecurity issue — its website has been down and customers have reported widespread issues with everything from slot machines to room keys.  Customers have shared photos and videos of temporary measures the casinos are taking to continue operations while systems are down, including providing visitors with radios to communicate with staff and tallying slot machine losses or wins by hand. Rumors have run rampant as customers and employees search for answers about the situation.  The company owns several high-profile Las Vegas properties, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria.  Employees are now fearful that they will not be paid on Friday and due to the company’s size, several ancillary businesses are warning their employees to be wary of “emails, files and electronic communications.”  MGM Resorts reported that it brought in about $25 million per day in the third quarter of 2022, meaning the hotel is likely losing millions each day with the outages affecting dozens of slot machines and other resort functions.

Scattered Spider, 0ktapus and Caesars

While MGM has refused to specify the nature of the cyberattack, Bloomberg reported on Wednesday that it was a ransomware incident, backing up claims relayed to the malware research platform vx-underground that an affiliate of the Black Cat/AlphV ransomware gang was behind the attack. A notable affiliate of the gang — known by researchers as Scattered Spider or 0ktapus — reportedly told vx-underground directly that they gained access to MGM’s systems by searching for employees on LinkedIn and spoofing the IT help desk. Reuters spoke to two sources that confirmed Scattered Spider was behind the incident. Scattered Spider has made a name for itself with several high-profile attacks, including one on Coinbase in February. The group — which is allegedly made up of U.S. and U.K.-based hackers — has shown skill with social-engineering techniques. The casino reportedly paid a $15 million ransom after being asked for $30 million.”

Inside The Ransomware Attack That Shut Down MGM Resorts

“Imagine you save up all year to go to Vegas, and then you have this experience. It’s going to leave a bad taste in your mouth.”

As reported at Forbes:  “More than 60 hours after a brazen cyberattack targeted the computer systems at one of the world’s largest casino-hotel chains, patrons trying to access the MGM Resorts website are still met by a splash page that apologizes for the inconvenience.  Prominent among MGM’s stable of 19 U.S. properties are a dozen of the most iconic casino hotels in Las Vegas—including the Bellagio, Mandalay Bay and the Cosmopolitan.  Since the attack was discovered…it has wreaked havoc on MGM’s operations, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs and paid parking systems…VX-Underground, a malware research group with nearly 229,000 followers on X, posted that ransomware-as-a-service group ALPHV, also known as BlackCat, claimed responsibility for executing the attack by using social engineering to identify on LinkedIn an MGM employee who worked in IT support. The next step was simply to call the MGM help desk. Astonishingly, the attack took about 10 minutes to execute.”

September 15th

Okta Agent Involved in MGM Resorts Breach, Attackers Claim

ALPHV/BlackCat ransomware operators have used their leak site to “set the record straight” about the MGM Resorts cyberattack. Meanwhile, more attacks abusing Okta could be likely.

Dark Reading reports: “The threat actors believed to be behind last week’s MGM Resorts and Caesars Entertainment cyberattacks now say they were able to breach MGM’s systems by somehow cracking into the company’s Okta platform, specifically the Okta Agent, which is the lightweight client that connects to an organization’s Active Directory. Okta is a popular identity and access management (IAM) provider for the cloud. “MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps,” ALPHV wrote on its leak site, in a statement that Emsisoft researcher Brett Callow tweeted out. “This resulted in their Okta being completely out.” The ALPHV statement added that after lurking around Okta for a day and scooping up passwords, the threat group then launched ransomware cyberattacks against more than 1,000 ESXi hypervisors on Sept. 11, “… after trying to get in touch [with MGM] but failing,” the statement said.”

MGM Resorts Hackers Broke In After Tricking IT Service Desk

  • Okta warned about hackers using similar techniques in August
  • Group suspected of attack is well known for social engineering

From Bloomberg: “The online attack that disrupted MGM Resorts International resorts and casinos across the country began with a social engineering breach of the company’s information technology help desk, according to a cybersecurity executive familiar with the investigation. David Bradbury, chief security officer at the identity and access management company Okta, said his company issued a threat advisory in August about similar attacks against some of its customers, in which hackers used low-tech social engineering tactics to gain entry and then more advanced methods that allow them to impersonate users on the networks. A former MGM employee who was familiar with the company’s cybersecurity policies pointed to the help desk as vulnerable to attack. The person said that to obtain a password reset, employees would only have to disclose basic information about themselves – their name, employee identification number and date of birth – details that would be trivial to obtain for a criminal hacking gang. The employee, who requested anonymity to discuss sensitive matters, said details were too easy to obtain and were the root cause of what ‘caught MGM up here.’”
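The root cause the former employee describes is a reset process that accepts only facts a caller can recite. As an added example (not MGM’s, Okta’s or this article’s code; the users, phone numbers and factor names are constructed), here is that weak policy beside a hardened one that also demands a possession factor, a callback to the number on file rather than a caller-supplied one, and manager approval for privileged accounts, plus an audit helper that lists the tickets the weak rule would have granted:

```python
from dataclasses import dataclass

# Facts a caller can recite; the report lists exactly these three as sufficient at MGM.
KNOWLEDGE_FACTORS = frozenset({"name", "employee_id", "date_of_birth"})
# Factors that require controlling something tied to the real employee.
POSSESSION_FACTORS = frozenset({"mfa_push_approved", "callback_on_file_number", "manager_approved"})
# Constructed sample directory (hypothetical users): privilege flag and phone on file.
DIRECTORY = {
    "jdoe":    {"privileged": False, "phone_on_file": "+1-702-555-0100"},
    "itadmin": {"privileged": True,  "phone_on_file": "+1-702-555-0199"},
}

@dataclass(frozen=True)
class ResetRequest:
    username: str
    verified: frozenset      # factor names the help-desk agent actually verified
    caller_number: str = ""  # number the caller asked to be called back on, if any

def weak_policy(req: ResetRequest) -> bool:
    """The check described in the report: name + employee ID + DOB is enough."""
    return KNOWLEDGE_FACTORS <= req.verified

def hardened_policy(req: ResetRequest) -> tuple[bool, str]:
    """Knowledge factors only identify the account; a possession factor must also be
    verified, callbacks go to the number on file, and privileged accounts need approval."""
    record = DIRECTORY.get(req.username)
    if record is None:
        return False, "unknown user"
    if not KNOWLEDGE_FACTORS <= req.verified:
        return False, "identity attributes did not match"
    if req.caller_number and req.caller_number != record["phone_on_file"]:
        return False, "callback number must be the one on file, not caller-supplied"
    possession = POSSESSION_FACTORS & req.verified
    if not possession:
        return False, "no possession factor verified"
    if record["privileged"] and "manager_approved" not in req.verified:
        return False, "privileged account requires manager approval"
    return True, "verified via " + ", ".join(sorted(possession))

def blocked_by_hardening(requests: list) -> list:
    """Usernames the weak policy would reset but the hardened policy refuses:
    an audit a help desk could run over its own ticket history."""
    return [r.username for r in requests if weak_policy(r) and not hardened_policy(r)[0]]

# Constructed sample queue: a caller reciting only knowledge facts for the IT support
# account (with a callback number of their choosing), and a user who approved an MFA push.
SAMPLE_QUEUE = [
    ResetRequest("itadmin", KNOWLEDGE_FACTORS, caller_number="+1-702-555-0123"),
    ResetRequest("jdoe", KNOWLEDGE_FACTORS | {"mfa_push_approved"}),
]
```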

September 18, 2023

MGM, Caesars attacks raise new concerns about social engineering tactics

Multiple threat groups have employed the same criminal tool kit to target vulnerable systems: “Social engineering attacks are not new — attackers have increased the sophistication and target systems for social engineering, especially the multifactor authentication process.”

The social engineering attacks against MGM Resorts and Caesars Entertainment are raising questions about previous activity linked to threat actors and the vulnerabilities they leverage. There is a growing consensus among security researchers that the threat group AlphV, also known as BlackCat, which is taking credit for the attack on MGM, has been working with Muddled Libra, which is known under various names, including Scattered Spider, Scatter Swine and Oktapus, and is likely multiple actors employing the same toolkit for attacks. The group sent messages to targeted employees claiming they need to reauthenticate their identities or update account information, according to the Unit 42 blog. The hackers then installed multiple versions of remote monitoring and management tools, which provide them backup access to a system if they initially get caught.

‘Scattered Spider’ group launches ransomware attacks while expanding targets in hospitality, retail

Also from The Record: Hackers connected to a group known to researchers by names like “Scattered Spider,” “0ktapus,” and UNC3944 have moved beyond targeting telecommunication firms and tech companies into attacks on hospitality, retail, media and financial services. The group made waves last week for its alleged role in a ransomware attack on MGM Resorts that caused chaos at several hotels in Las Vegas and drew the attention of not only federal law enforcement agencies but even the White House. In a report late last week, security experts at cybersecurity firm and Google subsidiary Mandiant spotlighted the group’s evolution from relatively aimless — yet high-profile — data theft incidents on major tech firms to sophisticated ransomware attacks on a wide range of industries. The researchers — who refer to the group as UNC3944 — said that since 2022, the hackers’ calling card has been “phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations.” They initially focused on SIM swapping attacks that likely supported secondary criminal operations.

I Gambled in MGM’s Hacked Casinos

At the Aria, Bellagio, and MGM Grand, evidence of the massive ransomware hack is everywhere, if you’re looking for it.

Jason Koebler at 404media shares his informal experiential learnings on the ground in Sin City:

“Las Vegas’s hottest new attraction is an interactive ransomware exhibit, currently playing out across every MGM property in the city. To experience what it’s like to gamble in a series of hacked casinos, I got on one of the first flights out of Los Angeles Saturday morning with the goal of figuring out not just how screwed up the casinos were, but also to witness the marvelous ability of the human species to adapt and cope with bizarre circumstances.  A statement on MGM’s website says: “Although the issue is affecting some of the Company’s systems, the vast majority of our property offerings currently remain operational, and we continue to welcome tens of thousands of guests each day. We are ready to welcome you.”

I wanted to see if it was actually the case that the “vast majority” of its offerings remained operational…I knew from videos posted to Twitter that some slot machines would be broken, that all elevators would be unlocked and able to travel to any floor (security guards are checking room keys before anyone can get on any elevator), that parking garages had lost the ability to charge people, that hotel check-in lines would be very long, and that certain casino operations would be cash only. What I wasn’t sure about was what this actually means for people trying to gamble and, more importantly, what it means for the workers whose jobs have suddenly become a lot more difficult.

In the time I was there, I gambled, walked around extensively, and casually spoke to visitors and casino employees about what was going on and how they were doing. The short answer is that all sorts of casino functions are fucked up in ways that are minor inconveniences for visitors but a nightmare for MGM casinos workers. Ironically, some of the systems that have been hacked and haven’t come back online are food ordering kiosk touchscreens that replaced human workers years ago. With those systems down, human workers had to step up to replace the automated systems in addition to their other duties, making it arduous and time consuming for customers to order food and giving workers only a couple working cash registers to take orders from.”

For Koebler’s full report, go to this link.

What Next?

  1. While this attack is a massive “one off” tied to a pattern of ransomware attacks with social engineering techniques as a core competency of the hacking groups responsible for the attack, there does not seem to be a geopolitical angle here. Of keen interest to us, and something we continue to track, is a major attack which maps to a clear geopolitical, strategic agenda by China, Russia, North Korea, Iran, etc. Is such an attack clearly in the “not if but when” column? Or are nation-state and non-nation-state actors deterred by what they know are the cyber offensive capabilities of the U.S. and their Five Eyes collaborators? Or are U.S. defensive capabilities already keeping us safe – and we never hear the reports of spoiled attacks?
  2. While not geopolitical in nature, the attack did have a political and moral economy “binary fracture” to its messaging and brand communications. At a time when hackers continue to be hounded by a negative stigma and crypto fraud is blamed for, well, everything, these hackers included a statement about the broad fraudulent nature of the “aboveground economy” parent company they attacked. The attackers’ rant about MGM, and how it is a bad company because insiders are only selling the stock, was an interesting development in this story. In their estimation: “We believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and well-being while visiting one of their resorts? We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months, while 7 insiders have sold shares for a combined 33 MILLION dollars. (https://www.marketbeat.com/stocks/NYSE/MGM/insider-trades/). This corporation is riddled with greed, incompetence, and corruption.”
  3. This is not a “traditional” nation-state versus nation-state war theater: The binary fracture pointed out here is between the ‘mainstream fraud’ perpetrated by companies in the Fortune 500 and the legacy perception of hackers as intrinsically ‘fraudulent.’ The APTs that perpetrated this attack are doing more than pointing out the hypocrisy of MGM Resorts International; they are surfacing the bifurcation of the warring ‘sides’ in this information war (which the mainstream media does not frame or surface in their coverage at all). This binary fracture should be taken into account to avoid a failure of imagination in your risk awareness and cybersecurity strategy. Are there non-state cyber actors that have your company or industry sector in their crosshairs?
  4. Crime-as-a-Service: Yes, it is a thing. While there is no nation-state affiliation or geopolitical motive to this attack, the collaborative effort by these hacking groups – at the level of spectacle – is an alpha test of large-scale cyberattack capabilities (along with premium, global unpaid media exposure and marketing) that can now be shopped around in the dark economy. And we know there are well-resourced buyers.

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.