In recent days, the hospitality and entertainment giant MGM Resorts International found itself at the center of a cyber nightmare. What began as a “cybersecurity issue” quickly escalated into a full-blown cyberattack, causing significant disruptions to MGM’s operations. This is what we know about the MGM ransomware attack.
The Initial Discovery
The incident came to light on September 11, 2023, when MGM Resorts released a statement via social media, acknowledging the presence of a “cybersecurity issue” affecting some of its systems. The company immediately launched an investigation and informed law enforcement agencies about the attack.
How It Happened
The attackers allegedly identified an MGM tech employee on LinkedIn and then called the company’s support desk, where they exploited that knowledge to infiltrate the systems. This demonstrates the effectiveness of relatively simple methods in breaching even large and well-protected organizations. The attackers claim it took only a 10-minute conversation to infiltrate MGM’s systems.
Who Were The Attackers?
Two hacking groups have been linked to this attack: Scattered Spider and ALPHV (also known as BlackCat). Scattered Spider is known for its expertise in social engineering, particularly “vishing,” where attackers manipulate victims through phone calls. Their tactics often involve impersonating trusted sources.
ALPHV is a ransomware-as-a-service group that has previously targeted major organizations, including Reddit and Western Digital. While both groups have claimed responsibility for the MGM attack, the exact nature of their involvement remains unclear.
Caesars Paid, MGM Didn’t
In a startling parallel to the MGM Resorts cyberattack, Caesars Entertainment also fell victim to a ransomware attack around the same time. In this case, the attackers, believed to be Scattered Spider, leveraged social engineering tactics to target an outsourced IT vendor and gain unauthorized access to Caesars’ systems. What sets this incident apart is Caesars’ response; the company chose to pay a substantial ransom, reportedly in the tens of millions of dollars, to the hackers to prevent them from exposing the compromised data. Caesars sought to safeguard sensitive customer information, such as driver’s license numbers and social security numbers, although it claimed that critical data like passwords and payment card information remained secure.
The Impact
The fallout from the attack has been substantial. MGM Resorts had to shut down computer systems across its properties, causing disruptions that affected guests in multiple ways. Slot machines, digital key cards, ATMs, and payment systems were all crippled. Guests were forced to endure lengthy check-in processes, and the company’s website and mobile app were offline for an extended period. MGM Resorts is actively working with cybersecurity experts to resolve the situation. While the extent of the breach and the exact demands of the attackers remain undisclosed, the company has taken measures to mitigate the impact, including in-person checkouts and providing physical room keys to guests. Nonetheless, the inconvenience and financial repercussions are significant. Caesars is currently facing a lawsuit, and it’s not unlikely that MGM could find itself in a similar legal situation.
Update 9/26: MGM Resorts recently announced its complete return to normal operations as of September 21. However, the company now finds itself entangled in legal troubles, facing class action lawsuits filed in U.S. District Court in Nevada. These lawsuits allege that MGM was negligent and profited unfairly by not adequately safeguarding the personal information of its customers. Both plaintiffs argue that MGM should have been aware of the potential risks, as Okta had previously issued warnings about being a repeated target for social engineering attacks. Despite these warnings, MGM failed to take the necessary actions to protect its customers’ data.
Lessons to Learn
The MGM ransomware attack serves as a stark reminder of the evolving nature of cyber threats. It underscores the critical role of social engineering in modern cyberattacks and highlights that even the most prominent organizations can fall victim to relatively simple tactics.
In the face of such threats, organizations must continue investing in cybersecurity measures while also educating their employees about the risks of social engineering. Most data breaches are caused by people, so we cannot emphasize enough how important it is to train your employees! While it is important to train your employees, it is equally important to have robust incident response plans in place to minimize disruptions and financial losses.