Las Vegas hackers lash out with barbed words


As fresh details continue to emerge about the Las Vegas ransomware attacks on MGM Resorts and Caesars Entertainment, a major hacker gang suspected of involvement is breaking its silence.

The ALPHV/BlackCat (ALPHV) ransomware group was named by numerous security insiders this week as the gang responsible for Monday’s crippling cyberattack on the MGM resort and casino conglomerate.

The gang posted its strongly worded statement just before 8 p.m. ET, claiming it had infiltrated MGM’s infrastructure the previous Friday but waited until Sunday to launch its ransomware, mainly because MGM engineers, whom ALPHV claimed it had "pinged" repeatedly, never responded.


The group also lashed out at the media for spreading false narratives about ALPHV “tampering with MGM slot machines to spit out cash,” and for “insulting” the seasoned ransomware gang by connecting it to novice groups.

“The tactics, procedures, and indicators of compromise (TTPs) used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate,” ALPHV wrote.

Image: ALPHV/BlackCat’s statement on the MGM attack, as posted on the gang’s dark web leak site.

On Wednesday, insiders had thrown the name of another, lesser-known threat actor into the mix: “Scattered Spider,” also tracked as Scatter Swine, Muddled Libra, and, under its industry label, UNC3944.

Threat intelligence analysts suspected the two groups of having collaborated on the MGM hack, though the Western-based Scattered Spider has now been given full credit for the attack on Caesars, which the Las Vegas hotel and gaming giant says it discovered on September 7th, according to an SEC disclosure made public Thursday.

As rumors spread like wildfire on social media, it seems ALPHV had finally had enough of the speculative talk and decided to post a lengthy diatribe on its dark leak site Thursday evening – geared towards anyone with access, but especially the media.

ALPHV also claimed to still have access to MGM systems, stating: “If a deal is not reached, we shall carry out additional attacks.”

But before we dive into the nitty-gritty of the thousand-word statement, titled “Statement on MGM Resorts International: Setting the record straight,” let’s do a quick recap of what’s gone down over the past few days.


MGM forced into analog mode

This week's attack quickly sent all twelve MGM-brand resorts on the Las Vegas Strip into a tailspin as the company was forced to shut down many of its systems, leaving the hotels running on analog processes and cash only for at least 24 hours.

The company put out an official statement on X (formerly known as Twitter) on Monday, although the FBI is said to have been called to MGM’s Las Vegas-based headquarters as early as Sunday morning.

The websites of all 31 MGM properties, along with the mobile app, have been down since Monday, and MGM employees are wondering whether they will even be paid come Friday.

The latest from the hotel insiders is that "MGM is stocking elevators with bottled water in case they get stuck, so nobody dies of dehydration." Yikes.

Besides massive financial losses, the past few days have shown guests locked out of rooms, slot machines out of service, and hotel phones inoperable.

X users posted videos of hours-long check-in lines winding through hotel lobbies. ATMs and hotel cashiers were unable to dispense cash, and at one point, guest rooms could be opened with any room key.

Caesars coughs up ransom

While the MGM hack was in full swing, Caesars Entertainment was quietly paying a $15 million ransom to its hackers, confirmed to be Scattered Spider by sources cited by several major news outlets.


Other reports claimed that Scattered Spider had obtained at least six terabytes (6TB) of data from the two companies combined, but in its official statement, ALPHV said it would not reveal whether it had exfiltrated any personally identifiable information until MGM had decided whether a deal with the hackers was acceptable.

If no deal is reached, ALPHV says it will pass any sensitive data to the operator of the breach-notification site Have I Been Pwned.

The two ransomware groups carried out almost identical social engineering attacks on MGM and Caesars: voice phishing ("vishing") calls directed at a third-party IT help desk.

The twin tactics most likely contributed to the confusion over which gang was responsible for which attack. Meanwhile, an exclusive in-depth breakdown of Scattered Spider from Cybernews suggests the gang is in fact an affiliate of ALPHV, though that does not necessarily mean the two are one and the same.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the help desk,” @vx-underground posted on X.

“A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” the post said.

The social engineering TTPs were also confirmed in the paperwork Caesars filed with the US Securities and Exchange Commission, as required by the SEC’s recently adopted cybersecurity incident disclosure rules.

The biggest difference between the two attacks is that while MGM’s entire front end unraveled within hours of the attack, Caesars said its “customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.”

In an apparent reference to the multi-million dollar ransom payment and its assurances that operations would stay afloat, the hospitality group wrote, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”


A lack of guarantees when dealing with a cybercriminal gang is typical in the aftermath of a ransom payment: cybersecurity researchers have even found that some threat actors lack the competence to properly decrypt data, for instance, and a promise to delete stolen copies can never be verified.

Caesars also confirmed its attackers had obtained the entire database of loyalty members, chock-full of driver’s licenses and Social Security numbers. It’s unclear what other data may have been compromised at this time.

ALPHV: not a fan of MGM

Meanwhile, on Thursday, MGM posted its first statement since it broke the news of the hack on September 11th.

"We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly. We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers,” MGM posted, thanking guests for their “continued patience.”

Image: One of many MGM statement updates on the cyberattack, from September 11, 2023.

Besides calling out MGM network engineers for a “lack of understanding of how the network functions,” ALPHV accused the company of insider trading, pointing to what it called a shady $33 million stock sale, and of treating hotel customers poorly.

“This corporation is riddled with greed, incompetence, and corruption,” ALPHV said.

The threat actor also went into detail about how it tried to engage with an unknown MGM user, whom it said essentially crept around the negotiation chat room but never made contact, even when ALPHV reached out.

"We posted a link to download any and all exfiltrated materials, and created a password to protect the data by combining the compromised passwords belonging to two senior executives," it added.


The gang further claimed it provided the "creeper" with the two employee IDs for verification and even dropped hints “using asterisks on the bulk of the password characters, so that the authorized individuals would be able to view the files.”

The gang also chided outside experts for their lack of cybersecurity knowledge.

ALPHV said that even after the experts chose to "take offline" seemingly important parts of MGM’s systems, it still successfully “launched ransomware attacks against more than 100 ESXi hypervisors in their environment.”

ALPHV made a point of stressing that MGM took its systems offline before the ransomware was launched, arguing that MGM’s own shutdown created the chaotic situation the company now finds itself in.

“We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us,” the group concluded in its statement.

Since there has been no word of a ransom being paid, it seems the ball, ahem, is in MGM's court now. Cybernews will follow the story.