Caesars ransom attack linked to MGM, tens of millions paid to hackers


New sources are naming Caesars Entertainment as the first victim to be hit by a massive cyberattack on the Las Vegas strip – making MGM Resorts the second casualty in what appears to be a series of ransomware attacks targeting Sin City’s hotel and casino giants starting last month.

MGM Resorts announced it had been hit by a cyberattack Monday on X (formally known as Twitter).

First, rumors of MGM falling victim to a social engineering attack orchestrated by the notorious ALPHV/BlackCat ransomware gang were confirmed by security insiders on X. Then came the stories of Caesars Palace paying out a $30 million ransomware the week before, which also started to take root on social media.

On Monday evening, apparent MGM insider @LasVegasLocally posted on X that fellow casino giant Caesars Entertainment, like MGM, had also been hacked. The post claimed that Caesars quietly paid a $30 million ransom demand “to avoid the problems MGM is experiencing."

The following day, X user @vegassatrfish posted about getting a similar scoop from a current MGM employee. She posted a copy of a text exchange between them on her account. The supposed employee mentioned that call centers and the company's VPN were down for the hotel group as well.

Fast forward to Wednesday, and now four more sources familiar with the matter say a relatively unknown hacker group called "Scattered Spider" is responsible for both attacks, Bloomberg News first reported.

The ransom gang, known in the security industry as UNC 3944, began targeting Caesars as early as August 27th, sources told Bloomberg.

Once inside the network, the threat actors were said to have threatened to release company data stolen in the attack if a ransom was not paid.

The sources also believe Scattered Spider and ALPHV/BlackCat may have joined forces to carry out the MGM attack. A ransom demand was given to MGM, though it appears that the company has not paid any money as of Wednesday evening.

Showcasing tactics similar to the ones used on MGM, the hackers first breached an outside IT vendor before gaining access to the company’s network, most likely using social engineering, according to the sources Bloomberg spoke with.

It's not clear if all of Caesars Entertainment's 57 gaming properties were compromised in the ransom attack. More information is expected to be released on the incident once the hospitality conglomerate files with the SEC, as required by law in the event of a breach.

The MGM attack has led to devastating financial losses for MGM, and some insiders say the resort may not be able to make payroll this week.

The US risk assessment firm Moody’s said Wednesday that the agency might be forced to downgrade MGM’s credit rating, while shares of Caesars Entertainment also dropped a few percentage points.

MGM gets caught in a loop

The MGM attack forced the company to shut down part of its network systems Monday, incapacitating most guest services, room keys, and slot machines on the casino floors of all twelve of its MGM brand resorts located on the strip.

Reports of hours-long front desk lines, no phone service, handwritten check-in forms, and physical room keys that can open any door are still plaguing the resort since the breach was discovered early Sunday.

"It’s chaos at MGM. Ordinary keys are opening all rooms as if master keys," one user posted, along with a screenshot of a typed letter from MGM. The letter contains detailed instructions for guests on things like how to get into their rooms, play the slot machines, and redeem winnings while the hotel was completely analog.

Some of the 19 other MGM locations across the US had also reported system issues, including the MGM Borgata in Atlantic City. Additionally, all MGM websites, including the mobile app, were taken offline due to the attack.

MGM sources told @lasvegaslocally Wednesday that it could take at least two weeks to get its resorts back up and running normally.

Customer data is the real target

Research shows that bad actors will likely take advantage of the name brand hack by offering up the data of millions of MGM customers on the dark web markets from two previous MGM breaches from 2019 and 2022.

Cybersecurity Intel firm Cybersixgill says those attacks resulted in a massive leak of millions of customers’ personal information that continues to circulate on the underground.

In December 2022, MGM subsidiary BetMGM was also breached, with attackers reportedly acquiring customers’ names, social security numbers, and financial data.

“The hospitality industry remains an attractive target for threat actors, with casino-owning conglomerates like MGM perceived as well-capitalized entities concerned with their image and reputation,” Cybersixgill explained.

Individuals patronizing these types of vacation destinations are viewed by threat actors "as worth targeting for financial fraud, identity theft, or other forms of cybercrime." Cybersixgill said.

What's more, loyalty club databases, like MGM Rewards and the recently breached rewards platform of the US retail chain Hot Topic, can provide a treasure trove of sensitive information for cybercriminals. According to Cybersixgill, hackers often use loyalty account credentials in credential stuffing attacks, which leverage the tendency to recycle passwords across multiple platforms and services.

One recently found black market offer, posted two weeks before the ransom attack on August 24th (shown below), requests an asking price of $550 (paid in crypto) for alleged MGM customer data, including names, addresses, email addresses, phone numbers, and dates of birth.

MGM past data for sale
Image by Cybersixgill.

“The ad for MGM data illustrates the lasting value of stolen information, even years after it was initially leaked,” Cybersixgill said.

Who is Scattered Spider?

Scattered Spider (UNC3944) has been tracked by security researchers since about May of 2022.

The group is made up of English-speaking members from the US and the UK, some of them as young as 19 years old, according to a recent profile on the gang by Mandiant threat intelligence.

UNC3944 “heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases,” Mandiant reports.

Scattered Spider is also known to use SIM swapping attacks, and commonly targets businesses in the telecom industry.

Once inside a system the attackers use remote access tools to maintain a consistent presence to modify and steal its victim’s data.

Targeted businesses have been located primarily in the US, UK, Germany, France, Italy, Canada, Australia, and Japan, said one CrowdStrike report.

Nick Hyatt, cyber practice leader at security firm Optiv, describes Scattered Spider as a financially motivated threat group with a loose toolset and affiliate ties to another notorious ransomware gang, Alpha/BlackCat, who've been on the scene since 2021.

“Historically they have shared toolset usage with the Alpha/BlackCat organization,” Hyatt said.

“While these are distinctly separate groups, there is likely an affiliate relationship there, given Alpha/BlackCat's operation as a Ransomware-as-a-Service outfit,” he added.

ALPHV/BlackCat leak site
ALPHV/BlackCat leak site.

Ironically Tuesday, while MGM struggled to gain control of operations, ALPHV/BlackCat posted 2.5TB of stolen data from its latest big-name victim, Semiconductor manufacturer Seiko, who announced the breach in August.

Cybernews has reached to MGM Resorts International and Caesars Entertainment but so far there has been no response.

"Considering the recent breaches at Caesars and MGM, it's evident that malicious actors are advancing in sophistication,” Liat Hayun, CEO at Israeli startup Eureka Security, told Cybernews.

Businesses must prioritize data security with proactive, practical and immediate action. Know your data, its locations and access points, she said.