MGM Resorts continues to battle a widespread outage after a cyberattack forced it to shut down systems across its properties.
The hotel and entertainment giant, which operates a number of hotels and casinos on the Las Vegas Strip including the Bellagio, Aria and Cosmopolitan, shut down large parts of its internal networks on Sunday. This resulted in widespread disruption across the company’s hotels and casinos, with guests reporting that ATMs and slot machines are out of order, along with room digital key cards and electronic payment systems.
The outage has now rolled into its fourth day, with MGM saying in an update on Thursday that the company was working to “resolve our cybersecurity issue.” Guests continue to report issues across MGM properties, despite the company claiming earlier in the week that its resorts, including dining, entertainment and gaming, are “currently operational.”
Recent reports on social media show that MGM’s casinos remain out of action and that large queues formed at affected properties as staff have resorted to relying on pen and paper. Guests have also reported that TV service is down in hotel rooms, along with MGM’s phone lines.
MGM’s website, which on Tuesday advised guests to call in order to make reservations, now tells customers to use its Rewards app for bookings. The site also says that MGM is waiving change and cancellation fees for guests arriving until September 17.
Scattered Spider claims responsibility for MGM breach
A representative for the hacking group known as Scattered Spider told ProWellTech that it was behind the MGM cyberattack.
News of the claim of responsibility was first reported by the malware repository collective vx-underground, which on Wednesday said that Scattered Spider, believed to be a subgroup of the ALPHV ransomware gang, was responsible.
The dark web leak site that ALPHV typically posts files stolen from victim organizations has not yet listed MGM Resorts. It’s not yet known what, if any data, was exfiltrated from MGM’s systems.
Reports this week claim that Scattered Spider (also known as UNC3944) was also behind a recent cyberattack on hotel and casino giant Caesars Entertainment, which Bloomberg reported on Wednesday citing sources familiar with the event. Bloomberg said the hackers first targeted the hotel and entertainment giant in late-August by breaching one of its outside IT vendors. The Wall Street Journal later reported that Caesars paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data.
Caesars confirmed the breach in an 8-K filing with federal regulators on Thursday, saying that hackers stole its loyalty program database, which includes customers’ driver’s license numbers and Social Security numbers for “a significant number of members in the database.” Caesars also said it has “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” implying that the company paid the hackers’ ransom.
U.S. publicly traded companies are required to file 8-K notices with the SEC when an event has a material effect on their businesses. Caesars said it has incurred and may continue to incur expenses related to the attack.
The Scattered Spider representative told ProWellTech in an online message that while the group was responsible for the MGM attack, it had “no involvement” with the Caesars incident.
When asked why the group had begun targeting casinos, having previously targeted video game makers and telecom companies, the representative said that the group doesn’t have set target companies. “If you have money we want it,” the Scattered Spider representative said.
The representative did not answer ProWellTech’s other questions.
Scattered Spider told vx-underground that they compromised MGM Resorts using social engineering, whereby the hackers allegedly found an employee on LinkedIn and called the organization’s help desk to access their account. Scattered Spider is known for using social engineering techniques to trick employees into granting the hackers access to large corporate networks. Members of the transatlantic hacking group reportedly include young adults and teenagers, resembling similar hacking and extortion groups like Lapsus$.
“These are not Russian hackers, these are Western hackers,” Allison Nixon, chief research officer at Unit 221B, told ProWellTech. “There is a disproportionate number of minors involved, and that’s because the group deliberately recruits minors because of the lenient legal environment these minors exist in and they know nothing will happen to them if the police catch a kid,” Nixon said.
MGM has yet to comment on the nature of the cyberattack beyond an 8-K filing earlier in the week.
When reached by email, an FBI spokesperson declined to comment on questions related to the incident at Caesars, including whether it was aware or investigating. The FBI spokesperson, who declined to be named, confirmed it was investigating the MGM cyberattack but said it was “not able to provide any additional detail.”
U.S. authorities have long advised victims of cyberattacks and extortion not to pay the ransom.
Caesars spokesperson Robert Jarrett did not respond to a request for comment, and MGM has yet to respond to any of ProWellTech’s emails, messages or calls. It’s not clear if the company’s employees have access to corporate email systems.
Do you work at MGM or Caesars? Do you have more information about the cyberattacks? You can contact Carly Page securely on Signal at +441536 853968, or by email. You can also contact ProWellTech via SecureDrop.