Sep 13, 2023

MGM and Caesars Hacked by ‘Scattered Spider’ in Span of Few Weeks

William Turton, Christopher Palmeri and Katrina Manson, Bloomberg News

People enter the MGM Resorts International Grand Hotel & Casino in Las Vegas, Nevada, U.S., on Tuesday, Feb. 16, 2016. Photographer: David Paul Morris/Bloomberg , Bloomberg

(Bloomberg) -- MGM Resorts International was hacked by the same group of attackers that breached Caesars Entertainment Inc. weeks earlier, according to four people familiar with the matter.

The hackers demanded a ransom from MGM, according to two of the people. It wasn’t immediately clear how much ransom was requested or if the hackers deployed ransomware to lock up the company’s files.

Caesars didn’t respond to messages seeking comment. The company disclosed the cyberattack in a regulatory filing Thursday.

MGM declined to respond to questions about the attack. In a statement on Tuesday, MGM said the investigation is ongoing. The company said it was continuing to implement measures to secure its business operations.

MGM was still working to resolve the turmoil caused by the hackers, known as Scattered Spider, four days into the cyberattack that has disrupted the company’s websites, reservation system and some slot machines at its casinos across the country, according to two of the people.

Caesars was also hacked by the same group in a cyberattack a few weeks earlier, and ended up paying tens of million of dollars to the hackers, according to the people, who asked not to be identified because the information is private. The hackers first breached an outside IT vendor before gaining access to the company’s network, two of the people said. The attackers gained driver’s license and social security numbers for loyalty members, among other data, the company said in the filing Thursday.

“We have taken steps to ensure the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said.

Shares of MGM were up less than 1% at 9:31 a.m. Thursday in New York, after dropping 1.2% Wednesday to $41.47. Shares of Caesars rose 1.1% at 9:31 a.m., after dropping 2.7% to $52.35.

Scattered Spider, which is also known as UNC3944, is composed of hackers who are based in the US and UK, some as young as 19 years old, according to a cybersecurity researcher familiar with the group. The group has targeted telecommunications and business process outsourcing companies to pull off SIM swaps of phone numbers that can then be used in phishing attacks to steal data from victim systems and extort a ransom.

Charles Carmakal, chief technical officer for Mandiant Inc., part of Google Cloud, described the hackers as “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.” Mandiant first came across the group in May 2022.

He said many of the members of the group are young native English speakers who are “incredibly effective social engineers.” They have started deploying ransomware encryptors and sometimes expose victims on infrastructure used by another hacking group, ALPHV.

The FBI said in April 2022 the group had leased its ransomware to others that has resulted in compromises of at least 60 entities worldwide.

In the MGM hack, Scattered Spider may have worked with ALPHV, according to two people familiar with the group’s operations.

Hackers use several different techniques to extort victims for money.

For instance, ransomware is a type of malware that locks up a victim’s computer files. The hackers then promise to provide a decryption key if an extortion fee is paid.

More recently, hacking groups have shifted away from ransomware and instead focused on stealing sensitive data from victims. They then threaten to release the information online unless they are paid.

(Updates with Caesars filing in third, sixth and seventh paragraphs, share prices in the eighth paragraph)