Hacking gangs with multiple names, affiliates acting on behalf of ransomware operators, and accusations of false reports – we attempt to unpick the complicated story behind the attacks on MGM and Caesars.
A COMPLICATED WEB OF CYBERCRIMINALITY
As the cybercriminal ecosystem has become more sophisticated and specialized, cyberattacks are very rarely as simple as one hacker targeting one organization. The attacks against the casinos MGM Resorts and Caesars that have been reported over the past week illustrate the increasingly complex nature of the cybercriminal supply chain. In this blog, we unpick some of the finer details of the story to explain what is known so far.
THE MGM RESORTS INCIDENT
The attack against MGM Resorts was first reported on September 11, 2023, when the company tweeted a statement about a “cybersecurity issue affecting some of the Company’s systems”. The systems impacted by the incident were reported to be the company’s website, reservation systems, and hotel electronic key cards.
The cyberattack was quickly linked to the ransomware group BlackCat, also known as ALPHV (scroll down to find out more about them). It was also reported that the company was initially compromised by a relatively straightforward social engineering attack known as vishing (voice phishing).
In a lengthy statement on its dark web leak site on September 14, 2023, BlackCat disputed that it had previously claimed the attack, while asserting that it had now in fact deployed ransomware on MGM’s systems following unsuccessful negotiations with the company.
In the post (extract below), BlackCat claimed to have maintained a presence on MGM’s infrastructure in spite of the measures the company had taken to disable systems, including super administrator privileges in MGM’s Okta environment and Global Administrator permissions in the company’s Azure tenant.
Two extracts from BlackCat/ALPHV’s lengthy statement about the attack on MGM Resorts on its dark web leak site. The poster goes on to criticize MGM for its “mistreatment” of customers, as well as several publications, researchers, and journalists for publishing “false reports” about the cyberattack.
THE CAESARS INCIDENT
The attack on Caesars actually took place in the weeks before the attack on MGM Resorts, but it only came to light in the days following the initial reports of that attack. Quite a lot of information about this incident can be found in the company’s Securities and Exchange Commission (SEC) filing, which discloses what the company knows from its initial investigation into the attack.
For example, the filing confirms that the casino’s infrastructure was also compromised by a social engineering attack, but this time against “an outsourced IT support vendor used by the company”. In Caesars’ case, the attackers targeted the “loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.”
The headline on the Caesars attack was quickly established when the Wall Street Journal alleged that the company had paid a $15m ransom. Many took sections of the company’s SEC filing as confirmation of this allegation, for example the line that the casino had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
It is important to note that, unlike MGM Resorts, Caesars was not listed on BlackCat’s dark web leak site. However, the two incidents have been linked by the involvement of another threat group known as Scattered Spider.
WHO IS SCATTERED SPIDER AND HOW ARE THEY INVOLVED?
On September 13, Bloomberg News reported that both MGM and Caesars had been compromised by the same threat group, which is known by many aliases given by different cybersecurity companies, including Scattered Spider, UNC3944, and Muddled Libra. For the sake of brevity, we will stick to Scattered Spider from this point onwards.
The various reports on Scattered Spider agree on several points. Firstly, the group is financially motivated. Secondly, it specializes in social engineering techniques. Finally, it achieves privilege escalation by targeting password managers or privileged access management systems. All of this fits with the reports surrounding the attacks on MGM and Caesars.
Moreover, the involvement of Scattered Spider (whose TTPs do not typically include data encryption) does not contradict reports that both companies were hit by ransomware attacks, given the group’s rumored status as a recent BlackCat affiliate.
WHO IS BLACKCAT/ALPHV?
BlackCat, also known as ALPHV or Noberus, is one of the most prolific Ransomware-as-a-Service (RaaS) schemes currently in operation. RaaS means that it works on an affiliate model, where other actors (such as Scattered Spider) effectively lease its ransomware to conduct their own attacks and, in return, provide the BlackCat leadership with a cut of the ransom.
While it only emerged onto the RaaS scene in late 2021, BlackCat quickly established itself as a major player. According to our report on the most prolific groups of 2022, BlackCat was the third most active ransomware gang last year, measured by the volume of victims posted on its dark web leak site. Our data shows that it claimed second position in the first half of this year.
This isn’t overly surprising given BlackCat’s pedigree. Its crew includes developers and money launderers who worked on DarkSide, the ransomware operation most infamous for its attack on Colonial Pipeline. BlackCat is also suspected of having recruited former members of the now-closed REvil operation, and of having some degree of overlap with the broader threat cluster tracked as FIN7.