ALPHV: Hackers Reveal Details of MGM Cyber Attack

By Sarah Braithwaite on October 24, 2023

Executive Summary

In September 2023, MGM Resorts, a prominent hotel and casino chain, faced a cyber attack launched by the hacker groups ALPHV and Scattered Spider. The groups used social engineering to enter MGM’s systems, which resulted in a ransomware attack. The attack caused critical operational disruptions, including the disabling of online reservation systems, digital room keys, slot machines, and websites. The impact lasted ten days, causing significant losses for MGM Resorts. Additionally, concerns arose about a potential data breach that could have involved personally identifiable information (PII) of MGM customers, employees, and vendors. ALPHV, one of the hacker groups, released a statement titled “Setting the record straight” on September 14, 2023. In this statement, ALPHV provided details of its strategies and involvement in the cyber attack, shedding light on the events surrounding the breach. The incident shows why organizations must invest in robust cybersecurity measures to protect themselves from evolving cyber threats.

Figure 1: MGM Resorts statement on cybersecurity issue

Figure 2: Hacker group ALPHV’s statement on the MGM attack

Technical Details


The cyber threat group Scattered Spider, known for its expertise in social engineering, launched an impersonation and vishing scheme to enter MGM’s systems. Scattered Spider used LinkedIn to identify a current MGM Resorts employee, assumed that person’s identity, and called the MGM IT help desk requesting assistance logging into their accounts. The phone call lasted ten minutes, and the attackers were able to gain administrator privileges in MGM’s Okta and Azure tenant environments. The following day, MGM’s security team discovered unusual activity and traffic; ALPHV later admitted it had been sniffing passwords on MGM’s Okta servers. MGM hastily deactivated its Okta Sync servers and other essential infrastructure components to prevent the attack from escalating, which interrupted reservation systems, digital room keys, slot machines, and more. ALPHV, still having access to the environment, deployed ransomware to more than 100 ESXi hypervisors within MGM’s network (Kagan, 2023). The attackers claimed to have exfiltrated data from MGM systems but did not confirm whether it included the personally identifiable information (PII) of MGM customers, employees, and vendors. Furthermore, they threatened to notify Troy Hunt of HaveIBeenPwned.com if they could not come to an agreement with MGM. MGM’s hotels and casinos have since resumed normal operations, although there may still be some “intermittent issues” (Morrison, 2023).
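The initial access described above turned a help-desk credential reset into tenant-wide administrator rights. One control a defender can build from that sequence is a correlation rule over the identity provider’s audit log: a password or MFA reset performed by a support account, followed within a short window by a privilege grant on the same user, is worth an analyst’s attention. The Python below is an added example for this article, not code from MGM, Okta, or either hacker group; it assumes the Okta System Log event-type names shown (`user.mfa.factor.reset_all`, `user.account.reset_password`, `user.account.privilege.grant`, `group.user_membership.add`) and the JSON field layout (`eventType`, `published`, `actor.alternateId`, `target[].alternateId`), and the log entries are constructed sample data.

```python
"""Correlate identity-provider audit events: flag accounts whose credential
or MFA reset is followed by a privilege grant within a short window.

Added example. Event-type names are assumed to follow Okta System Log naming;
the sample events below are constructed, not taken from any real incident.
"""
from datetime import datetime, timedelta

# Assumed Okta System Log event types for help-desk style resets and for
# privilege changes. Adjust to the identity provider actually in use.
RESET_EVENTS = {
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.reset_password",
}
PRIV_EVENTS = {
    "user.account.privilege.grant",
    "group.user_membership.add",
}
WINDOW = timedelta(hours=24)

# Constructed sample log: a support agent resets MFA for j.doe, and forty
# minutes later j.doe is added to an administrator group. a.smith also gets a
# reset, but no privilege change follows, so it should not be flagged.
SAMPLE_LOG = [
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-10T14:02:11Z",
     "actor": {"alternateId": "helpdesk.agent@example.com"},
     "target": [{"type": "User", "alternateId": "j.doe@example.com"}]},
    {"eventType": "user.account.reset_password", "published": "2023-09-10T14:30:00Z",
     "actor": {"alternateId": "helpdesk.agent@example.com"},
     "target": [{"type": "User", "alternateId": "a.smith@example.com"}]},
    {"eventType": "group.user_membership.add", "published": "2023-09-10T14:42:55Z",
     "actor": {"alternateId": "j.doe@example.com"},
     "target": [{"type": "User", "alternateId": "j.doe@example.com"},
                {"type": "UserGroup", "alternateId": "Super Administrators"}]},
    {"eventType": "user.session.start", "published": "2023-09-10T15:00:00Z",
     "actor": {"alternateId": "a.smith@example.com"},
     "target": []},
]


def _parse_time(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _user_target(event):
    """Return the user an event acted on, or None if it has no User target."""
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target.get("alternateId")
    return None


def find_reset_then_privilege(events, window=WINDOW):
    """Return one alert per privilege grant that follows a reset on the same
    account within `window`. Events may arrive in any order; they are sorted
    by publish time so the reset is always evaluated before the grant."""
    ordered = sorted(events, key=lambda e: e["published"])
    last_reset = {}  # user -> (reset time, actor who performed it)
    alerts = []
    for event in ordered:
        user = _user_target(event)
        if user is None:
            continue
        when = _parse_time(event["published"])
        kind = event["eventType"]
        if kind in RESET_EVENTS:
            last_reset[user] = (when, event["actor"]["alternateId"])
        elif kind in PRIV_EVENTS and user in last_reset:
            reset_at, reset_by = last_reset[user]
            if when - reset_at <= window:
                alerts.append({
                    "user": user,
                    "reset_actor": reset_by,
                    "reset_at": reset_at.isoformat(),
                    "priv_event": kind,
                    "priv_actor": event["actor"]["alternateId"],
                    "minutes_between": int((when - reset_at).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_privilege(SAMPLE_LOG):
        print(alert)
```

The rule is deliberately narrow: it does not fire on a reset alone, since legitimate help-desk resets are routine, and it does not fire on a privilege grant alone. Pairing the two on one account inside a day is what makes the sequence unusual, and the `reset_actor` field points the analyst straight at the support interaction to verify.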

Impact

Multiple class action lawsuits were filed against MGM Resorts, alleging that it failed to protect PII after being advised by Okta about targeted social engineering tactics against the company (Jones, 2023). MGM also suffered a financial loss of roughly 8.4 million dollars a day in revenue due to this cyber attack (Milutinovic et al., 2023). Furthermore, the incident raised concerns among MGM’s customers about the security of their personal information and financial records.

Significance

The speedy infiltration of MGM’s systems is a reminder that no organization is immune to cyber attacks. The breach highlights the importance of employee training and awareness in mitigating the risk of social engineering attacks. Furthermore, the incident sheds light on the devastating effects of ransomware and its ability to debilitate organizations, especially those with vulnerable security infrastructures. MGM’s rapid decision to shut down critical systems in response to the incident shows the importance of having a well-structured incident response plan to detect, assess, and respond to cyber threats appropriately. The significance of this incident is magnified by MGM Resorts’ previous encounter with a cyber attack in 2019, in which hackers stole the PII of more than 10.6 million guests and posted that information online (Jones, 2023). MGM-owned betting platform BetMGM also faced a data breach in 2022, in which the PII of 1.5 million customers was stolen (Kovacs, 2023). The recurring attacks on MGM’s systems further emphasize the importance of prioritizing security measures.

References

Boyd, C. (2023). Ransomware group steps up, issues statement over MGM Resorts compromise. Malwarebytes. https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise

Jones, D. (2023, September 25). MGM Resorts warns customers of fraud as it faces class action lawsuits. Cybersecurity Dive. https://www.cybersecuritydive.com/news/mgm-resorts-negligence-lawsuits-cyber/694618

Kagan, S. (2023, September 21). Unmasking the ALPHV-MGM Saga: A masterclass in cybersecurity missteps and ethical conundrums. The Final Hop. https://www.thefinalhop.com/unmasking-the-alphv-mgm-saga-a-masterclass-in-cybersecurity-missteps-and-ethical-conundrums/

Kovacs, E. (2023, September 14). Ransomware gang takes credit for disruptive MGM Resorts cyberattack. SecurityWeek. https://www.securityweek.com/ransomware-gang-takes-credit-for-highly-disruptive-mgm-resorts-attack/

Milutinovic, R., Malenovic, M., & Mitic, V. (2023, September 18). MGM loses up to $8.4 million in daily revenues to recent cyberattack. World Casino News. https://news.worldcasinodirectory.com/mgm-loses-up-to-8-4-million-in-daily-revenues-to-recent-cyberattack-110386

Morrison, S. (2023, September 15). The chaotic and cinematic MGM Casino Hack, explained. Vox. https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware

Figure 1: https://twitter.com/mgmresortsintl/status/1701256032369164399?s=46&t=lsQnDGaIxXu8473b2CsBoQ

Figure 2: https://cybernews.com/news/mgm-caesars-ransom-hacker-alphv-statement/