According to a cybersecurity executive involved in the investigation, the cyberattack that caused disruption to MGM Resorts International resorts and casinos nationwide originated from a breach of the company’s IT help desk through social engineering tactics.
David Bradbury, chief security officer at identity and access management company Okta, said his company issued a threat alert in August about similar attacks against some of its customers, in which hackers used low-tech social engineering tactics to gain entry and then more. sophisticated methods that allow them to impersonate users on networks.
Okta’s advisory warned that hackers tricked IT help desk staff into resetting multi-factor authentication settings registered by “highly privileged users”.
At the time, Bradbury said his staff was not sure who was behind the attacks. But in the weeks since, he said, “all signs point” to a group called Scattered Spider, the same outfit suspected of hacking MGM and Caesars Entertainment Inc. in recent weeks. Okta has been assisting customer MGM in its response to the attack, he said. Okta also counts Caesar as a customer.
MGM Resorts spokesman Brian Ahern declined to comment on the details of the attack. Ahern said the company has been cooperating with the FBI and the US Cybersecurity and Infrastructure Security Agency since the breach.
The FBI said in a statement to Bloomberg News that it is investigating both the Caesars and MGM cases.
A former MGM employee who was familiar with the company’s cybersecurity policy showed that Helpdesk was also vulnerable to attacks. The person said that to get a password reset, employees only need to reveal basic information about themselves — their name, employee ID number and date of birth — information that would be trivial for criminal hacking gangs to obtain. The employee, who requested anonymity to discuss sensitive matters, said the details were too easy to come by and were the root cause of what “gets MGM caught up here.”
Ahern declined to comment on the former employee’s allegations.
In a regulatory filing, Caesars said it detected suspicious activity on its network “resulting from a social engineering attack against an outsourced IT support provider used by the company.” The attack on Caesars took place in recent weeks, with hackers breaking into the company’s systems and threatening to release information, according to two people familiar with the matter. Caesars paid the attackers tens of millions of dollars, the people said. “We have taken steps to ensure that the unauthorized operator removes the stolen information, although we cannot guarantee that outcome,” Caesars said in the filing.
The Scattered Spider, also known as UNC3944, is known for its social engineering skills. The members of the group live in the United States and Great Britain, and some of them are as young as 19, according to four cyber security experts familiar with the group.
They also sometimes work with a ransomware gang known as ALPHV, which is believed to be based in Russia, according to cybersecurity experts.
Read more: Lina Khan stuck in MGM Hack crash in Las Vegas
In a statement posted on the group’s dark web page on Thursday, ALPHV claimed responsibility for the attack and called to report that teenagers from the US and UK were involved in the breach rumours. The group also said that MGM’s attempts to evict them from the Okta system did not go according to its plans.
Bradbury, of Okta, said it wants to get the word out about hackers and their techniques so customers can strengthen their cyber defenses. He described the hackers as highly skilled in identity technology, “so we can expect them to do more and more attacks going forward.”