“Good morning, am I speaking with the IT support team? Am I speaking with Erik by any chance? Yes? How are you? Yes, this is John Doe, the slot machine technician. Look, sorry to bother you, but we have an emergency in the VIP gaming lounge, and I can’t log into the system with my user account. I need you to reset my access password as quickly as possible.”
It’s September 2023, and the technician at the MGM Hotel-Casino in Las Vegas who received this call (give or take a few words) is unaware that by complying with this request he is about to enable the largest cyberattack to occur globally that year.
On September 11, the massive MGM hotel chain in Las Vegas, one of the largest in the city and located on the Strip, publicly announced that it was experiencing a catastrophic IT incident: a cyberattack that brought the hotel and its services to their knees.
Immense lines of customers waiting to complete their check-in and check-out processes, large gaming halls collapsing, guests unable to access their rooms due to downed access systems, rows of slot machines out of service, and employees walking around the casino with chips and cash to meet customer needs.
The casino has returned to the Stone Age.
The cause: a massive cyberattack that spread throughout the megacorporation, infecting and corroding every system it touched. Even worse, much of the existing data was exfiltrated. It was ransomware, and of a type never seen before.
How can the mega-hotel recover? Well, it has two options: either pay the ransom demanded by the attackers (estimated at around 30 million dollars) or choose to rebuild each of its systems from the ashes (which may cost even more than the ransom).
Who is the attacker? There are three theories. The first is that the perpetrator is none other than ALPHV (formerly BlackCat, formerly DarkSide), a cybercriminal group of likely Slavic origin, responsible for what may have been the most significant cyberattack on critical infrastructure in history: the Colonial Pipeline attack of May 2021.
The second theory suggests that the attacker was Scattered Spider, a newer criminal group composed of individuals with excellent English skills (possibly native speakers).
The third, and most likely, is that it was a coordinated attack between both organizations, using a RaaS (Ransomware-as-a-Service) model, the use of digital mercenaries analyzed in our previous column.
The intrusion method used to deploy the ransomware: an extremely refined social engineering technique, the classic “pretexting” phone scam. The attackers impersonated a real casino employee (the famous John Doe, fictionalized for this article), whose personal information, as well as the identities of potential support agents, was obtained by analyzing LinkedIn profiles (a social network for professionals).
A simple yet meticulous open-source intelligence exercise.
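The call quoted at the top succeeded because the reset was granted on the caller's say-so. As an added example, not code from the article or from MGM, the following Python checker applies an out-of-band verification policy to constructed help-desk reset tickets; the directory, account names, phone numbers and policy rules are all assumptions.

```python
"""Policy checks for help-desk password-reset requests (added example)."""
from dataclasses import dataclass

@dataclass
class ResetRequest:
    ticket: str
    account: str
    channel: str            # "phone" or "portal"
    callback_number: str    # number the caller asked to be called back on
    verified_by: str        # "callback", "manager" or "none"
    urgency_claimed: bool   # caller pressed for speed ("emergency in the lounge")

# Constructed directory (assumption): account -> (phone on record, privileged?)
DIRECTORY = {
    "jdoe": ("+1-702-555-0101", True),    # slot technician, privileged access
    "asmith": ("+1-702-555-0150", False),
}

def evaluate(req: ResetRequest, directory=DIRECTORY) -> list[str]:
    """Return the policy violations for one reset request (empty list = OK)."""
    findings = []
    phone, privileged = directory.get(req.account, (None, False))
    if phone is None:
        findings.append("account not in directory")
    if req.channel == "phone" and req.verified_by == "none":
        findings.append("phone reset with no identity verification")
    if req.channel == "phone" and phone and req.callback_number != phone:
        findings.append("callback number differs from number on record")
    if privileged and req.verified_by != "manager":
        findings.append("privileged account reset without manager approval")
    if req.urgency_claimed and findings:
        findings.append("urgency pressure combined with failed checks")
    return findings

def review(requests):
    """Map ticket id -> findings, keeping only requests that fail policy."""
    return {r.ticket: f for r in requests if (f := evaluate(r))}

# Constructed sample tickets (assumption); the first mirrors the call quoted above
SAMPLE = [
    ResetRequest("T-1001", "jdoe", "phone", "+1-702-555-0199", "none", True),
    ResetRequest("T-1002", "asmith", "phone", "+1-702-555-0150", "callback", False),
    ResetRequest("T-1003", "jdoe", "portal", "+1-702-555-0101", "manager", False),
]
```

Only T-1001, the unverified phone reset of a privileged account under time pressure, is flagged; the other two pass because the caller was reached on the number on record or a manager approved the change.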
How did the attack end? The truth is no one knows for sure. What we do know is that the casino initially refused to pay the ransom, which caused the chaos described in this article for roughly a week, until operations suddenly and quickly returned to normal. Whether a smaller ransom was eventually negotiated, only company executives know.
This situation, which led to enormous financial losses (and even greater reputational damage), clearly demonstrates failures in several mechanisms: prevention (primarily not educating staff to recognize fraudulent requests), detection (failing to properly monitor the spread of the ransomware and the data exfiltration), and finally response (being unable to restore daily operations in a timely manner).
It is from events like this that organizations must analyze and learn. Yesterday it was MGM; tomorrow it could be us.
What happened in Vegas should not stay in Vegas.