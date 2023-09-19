Our research and tracking of the global information war and the dramatic increase in ransomware attacks over the last three years have indicated, for some time, that more attacks were coming and that corporate boards and their directors should prepare. The MGM ransomware attack makes this point well. Details here.



While this attack is a massive “one off” tied to a pattern of ransomware attacks in which social engineering is a core competency of the hacking groups responsible, there does not seem to be a geopolitical angle here. Of keen interest to us, and something we continue to track, is a major attack that maps to a clear geopolitical, strategic agenda by China, Russia, North Korea, Iran, etc. Is such an attack clearly in the “not if but when” column? And while there is no nation-state affiliation or geopolitical motive to this attack, the collaborative effort by these hacking groups – at the level of Las Vegas spectacle – is an alpha test of large-scale cyberattack capabilities (along with premium, global, unpaid media exposure and marketing) that can now be shopped around in the dark economy. And we know there are well-resourced buyers for such services.

Background

As an early warning system for our readership, we recently provided the following interrelated analyses of the omnipresent threat vectors in a global information war and the growing attack surfaces in an epidemic of large-scale ransomware attacks:



Ransomware Attacks in U.S. and Cyberattacks in Pacific Islands are Battlefields in Global Cyber War – These pattern-recognition and sensemaking efforts are a follow-up to our recent spotlight on The City of Dallas, Over a Month After A Ransomware Attack, Still not at Full Functionality and the U.S. Turning its Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica – further validating the broader cyber battles that the U.S. is fighting on a daily basis (in what is a broader, global cyber war in which we are already engaged against nation-state and non-state actors alike).

Lessons Learned from the MGM Attack Timeline

All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation. — vx-underground (@vxunderground) September 13, 2023

September 14th

MGM Resorts is still struggling to recover from a cyberattack that has hampered significant parts of its business.

As reported by The Record:

“Since Monday [September 11th] — when the company confirmed that it shut down some systems after identifying a cybersecurity issue — its website has been down and customers have reported widespread issues with everything from slot machines to room keys. Customers have shared photos and videos of temporary measures the casinos are taking to continue operations while systems are down, including providing visitors with radios to communicate with staff and tallying slot machine losses or wins by hand. Rumors have run rampant as customers and employees search for answers about the situation. The company owns several high-profile Las Vegas properties, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria. Employees are now fearful that they will not be paid on Friday and, due to the company’s size, several ancillary businesses are warning their employees to be wary of ‘emails, files and electronic communications.’ MGM Resorts reported that it brought in about $25 million per day in the third quarter of 2022, meaning the hotel is likely losing millions each day with the outages affecting dozens of slot machines and other resort functions.”

Scattered Spider, 0ktapus and Caesars

“While MGM has refused to specify the nature of the cyberattack, Bloomberg reported on Wednesday that it was a ransomware incident, backing up claims relayed to the malware research platform vx-underground that an affiliate of the Black Cat/AlphV ransomware gang was behind the attack. A notable affiliate of the gang — known by researchers as Scattered Spider or 0ktapus — reportedly told vx-underground directly that they gained access to MGM’s systems by searching for employees on LinkedIn and spoofing the IT help desk. Reuters spoke to two sources that confirmed Scattered Spider was behind the incident. Scattered Spider has made a name for itself with several high-profile attacks, including one on Coinbase in February. The group — which is allegedly made up of U.S. and U.K.-based hackers — has shown skill with social-engineering techniques. The casino reportedly paid a $15 million ransom after being asked for $30 million.”

What Next?