Casino properties increasingly in the crosshairs of cyber attackers

Sept. 15, 2023
The FBI has warned before about the cyber vulnerabilities of both physical and online casinos, and the issue reared its ugly head again this week as two major casino properties suffered crippling cyberattacks that are still being investigated.

The Las Vegas Review-Journal reported a Russian ransomware hacker gang was possibly responsible for MGM Resorts International’s cybersecurity issue that has plagued the company all week.

The newspaper reported that the hacker gang ALPHV, also known as BlackCat, claimed it had breached the gaming giant with a simple phone call, according to a post on X, formerly known as Twitter, from malware repository vx-underground. ALPHV has not publicly claimed responsibility.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” vx-underground posted on X, the Review-Journal reported. “A company valued at $33.9 billion was defeated by a 10-minute conversation.”

And Bloomberg News, citing “two people familiar with the matter,” reported that Caesars Entertainment Inc. paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data. The group behind the attack is known as Scattered Spider or UNC 3944, sources told Bloomberg News.

New SEC rules in play

The attacks happened just a few weeks after new U.S. Securities and Exchange Commission rules became official, requiring public companies to disclose “material” cybersecurity issues in their public filings.

MGM Resorts said in its SEC filing this week that once the problem was discovered it began investigating “with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems.

“Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”

MGM did not respond to a request for further comment Friday. The FBI has confirmed it is investigating the MGM incident but would not elaborate.

In 2019, MGM suffered a security breach that exposed the personal information of more than 10 million customers, some of whom sued the company because their personal details were released.

Social engineering attack

Caesars was more forthcoming about its incident, saying in its SEC filing that it identified suspicious activity in its information technology network “resulting from a social engineering attack on an outsourced IT support vendor used by the company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.”

Caesars said it activated the company’s incident response protocols and “implemented a series of containment and remediation measures to reinforce the security of our information technology network. We also launched an investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators.”

On Sept. 7, the company said, investigators determined “the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.

“We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”

In addition to offering credit monitoring and identity theft protection services to loyalty program members, Caesars said it would be notifying individuals affected by the incident on a rolling basis in the coming weeks.

“While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents,” the company said in its filing. “We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.”

Caesars referred public inquiries for further information about the incident to an FAQ website.

Analysts have debated whether MGM’s lockdown of certain systems was the right thing to do.

Made the right call

Bobby Cornwell, vice president strategic partner enablement and integration at SonicWall, said casinos are an obvious target for cyber-attacks because of their high financial turnover. A well-executed casino attack can yield a treasure-trove of personal information and financial data, such as credit card numbers, and the names and addresses of its customers, he noted.

Cornwell believes MGM made the right call to lock down many of its systems, “even if it meant inconveniencing its guests because of their actions.  

“The fact that they were willing to quickly shut down their lucrative gaming system attests to the seriousness of this breach. On a positive note, the fact that gaming and guest services, to a degree, have resumed leads me to believe the compromised network was isolated, and allowed normal operations to resume for the gaming network.” 

Cornwell added, “This is another example of the importance of ensuring critical infrastructure within a networked environment is up-to-date and patched, it also stresses the importance of a layered security approach on the perimeter and critical infrastructure segmentation when using security solutions provided by multiple vendors and education and awareness training of employees.” 

The Review-Journal said in a Friday story that it’s unclear what cybersecurity insurance Caesars and MGM Resorts International have and what it covers.

Alex Hamerstone, advisory solutions director for information security consultancy firm TrustedSec, told the newspaper some hackers, once in a company’s network, will look for the insurance policy then demand that amount.

“Companies have tried to offload or have offloaded risks by buying insurance for a long time, and that’s becoming much more difficult now,” Hamerstone said. “Cyber-insurers are raising rates, raising the deductibles and retention and having smaller recovery just because these incidents are so common.”

FBI Director Christopher Wray told attendees at the FBI Atlanta Cyber Threat Summit this week that today’s cyber threats are “more pervasive, hit a wider array of victims, and carry the potential for greater damage than ever before. 

“Even as I'm standing here speaking to you, the Bureau is investigating more than 100 different ransomware variants. And that's just ransomware.”

The FBI is also dealing with “a host” of unique cyber threats posed by nation states, Wray said, “and it's becoming increasingly difficult to discern where cyber-criminal activity ends and nation state activity begins as the line between those two continues to blur.”

About the author: John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines. He most recently served as senior editor for the Endeavor Business Media magazine Utility Products.