Vegas Casino Hack! Caesars finally paid millions in ransom

Caesars Entertainment reportedly paid "tens of millions of dollars" to hackers who threatened to release company data, Bloomberg has reported. The attack was reportedly perpetrated by a group called Scattered Spider (aka UNC 3944), a group skilled at using social engineering to bypass corporate network security. It's the second notable attack on a Las Vegas casino group, following a hack that caused a cyber outage at MGM Resorts.

Members of the hacking group are reportedly located in the US and UK and are as young as 19 years old. They began targeting Caesars as early as August 27th, and obtained access to an outside vendor before entering the company's network, according to the report. Caesars is expected to disclose the attack "imminently" in a regulatory filing.

Scattered Spider has reportedly been active since May of 2022, and has largely attacked telecom and business outsourcing organizations, according to Trellix. The group is known to impersonate IT personnel and uses social engineering to persuade company officials to run remote monitoring and other tools. From there, they exploit vulnerabilities and use tools like "Stonestop" to evade security software. Security Week describes them as a "financially-motivated threat actor."

The group has been implicated in the MGM Resorts cyber outage as well, though another ransomware group called ALPHV/BlackCat also took credit. ALPHV also claims to have used social engineering to get inside, saying it took just a ten-minute conversation to gain access. MGM has reportedly declined to pay the demanded ransom.

MGM Resorts confirmed on Monday that it was hit by a cybersecurity issue, shutting down systems across its suite of casinos. The hotel giant owns a notable swath of casinos along the Las Vegas Strip, where some gamblers reported slot machines being taken offline because of the incident. At MGM Resorts' international properties, hotels are currently taking reservations via phone because of website shutdowns.

"MGM Resorts recently identified a cybersecurity issue affecting some of the company's systems," the company wrote in a statement. It said the company "took prompt action to protect our systems and data, including shutting down certain systems" in response to the attack. MGM Resorts has not confirmed how widespread the shutdown is, what systems have been affected or other details about the incident.

Customer anecdotes report issues making reservations, using ATM machines, playing certain games and mobile key entry into hotel rooms, but Engadget has not independently confirmed these reports. While MGM Resorts informed the Las Vegas Metropolitan Police Department about the incident, the department said in a statement that these types of incidents are typically passed along to federal agencies.

Hackers claim it only took a 10-minute phone call to shut down MGM Resorts

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims to have used common social engineering tactics, or gaining trust from employees to get inside information, to try and get a ransom out of MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group.

"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers.

The international resort chain started experiencing outages earlier this week, as customers noticed slot machines at casinos owned by MGM Resorts shut down on the Las Vegas Strip. As of Wednesday morning, MGM Resorts still shows signs that it's experiencing downtime, like continued website disruptions. MGM Resorts has not responded to a request for comment, but said in a statement on Tuesday that "Our resorts, including dining, entertainment and gaming are currently operational."

ALPHV has a reputation in the cybersecurity community as being "remarkably gifted at social engineering for initial access," according to vx-underground. From there, it usually uses ransomware ploys to extort a target into paying up, and it's been going after huge corporate targets. In July, ALPHV and another threat actor, Clop, listed beauty giant Estée Lauder on their data leak sites.