Cyberattacks hit both MGM Resorts and Caesars Entertainment on September 7 and 10 until September 20 bringing their operations to an absolute standstill.
The cyberattacks impacted all MGM properties in the United States. The systems intended to handle resort services, hotel check-ins, dining, entertainment, pools, and spas, were all impacted and taken offline as a result.
While MGM took a strong stance against the attackers and refused to pay any ransom, Caesars Entertainment quickly paid a nearly 15,000,000 dollar ransom to the attackers. Brett Callow, a threat analyst for cybersecurity firm Emsisoft, notes that paying a ransom is dangerous and ineffective, as “there is no way to actually know that [hackers] do delete [stolen data] or that it won’t be used elsewhere.”
MGM and Caesars Entertainment attributed the attacks to the group “Scattered Spider” – adept in utilizing SIM swap scams, fatigue attacks, and other sorts of phishing – under a larger Russian-based group known as “ALPHV/BlackCat.”
The group breached Caesars Entertainment through SMS text phishing to obtain password resets and bypass codes. Caesars reports there is no evidence that attackers gained access to customers’ passwords, bank accounts, or credit card information.
UNLV Professor and Director of Cybersecurity Gregory Moody claims that the cyberattacks and consequential shutdowns cost MGM nearly 8,000,000 dollars per day, with a total of 80,000,000 dollars over the ten-day attack window. MGM averages a weekly revenue of 270,000,000.
Executive director of the National Cybersecurity Alliance Lisa Plaggemier says “Caesars Entertainment’s decision to pay the ransom highlighted a lack of confidence and investment in their cyber defenses,” adding that “any target can be breached, as the defense cannot win 100% of the time.”
The FBI announced an ongoing investigation into the breaches of MGM and Caesars Entertainment but refused to provide any elaboration to the press.