A pair of criminal hacking groups have been linked with attacks in recent weeks on two prominent Las Vegas hotel and casino operators that have left one struggling to resume operations and reportedly prompted the other to pay a multimillion-dollar ransom.
The attacks on MGM Resorts and Caesars Entertainment have resulted in widespread outages at MGM properties, and according to a Wall Street Journal report, forced Caesars to pay roughly half of a $30 million ransom demand.
Exactly who is behind the attacks remains unclear, but two hacking groups have been linked with the breaches: ALPHV and Scattered Spider. A person claiming to be a member of the latter told CyberScoop that their group was responsible for the attack on MGM but denied responsibility for the breach of Caesars. Earlier this week VX-Underground, a well-known online malware research repository, wrote on the social media platform X that an ALPHV representative said they were behind the MGM hack.
Late Thursday, ALPHV claimed responsibility for the attack on MGM in a statement on its website. It is unclear whether Scattered Spider’s claim of responsibility for the breach of MGM is false or whether overlaps between the two groups mean that members of both hacking collectives were involved in the breach of MGM. The Scattered Spider member who spoke with CyberScoop described their group as a well-known affiliate of ALPHV.
In a Thursday regulatory filing, Caesars confirmed that the company had identified “suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor” used by the company. The attackers gained a copy of “among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database,” the company said.
Caesars said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” in what may have been a veiled reference to the reported ransom payment.
Neither Caesars nor MGM responded to multiple requests for comment. The FBI acknowledged that it was investigating the incidents Thursday but declined to comment further.
In a statement Friday, Anne Neuberger, the deputy national security advisor for cyber and emerging technology, encouraged American companies to work with the U.S. government to respond to cyberattacks.
After a set of conflicting statements earlier in the day, in which Neuberger at first said that MGM had turned down assistance from the federal government, it emerged that MGM had begun working with the FBI. “We are working in close coordination across the U.S. government in response to the recent ransomware attack against MGM,” she said late Friday, adding that “this incident underscores our strong recommendation that companies do not pay ransoms.”
Brian Ahern, the executive director of communications at MGM Resorts, told CyberScoop Friday that the company has been working with the FBI “from the beginning.” The FBI declined to comment late Friday.
As of Thursday, MGM appeared to be continuing to struggle to recover from the attack, but by Friday the resort and casino giant had its casino floors in Las Vegas up and running again.
The member of Scattered Spider who spoke with CyberScoop said that negotiations with MGM were ongoing but would not disclose the terms of any demands. The individual claimed that stolen data included customer information, sexual abuse incident reports and other corporate records. The individual’s claims could not be independently verified.
“If MGM decide they want to discuss if they paid or how much is completely up to them, if they decide they want to pay the money we assure them their systems wont [sic] be breached again,” the person said in an online chat.
The two groups linked to the attacks on the two casino operators, Scattered Spider and ALPHV, are aggressive online criminal groups with well-documented histories of carrying out ransomware attacks.
Scattered Spider is the name given by private industry researchers to a financially motivated hacking group. The group was likely behind a “massive phishing campaign” that harvested credentials for Okta, the U.S.-based authentication service, and led to follow-on attacks against Twilio, Cloudflare and users of the Signal messaging app, cybersecurity firm Group-IB reported in August 2022.
Scattered Spider has been active since May 2022, and has mostly attacked telecommunications and business process outsourcing organizations until recently, when it began targeting other sectors, including critical infrastructure, according to an Aug. 17 analysis from cybersecurity firm Trellix.
The group “heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases,” according to a May 2023 Mandiant analysis.
Charles Carmakal, Mandiant’s chief technology officer, called Scattered Spider “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.” The group’s members may be “less experienced and younger” than more established criminal hacking groups, but they are “native English speakers and are incredibly effective social engineers,” Carmakal added, referring to the practice of tricking or persuading a person with access to a particular company or network to provide access to someone not authorized to have it.
The exact relationship between Scattered Spider and ALPHV is difficult to determine. Scattered Spider is considered a distinct, financially motivated cybercrime group that has demonstrated connections to the ALPHV ransomware operation by using some of its tooling, experts say. ALPHV, also known as BlackCat, is a well-known ransomware operation and was perhaps the first to deploy ransomware written in the Rust language in the wild.
Updated, Sept. 14, 2023: This article has been updated to include confirmation that the FBI is investigating both incidents and ALPHV’s claim of responsibility for the breach of MGM Resorts.
Updated, Sept. 15, 2023: This article has been updated with comments from Anne Neuberger, a senior White House cybersecurity advisor and Brian Ahern, an MGM spokesperson, about the company’s cooperation with the FBI.