
Case-Study of the MGM & Caesars Cyberattack

Article Written By: Lakkshanasre Viyasarramanujam

Article Designed by: Lakkshanasre Viyasarramanujam & Sanvi Desai


The Target and the Players

In September 2023, Las Vegas went from its glitz and glamorous fortunes to becoming the stage for one of the most significant and public cyberattacks, which hit two titans of the city’s hospitality industry: MGM Resorts International and Caesars Entertainment.


The group behind this clever digital heist was identified as Scattered Spider, a financially motivated group of scammers and hackers known for its fluent English-speaking members and social engineering tactics. However, they weren’t working alone: they partnered with the ALPHV/BlackCat ransomware-as-a-service (RaaS) group, leveraging its potent ransomware capabilities to extort their high-profile targets. The partnership of these two groups is what led the city to its demise, just as the casinos were gearing up for their busy fall convention season. The attackers struck, aiming for maximum disruption and financial leverage.



The Breach

Surprisingly, the sophistication of this attack lay not in technical complexity but in simple yet effective human manipulation. The main entry point was a classic case of "vishing" (voice phishing). Scattered Spider reportedly targeted an IT help desk employee at MGM (and a similar vulnerability at Caesars) after finding their information on LinkedIn. Yes, a platform as ordinary as LinkedIn can act as an entryway to personal information.


With just a quick, convincing phone call, impersonating an employee requesting a password reset, they gained initial access. The entire process, from the first call to gaining critical access, took only about 10 minutes.


Once they had access, the hackers were able to pivot across the networks, elevating their privileges and seizing control of critical operational systems. The impact became real as soon as systems went down. Out in the real world, digital room keys stopped working, slot machines went dark, ATM services failed, and reservation systems crashed, among much else, leading to massive queues and widespread frustration. Customer requests backed up as thousands of employees scrambled to respond, leading to more than 100 million dollars in losses in the following days.


The Two Different Outcomes

Although MGM and Caesars were attacked in the same operation, the two casinos took different routes to end the chaos. Caesars took the more pragmatic approach: it reportedly entered negotiations early and paid a $15 million ransom, half of the initial $30 million demand. Although this aroused much controversy, Caesars did what was best for its business continuity.

On the other hand, MGM refused to pay the ransom and decided to shut down its own internal network system. This led to ten days of offline chaos, but it prevented the hackers from gaining further access to its data or tightening their grip. However, this didn’t change the financial outcome. MGM was still forced to pay $45 million to address the data exposure of 37 million customers in a massive lawsuit and reported a loss of $100 million to its earnings. By late September of that year, most operations were cleaned up, yet the damage had left a lasting scar on the reliability of these two casinos.


Image by Getty Images


Future Considerations

By exploiting a simple vulnerability, a human being, the Vegas attacks taught the industry that a human is often the weakest link. Having learned from the drastic chaos caused by this operation, many companies are updating their playbooks with these strategies:

  1. Help Desk Hardening

  2. Enforcing Stronger MFA Security Protocols

  3. Network Segmentation




 
 
 


