In a trick reminiscent of a heist movie, the hackers who allegedly breached the security at MGM’s casinos this month originally planned to manipulate the software running the slot machines, and “recruit mules to gamble and milk the machines”.
Thwarted in that plan, the group fell back on a decade-old formula that has reaped billions of dollars for ransomware operators — they siphoned off the company’s data, encrypted some of it and are now demanding cryptocurrency to release it.
In an interview over the Telegram messaging app, a person who claimed to represent the group described the techniques used to evade detection in the systems of one of the world’s largest casino operators.
While their claims cannot be independently verified, security researchers familiar with the group nicknamed “Scattered Spider” said the technical descriptions given to the Financial Times matched attacks on at least 100 other victims over the past two years.
MGM, which has a market capitalisation of $14.6bn, did not reply to emails seeking comment. The Nevada Gaming Control Board said overnight that the state’s governor, Joe Lombardo, was working with law enforcement on the hack, which left thousands of guests without functioning key cards for their hotel rooms and forced slot machines offline in MGM casinos around the US.
The owner of some of those storied casinos on the Las Vegas strip, including the Bellagio, the Aria, the Cosmopolitan and Mandalay Bay, had to resort to “manual mode” gambling, including cash payouts and some handwritten IOUs, according to the company and reports on social media.
The person declined to say how the group initially gained access to MGM’s systems. In the past, Scattered Spider has been known to use well-rehearsed phone calls to help desks to obtain new passwords or fresh multifactor authentication enrolments for an employee it had profiled through social media, and to take over that employee’s corporate phone number through SIM swapping, in which the carrier is persuaded to move the number to a SIM the attackers control so that SMS-based codes are delivered to them.
Members of the group, who refer to themselves as “Spider-1”, “Spider-2” and “Spider-3”, evaded MGM’s security team by relying on commodity remote-access software and the company’s own corporate VPN, so that their sessions looked like an ordinary employee’s. They ran their malware remotely and claim to have penetrated the system within five hours of starting the attack and to have gone undetected for eight days.
Those phone calls work because, unlike the Russian-speaking cybercriminals who dominate the ransomware industry, the Scattered Spider crew speaks fluent English. Mandiant Consulting, a cyber security company owned by Google, suspects the members are based in Europe.
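The pattern described above (a help-desk reset of a password or MFA factor, followed by a VPN login from a device the employee has never used and the launch of a commodity remote-access tool) is something a security team can look for in its own telemetry. The script below is an added example, not code from the FT article or from MGM or Mandiant: it correlates constructed log events across those three stages within a time window. The event schema, the user and agent names, the list of remote-access tool binaries and the known-device inventory are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only. None of these users, hosts,
# IPs or help-desk agents are real, and nothing here is taken from the MGM incident.
SAMPLE_EVENTS = [
    {"ts": "2023-09-08T08:30:00Z", "type": "vpn.login", "user": "asmith",
     "src_ip": "203.0.113.9", "device_id": "known-desk-01"},
    {"ts": "2023-09-08T09:02:11Z", "type": "helpdesk.mfa_reset", "user": "jdoe",
     "actor": "helpdesk-agent-17", "channel": "phone"},
    {"ts": "2023-09-08T09:41:05Z", "type": "vpn.login", "user": "jdoe",
     "src_ip": "198.51.100.23", "device_id": "new-laptop-b7"},
    {"ts": "2023-09-08T10:15:40Z", "type": "process.start", "user": "jdoe",
     "host": "WS-JDOE", "image": "AnyDesk.exe"},
    {"ts": "2023-09-08T11:00:00Z", "type": "helpdesk.password_reset", "user": "asmith",
     "actor": "helpdesk-agent-03", "channel": "phone"},
    {"ts": "2023-09-08T12:00:00Z", "type": "process.start", "user": "bwong",
     "host": "WS-BWONG", "image": "teamviewer.exe"},
]

# Devices each user has previously authenticated from (assumed inventory).
KNOWN_DEVICES = {"jdoe": {"corp-laptop-a1"}, "asmith": {"known-desk-01"}}

# Commodity remote-access binaries that blend in with legitimate IT use. This list
# is an assumption for the example, not a claim about which tool was used at MGM.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "atera.agent.exe",
}

# Help-desk actions that hand an attacker a working credential or a new MFA factor.
RESET_EVENTS = {"helpdesk.mfa_reset", "helpdesk.password_reset"}


def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(events, known_devices, window=timedelta(hours=24)):
    """Return one alert per help-desk reset that is followed, within `window`, by a
    VPN login from a device the user has never used. Severity is raised to "high"
    when a remote-access tool also starts under that user inside the window."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, reset in enumerate(ordered):
        if reset["type"] not in RESET_EVENTS:
            continue
        user = reset["user"]
        start = parse_ts(reset["ts"])
        stages = set()
        for later in ordered[i + 1:]:
            if later["user"] != user:
                continue
            if parse_ts(later["ts"]) - start > window:
                break  # events are sorted, so nothing later for this user qualifies
            if later["type"] == "vpn.login" and \
                    later["device_id"] not in known_devices.get(user, set()):
                stages.add("new_device_vpn")
            elif later["type"] == "process.start" and \
                    later["image"].lower() in REMOTE_ACCESS_TOOLS:
                stages.add("remote_access_tool")
        # A reset on its own is routine; a reset followed by an unknown device is not.
        if "new_device_vpn" in stages:
            alerts.append({
                "user": user,
                "reset": reset["type"],
                "reset_ts": reset["ts"],
                "channel": reset.get("channel"),
                "stages": sorted(stages),
                "severity": "high" if "remote_access_tool" in stages else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(alert)
```

Run on the sample, the script raises a single high-severity alert for `jdoe`: the phone-channel MFA reset is followed forty minutes later by a VPN login from an unseen device and then by AnyDesk starting on the workstation. The `asmith` reset produces nothing, because no unknown-device login follows it, and `bwong` launching TeamViewer with no preceding reset is treated as ordinary IT activity. The window and the requirement that a reset come first are the tuning knobs; a remote-access tool alone is far too common to alert on.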
Like other hackers after a successful breach, the person claiming to represent the cybercriminals alternated between bragging and discretion in their chats with journalists. The goal is to put pressure on MGM to pay up before more embarrassing information is shared publicly.
“After all, Scattered Spider is a group of ethical pentesters,” the person said, referring to penetration testers, who are often hired by companies to search out vulnerabilities in their systems.
This is a common refrain among cybercriminals, who try to describe their activities with bravado and hide behind false claims of ethical behaviour. “When a company is infected with our ransomware (and chooses to pay) the ransom, we help better their security so this doesn’t become a continuous problem down the line,” the person said.
MGM shut down large parts of its corporate intranet to contain the hackers, a person familiar with the situation said. That protective measure triggered the chaos, and has brought scrutiny to security practices across the casino industry.
Bloomberg News reported that Caesars Entertainment, an MGM rival, had recently paid a multimillion dollar ransom to a cybercriminal gang. Scattered Spider was not behind that hack, the person representing the group said.
Caesars disclosed in a filing to the Securities and Exchange Commission on Thursday that the hackers had accessed personal details, including driver’s licence numbers and perhaps social security numbers, for a “significant number of members in the database”.
It added that it had “taken steps to ensure that the stolen data is deleted by the unauthorised actor”.
The plan to manipulate MGM’s slot machines probably failed because the attackers were unfamiliar with the code behind them, said Lior Frenkel, the chief executive of Israel-based Waterfall, which provides cyber security for several casinos on the Las Vegas strip.
That is because the hackers work off a generic toolkit designed to work across a large swath of companies, irrespective of the industry.
“If a company has money and it meets our requirements, it doesn’t matter what field it’s in, we’ll hit it,” the person representing Scattered Spider said. They avoid hacking hospitals, “because that’s a (jail) sentence just waiting to happen”, airports are “terrorism” and the gas industry has bespoke systems that are “cancerous to manoeuvre around”.
Most casino hacks had been much simpler, said Frenkel, if still effective. “They don’t care that your business is gambling — they’re just looking for the easiest way in,” he said, referring to the hackers. “Get into whatever building management system you have — the air conditioning, the elevators — and shut them down, or say that you will, and the (business) will pay.”
In one instance that he was aware of, the hackers gained access to the fire safety system, and threatened to turn it off and force the casino to shut down. They were paid by the casino operator, he said, declining to name the victim.
Scattered Spider was already busy working on its next hack, said the person representing the group. Too busy, in fact, to have seen Ocean’s 13, the 2007 George Clooney and Brad Pitt comedy heist movie where the thieves figure out how to rig the slot machines in casinos to deliver instant jackpots.
“I’ll watch it tonight,” the person said.