Updated September 14, 2023 - 4:51 pm
A collaboration of Russian ransomware hacker gangs may have been responsible for MGM Resorts International’s cybersecurity issue that has plagued the company for four days.
The hacker gang ALPHV, also known as BlackCat, said that it had breached the gaming giant with a simple phone call, according to a post on X from malware repository vx-underground.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
— vx-underground (@vxunderground) September 13, 2023
ALPHV provided the ransomware and the infrastructure, and affiliate groups have used it to carry out the attacks, experts said. A group calling itself Scattered Spider is believed to have carried out the attack, according to Brett Callow, a threat analyst for Emsisoft, an anti-malware software company.
MGM has not commented on the cause of the issue, which it hasn’t characterized as a cyberattack.
MGM, the state’s largest employer, has a major presence on the Strip with 10 resorts under its control. In addition to hosting thousands of visitors each night, MGM properties are major destinations for conventioneers with its Mandalay Bay Convention Center and sports fans with affiliations with multiple arenas, including T-Mobile Arena.
Some Cosmopolitan of Las Vegas employees who asked for anonymity said they’ve been told by supervisors that the outage could take seven to 10 days to resolve.
Meanwhile, a report published Wednesday said another casino giant, Reno-based Caesars Entertainment Inc., also was hacked in late August.
Bloomberg reported that Caesars paid millions of dollars in ransom after being cyberattacked by a group known as Scattered Spider or UNC 3944. The report said Caesars would soon issue a regulatory filing addressing the incident.
Another Las Vegas resort, Westgate Las Vegas, experienced some computer issues in mid-August, but it turned out that a construction crew had sliced through a fiber-optic cable, rendering some computer systems inoperable. A Westgate spokesman said systems were back online within 24 hours.
For MGM, the incident was financially material enough for the company to issue a Securities and Exchange Commission filing late Tuesday, which didn’t elaborate on the cybersecurity issue.
Companies generally disclose material information on the SEC’s Form 8-K, a report to announce major events shareholders should know about.
The SEC recently approved new cyber disclosure rules that require companies to disclose hacking and data loss circumstances, but those rules don’t take effect until the end of the year, so MGM is not obligated to provide more information.
In addition, the major American credit rating institution Moody’s Corp. indicated the incident could negatively affect MGM’s credit rating because it said the attack showed “key risks” within the company.
MGM shares, traded on the New York Stock Exchange, fell 52 cents or 1.2 percent to $41.47 a share in average volume trading Wednesday. Since Monday, MGM’s stock price has fallen $2.74 a share, a 6.2 percent decline.
The financial and reputational damage to MGM has been extensive and experts believe the company may be losing millions of dollars as a result of the outage.
With computer systems offline, MGM has not been able to use the technological advantages it maintains over some other companies.
Since the incident occurred Sunday, the company has been directing customers seeking hotel reservations to call properties directly because the online reservation system is inoperative.
Hotel check-ins nationwide are offline, resulting in front-desk personnel checking people into their rooms manually. Because the MGM app that enables customers to enter their rooms is down, front-desk personnel have issued key cards for room access.
Some slot machines that use “ticket in-ticket out” technology aren’t functioning, requiring slot runners to pay out slot machine balances manually. The company reportedly took some slot machines offline because it didn’t have enough employees to pay machine balances manually. Some retail outlets and restaurants have not been able to manage credit card transactions, and on-property ATMs are not able to dispense cash.
Sportsbooks at MGM Grand and New York-New York were closed earlier in the week, but have reopened, although about half of the automated kiosks remain offline and can’t take wagers.
Properties haven’t been able to collect parking garage revenue because those computerized systems aren’t working.
Customers experience issues
The scene at Aria on Wednesday afternoon was typical of other MGM Strip properties.
While parking is typically only free for Nevada residents, parking at Aria was free for all on Wednesday afternoon. An attendant waved in cars that entered the parking lot.
The line to check in at Aria started to grow in the late afternoon, with staff members handing out complimentary champagne, mimosas, juice, soda and water.
Ayelsha Murphy, 35, waited with several large bags for her husband, Heerak, 35, to check in to the Aria for about a half-hour midafternoon Wednesday and wasn’t happy with the situation.
The couple is visiting the western United States from London and drove from Southern California for a three-day stay in Las Vegas.
“We walked at least a mile through the back parts of the hotel to get here,” Murphy said, with a complimentary pink champagne drink in her hand.
The couple heard about the issues at MGM properties on Monday but didn’t consider booking another hotel since they had prepaid for their stay at the Aria.
“It is what it is, I just hope they get on with it and get these cybersecurity issues fixed,” Murphy said.
Murphy also said a car rental return center at Aria was closed Wednesday.
Patsy Byrd, 69, and Rosanne Barrows, 69, were sitting at out-of-service slot machines in the Luxor casino late Wednesday afternoon. They have been on vacation since last Thursday, traveling from Greensboro, North Carolina, to celebrate Byrd’s and another friend’s birthday over the weekend. They decided to stay a few extra days to enjoy the city, but they wished they hadn’t.
“We could’ve gone home and saved a lot of money,” Byrd said.
The pair said they spent Monday away from the Luxor and didn’t notice any issues right away, and MGM Resorts didn’t formally notify them of any problems. But Burrows said the first indication they got was when they walked past the lobby, found it unusually crowded and saw all the out-of-order slot machines.
The pair like to gamble while in Las Vegas but say the issues have been disruptive.
“The whole process has changed and you may have to leave money in the machines since you have to wait for someone to come over,” Burrows said. “If it’s under a dollar you may as well just leave it and where does that money go.”
The pair said they looked into moving hotels and went to the Excalibur but found the same issues as the Luxor.
How hackers got in
The alleged hackers reportedly gained access to MGM systems after a phone call.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” vx-underground posted on X. “A company valued at $33.9 billion was defeated by a 10-minute conversation.”
“The threat actors themselves” provided this information, according to vx-underground, which describes itself as the largest collection of malware source code, samples and papers on the internet.
“The comments made to VXU do not sound at all improbable,” Callow said in an email. ALPHV is “not an unlikely suspect — but the fact the comments were made at all is a little peculiar.”
“Cybercriminals typically don’t discuss attacks until they’ve given up on being able to monetize them,” he wrote. “This is mainly because they want their targets to have the option to pay to make the problem go away as quickly and as quietly as possible.”
MGM issued a statement late Tuesday reiterating most of its comments made since Monday, a day after multiple systems failed, including those for room and restaurant reservations, mobile app room access, company email and some networked slot machines.
“MGM Resorts recently identified a cybersecurity issue affecting certain (number) of the company’s systems,” the company’s latest statement issued from a Gmail account said.
“Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts,” the statement said. “We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
On Tuesday, the Las Vegas field office of the FBI affirmed it is investigating the matter. Representatives of the U.S. Department of Homeland Security, which investigates cyberterrorism and other terrorist activity, referred a reporter to MGM.
Government leaders in the loop
Nevada elected officials have been monitoring the incident involving MGM.
“We’ve reached out to MGM and are monitoring the situation and response closely,” a representative of the office of Rep. Dina Titus, D-Nev., said Wednesday. “The attack highlights the emerging threat of cyberattacks to the gaming industry and businesses in Southern Nevada and across the country.”
Titus heads the House’s gaming caucus.
The office of Sen. Jacky Rosen, D-Nev., added, “Sen. Rosen has been closely monitoring the situation and she’s been in touch with MGM leadership, as well as federal law enforcement.”
Gov. Joe Lombardo, a former Clark County sheriff, also is keeping an eye on the situation.
“Gov. Lombardo and the Nevada Gaming Control Board are monitoring the cybersecurity incident with MGM Resorts and are in communication with company executives,” Lombardo spokeswoman Elizabeth Ray told the Review-Journal. “Additionally, the Nevada Gaming Control Board remains in communication with other law enforcement agencies.”
Contacted Wednesday afternoon, the Gaming Control Board said it would have no additional comments about the incidents involving MGM and Caesars.