The online attack that disrupted MGM Resorts International resorts and casinos across the country began with a social engineering breach of the company’s information technology help desk, according to a cybersecurity executive familiar with the investigation.
David Bradbury, chief security officer at the identity and access management company Okta, said his company issued a threat advisory in August about similar attacks against some of its customers, in which hackers used a low-tech social engineering tactics to gain entry and then more advanced methods that allow them to impersonate users on the networks.
Okta’s advisory warned that hackers were tricking IT service desk staff into resetting multifactor authentication settings enrolled by “highly privileged users.”
At that time, Bradbury said his staff wasn’t sure who was behind the attacks. But in the weeks since then, he said “all signs are pointing” to a group known as Scattered Spider, the same outfit suspected of hacking MGM and Caesars Entertainment Inc. in recent weeks. Okta has been assisting MGM, a customer, in its response to the attack, he said. Okta also counts Caesars as a client.
Brian Ahern, spokesperson for MGM resorts, declined to comment about specifics of the attack. Ahern said the company has been working with FBI and the US Cybersecurity and Infrastructure Security Agency since the breach, he said.
The FBI said in a statement provided to Bloomberg News that it is investigating both the Caesars and MGM incidents.
A former MGM employee who was familiar with the company’s cybersecurity policies pointed to the help desk as vulnerable to attack. The person said that to obtain a password reset, employees would only have to disclose basic information about themselves – their name, employee identification number and date of birth – details that would be trivial to obtain for a criminal hacking gang. The employee, who requested anonymity to discuss sensitive matters, said details were too easy to obtain and were the root cause of what “caught MGM up here.”
Ahern declined to comment on the former employee’s allegations.
Caesars said in a regulatory filing that it identified suspicious activity in its network “resulting from a social engineering attack on an outsourced IT support vendor used by the company.” The attack on Caesars occurred in recent weeks, and the hackers broke into the company’s systems and threatened to release data, according to two people familiar with the matter. Caesars paid the attackers tens of millions of dollars, the people said. “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the filing.
Scattered Spider, also known as UNC3944, are known for its social engineering skills. Members of the group are based in the US and UK and some are as young as 19 years old, according to four cybersecurity experts familiar with the group.
They also sometimes work with a ransomware gang known as ALPHV, which is believed to be Russia-based, according to cybersecurity experts.
Read More: Lina Khan Got Stuck in the Fallout of the MGM Hack in Las Vegas
In a statement posted on the group’s dark web page on Thursday, ALPHV claimed credit for the attack and called reporting that teenagers from the US and UK were involved in the breach rumors. The group also said MGM’s attempts to evict them from Okta system didn’t go according to its plans.
Bradbury, from Okta, said he wanted to get the word out about the hackers and their techniques so customers can bolster their cyber defenses. He described the hackers as highly skilled in identity technology, “so we can expect that they will make more and more attacks going forward.”