Incident Details
On September 10, 2023, MGM Resorts, a leading hotel and casino chain, became the target of a sophisticated cyberattack orchestrated by the hacker groups ALPHV and Scattered Spider. Utilizing advanced social engineering tactics, the attackers impersonated a current employee to gain unauthorized access to MGM's systems. This breach allowed them to deploy ransomware across over 100 ESXi hypervisors, crippling crucial operational components such as online reservation systems, digital room keys, slot machines, and various websites. The chaos unfolded over a harrowing ten-day period, during which MGM faced significant operational disruptions and financial losses, estimated at approximately $8.4 million per day. As the incident progressed, concerns mounted over the potential exfiltration of personally identifiable information (PII) belonging to customers, employees, and vendors—casting a long shadow over the organization’s reputation and cybersecurity posture. The attack not only highlighted the vulnerabilities within MGM's infrastructure but also underscored the pressing need for robust cybersecurity measures in an increasingly hostile digital landscape.
Damage Assessment
- The cyber attack caused an estimated $8.4 million daily revenue loss for MGM Resorts during the incident's ten-day duration.
- Key operational assets were severely impacted:
  - Online reservation systems were disabled, affecting customer bookings.
  - Digital room keys became inoperative, inconveniencing guests.
  - Slot machines were rendered unusable, disrupting casino operations.
  - Websites were taken offline, hindering customer access to services.
- MGM’s systems experienced significant disruptions:
  - Critical infrastructure components were shut down to prevent further escalation, resulting in data corruption and inaccessible systems.
  - Ransomware was deployed on over 100 ESXi hypervisors, locking essential data and systems.
- The organization faced operational challenges:
  - Inability to handle customer inquiries and bookings led to guest dissatisfaction.
  - The attack raised concerns about the security of personally identifiable information (PII), further damaging customer trust.
  - Multiple class action lawsuits emerged, compounding potential financial and reputational damage.
How It Happened
The cyber attack on MGM Resorts occurred due to a sophisticated social engineering scheme orchestrated by the hacker group Scattered Spider. They identified a current employee through LinkedIn, impersonated them, and executed a vishing attack by calling the MGM IT help desk. During a ten-minute conversation, they successfully gained administrator privileges to MGM’s Okta and Azure environments. This unauthorized access allowed the attackers to navigate critical systems undetected.
Once inside, Scattered Spider and their affiliates, including ALPHV, leveraged their access to sniff passwords and monitor activities on Okta servers. Despite MGM’s security team noticing unusual activities the following day, the attackers had already escalated their attack by deploying ransomware across more than 100 ESXi hypervisors within the network.
The combination of inadequate employee training on recognizing social engineering attempts and the lack of robust multi-factor authentication mechanisms likely facilitated the breach. This incident underscores the critical need for organizations to enhance their cybersecurity protocols and employee awareness to defend against evolving cyber threats.
Response
MGM Resorts' initial response to the cyber attack involved immediate action by their security team upon discovering unusual activity and traffic in their systems. The security team quickly investigated the anomalies, which led to the realization that the Okta servers had been compromised. In response, MGM hastily deactivated their Okta Sync servers and other essential infrastructure components to prevent further escalation of the attack.
The identification of malware occurred when the security team detected abnormal patterns in system activity, prompting an urgent assessment of their network. They recognized that the threat actors had gained unauthorized access and were actively deploying ransomware across their systems. To mitigate the damage, MGM prioritized the shutdown of critical systems, disrupting online reservation systems, digital room keys, and slot machines, thereby containing the spread of the ransomware and limiting additional operational disruptions. The swift decision-making and execution of containment measures were crucial in their initial response to the incident.
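The chain described in "How It Happened" and "Response" (a help-desk-initiated reset of a user's credentials or MFA, followed by a login from an address that user never used and a privilege change) can be spotted in identity-provider logs. The following detection rule is an added example written for this page, not MGM's or Okta's code; the event-type names follow Okta System Log naming, and the log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like Okta System Log entries; event-type names
# follow Okta's naming, all values are invented for this example.
SAMPLE_EVENTS = [
    {"published": "2023-09-10T07:30:00Z", "eventType": "user.session.start",
     "actor": "bob", "target": "bob", "ip": "10.0.0.8"},
    {"published": "2023-09-10T08:00:00Z", "eventType": "user.session.start",
     "actor": "alice", "target": "alice", "ip": "10.0.0.5"},
    {"published": "2023-09-10T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk1", "target": "alice", "ip": "10.0.1.9"},  # help-desk reset
    {"published": "2023-09-10T09:04:00Z", "eventType": "user.session.start",
     "actor": "alice", "target": "alice", "ip": "203.0.113.7"},  # never-seen IP
    {"published": "2023-09-10T09:12:00Z", "eventType": "user.account.privilege.grant",
     "actor": "alice", "target": "svc-backup", "ip": "203.0.113.7"},
    {"published": "2023-09-10T10:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk1", "target": "bob", "ip": "10.0.1.9"},
    {"published": "2023-09-10T10:05:00Z", "eventType": "user.session.start",
     "actor": "bob", "target": "bob", "ip": "10.0.0.8"},  # known IP, benign reset
]
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
SENSITIVE_EVENTS = {"user.account.privilege.grant", "group.user_membership.add"}

def _ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Alert on resets done on someone else's account that are followed within
    `window` by a login from an IP that user never used, plus privilege changes."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    known_ips, alerts = {}, []  # user -> IPs seen in earlier session starts
    for i, ev in enumerate(events):
        if ev["eventType"] == "user.session.start":
            known_ips.setdefault(ev["actor"], set()).add(ev["ip"])
        if ev["eventType"] not in RESET_EVENTS or ev["actor"] == ev["target"]:
            continue  # self-service resets are out of scope here
        user, t0 = ev["target"], _ts(ev["published"])
        prior_ips = set(known_ips.get(user, ()))  # snapshot taken before the reset
        new_ip_logins, priv_changes = [], []
        for nxt in events[i + 1:]:
            if _ts(nxt["published"]) - t0 > window:
                break
            if nxt["actor"] == user and nxt["eventType"] == "user.session.start":
                if nxt["ip"] not in prior_ips:
                    new_ip_logins.append(nxt["ip"])
            elif nxt["actor"] == user and nxt["eventType"] in SENSITIVE_EVENTS:
                priv_changes.append(nxt["eventType"])
        if new_ip_logins:
            alerts.append({"user": user, "reset_by": ev["actor"], "reset_at": ev["published"],
                           "new_ips": new_ip_logins, "privilege_changes": priv_changes})
    return alerts
```

On the sample data only alice's reset is flagged: the help-desk reset is followed by a login from an unseen address and a privilege grant, while bob's reset is followed by a login from his usual address and produces no alert.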
Key Takeaways
Incident Response Time: MGM Resorts faced significant downtime due to slow incident response. Quick detection and response protocols are crucial to minimize operational disruption.
Employee Training: A lack of cybersecurity awareness among staff contributed to vulnerabilities. Regular training can empower employees to recognize and report suspicious activities.
System Vulnerabilities: The attack exploited outdated systems. Regularly updating and patching software is essential to safeguard against known threats.
Data Protection: Sensitive customer and employee data were compromised. Implementing advanced encryption and strict access controls is vital for protecting critical information.
Incident Reporting: The importance of a clear communication plan was highlighted, ensuring stakeholders are informed promptly during an incident.
Third-Party Assessments: Regular audits and assessments by cybersecurity experts can identify weaknesses. Engaging services like HackersHub can provide valuable insights and proactive measures to fortify defenses.
Continuous Monitoring: Establishing ongoing monitoring systems can detect anomalies early, allowing for swift action before incidents escalate.
Investing in cybersecurity services from HackersHub can enhance a resort's resilience, helping to avoid costly incidents like MGM's.