How Hackers Swindled Vegas


In the mid-2010s, cybercriminals shifted their ransomware strategy. Instead of spamming as many individual victims as possible with ransomware, criminals began targeting large organizations: hospitals, governments, hotel chains, pipeline companies—the types of victims who could pay millions, not hundreds, of dollars to regain control of their computer systems. By going after these high-value targets, they could make a lot more money while distributing a lot less malware. It was only a matter of time before the cybercriminals came for Vegas. Earlier this fall, a ransomware attack hit both Caesars and MGM Resorts.

Las Vegas casinos may be an obvious target for cybercriminals, but according to the Financial Times, the hackers’ original plan was fairly complicated: They were going to hack into the slot machines at MGM’s casinos so that they could fix the results, then hire people to go to the casinos and win money at the hacked slot machines. As it turned out, the slot machine software was apparently not so easily manipulable, according to an interview the Times conducted with one of the hackers via Telegram. Their inability to rig the slot machines forced the hackers to shift gears and resort to their backup plan: steal all of the casino’s data, encrypt it, and demand a ransom payment to return it to MGM.

The ransomware attack had its desired effect: It forced several MGM-owned casinos and hotels, including the Bellagio and the Cosmopolitan, to stop using their computers entirely and instead check in hotel guests manually and provide customers with cash payouts. Caesars, which was hit by the same attackers a few weeks earlier, reportedly avoided similar disruptions by paying a $15 million ransom (half of what was apparently a $30 million ransom demand). Caesars later disclosed the breach to the U.S. Securities and Exchange Commission in a Form 8-K filing on Sept. 7, noting that it had determined that an outside hacker had accessed the driver’s license and Social Security numbers of some of its loyalty program members. But the company made no mention of the multimillion-dollar ransom payment in the filing.

MGM, meanwhile, was unable to bring its computers back online for 10 days following the attack. MGM’s CEO, Bill Hornbuckle, later said that the hack left the company’s computers “completely in the dark,” adding that MGM was “shutting down systems by our own design” in order to protect the networks from further malware spread and prevent the attackers from accessing MGM’s core systems. He also stated that the company did not pay a ransom and had never even considered doing so, though the attackers told the Times that they had made a ransom demand of MGM as well.

MGM also filed a Form 8-K with the SEC on Sept. 12 about the incident and another on Oct. 5, estimating its losses from the attack at $100 million and confirming that the hackers had accessed customer information, including driver’s license numbers and some Social Security and passport numbers, but no passwords, bank account numbers, or payment card information. In the Oct. 5 filing, MGM also stated that it believed that its cybersecurity insurance would cover the costs of the incident.

The MGM attack itself, despite the grand slot machine–rigging aspirations of the perpetrators, was not particularly sophisticated or unusual. The hackers reportedly found an MGM employee’s information on LinkedIn, then called the company’s IT help desk and pretended to be that employee to reset their account credentials. The cybercriminals claiming credit for the attack, a group called “Scattered Spider,” have used similar social engineering tactics in the past to infiltrate firms via phone calls (a technique sometimes called vishing, short for “voice-call phishing”).

Casinos have a reputation for excellent security, but that security appears to be focused far more on physical vulnerabilities than on online ones, particularly if all it takes to infiltrate their computer networks is a few short phone calls. Moving forward, I would expect to see major casino companies buying a lot more cyberinsurance, instituting much stricter identity-verification protocols for their IT help desks, monitoring their computer systems much more closely for anomalous activity, and segmenting their networks much more aggressively, so that someone who compromises one computer cannot so easily reach all of the others across the organization.

It will also be interesting to see what the SEC makes of Caesars’ and MGM’s filings. This summer, the SEC adopted new cybersecurity rules, which state that material cybersecurity incidents must be disclosed four business days after their discovery. Despite the new guidelines, intended in part to elicit more information about cybersecurity incidents, both Caesars and MGM filed extremely vague descriptions of their respective cyberattacks with no details about any ransom payments, how the incidents occurred, or the costs they imposed on the companies.

The bad news for casinos is that any victim willing to pay a $15 million ransom is going to be targeted again and again and again. Very few known ransom payments have been larger than that; one exception is the $40 million ransom paid in 2021 by insurer CNA Financial Corp. By comparison, in 2021, Colonial Pipeline paid only $4.4 million in ransom, and meatpacking company JBS paid $11 million. It’s no surprise that the casinos have a lot of money to extort, but the ease with which Scattered Spider managed to infiltrate two of the largest casino companies in the country in short succession is a striking reminder that just because organizations have lots of money doesn’t mean they have lots of cybersecurity.