A cyber criminal gang proficient in impersonation and malware has been identified as the likely culprit for an attack that paralized networks at US casino operator MGM Resorts International.
The group, which security researchers call “Scattered Spider,” uses fraudulent phone calls to employees and help desks to “phish” for login credentials. It has targeted MGM and dozens of other Western companies with the aim of extracting ransom payments, according to two people familiar with the situation.
The operator of hotel casinos on the Las Vegas Strip, including the Bellagio, Aria, Cosmopolitan, and Excalibur, preemptively shut down large parts of its internal networks after discovering the breach on Sunday, one of the people said.
The effort to contain the hackers caused chaos. Slot machines stopped working, electronic transfers of winnings slowed down, and key cards for thousands of hotel rooms no longer functioned. MGM did not respond to a request for comment.
The FBI said it was investigating, and the Nevada Gaming Control Board was informed of the breach’s impact, with the state’s governor, Joe Lombardo, coordinating with local and national law enforcement, the board said in a statement.
Scattered Spider is a relatively new entrant in the ransomware industry and has hit at least 100 organizations, most of them in the US and Canada, in the two years that Mandiant has been tracking it, said Charles Carmakal, chief technology officer at the Google-owned cyber security group.
“They are very active, very disruptive and causing chaos and do a good job of breaking in and causing a lot of pain,” he said.
Scattered Spider stands out from rivals among the Russian-speaking cyber criminal gangs that dominate the multibillion-dollar ransomware industry, which focuses on software attacks to encrypt or steal data and demand ransoms.
The gang learns about individuals from social media profiles in order to impersonate them and make phone calls in English to glean passwords or digital codes needed to access networks.
The group’s members are likely based in the UK or Europe, Carmakal said. “They’re successful because they are very good at research and have good skills,” he added.
At a sprawling company such as MGM, with thousands of employees and several overlapping networks, shutting down some internal functions to contain the breach would be a standard approach, said Steve Stone, head of Rubrik Zero Labs, another cyber security company.
Its various systems—from hotel check-ins to financial transactions—had been engineered to trust one another, he said.
“Given the widespread challenge MGM is having, it seems there’s a lot of trust built into their environments,” Stone said. “That makes for a highly efficient business until there’s a problem—and that strength is now your weakness.”