Understanding the Las Vegas Cyberattacks

After almost two weeks on national news and across all sorts of industry headlines, the dust of the Las Vegas Cybersecurity breaches is finally starting to settle.  MGM announced yesterday that most of their systems are back online and operational, drawing the most visible and newsworthy element of the incident to a close.  However, we won’t know significant, meaningful details of what occurred for several weeks, by which time the news cycle and public attention will well and truly have moved on. Let’s take a few minutes to look at what the likely learnings from the event will be, and what to keep an eye out for.

What Happened? 

On Monday, September 11^th, MGM Resorts International reported suffering from a “cybersecurity issue” and shut down several critical elements of their information infrastructure to contain and resolve the issue.  As a result, many aspects of their business operations were essentially inoperable, including slot machines, mobile check-in cards, room keycards and mobile reservations through their website or loyalty program.  

Several days later on Thursday, Caesars Entertainment filed a disclosure with the SEC that they experienced a cybersecurity incident in the previous week, in which sensitive customer information, such as Driver’s License and Social Security Numbers, had been stolen.  In short, the two companies that own most of the Las Vegas strip, and many other properties around the world, were both hit by cyberattacks in the span of a week.

Evolving Understanding

Speculation began immediately that these incidents were related.  There has been some ongoing debate and uncertainty about whether this is true, and who the responsible threat actors are, but at time of writing the evidence seems to be leaning to support that the incidents are related and carried out by the same group. 

The group “Scattered Spider” first claimed responsibility for the MGM attack, while denying any involvement in the incident involving Ceasar’s Entertainment. However, based on reports and insider sources at both MGM and Ceasar’s Entertainment, it appears that both attacks proceeded in very similar ways, originating from the same group, or “Threat Cluster” of groups, UNC3944. The group relies strongly on phone and text phishing tactics to start their attacks and gain access to an organizations environment, and from that beachhead identifies business critical data, and password managers and PAM solutions to escalate privileges before rapidly encrypting and exfiltrating key data

Key Takeaways

While we will probably understand the situation in more detail in nuance in a few months, particularly after both companies have filed their quarterly SEC filings, we can already identify some key learning points and takeaways from the industry.

1. There’s a Cybersecurity Gap in the Hospitality Sector:

   While it is true that even the best prepared and most vigilant organizations may someday be victims of a cybersecurity breach, the fact that the two largest hospitality chains in Las Vegas were hit within a matter of weeks is striking. It exposes a wider gap in information security in the hospitality industry.   Just as Vegas casinos once had to implement thorough physical security and surveillance to protect themselves against cheaters and advantage players, they now need to bring that security to the digital realm.

2. It is Better to Think in Terms of “Threat Clusters” than groups:
   The discussion that went on in the industry over the past week about who was responsible for the attacks highlights the constantly evolving nature of the cyberthreat landscape.  Rather than focusing specifically on a threat group, ie. a set of individuals, it makes more sense to think in terms of “threat clusters,” developed around the strategies, tactics, and techniques that threat actors employ. Clusters may overlap or include several clues, but most importantly, contain the key information from a threat intelligence perspective to enable effective prevention and remediation. 
3. Ransomware Threats Remain a Substantial Business Factor:

   There’s no way around it, it’s been two very expensive weeks for MGM and Caesars.  Industry insiders estimate that the incident and weeklong shut down cost MGM between $80 Million and $270 Million. While Caesars Entertainment did not experience significant public disruptions, it is believed that they paid out the demanded ransom. Meanwhile, both organizations are facing uncertain stock valuations going forward, possible reduced credit ratings, and reputational damage.

4. Social Engineering Remains the Main Attack Vector:

   As the first widely publicized cyber breaches attributed to over-the-phone social engineering, the Vegas incidents highlight a key change and continuity in the security space.  The human factor remains the largest attack surface.  And while we have gotten used to phishing attacks delivered via email and have a variety of tools focused on preventing and limiting email phishing attacks, many organizations lack similar capabilities for phone or SMS communication.  It’s a reminder of the ongoing importance of multi-layered defense-in-depth security strategies.

Conclusion 

The recent cyberattacks on MGM Resorts and Caesars Entertainment serve as a stark reminder that cybersecurity is a critical business issue. The recent incidents reveal critical gaps in the hospitality sector’s digital security, underscore the evolving nature of ransomware threats, and highlight the persistent vulnerability of human factors like social engineering. As the news cycle moves on, the lessons from these incidents should not be forgotten. They should serve as a call to action for businesses in all sectors to reassess and bolster their cybersecurity measures, ensuring they are prepared for the evolving landscape of digital threats.