As MGM casino-hotel properties in Vegas continue to struggle to get back to full operational status, Caesars Entertainment quietly disclosed its own recent cyber attack in a mandatory SEC filing. Unlike MGM, Caesars appears to have skated through its own incident by making a $15 million ransom payment to the hackers.
It also appears that the same group is behind both cyber attacks. VX-Underground has linked dark web chatter about both incidents to a newer group called “Scattered Spider” or “Roasted 0ktapus,” an affiliate of the Blackcat ransomware group that deploys Blackcat’s ALPHV ransomware during its attacks. The group was first documented in December 2022 and has quickly built a reputation for skilled social engineering, and it is unusual in that its members are thought to be based in the US and UK.
Caesars cyber attack: Loyalty program database stolen, payment information not accessed
The exact range of data stolen in the MGM cyber attack remains unclear, with no detailed update as yet from the resort giant and the attackers only telling the media that they took six terabytes worth of information. The Caesars disclosure indicates that the attackers specifically accessed the “Caesar’s Rewards” loyalty program database, and agreed not to make it public in return for a ransom payment.
The loyalty program would likely have only basic contact information attached to it, such as email addresses and possibly home mailing addresses or phone numbers of guests. However, the disclosure indicates that at least some amount of driver’s license and Social Security numbers were also taken. Unless these belong to employees, the numbers were most likely collected for loyalty program members that either established lines of credit at the company’s casinos or had to provide tax information to claim a large jackpot (as required by law). Caesars says that customers not enrolled in the loyalty program are not impacted by the cyber attack.
The disclosure also indicates that the attackers initially demanded a $30 million ransom payment, with Caesars able to negotiate the eventual amount down to $15 million. The company said that it is only partially covered by cyber attack insurance but that it does not expect the incident to have a material effect on its bottom line.
The Caesars cyber attack appears to have taken place several weeks prior to the MGM breach, with the ransom payment made mere days before the attackers moved on to the other casino giant of Vegas. Collectively, Caesars and MGM own most of the casino-hotel properties on the Vegas Strip. Like MGM, Caesars also has properties scattered throughout the United States along with international properties in Canada and Dubai. MGM locations outside of Vegas reported similar problems in the wake of the breach, such as offline reservation systems and gaming machines.
Ransom payment provides contrast to MGM’s struggles
Making a ransom payment is always a dicey proposition, as one has to trust the hackers not only to keep their word about unlocking systems but also not to later sell or release the stolen data. However, at least in the near term, the outcomes for the two Strip neighbors and rivals illustrate why many companies still see the payment as the best way out of the situation.
As of this writing MGM has yet to fully recover its IT systems, with continuing disruptions to various computer-reliant aspects of its properties. Scattered Spider has confirmed that ransomware was deployed and that more than 100 ESXi hypervisors (the servers that host multiple virtual machines) were encrypted in that cyber attack.
Recent posts on social media indicate that some slot machines and other electronic games are still down, “hand pays” are required for winnings at the games that are still operational (and can involve long delays), and digital room keys and sports betting kiosks are still nonfunctional. It remains unclear how long it will take MGM to fully recover, but full restorations from backups at this scale can potentially take weeks. Anecdotal reports from social media indicate that Caesars is directly benefiting, as Strip visitors ditch the troubled MGM gaming floors and hotels for its properties.
The 8-K filing indicates that the Caesars cyber attack was also the result of employee social engineering by phone. Scattered Spider is likely having so much success with these cyber attacks because its members appear to be native English speakers from the US or UK who are familiar with target networks and procedures. The group is thought to be responsible for the recent “Oktapus” campaign that targeted Okta login credentials at some 130 organizations, including multiple Fortune 500 companies. It is not yet clear how much it has racked up in total ransom payments.
Dave Ratner, CEO of HYAS, expands on the trend of social engineering becoming a preferred first approach for criminal hackers seeking ransom payments or salable data: “Social engineering is one of the most successful ways bad actors breach an environment, and one of the hardest gaps to close. Continued user training is needed, but this must be complemented with defense-in-depth strategies that assume breaches will occur and detect the initial telltale signs of a breach, the digital exhaust indicating anomalous activity, so that the attack can be stopped before it expands and impacts operational resiliency.”
James McQuiggan, security awareness advocate at KnowBe4, notes that poor communication between third-party cybersecurity contractors and the in-house team at MGM appeared to exacerbate the outages caused by that breach: “While cybersecurity occurs daily, a Third Party Risk Management program is crucial to assess vendors, security practices, controls, past breaches, and financial stability. Utilizing a least privilege and Zero Trust access program where organizations can limit vendor access permissions to only essential systems and data is crucial. Provide cybersecurity training for vendor management teams on risks, regulations, and contract best practices if needed. If a third-party organization does not have a strong security training program, it should be reviewed to consider if the risk is acceptable to work with them. Proactively managing third-party cyber risk is crucial for resilience. A robust TPRM program can pay significant dividends in the long run and will only lead to a data breach without one.”
Emily Phelps, Director of Cyware, adds: “If organizations take away anything from the Caesar’s ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn’t. Improving security awareness must be an ongoing effort, and it is only the beginning. To minimize social engineering risks, it’s important to also ensure you require multifactor authentication, ideally using different types of authentication such as a passphrase and an authenticator app. Threat intelligence is critical to recognizing potential risks before they can cause harm. Organizations must not only have access to reliable intel; they must also be able to operationalize intelligence quickly. If you aren’t taking action, you aren’t reducing risk. This is why security collaboration and trusted intelligence sharing are critical to enabling enterprises to rapidly act on context-rich insights, moving from a reactive to a proactive security posture.”