As two of the biggest names in the casino industry, it came as a shock to many when it was revealed that both Caesars and MGM Resorts had been compromised as part of a cybersecurity attack.
If these two giants could succumb to hackers, surely anyone could?
However, as more details were released, it became clear both had been accessed by a similar flaw in their security systems; their employees.
MGM Resorts
Of course, one of the largest hacks of the year has been that against MGM Resorts, happening earlier this month. The operator reported on 11 September that it had identified a cybersecurity issue affecting its company systems. The announcement was made via Twitter and explained that MGM had notified law enforcement and taken action to protect customer data.
But this cyber attack took down several aspects of the company for several days; many MGM Resorts venues reported that hotel room keys and slot machines weren’t working.
Although MGM has over 30 properties across the globe, it seems like the majority of those affected were based in Las Vegas. That’s no consolation, though, as MGM also operates some of the biggest names on the Strip, including the Aria, the Bellagio, the Four Seasons Hotel and MGM Grand, to name a few.
Many of these properties had to go into ‘manual mode,’ where staff would track casino winnings on paper and digital keys had to be swapped out for physical ones.
It took around 10 days for MGM Resorts to recover from the attack, announcing on Twitter once again that its hotels and casinos were ‘operating normally’ with only ‘intermittent issues’ by 20 September. These issues included limited MGM Rewards functionality and promotional offers.
Both MGM and Caesars are now subject to class-action lawsuits as a result of the hacks.
Caesars
Once the cyber attack on MGM Resorts hit headlines, it wasn’t long until it was discovered that Caesars Entertainment had been hit only a few days earlier. Although the exact dates of certain interactions remain confidential, it was discovered through a Securities and Exchange Commission (SEC) form filed by Caesars, explaining that the operator had launched an investigation into a cyber threat on 7 September.
Penned by Edmund Quatmann Jr, Caesars Entertainment Chief Legal Officer, EVP and Secretary, the statement said: “While no company can ever eliminate the risk of a cyber attack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents.
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter."
“The full scope of the costs and related impacts of this incident, including the extent to which the costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined” - Edmund Quatmann Jr
It was later reported in The Wall Street Journal that Caesars allegedly paid half of the $30m demanded by the hackers to prevent an attack on the company.
So how did it happen?
Although the full details of the attacks against Caesars and MGM haven’t been released yet, it’s believed that both of them were committed by the group known as Scattered Spider, otherwise known as UNC3944.
This group is supposedly made up of a younger demographic of members across the US and UK.
Affiliated with ALPHV, known as BlackCat, one of the most well-known cyber exploitation groups, Scattered Spider supposedly used the BlackCat Ransomware as a Service (RaaS) model alongside social engineering to access Caesars and MGM Resorts systems.
So, what is social engineering?
This is the method of accessing information or security measures by psychological manipulation, or in simple terms, lying.
In the Caesars SEC form, Quatmann explained that information from the company was accessed through a third party.
“Caesars Entertainment, Inc. recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company” - Edmund Quatmann Jr
This seems to be a similar method to the MGM hack, which was reportedly accessed by the cyber attack group impersonating an employee.
Although the incident is still being investigated by the Federal Bureau of Investigation (FBI), it is believed that members from Scattered Spider used employee information found on LinkedIn to obtain private credentials from a call with the MGM IT help desk.
This was then used to gain entry into the MGM system, where the group could then trigger the rest of the attack.
In response, shares in both Caesars Entertainment and MGM fell and it’s believed that the credit rating of the companies could also be affected, on account of their IT systems being compromised.
How can this be prevented from happening again?
Despite the fact that many international governments have invested in dedicated cyber division departments for over two decades now, it’s clear that cyber attacks are an ever-evolving threat.
Admittedly, it is much easier to sit on the side and discuss why MGM and Caesars should both have done better. More difficult is to actually implement tight enough defences to span millions of database entries, let alone multiple jurisdictions.
As explained by Christopher Wray, FBI Director: “While this topic is not new to us at the FBI, our approach to countering the cyber threat has certainly changed over that time.
“It's becoming increasingly difficult to discern where cyber criminal activity ends and adversarial nation-state activity begins.
“But we know these operations often don't completely eradicate the threats we're facing, so the process continues.”
Despite the fact that MGM Resorts and Caesars had both spent millions on cybersecurity, including prevention, detection and incident management layers, this was undone by essentially human error.
The companies were accessed through social engineering and the manipulation of IT staff.
Alex Waintraub, CYBNVS Cybersecurity Expert, explained in a recent blog: “Phishing attacks are one of the most common types of cybercrime, with 92% of organizations falling victim to phishing attacks in 2022, a 29% increase from the year before."
“In these situations, the employee had no malicious intent, but the end result is no less devastating” - Alex Waintraub
It could be argued that the modern-day reliance on cybersecurity has led to a false sense of security among employees in companies.
After all, it would be easy to believe that a few human mistakes would be caught by the multi-million cybersecurity systems in place should an attempt to breach the systems take place.
However, it’s been made clear by the recent attacks that gaining a few credentials on an employee at a company is all that’s needed by cyber attack groups to bypass the cybersecurity systems.
In the SEC form submitted by Caesars, Quatmann emphasised that alongside hardening its information systems to protect against future attacks, there is more that needs to be done to prevent this kind of breach from happening again.
“We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems” - Edmund Quatmann Jr
MGM, Caesars not alone
Of course, it’s worth mentioning that it’s not just MGM Resorts and Caesars that have been targeted by recent hacks.
The FBI confirmed that The Lazarus Group, another cyber gang that specialises in social engineering, managed to steal $41m from Stake.com on 4 September.
Based in North Korea, the group reportedly managed to attack the online casino site and move funds associated with the Ethereum, Binance Smart Chain (BSC) and Polygon networks from Stake.com into anonymous cryptocurrency addresses.
Also this year, Crown Resorts in Australia reported a data breach through its file service provider, GoAnywhere, which led to another ransomware group obtaining a number of company files.
If these attacks have shown the industry anything, it’s that staff at all levels need to be appropriately trained on how to identify potential phishing scams or attempts to gain company information.
While cybersecurity groups such as Scattered Spider would always try to use other means to access a company, the fact it was able to take down companies by using social engineering seems particularly avoidable.
But where should companies who have such a large amount of employees start? Answers on a cyber postcard, please.
The recent cyber attacks show things have moved on even since Gambling Insider's cybersecurity special edition in 2021. In the upcoming November/December issue of Gambling Insider magazine, we will further explore the MGM and Caesars cyberattacks with an exclusive Q&A.
