Alphv/BlackCat Group Reportedly Hit Casino Operator via Social Engineering Attack
Booking and reservation systems, as well as slot machines, hotel room door locks, ATMs and more remain offline at MGM Resorts as it battles an apparent hack attack.
Las Vegas-based MGM Resorts first warned Monday that it was experiencing “a cybersecurity issue” that affected some of its hotel and casino systems, and that at least some of the outage traced to its incident response efforts.
“Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts,” MGM Resorts said in a Tuesday statement.
“We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems,” it said. “Our investigation is ongoing, and we are working diligently to resolve the matter.”
MGM Resorts is one of the world’s biggest casino operators, running 31 casino hotels globally. The company’s hotels in Las Vegas include the Aria, Bellagio, Excalibur, Luxor, Mandalay Bay, MGM Grand, Mirage and New York-New York. The company also operates casino hotels in Maryland, Michigan, Mississippi, New Jersey, New York and Ohio, as well as China.
Due to the outages, multiple guests reported being checked in by staff using pen and paper, and said their room keys were not working properly, so they had to verify their identity and be escorted to their room by security whenever they needed access.
Guests reported that their in-room television, telephone and internet access wasn’t working. On the casino floor, they said table games remained unavailable and slot machines weren’t working. Guests also said payment cards and MGM Resorts’ rewards cards couldn’t be used, with the resort’s restaurants only accepting cash.
As of Wednesday, none of the websites for any of those hotels appeared to be functioning. Instead, placeholder messages on each site directed customers to an alternative website for reservations and restaurant information.
With the outage continuing, MGM Resorts issued another update on Tuesday. “Our resorts, including dining, entertainment and gaming are currently operational,” it said in a statement posted on social media. “Our guests remain able to access their hotel rooms and our front desk staff is ready to assist our guests as needed. We appreciate your patience.”
Shares of the company’s stock fell 1.7% Tuesday, to $41.99 in New York, after having fallen 2.4% on Monday.
Ties to Ransomware Group
While MGM Resorts has not said if ransomware is involved in its outage, security researchers say this does appear to be the case.
Malware research group VX-Underground reported that based on conversations it had with the Conti-spinoff ransomware group Alphv, also known as BlackCat, the outage traces to a social engineering attack that took the group about 10 minutes to execute.
“All Alphv ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the help desk,” VX-Underground said. “This particular subgroup of Alphv ransomware has established a reputation of being remarkably gifted at social engineering for initial access.”
Over the past year, Alphv has continued to post numerous claimed victims to its data-leak site, suggesting it is one of the most prolific ransomware groups now in operation.
This isn’t the first major cybersecurity incident that MGM Resorts has suffered. In the summer of 2019, hackers stole data on 10 million customers from a “cloud server” operated by the company. In early 2020, attackers leaked the data, including people’s names, addresses and passport numbers, by publishing it on a hacking forum.
Nevada’s Cybersecurity Rules
MGM Resorts will need to detail precisely what happened with the latest attack to Nevada authorities.
Last December, the Nevada Gaming Commission adopted new cybersecurity rules. They include a requirement for all covered entities to inform the gaming board of any online attack “resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence” as soon as possible, “but no later than 72 hours after becoming aware” of the attack.
At the board’s request, covered entities are also required to conduct a full investigation of the incident – using internal or external resources – and share all results. “The report must include, without limit, the root cause” of the attack, its full extent as well as “any actions taken or planned to be taken to prevent similar events that allowed” the attack to occur, the rules state.