Breach, Incident Response

Cyberattack causes MGM Resorts to shut down its systems

MGM Resorts

Editor's note: Updated 4:09 p.m. Pacific on Sept. 13.

MGM Resorts taken down by 10-minute phone call?

The ALPHV ransomware group is allegedly responsible for MGM Resorts shutting down some of its systems Monday at several major hotels in Las Vegas, which apparently left some with faulty door locks, slot machines and problems making reservations, among other issues.

According to a post on the X platform, formerly Twitter, vx-underground said APLHV used social engineering tactics to compromise the global hospitality and entertainment company with multi-billion dollar annual revenues:

"All ALPHV ransomware group did to compromise MGM resorts was hop on LinkedIn, find an employee, then call the Help Desk.

"A company valued at $33,900,000,000 was defeated by a 10-minute conversation."

Vx-underground claims to be "the largest collection of malware source code, samples, and papers on the internet," according to its description on its X account.

Original story posted Tuesday, Sept. 12:

Some security professionals have called Monday’s cyberattack that prompted MGM Resorts to shut down some of its systems at its properties nationwide potentially one of the most significant attacks in history on a U.S. gaming-hospitality company.

“What’s most revealing about this incident is how extensive the attack appears,” said Alex Hamerstone, advisory solutions director at TrustedSec. “Casino networks used to be seen as impenetrable. The fact that there are slot machines on the floor that are down because of this and people can’t get into their rooms is really alarming. That indicates a really substantial attack with deep penetration into the company’s systems.”

ABC News reported that several major hotels in Las Vegas were left with faulty door locks, inoperable slot machines, and other problems Monday. Bellagio guests were unable to charge anything to their rooms, make reservations, or use their digital room keys, according to ABC affiliate KTNV.

However, in a post on X late Monday, MGM Resorts indicated that the incident was under control, posting the following:

As of early Tuesday, the MGM Resorts website was still unavailable, leaving forwarding numbers to 19 properties nationwide, including the Bellagio and Mandalay Bay in Las Vegas, MGM National Harbor in Maryland, and the MGM Grand Detroit.

The FBI said it was “aware of the incident,” and added that because the event was “still ongoing” did not disclose any more details. The stock price for MGM Resorts International was taking a slight hit as of the late morning Tuesday, down 0.15 to $42.55 a share.  

Was the MGM incident a ransomware attack?

Considering the available intelligence and the trajectory of cyber threats this year, it strongly suggests ransomware as the probable perpetrator, said Chris Denbigh-White, chief security officer for Next DLP.

“Casinos, being both repositories of substantial wealth and repositories of vast volumes of personal and financial data that also harbor a minuscule appetite for operational downtime, renders them exceptionally enticing prey for cybercriminal syndicates on the hunt for financial gain,” said Denbigh-White.

Denbigh-White said although specific details are lacking, the initial repercussions of this incident are far from unclear: MGM Resorts has instituted a sweeping shutdown of a substantial segment of its infrastructure.

“This episode accentuates the paramount role of visibility in crafting effective containment strategies,” said Denbigh-White. “It compels businesses, irrespective of industry, to contemplate the depth to which they should be prepared to suspend or curtail their operations when confronted by such threats. The profound implications of this breach reverberate well beyond the walls of the casino, resonating as a stark reminder to senior leadership teams across sectors that the pursuit of resilience, protection of data and the preservation of digital trust are mandates of our digital age.”

Austin Berglas, former FBI Cyber Division Special Agent and global head of professional services at BlueVoyant, added that while it’s hard to speculate if this incident was caused by external actors or an internal issue, casinos remain a lucrative target for ransomware actors. Berglas said shutting down guest access, taking slot machines and games offline, and preventing credit card transactions could allow a criminal group to start negotiating for a significant extortion payment.

“MGM is a huge, global organization, including many casinos in Las Vegas,” said Berglas. “Shutting down systems that take slot machines offline, prevent guests from using their key cards to get into their rooms, and cease credit card processing will no doubt impact the overall business. Although potentially damaging, there’s a benefit to shutting off certain systems: a potential method to prevent threat actors from moving further into the network and expanding access. This will provide investigative teams the opportunity to do their job and identify the root cause, ensure the bad guys are out of the environment, harden systems and bring the network back online.”

The nature of the widespread outages and disruptions aligns most closely with a ransomware attack, said Callie Guenther, cyber threat research senior manager at Critical Start. Guenther said the breadth of affected systems and services suggests a concerted effort to disrupt operations, which is consistent with ransomware tactics.

While less likely, Guenther said a DDoS attack cannot be ruled out given the sheer volume of outages. However, the internal system disruptions do hint towards something more invasive: An advanced persistent threat (APT) targeted attack.

"Large corporations, especially those involved in sectors like hospitality and gambling, can also be targets for APTs," said Guenther. "These are sophisticated, prolonged cyber-espionage campaigns often sponsored by nation-states. The aim is to maintain long-term access to the victim's network, often for intelligence gathering. But the immediate and broad impact seems to lean more towards a ransomware-style disruption. Casinos, given their high financial turnover, are prime targets for cybercriminals seeking financial data such as credit card information. Personal Information is another lucrative target, as evidenced by MGM's previous breach in 2019."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.