The ALPHV/BlackCat ransomware group claimed responsibility for a breach that began, of all places, on LinkedIn.
More than 60 hours after a brazen cyberattack targeted the computer systems at one of the world’s largest casino-hotel chains, patrons trying to access the MGM Resorts website are still met by a splash page that apologizes for the inconvenience.
Prominent among MGM’s stable of 19 U.S. properties are a dozen of the most iconic casino hotels in Las Vegas—including the Bellagio, Mandalay Bay and the Cosmopolitan.
Since the attack was discovered on Sunday evening, it has wreaked havoc on MGM’s operations, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs and paid parking systems.
On Tuesday night, VX-Underground, a malware research group with nearly 229,000 followers on X, posted that the ransomware-as-a-service group ALPHV, also known as BlackCat, had claimed responsibility for the attack. According to that post, the intrusion relied on social engineering: the attackers found an MGM employee who worked in IT support on LinkedIn, then simply called the MGM help desk. Astonishingly, the initial compromise reportedly took about 10 minutes.
“MGM is a huge company, but small- and medium-sized businesses get hit with ransomware countless times per week and it doesn’t usually make the news,” says Alex Hammerstone, advisory solutions director at TrustedSec, an Ohio-based cybersecurity firm.
One bright red flag was the high visibility of the disruption. “The fact that everything’s down,” Hammerstone says. “I mean, if you’re gonna go in stealthily and steal data and then do something with it, everything wouldn’t be down.”
ALPHV is an extremely well-known black-hat actor in the cybersecurity industry, thought to be responsible for attacks against Reddit and Western Digital, among others. In April 2022, CISA, America’s cyber defense agency, issued an alert based on an FBI flash report on ALPHV, noting the criminal group had “compromised at least 60 entities worldwide.”
Neither MGM nor the FBI has publicly characterized the nature of the breach, and MGM has not responded to Forbes’ multiple requests for comment.
While ALPHV’s responsibility for the attack has not been verified, cybersecurity experts say VX-Underground is a reliable source.
“VX-Underground is well respected in the cybersecurity community and often talks with threat actors,” says Martin Zugec, technical solutions director at Bitdefender, a multinational cybersecurity firm. “Their info is usually solid.”
“Absolutely,” Hammerstone agrees. “VX-Underground is a researcher that absolutely knows cybersecurity.”
But it’s clear that what the company called a “cybersecurity issue” will be extremely costly. In the quarter that ended on June 30, MGM reported that its Las Vegas Strip properties generated revenue of $1.2 billion just from hotel rooms and casinos. Based on those figures, MGM’s Vegas Strip properties bring in more than $13 million per day in revenue.
Once the MGM breach was discovered, Hammerstone says it was appropriate for the company to shut down its systems. “If there is an incident, you want to stop it as quickly as possible and you want to stop access,” he says, adding that he is speculating based on reports. “It’s not uncommon for companies to shut down systems on their own to prevent the spread.”
It’s still not clear exactly what the hackers have. “But based on incidents that we see,” says Hammerstone, “it’s oftentimes multifold. So if they’ve encrypted your system, they’ll want a ransom to give you the key or to give access back. But they’ll also oftentimes take data and then threaten to release it if you don’t pay them.”
The amount of the ransom is also unknown. “But you just have to remember that these are very sophisticated, very well-organized groups. They do a lot of research, they have a lot of sophistication,” Hammerstone says. “We’ve seen that once attackers are in the system, they will sometimes look for your cyber insurance policy to see how much you’re covered for and then ask for that amount.”
Even after its systems are back up and running, MGM might suffer longer-term reputational damage. “We’ve seen that different industries are affected differently reputationally by these types of things,” says Hammerstone. “With retail, the fact of the matter is oftentimes if people have their data breached, they’re going to continue to shop there. They like the prices or the products or whatever it is.”
“But imagine you save up all year to go to Vegas, and then you have this experience,” he says. “It’s going to leave a bad taste in your mouth.”