Ash Mcpherson's blog : Hacking of MGM took place after a failed attempt to rig slot machines, the "Scattered Spider" group claims.




In a move reminiscent of a heist movie, hackers who allegedly broke into MGM's casino security this month initially planned to manipulate the software that runs the slot machines and "collect mules to gamble and exploit the machines." For those craving more info on this digital heist saga, buckle up, because the rabbit hole goes deep, and the story unfolds with the intrigue of a high-stakes cyber thriller.


When their plan was thwarted, the group reverted to a decade-old formula that has brought billions of dollars in profits to ransomware operators.


In an interview via the Telegram messaging app, a person claiming to represent the group described the techniques it used to evade detection in the systems of some of the world's largest casino operators.




While it is not possible to independently verify their claims, security researchers familiar with the group nicknamed "Scattered Spider" say that the technical description given to the Financial Times is consistent with attacks that have claimed at least 100 victims in the past two years.


MGM, which has a market capitalization of $14.6 billion, did not respond to an e-mail seeking comment. The Nevada Gaming Control Board announced overnight that the state's governor, Joe Lombardo, is working with law enforcement on the hack.


The owners of several well-known casinos on the Las Vegas Strip, including Bellagio, Aria, Cosmopolitan, and Mandalay Bay, were forced to resort to "manual mode" gambling, including cash payments and handwritten IOUs, according to the company and social media reports.


The person declined to say how the group first accessed MGM's systems. In the past, Scattered Spider has made well-rehearsed phone calls to the help desk to obtain new passwords and generate multi-factor authentication codes for employees monitored through social media, and compromised company cell phone SIMs in a technique known as SIM phishing.


Members of the group calling themselves "Spider-1," "Spider-2," and "Spider-3" used common remote login software to access MGM's internal VPN and impersonate the digital footprint of employees to evade detection. They claim to have remotely executed malware, penetrated systems within five hours of launching their attack, and evaded detection for eight days.


They were successful because, unlike the Russian-speaking cybercriminals who dominate the ransomware industry, Scattered Spider members speak fluent English. Mandiant Consulting, a cybersecurity firm affiliated with Google, speculates that their members are based in the United States and Europe.


"This group is one of the most common and aggressive threat actors affecting organizations in the United States today," said Charles Carmakal, Mandiant's chief technology officer.


"While the members of this group may be inexperienced and young compared to many of the established ransomware groups and state-sponsored espionage actors, they are incredibly effective social engineers and serious threats, many of whom are native English speakers."


Like other hackers after a successful break-in, the person claiming to represent cybercriminals alternated between bragging and being discreet in his chats with journalists. The goal is to pressure MGM to pay up before any more embarrassing information is shared publicly.


Said the person, "After all, Scattered Spiders is a group of ethical pen testers."


This is a common refrain among cybercriminals, who proudly describe their activities and try to hide behind false claims of ethical behavior. "If a company is infected by our ransomware and chooses to pay the ransom, we will help them improve their security."


MGM shut down most of its internal intranet to contain the hackers, a person familiar with the situation said. The safeguards triggered the disruption and have led to a tougher look at security measures throughout the casino industry.


Bloomberg News reported that MGM rival Caesars Entertainment recently paid a multi-million dollar ransom to a cybercrime group. Scattered Spider was not behind that hack, a representative of the group said.


In a filing with the Securities and Exchange Commission on Thursday, Caesars revealed that hackers accessed personal information, including driver's license numbers and possibly Social Security numbers, of "a significant number of members in the database."


He added, "We have taken steps to ensure that the stolen data is deleted by the wrongdoers."


The plan to manipulate MGM's slot machines failed, probably because the attackers were unfamiliar with the code behind it, said Lior Frenkel, CEO of Israel-based Waterfall, which provides cybersecurity to several casinos on the Las Vegas Strip.


Hackers are using a common toolkit designed to work for many companies, regardless of industry, he said.


Says a person representing Scattered Spider, "Any company that has the money and meets our requirements, whatever its field, we attack it." They avoid hacking hospitals "because it's a (prison) sentence waiting to happen," airports are "terrorism," and the gas industry has custom-built systems that are "hard to maneuver."


Most casino hacks are simpler, if effective, Frenkel says. "They don't care that your business is gambling," he says. "They hack into every building management system, including HVAC and elevators, and shut them down."


In one instance he knows of, hackers gained access to the fire safety system and threatened to shut it down and force the casino to close. They were paid by the casino operator, he said, declining to name the victims.


Scattered Spider is already preparing for its next hack, too busy to watch the 2007 George Clooney-Brad Pitt comedy heist film "Ocean's Thirteen" (in which thieves figure out how to rig a casino slot machine to instantly hit the jackpot).






In:
  • Technology
On: 2024-03-13 18:26:39.498 http://jobhop.co.uk/blog/350206/hacking-of-mgm-took-place-after-a-failed-attempt-to-rig-slot-machines-the-scattered-spider-group-claims