Caesars admits it was hacked in second major Las Vegas casino breach: Company ‘paid $15M ransom’ to Scattered Spider gang that also crippled MGM’s hotels and casinos
Gaming giant Caesars Entertainment has confirmed it has been breached by hackers, in an attack apparently carried out by Scattered Spider, the same ransomware gang that disabled systems at rival MGM Resorts International.
In a regulatory submit On Thursday, Caesars said it identified the breach on September 7, just days before a separate ransomware attack on MGM took gaming machines offline and disrupted other systems.
Caesars said hackers accessed loyalty program member information, including driver’s license numbers and possibly Social Security numbers, from a “significant number of members in the database.”
Caesars agreed to pay about half of the $30 million ransom demanded by hackers to restore access to the company’s systems. Wall Street Journal.
In its public announcement, Caesars did not explicitly acknowledge paying the ransom but alluded to unspecified “steps” it has taken “to ensure the stolen data is deleted by the unauthorized actor.”
Gaming giant Caesars Entertainment has confirmed that hackers have breached it, in an attack apparently carried out by the same ransomware gang that targeted MGM
Slot machines were seen offline in an MGM building earlier this week. Four days after the breach, MGM is still experiencing disruptions
Caesars has not experienced any disruption to its customer operations, unlike MGM, which appears to have rejected all ransom demands and is still dealing with the fallout four days after the attack began.
“One company appears to have paid up, avoided disruption and had media attention so far,” Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told DailyMail.com on Thursday.
Referring to MGM, he added: ‘One company appears to have failed to pay and is facing significant and ongoing disruption, as well as a barrage of speculative media reporting, based almost entirely on criminal claims.
“It sends a clear message to future victims about what the least painful option is and could unfortunately make the job of all cybercriminals a little easier in the future.”
Neither Caesars nor MGM responded to multiple requests for comment from DailyMail.com this week. MGM has not acknowledged that a ransom demand was made.
Both breaches appear to be the work of a hacker gang known as Scattered Spider Bloomberg News report citing four people familiar with the matter.
The gang is believed to be mainly based in the US and Britain, but is a known part of the Russia-linked BlackCat/ALPHV ransomware group.
Scattered Spider relies primarily on social engineering to trick human targets into sharing their login credentials, for example by resetting fake passwords, security firm Crowdstrike said in a blog post in January.
Caesars said in its disclosure that the breach stemmed from “a social engineering attack on an outsourced IT support vendor” that the attack used to gain control of its systems.
Caesars agreed to pay about half of the $30 million ransom demanded by hackers to restore access to the company’s systems, the Wall Street Journal reported.
MGM, which appears to have rejected all ransom demands, continues to grapple with the fallout four days after the breach
Caesars added that it is still investigating the extent of the data breach, but so far has no evidence that member passwords/PINs, bank account information or payment card information was accessed.
Meanwhile, MGM continues to deal with disruptions from the breach, which the company first identified on Sunday.
In a statement on Thursday, the company said: “We continue to work hard to resolve our cybersecurity issue while quickly responding to the needs of individual guests.
“We couldn’t do this without the thousands of incredible employees who are committed to guest service and supporting our loyal customers. Thank you for your continued patience.”
The fallout for MGM has been extremely costly, almost certainly running into the millions, as the breach disrupts daily operations from guest reservation systems to paid parking.
The company could also see a negative impact on its credit rating as a result of the breach, making borrowing more expensive, Moody’s analysts warn.
The FBI told DailyMail.com on Wednesday that it is investigating the MGM incident, adding: “As this is an ongoing investigation, we cannot provide additional details.”
MGM is the largest employer in Nevada and owns a number of prominent casinos on the Strip, including ARIA, Mandalay Bay, the Bellagio, Luxor and MGM Grand.
Headquartered in Reno, Caesars owns a number of prominent hotels and casinos in Las Vegas, including Caesars Palace, Planet Hollywood, Flamingo and Horseshoe Las Vegas.
Who are the Scattered Spider hacker gang?
Members of the Scattered Spider group are mainly young adults, some as young as 19, living in the US and Britain, according to Bloomberg.
Scattered Spider uses the hacking tools developed by the Russia-linked group known as BlackCat and ALPHV, which could indicate a business partnership between the groups to share in ransom payments.
The gang, also known as UNC3944, has hit telecom and business process outsourcing companies in the past, but has also recently targeted critical infrastructure organizations, according to analyst reports.
In a post on LinkedIn, Charles Carmakal, chief technology officer at Mandiant Intelligence, called Scattered Spider “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.”
“Many members are native English speakers and are incredibly effective social engineers,” he wrote, referring to the tactic of misleading human targets, including over the phone.
“They are using tradecraft that is challenging for many organizations with mature security programs to defend against,” Carmakal says.
MGM Resorts’ main website remained offline Thursday morning, directing visitors to download the MGM Rewards app for dining reservations
Analysts say casinos are prime targets for financially motivated ransomware gangs like Scattered Spider.
Ransomware gangs operate by infiltrating target organizations and encrypting their IT infrastructure, demanding payments that can run into the tens of millions of dollars in exchange for the encryption keys to restore access.
But refusing to pay can also be costly to companies, costing many millions in lost business as well as remediation efforts to restore access and secure compromised systems.
“Casinos are an attractive target for cyber extortionists,” said Callow, Emsisoft’s threat analyst.
“They have the means to pay the ransom and because downtime is so expensive for them, they may also have the motivation to pay,” he added.
“MGM isn’t the first casino to be affected, and with ransomware numbers possibly at an all-time high, it most likely won’t be the last.”