What SMBs Need to Know About the MGM Hack by Scattered Spider


Protecting your company from cyberattacks is becoming more important and more difficult every year. Hackers are constantly creating more sophisticated methods for manipulating their targets into giving them what they want. Even large corporations with a solid grasp of cybersecurity frequently fall victim to these attacks. MGM is among the approximately 73 percent of businesses worldwide that experienced ransomware in 2023. In September 2023, the group known as Scattered Spider attacked the company, effectively halting digital operations across most of the resort chain for over a week.

What Is Ransomware? 

Cybercriminals use ransomware to take control of a victim’s data, device, account, network, or other program and block the owner’s access to that content until they pay a ransom. These attacks commonly follow phishing: sending a harmful link in an email or text message that appears to be from a legitimate person, business, or other sender.

Cybercriminals utilize phishing links to install malware on the victim’s device or to gain unauthorized access to sensitive information. This information can include passwords, login credentials, bank account details, passport information, or social security numbers. These attacks create a sense of urgency to convince the victim to act without thinking the situation through.

For example, phishing links may attempt to convince targets that one of their real accounts will be deleted if a response is not received within a certain amount of time, that they made a large purchase (or their PayPal or credit card information was used to make one), or that sensitive or otherwise confidential information about them will be leaked if they do not immediately click on a link to dispute an issue. 


What Is Scattered Spider? 

Scattered Spider is a cybercriminal group that primarily focuses on data extortion and similar methods, especially against major corporations. This group uses ransomware and social engineering to convince a victim to give them access to certain types of data or pay a ransom.

Many of its members are believed to be young adults or older teens, and hackers in Russia or other countries actively seek them out because of their fluent English and minimal accents. These characteristics make Scattered Spider members convincing vishing attackers because their voices sound like the people they are attempting to impersonate. Targets believe that the attackers are who they claim to be and feel less suspicious about revealing the requested information.

Scattered Spider’s Attack on MGM Grand and Caesars Hotels & Casinos

Scattered Spider launched a major ransomware attack against MGM Resorts in September 2023. This cyberattack effectively crippled the majority of its systems for days, preventing most of its hotels’ digital elements from functioning. Digital room keys, slot machines, standard check-in systems, resort websites, and other digital tools that keep any modern hotel or resort up and running abruptly stopped working at each of the company’s 31 resorts. Once the company learned of the cyberattack, it was forced to take extreme measures against it. MGM had little choice but to pause all of its digital systems to keep data loss to a minimum. Its hotels also shifted to physical and manual versions of the majority of the digital operations they typically rely on. 

Rather than a common suspicious link, the catalyst for the MGM attack was a well-executed and highly believable phone call. This emphasizes the need for overall awareness of voice impersonation and better defense strategies. With this attack, Scattered Spider members pretended to be MGM employees by using data they found on LinkedIn and placed a phone call to the company’s IT help desk. During this conversation, the hacker gained access to credentials that allowed them to infect a significant percentage of MGM’s systems. This phone call utilized social engineering tactics to make the employee believe the caller was a legitimate MGM team member. Once done, they used ransomware to encrypt the company’s data to prevent actual team members from accessing it. 


Scattered Spider’s Tactics, Techniques, and Procedures 

While Scattered Spider is a relatively new organization, its extremely sophisticated techniques and high success rate make it a group to pay close attention to. Studying it helps defenders stay on top of modern tactics, spot new hacker strategies, and incorporate them into cyber threat reduction training. The MGM attack primarily consisted of social engineering, ransomware, and privilege escalation.

Social Engineering 

Scattered Spider has earned its reputation through its highly sophisticated use of social engineering and its exceptional vishing skills. In social engineering, attackers use a variety of strategies to manipulate victims into giving them access to money or information. Hackers often pair it with effective voice impersonation that makes their claims more believable.

Attackers use a variety of tactics to create effective social engineering strategies capable of successfully manipulating their targets. Voice impersonation scams are among these hackers’ most common methods. However, social engineering may also involve SMS and Telegram phishing, MFA fatigue, SIM swapping, and other techniques.

Scattered Spider employs a variety of these methods to strategize each attack, aiming for the highest likelihood of success against a specific company and its typical cybersecurity measures.

Specific known social engineering strategies that Scattered Spider has taken responsibility for in the past include:

  • Using phone calls or text messages to pose as a member of a company’s IT or helpdesk staff to gain credentials to access the company’s network
  • Posing as a member of the company’s helpdesk or IT staff to convince legitimate staff members to run remote access tools, which allowed them to hijack the unprotected network
  • Convincing employees to provide their MFA one-time access code by impersonating an IT team member
  • Persuading an employee to accept an MFA request by sending multiple consecutive requests 
  • Convincing cellular companies to transfer phone numbers to their SIM cards by impersonating the phone’s owner. This gave them remote access to the data on the target’s phone and their MFA requests 
  • Using extortion and similar techniques to convince targets to provide money in exchange for regaining access to their blocked networks 
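The repeated-MFA-request tactic in the list above leaves a recognizable trace in authentication logs: several denied or timed-out prompts for one user in a short period, sometimes ending in an approval. The following detection sketch is an added example, not code from NetTech or from any MFA product; the log format, the sample events, the ten-minute window, and the threshold of four are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format: time user event result).
SAMPLE_LOG = """\
2024-01-15T02:14:05Z alice push timeout
2024-01-15T02:14:40Z alice push denied
2024-01-15T02:15:10Z alice push denied
2024-01-15T02:15:55Z alice push timeout
2024-01-15T02:16:30Z alice push approved
2024-01-15T09:01:00Z bob push denied
2024-01-15T09:01:20Z bob push approved
2024-01-15T10:00:00Z carol push denied
2024-01-15T13:00:00Z carol push denied
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed number of failed prompts that counts as a burst


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, time) tuples for prompt bursts and approvals that end one.

    Assumes the log is in chronological order.
    """
    failed = defaultdict(deque)  # user -> times of recent denied/timed-out prompts
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "push":
            continue  # skip blank or unrelated lines
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        user, result = fields[1], fields[3]
        recent = failed[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget prompts older than the window
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((user, "prompt_burst", ts.isoformat()))
        elif result == "approved":
            if len(recent) >= threshold:
                # An approval right after a burst: treat the session as suspect.
                alerts.append((user, "approved_after_burst", ts.isoformat()))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An approval that follows a burst is the higher-priority alert, since it suggests the user gave in; a single denied prompt followed by an approval, as in the constructed "bob" events, is ordinary behavior and is not flagged.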

Privilege Escalation 

Privilege escalation involves obtaining unauthorized access to data or devices by exploiting a specific vulnerability. In the case of the Scattered Spider attack, the hackers used this technique to gain unauthorized access to MGM’s network through a real MGM staff member with that privilege. 

Encryption and Ransomware 

Ransomware played another key role in the success of the MGM Scattered Spider attack. In this scenario, the attackers were seeking money rather than information. The ransomware they used prevented MGM staff members from properly accessing their networks without paying a monetary ransom. Ultimately, MGM successfully shut down its systems and declined to pay the ransom requested by Scattered Spider to regain access to their encrypted data. However, the company was unable to utilize its network for a significant period until the issue was resolved.

Effects of the MGM Scattered Spider Attack 

The full impact of the MGM Scattered Spider attack remains uncertain. However, the company expects approximately $100 million in losses due to ten days of reduced operations and efforts to mitigate the damage. The company also stated that the attack affected its third-quarter profits but did not influence its income for the full year. There has been no known use of customers’ leaked social security numbers or passport numbers at this time, but this could still occur and often does in similar scenarios.

MGM Scattered Spider Attack Recovery 

MGM was able to resume normal operations within approximately ten days without paying Scattered Spider’s ransom. However, this outcome is not as common as inexperienced targets might hope. That said, we still have little information about the full extent of the damage many months later.

The cyberattack leaked customers’ social security numbers, passport numbers, and other data, and some of MGM’s systems may require complete rebuilding. This implies that unrecovered information can still potentially increase the overall extent of damage from the cyberattack.


Choose NetTech to Reduce Your Business’s Likelihood of Falling Victim to Phishing or Other Cyberattacks 

Choosing NetTech Consultants as your company’s managed IT provider can help you avoid attacks similar to what MGM experienced.

This Scattered Spider attack might have been less likely to succeed if the individual who communicated with the hacker had been more knowledgeable about identifying potential phishing, vishing, and other cyberattacks. Regular training can assist your team in adopting a more comprehensive approach to minimizing the risk of social engineering-related cyberattacks.

Our team members are experts in identifying and preventing a wide range of known cyberattacks, including phishing and ransomware. We also prioritize staying on top of the latest trends to continuously protect your company, data, customers, and money. Contact us today to learn more about the benefits of working with us!


The NetTech Content Team

NetTech Consultants is a Jacksonville based managed IT services provider that serves SMBs and organizations in Southeast Georgia and Northeast Florida. NetTech publishes content discussing information technology and cybersecurity concepts and trends in a business context.