On Sept. 20, MGM Resorts officially announced on X, formerly known as Twitter, that their hotels and casinos are operating normally after 10 days of cybersecurity protocols responding to a cyberattack detected earlier this month. MGM was estimated to have lost $8 million each day while struggling with the attacks.
Rival company Caesars Entertainment informed federal regulators that it was also hit by cyberattacks this month. They first detected the attacks on Sept. 7, and it has been widely reported that the organization paid the hackers $15 million to cease further attacks.
Throughout the protocols’ duration, MGM properties were experiencing rolling computer shutdowns. Everything from slot machines to credit card processing systems was taken out of commission to help navigate through the crisis. Director of UNLV’s cybersecurity program Gregory Moody shed some light on the situation in an email interview with the Scarlet & Gray Free Press.
Hackers hit MGM with a “social-engineered attack,” meaning they manipulated MGM employees in order to exploit the company’s security systems. Most people are familiar with this concept; cybersecurity firm AAG estimated 3.4 billion “phishing” emails are sent every day. These emails come in many forms; one example is a spam email in which the sender pretends to be an Amazon representative, tells recipients that a billing issue occurred and asks them to call a provided phone number to resolve the payment.
However, the way hackers attacked MGM was more complex than that. Moody stated:
“The attackers, after some initial reconnaissance of the MGM LinkedIn pages to identify workers and how they relate, identified one or multiple individuals to impersonate. They then called the internal help desk for employees with a request to help reset a password. Through their knowledge about MGM, the individual and the processes, they were able to convince the help desk to provide a reset, or email change, or provide a new password — unsure exactly what they did at this step as this has not been disclosed. But the end result is that the attacker had legitimate login credentials to access MGM resources as if they were an employee.”
With the login credentials, hackers could access all of MGM’s computer systems, including databases and crediting systems. According to Moody, from here the hackers were able to conduct a ransomware attack by implementing a program that could essentially block all communications on any infected device within the MGM systems.
“Think of it as a digital wrapping paper which cannot be cut or broken and has a lock that can only be undone with the right combination,” Moody said. “Without the combination, the ‘stuff’ inside is simply not accessible.”
MGM’s cybersecurity protocols included “cleaning” the devices. Moody explained:
“Their teams are combing through all of the devices to determine whether one is infected or not. [They] completely delete everything on the [infected] device and restore clean software and then perform a data restoration from available data backups, which have been tested to be free from the malware.”
So finally, after 10 days of back-and-forth action, MGM seems to have cleaned all their infected devices. Moving forward, Moody assumes the company will emphasize cybersecurity for the near future. “This has raised the awareness to the company that risks can come from technical problems and from a cyberattack,” said Moody. “Any indication of negligent practices will result in some people being removed from their positions, and the company will likely increase its concern for, support of and funding for cybersecurity.”
While it’s easy to see the scale of consequences for such a high-profile cyberattack, the threat is just as real to students on campus. Verizon’s 2023 Data Breach Investigations Report found 74 percent of breaches involved manipulating a “human element,” mostly through phishing attempts. So next time an unknown phone number messages you claiming your Netflix subscription has expired, think twice before you call them back.