UNDER ATTACK
MGM Resorts and Caesars Entertainment were just the two latest gaming companies to become targets of digital blackmail. How can the industry fight these cybercriminals?
BY ANDY GOLDBERG
As just about everybody knows by now, the two largest casino operators in the United States, Caesars Entertainment and MGM Resorts International, were both recently victimized by a malicious computer network intrusion. Although it is impossible to fully verify any of the reports and rumors surrounding these incidents, it does appear that both attacks were perpetrated by the same group, known by security insiders as UNC3944 or, more commonly, “Scattered Spider.”
Who exactly is Scattered Spider?
This is a difficult question to answer definitively, but they are believed to be an English-speaking group (as opposed to Russian or Eastern European) that began intrusion campaigns in May or June 2022, according to reports from security firms CrowdStrike and Trellix.
Wikipedia claims the group members range in age from 19 to 22. Singapore-based cybercrime defender Group-IB appears to have been the first organization to connect cyberattacks at Twilio, Cloudflare and its own client base as all coming from the same group, which it dubbed “Oktapus,” based on the victims’ common reliance on Okta, a separate company, to handle secure authentication and access management. Group-IB published its report in August 2022, claiming the group had already compromised 130 organizations at that point.
Who else have they attacked?
Twilio and Cloudflare both published post-mortems of the attacks against their networks on August 7 and 9, 2022, respectively. The Group-IB report on August 22 noted the similarities in these two incidents as well as others it was monitoring. Then in January and February 2023, incident reports from video game publisher Riot Games, discussion forum Reddit, and cryptocurrency exchange Coinbase all identified similar attacks that were linked to Oktapus (which by then was more commonly referred to as Scattered Spider).
Riot Games confirmed that some source code of its popular game League of Legends was stolen, while Reddit and Coinbase prevented the attackers from gaining access to any customer data, though they both acknowledged that some employee contact information and internal documents were likely compromised.
Did they really break in via a 10-minute phone call with an employee?
A widely circulated X.com post by @vxunderground claimed the attackers simply needed to “hop on LinkedIn, find an employee, then call the Help Desk,” and were inside after 10 minutes. This is consistent, in fact, with the earlier attacks, which all relied heavily on “phishing,” that is, fooling a privileged employee into unwittingly providing credentials to an attacker, through a variety of methods.
However, the tweet ignores a large amount of prep work the attackers performed ahead of time to gather details about each company, including the names of key personnel, and a lot of work developing and placing malware inside of associated service providers. The tweet also glosses over the attackers’ persistence. They might target dozens of employees, all of whom correctly refuse to interact, until finding one who gets fooled.
So how does the attack work?
While we don’t know exactly how Caesars’ and MGM’s networks were initially compromised, earlier attacks relied on fake SMS messages sent to targeted insiders. Twilio produced screenshots of seemingly urgent text messages sent to employees with links to twilio-sso.com and twilio-okta.com.
Similarly, Coinbase suggested that domains combining the company name with -sso.com or -dashboard.com were originated by the attackers. Upon clicking these links, employees were redirected to login pages that
14 Global Gaming Business NOVEMBER 2023
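The lure domains described in the section above (a company name joined to sso, okta or dashboard) lend themselves to a simple defensive check. The following Python detector is an added example, not code from the article or from any company it names: it scans text messages or proxy log lines for URLs whose registrable domain combines a protected brand with an identity-related word and flags them for review. The brand list, the allowlist, the extra words "login" and "auth", and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Brand names an attacker would impersonate on a fake login page
# (constructed list for this example; use your own organisation's names).
PROTECTED_BRANDS = ("twilio", "coinbase", "mgm")
# Words the article says were appended to the brand (sso, okta, dashboard);
# "login" and "auth" are an added assumption, not taken from the article.
LURE_WORDS = ("sso", "okta", "dashboard", "login", "auth")
# Domains the organisation actually owns; any other brand+lure combination
# is treated as a suspected phishing lure (constructed allowlist).
ALLOWLIST = {"twilio.com", "coinbase.com", "mgmresorts.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(url: str) -> str:
    """Return the host's last two labels, lower-cased (sufficient for .com-style TLDs)."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify_domain(url: str) -> str:
    """Return 'allowlisted', 'suspected-lure' or 'unknown' for one URL."""
    domain = registrable_domain(url)
    if domain in ALLOWLIST:
        return "allowlisted"
    label = domain.split(".")[0]  # e.g. "twilio-sso" from "twilio-sso.com"
    for brand in PROTECTED_BRANDS:
        for word in LURE_WORDS:
            # brand and lure word joined by '-', '_' or nothing, in either order
            if re.match(rf"^({brand}[-_]?{word}|{word}[-_]?{brand})$", label):
                return "suspected-lure"
    return "unknown"


def scan_messages(messages):
    """Return (url, verdict) for every URL found in the given message texts."""
    return [(url, classify_domain(url)) for msg in messages for url in URL_RE.findall(msg)]


SAMPLE_SMS = [  # constructed examples, not real messages
    "ALERT: your schedule changed, re-login at https://twilio-sso.com/login now",
    "Password expires today: https://twilio-okta.com/reset",
    "Team update posted: https://www.twilio.com/blog/update",
    "Verify your account: https://coinbase-dashboard.com/verify",
    "Lunch menu: https://cafeteria.example.org/today",
]

if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_SMS):
        print(f"{verdict:15} {url}")
```

In practice the verdicts would feed an SMS gateway filter or a proxy block list, and newly registered brand+lure domains would be added to a takedown queue.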