In the latest blow to the casino industry's cybersecurity, Caesars, a major casino operator, reportedly paid a $15 million ransom to a cybercrime group just days before a cyberattack targeted MGM Resorts. Sources familiar with the situation revealed that the same group that attacked MGM had also demanded a $30 million ransom from Caesars, although the company negotiated to pay roughly half of that amount. While the costs will be partly covered by Caesars' cyber insurance, the incident was deemed a "material event," requiring disclosure in a U.S. Securities and Exchange Commission (SEC) filing.
These back-to-back high-profile attacks highlight the growing threat landscape faced by the gaming industry. The cybercrime group responsible for both incidents, identified as UNC3944 or Roasted 0ktapus, has been linked to other cyberattacks on companies like Cloudflare, Okta, and Twilio. Security experts warn that despite the group's relative lack of experience compared to established ransomware groups, it poses a serious threat, given its members' effectiveness as social engineers and their fluency as native English speakers.
Caesars expressed confidence that the ransom payment and its aftermath would not significantly impact its bottom line, emphasizing its cyber insurance coverage.
Drew Schmitt, Practice Lead, GuidePoint Research and Intelligence Team (GRIT) at GuidePoint Security, shared insights on the incident and the threat group: "Scattered Spider (aka Roasted 0ktapus, UNC3944) is well known for its affinity for large targets, and the victimization of MGM and Caesars proves that the group possesses the motivation and means to be successful in their operations targeting substantial organizations. Scattered Spider is well known for having very well-established social engineering capabilities that many groups do not, mainly because they are rumored to have a significant presence in the United States, a characteristic many other groups do not share. Scattered Spider is exceptionally persistent and technically competent at many techniques, including phishing, SMiShing, MFA bombing, and SIM swapping, which have all contributed to their successful social engineering campaigns. Recently, there has been increasing speculation that Scattered Spider has partnered with AlphV on several occasions to extort the organizations they have victimized successfully.
"Regarding the MGM hack, there has been a lot of emphasis on the fact that a brief social engineering phone call resulted in widespread compromise within a huge organization. We currently do not have the complete picture, and although this method of intrusion highlights some potential gaps in cybersecurity processes, there is likely much more to this intrusion than meets the eye. Scattered Spider is highly determined and persistent in their operations; if it wasn't for this social engineering attempt, it could have been another that relied on more technical means. Sometimes attackers get lucky, and this could be one of those times.
"The reality of this situation is that Caesars and MGM were enormous organizations that became victims of ransomware. Still, so far in 2023, there have been over 2,800 public ransomware victims posted across leak sites belonging to more than 52 different threat actors. This number doesn't include the victims that pay a ransom demand, a number which organizations like Caesars would belong to. The ransomware pandemic continues to be the most prolific threat that all industries and organizations, regardless of size, face. The Caesars and MGM hacks are a reminder that partnerships in intelligence sharing and investing in cybersecurity teams should be a significant topic of discussion for all organizations and that, as an industry, we need to continue moving fast to keep up with evolving threats."
The delay in Caesars' disclosure raises questions about reporting timelines and the forthcoming SEC cybersecurity disclosure rule, set to take effect by year-end. The rule will require companies to promptly file an 8-K report detailing cyberattacks and their impact on business. The reasons for Caesars' delay in reporting the incident remain unclear, inviting further scrutiny of how the incident was handled.
These incidents serve as a stark reminder of the escalating cybersecurity challenges facing the gaming and hospitality sector, urging companies to adopt proactive security measures and strategies to safeguard sensitive data and operations.