It sounded like a scene from Ocean's Eleven, but there were no lasers or acrobats. Just a phone call. The MGM Resorts breach of 2023 cost the casino giant $100 million and exposed the uncomfortable truth: You can't patch a human being.
Executive Summary
In September 2023, MGM Resorts International, operators of the Bellagio, Aria, and Cosmopolitan in Las Vegas, suffered a devastating cyberattack. Slot machines displayed error messages. Hotel room keys stopped working. Guests waited in line for hours to check in manually with pen and paper.
The attackers, a group known as Scattered Spider (an affiliate of the BlackCat/ALPHV ransomware gang), did not use a complex zero-day exploit. They found an MGM employee's information on LinkedIn, called the IT Service Desk, and impersonated them.
The Vishing (Voice Phishing) Playbook
Social Engineering is the art of manipulating people into performing actions or divulging confidential information. In this case, the attackers used a technique called Vishing.
The "script" likely went something like this:
"Hi, this is [Employee Name]. I'm locked out of my Okta account and I have a client presentation in 10 minutes. I lost my phone so I can't do the push notification. Can you reset my MFA to this new number?"
The helpdesk agent, wanting to be helpful (and likely lacking strict identity verification protocols for voice calls), complied. With the MFA reset, the attackers logged in, gained persistence, and moved laterally to the domain controller.
The Caesars Comparison: To Pay or Not to Pay?
Weeks prior to the MGM attack, rival casino giant Caesars Entertainment was hit by the same group. Caesars chose to pay the ransom—reported to be around $15 million USD. In exchange, they received a promise that the data would not be leaked and their systems were kept online.
MGM, in contrast, refused to pay. They took the "burn it down" approach, shutting down their own systems to contain the spread. This resulted in significant operational chaos but denied the attackers their payout. This tale of two casinos highlights the central ethical and financial dilemma of modern incident response.
Technical Deep Dive: The Attack Anatomy
Understanding the specific mechanics of the attack is crucial for engineers. Most advanced threats follow the Cyber Kill Chain model:
RECONNAISSANCE: The attacker gathers information on the target. This can be passive (OSINT) or active (port scanning).
WEAPONIZATION: Creating a deliverable payload (e.g., a malicious PDF or Office macro).
DELIVERY: Transmitting the weapon to the target (e.g., via Phishing or USB).
EXPLOITATION: Triggering the payload to exploit a vulnerability (e.g., CVE-2023-xyz).
INSTALLATION: Establishing a backdoor or persistence mechanism (e.g., a scheduled task or registry key).
COMMAND & CONTROL (C2): The compromised system calls home to the attacker server for instructions.
ACTIONS ON OBJECTIVES: The attacker achieves their goal (encryption, extensive data exfiltration, destruction).
Identity Provider (IdP) Manipulation
Once inside, Scattered Spider targeted the Identity Provider (Okta). They established persistence by creating "Federated Identity" trusts. This meant that even if MGM reset every password in the company, the attackers could still generate valid login tokens because they controlled a "trusted" external identity server.
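The two signals described above, a helpdesk MFA reset followed quickly by a login from an unfamiliar address and the creation of a new federated identity provider, are exactly what a detection rule over IdP audit logs should catch. The following is an added example, not code from the original article or from any vendor; the log lines are constructed and the event names are assumptions chosen to resemble an IdP system log, not Okta's actual schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (assumption: a simplified IdP log format).
SAMPLE_LOG = """\
{"ts":"2023-09-10T09:00:00Z","event":"mfa.factor.reset","actor":"helpdesk.agent","target":"jdoe","ip":"10.0.5.20"}
{"ts":"2023-09-10T09:04:00Z","event":"user.login.success","actor":"jdoe","target":"jdoe","ip":"203.0.113.7"}
{"ts":"2023-09-10T09:30:00Z","event":"idp.federation.create","actor":"jdoe","target":"partner-idp.example","ip":"203.0.113.7"}
{"ts":"2023-09-10T11:00:00Z","event":"mfa.factor.reset","actor":"helpdesk.agent","target":"asmith","ip":"10.0.5.20"}
{"ts":"2023-09-11T08:00:00Z","event":"user.login.success","actor":"asmith","target":"asmith","ip":"10.0.7.3"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=30)):
    """Return (severity, message) alerts for the reset-then-login and new-IdP patterns."""
    alerts = []
    last_reset = {}  # target user -> time of the most recent MFA factor reset
    for e in events:
        if e["event"] == "idp.federation.create":
            # A new federated trust lets whoever controls it mint valid tokens,
            # so it should be rare, change-managed, and always reviewed.
            alerts.append(("HIGH", f"new federated IdP '{e['target']}' created by {e['actor']}"))
        elif e["event"] == "mfa.factor.reset":
            last_reset[e["target"]] = e["ts"]
        elif e["event"] == "user.login.success":
            t = last_reset.get(e["target"])
            if t is not None and e["ts"] - t <= window:
                mins = int((e["ts"] - t).total_seconds() // 60)
                alerts.append(("MEDIUM", f"login by {e['target']} from {e['ip']} {mins} min after MFA reset"))
    return alerts

if __name__ == "__main__":
    for severity, msg in detect(parse_events(SAMPLE_LOG)):
        print(severity, msg)
```

The second reset (asmith) produces no alert because the next login falls outside the window; tune the window and add a check for a never-before-seen IP to reduce noise further.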
Regulatory and Compliance Context
In the aftermath of such incidents, organizations must navigate a complex web of regulatory obligations. Failure to comply can result in severe fines and reputational damage.
GDPR (General Data Protection Regulation)
For organizations operating in or serving citizens of the EU, GDPR mandates strict breach notification timelines (usually within 72 hours). Article 32 requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
NIST Cybersecurity Framework
The NIST framework provides a standard for critical infrastructure. It is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. This incident highlights failures primarily in the 'Protect' and 'Detect' functions.
Local Legislation (Privacy Act 1988 - Australia)
Under the Notifiable Data Breaches (NDB) scheme, organizations must notify the OAIC and affected individuals if a data breach is likely to result in serious harm. This includes unauthorized access to personal information.
The Fallout
MGM reported a $100 million hit to its quarterly earnings. This implies that for a company of MGM's size, the cost of downtime far exceeds the cost of the ransom. However, paying the ransom funds future attacks and does not guarantee data safety.
Standard Incident Response Procedures
A robust Incident Response Plan (IRP) is the best defense against chaos. The SANS Institute outlines a six-step process:
- Preparation: Training, tooling, and dry runs (tabletop exercises).
- Identification: Detecting the deviation from normal behavior and determining the scope.
- Containment: Short-term mitigation (isolating the system) and long-term containment (patching).
- Eradication: Removing the root cause (malware, compromised accounts).
- Recovery: Restoring systems to normal operation and monitoring for recurrence.
- Lessons Learned: Post-incident analysis to improve future response.
Defending Against Vishing
The helpdesk is the new perimeter. Defending it requires:
- MFA for Resets: Agents should not be able to reset MFA without a secondary verification (e.g., a manager's approval).
- Visual Verification: Require a quick Zoom call where the employee shows their ID badge next to their face.
- FIDO2 Hardware Keys: YubiKeys are phishing-resistant. Even if the attacker tricks the user into visiting a fake login page, the hardware key will refuse to authenticate.
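The three controls above can be expressed as a policy gate the helpdesk tooling evaluates before any MFA reset is executed. The following is an added example, not code from the original article or from MGM; the employee directory is constructed, and the request fields and channel names are assumptions about how a ticketing system might record a reset.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory of employee -> manager of record (assumption; a real
# system would query HR or the IdP rather than a hard-coded dict).
DIRECTORY = {"jdoe": "mlee", "asmith": "mlee", "mlee": "ceo"}

@dataclass
class ResetRequest:
    employee: str
    claimed_manager: str            # name the caller gives on the phone (audit only)
    visual_verified: bool           # video call with ID badge next to face completed
    approval_from: Optional[str]    # approver recorded by the approval system
    approval_channel: str           # "ticket" (approver's own session) or "phone"
    new_factor: str                 # e.g. "fido2", "sms", "push"

def authorize_mfa_reset(req: ResetRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is listed so the agent sees why."""
    reasons = []
    manager_of_record = DIRECTORY.get(req.employee)
    if manager_of_record is None:
        reasons.append("employee not in directory")
    if not req.visual_verified:
        reasons.append("visual ID verification not completed")
    # Trust the directory, never the caller, for who the manager is;
    # req.claimed_manager is kept for the audit trail but never drives the decision.
    if req.approval_from is None or req.approval_from != manager_of_record:
        reasons.append("approval missing or not from manager of record")
    # The approval must arrive through the approver's own authenticated channel,
    # otherwise the caller can simply conference in an accomplice.
    if req.approval_channel != "ticket":
        reasons.append("approval must come via the approver's own ticket session")
    # Re-enrolling onto SMS or push re-creates the weakness; only allow FIDO2.
    if req.new_factor != "fido2":
        reasons.append("new factor must be phishing-resistant (fido2)")
    return (not reasons, reasons)

if __name__ == "__main__":
    # The vishing call from the article: no badge check, no real approval, SMS fallback.
    print(authorize_mfa_reset(ResetRequest("jdoe", "mlee", False, None, "phone", "sms")))
```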
Comprehensive Mitigation Strategies
To prevent recurrence, a defense-in-depth approach is required. This involves layering security controls so that if one fails, another catches the threat.
- Network Segmentation: Isolate critical assets in separate VLANs with strict firewall rules (East-West traffic inspection).
- Endpoint Detection and Response (EDR): Deploy agents that can detect behavioral anomalies, not just file signatures.
- Identity and Access Management (IAM): Enforce Least Privilege and MFA everywhere. Review access logs regularly.
- Regular Audits: Conduct penetration testing and vulnerability scanning (using tools like Nessus or Burp Suite) at least quarterly.
The MGM breach proved that while we spend millions on firewalls and EDR, the most dangerous vulnerability is the helpful employee on the other end of the phone.
