Netanel Azoulay


The MGM Hack

Don’t Gamble On Your Identities

In this era of advanced cyber threats, no organization is invulnerable, regardless of its size or reputation. The cyberattack on MGM Casino is a stark reminder of how quickly those threats evolve and how intricate they have become. It underlines the need to shift to an identity-first security approach, and the imperative for tools like ISPM (Identity Security Posture Management) and ITDR (Identity Threat Detection and Response) to address modern cyber challenges adequately.

A Synopsis of the Incident

  1. Onset: On September 11, 2023, MGM Resorts detected a notable “cybersecurity issue,” triggering a widespread shutdown.
  2. Business Impact: MGM faced operational disruption: digital room keys stopped working, slot machines halted, and digital platforms went silent. Guests reverted to physical room keys amid slow manual check-ins. Despite the chaos, MGM’s communications referred only vaguely to a ‘cybersecurity issue’.
  3. Threat Actor: The Scattered Spider group, known for their “Vishing” (Voice Phishing) tactics, was identified as the culprit.
  4. Methodology of the Attack: Attackers targeted an MGM employee on LinkedIn and, through impersonation, deceived the MGM IT helpdesk into providing system credentials. The malefactors claimed their entry point was MGM’s Okta platform, specifically the Okta Agent.
  5. Ransomware & Demands: The ALPHV (or BlackCat) ransomware was activated. The attack, initially on slot machines, eventually encompassed data theft and encryption, with a ransom demand in cryptocurrency.
  6. Counternarratives: The group conceded their involvement but contested specific details about their methods and objectives. They later described how they had breached MGM’s Okta systems and sniffed passwords. David Bradbury, Okta’s chief security officer, confirmed the role of social engineering in the MGM breach, noting that the attackers had succeeded in adding their own identity provider (IdP) and user database to MGM’s Okta tenant. Okta’s earlier advisories about exactly this kind of social engineering attack underscore the importance of rigorous employee training and proactive threat awareness.

Actionable Insights

The rise in cyber breaches targeting identities means that notorious threat actors like Cozy Bear (CrowdStrike 2023 report), Scattered Spider, and others now focus on the identity layer, employing phishing, vishing, and MFA bypass tactics. Consequently, adopting identity-centric security solutions like ISPM and ITDR is no longer optional.

  1. Identity Security Posture Management: Drive consistent and proactive prevention with Mesh ISPM. It holistically augments identity security, focusing on prevention and risk reduction around your identity fabric.
  2. Identity Threat Detection & Response: Embrace the power of continuous, risk-based behavior detection with Mesh ITDR. This innovative tool stands as a sentinel, consistently monitoring identity activities in real time. Its primary role is to ensure the rapid detection of threats and facilitate swift responses, making it an indispensable element in modern cybersecurity strategies.
  3. Reinvent your IAM Program: As “identity is the new perimeter,” strengthening Identity and Access Management frameworks is crucial.
    1. Old Boundaries: Conventional firewalls, although essential, are becoming outdated in today’s digital landscape that requires advanced defensive mechanisms.
    2. Adaptive Frameworks: Modern security solutions should be consistent, continuous, and context-aware. New strategies should be as adaptable as the human immune system, with Mesh ITDR exemplifying this approach.
  4. Education: Regularly educate staff about voice phishing and ensure independent verification of unfamiliar requests.
  5. Regular Assessments and Updates: Ensure security protocols align with the evolving threat environment.
  6. Foster Cybersecurity Culture: Cultivate a setting where everyone acknowledges their role in cybersecurity. Being aware of current threats and reporting suspicious activities promptly is vital.
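The Okta detail in the synopsis (an attacker-controlled IdP added after a help-desk credential reset) and the continuous monitoring that item 2 above calls for can be tied together in a small correlation rule. The following is an added example, not Mesh product logic or Okta tooling: the event type names are Okta System Log types, while the correlation logic, field handling, two-hour window, user names and all events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Event type names follow Okta's System Log; all events below are constructed samples.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}  # help-desk actions
HIGH_RISK_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update",
                    "user.account.privilege.grant"}  # rare tenant-level changes

def _ts(event):
    # Okta publishes UTC timestamps with a trailing 'Z', which fromisoformat() before 3.11 rejects.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def detect_identity_takeover(events, window=timedelta(hours=2)):
    """Flag every successful high-risk event as 'medium'; raise it to 'high' when the
    actor's password or MFA was reset by someone else within `window` beforehand."""
    recent_resets = {}  # target user -> (reset time, who performed it)
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"]
        if ev["eventType"] in RESET_EVENTS:
            for tgt in ev["target"]:
                if tgt["alternateId"] != actor:  # self-service resets are routine
                    recent_resets[tgt["alternateId"]] = (_ts(ev), actor)
        elif ev["eventType"] in HIGH_RISK_EVENTS:
            severity, reason = "medium", "tenant-level change, review"
            reset = recent_resets.get(actor)
            if reset and _ts(ev) - reset[0] <= window:
                severity = "high"
                reason = f"credentials reset by {reset[1]} {_ts(ev) - reset[0]} earlier"
            alerts.append({"severity": severity, "actor": actor,
                           "event": ev["eventType"], "reason": reason})
    return alerts

def _ev(published, event_type, actor, target=None):
    """Build one constructed event in the System Log shape read above."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor}, "target": [{"alternateId": target or actor}],
            "outcome": {"result": "SUCCESS"}}

# Constructed scenario: the help desk resets alice's password and MFA, then "alice" adds an
# IdP 15 minutes later (high). bob's IdP update comes 4 hours after a reset (medium only).
SAMPLE_EVENTS = [
    _ev("2023-09-10T10:00:00.000Z", "user.account.reset_password", "helpdesk@example.com", "alice@example.com"),
    _ev("2023-09-10T10:05:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "alice@example.com"),
    _ev("2023-09-10T10:20:00.000Z", "system.idp.lifecycle.create", "alice@example.com"),
    _ev("2023-09-11T05:00:00.000Z", "user.account.reset_password", "helpdesk@example.com", "bob@example.com"),
    _ev("2023-09-11T09:00:00.000Z", "system.idp.lifecycle.update", "bob@example.com"),
]
```

Running `detect_identity_takeover(SAMPLE_EVENTS)` yields one high alert for alice and one medium alert for bob; in practice the events would be pulled from the System Log API and the rule would be one of several feeding an ITDR pipeline.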

Why CISOs Need Zero Trust Against Ransomware

The increasing complexity of cyberattacks has led security professionals to advocate for a Zero Trust approach, especially in light of incidents like the MGM breach.

This incident accentuates the importance of an identity-driven security approach. Marrying identity-focused micro-segmentation with real-time behavior tracking can substantially mitigate potential damages. Zero trust, while not a cure-all, is a resilient cybersecurity approach.

Thus, the primary key takeaway is to operationalize Zero Trust holistically:

  1. Explicit verification: Every digital interaction or transaction should be explicitly verified.
  2. Least Privilege: Adopt a restricted access model.
  3. Assume Breach: Work under the assumption that any identity or system might be compromised.

UNC3944’s Web of Intrigue: From Credential Theft to Ransomware Dominance

  1. Group Evolution & Background:
    • UNC3944 (AKA Scattered Spider) has shifted from merely stealing credentials to actually deploying ransomware.
    • The group’s evolution indicates that its targeted industries will continue to grow, including areas like retail, media, entertainment, and financial services.
    • The group was known by several other names, including Scatter Swine and 0ktapus, and started deploying ransomware in the middle of the year.
    • UNC3944 is believed to have members in Western countries, including the U.S. and U.K.
  2. Tactics & Tools:
    • They make use of texts and phone calls to help desks to reset passwords or gain MFA bypass codes.
    • Their strategy includes using legitimate software like remote access tools and searching through internal files to escalate privileges.
    • They attack through unmanaged virtual machines and target business-critical systems when deploying ransomware.
    • The group has at least three phishing kits associated with it and operates in underground communities to augment its operations.
    • They have targeted cloud environments, including Microsoft’s Azure and AWS.
  3. Association with BlackCat:
    • UNC3944 has recently collaborated with the BlackCat/AlphV ransomware operation, believed to be a successor of the Russia-linked REvil group.
  4. Specific Details about the Attacks:
    • There seems to be some discrepancy about which attacks UNC3944 was involved in, specifically regarding MGM and Caesars.
    • BlackCat claimed an affiliate was responsible for the MGM Resorts hack and mentioned the encryption of more than 100 ESXi hypervisors.
    • MGM shut down IT operations, which affected digital key cards, credit cards, and ATMs.
    • Caesars’ SEC filing states that its attack followed a social engineering scam against an outsourced IT support vendor.
  5. Group’s Future:
    • UNC3944 is expected to grow and diversify its monetization strategies. It may leverage underground communities for operations support.
    • The sophisticated phishing campaigns UNC3944 runs remain a persistent threat, increasing the need for security awareness and system protection.
    • Phishers will keep searching for delivery paths, and some users will inevitably follow the malicious links.


The MGM cyberattack offers invaluable lessons in the ever-evolving landscape of cyber threats.

The risk of identity breaches is escalating. As the adage “identity is the new perimeter” becomes more prevalent, enhancing Identity and Access Management (IAM) systems is imperative. ISPM and ITDR are reshaping how organizations tackle cybersecurity. With a thorough understanding of identity-related posture and incidents, security teams can counter even the most sophisticated cyber threats effectively.

Organizations need to be alert, adaptable, and preemptive to stay ahead. Adopting advanced identity-centric strategies and cultivating a proactive, cybersecurity-conscious culture can make a significant difference. The revelations from the MGM incident, especially those concerning Okta, emphasize the indispensability of a comprehensive security approach. In cybersecurity, gambling with identities is a risk we cannot afford; the stakes are too high.

Joel Leon
5 months ago

Interesting read