MGM Resorts Cyberattack Hobbles Las Vegas Strip Operations

MGM Resorts is battling to recover its systems following a Sept. 10 cyberattack that left its hotel operations across the country in digital disarray. Experts suspect a ransomware attack is behind the outages.

The damage is most acute in Las Vegas, where MGM Resorts is the largest single employer, with several hotels on the famed Strip, including the MGM Grand, Mandalay Bay, Bellagio, Luxor, Aria. According to reports and social media posts, many MGM Resorts guests were locked out of their hotel rooms after the cyberattack interfered with key cards, requiring security to let guests into their room with old-fashioned keys. Slot machines on the casino floors were also down, according to local reports.

MGM Resorts has nearly 50,000 guest rooms on the Las Vegas Strip alone.

"MGM Resorts recently identified a cybersecurity issue affecting some of the Company's systems," the hospitality giant said in a statement acknowledging the incident. "Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems."

MGM Resorts websites were still offline Tuesday and directed customers to call by phone to make reservations. The company added the investigation is ongoing in cooperation with law enforcement.

"Our resorts, including dining, entertainment, and gaming, are currently operational, and continue to deliver the experiences for which MGM is known," the company said in a follow-up statement on social media on Sept. 11.

MGM Resorts Cyberattack Looks Like Ransomware

While the exact nature of the disruption hasn't been confirmed, experts see clear signs of a ransomware cyberattack.

"The nature of the widespread outages and disruptions aligns most closely with a ransomware attack," says Callie Guenther, cyber-threat researcher and senior manager at Critical Start. "The breadth of affected systems and services suggests a concerted effort to disrupt operations, which is consistent with ransomware tactics."

Guenther adds, however, at this early stage, a distributed denial-of-service (DDoS) cyberattack or an advanced persistent threat (APT) threat group can't be ruled out.

Other experts agree a ransomware attack is most likely behind the MGM Resorts outages.

"Considering the available intelligence and the trajectory of cyber threats this year, it strongly suggests ransomware is the probable perpetrator," Chris Denbigh-White, chief security officer for Next DLP said in an emailed statement. "Casinos, both repositories of substantial wealth and vast volumes of personal and financial data that harbor a minuscule appetite for operational downtime, render them exceptionally enticing prey for cybercriminal syndicates on the hunt for financial gain."

Piyush Pandley, CEO at Pathlock finds it notable the MGM Resorts awards program was targeted, providing threat actors with a massive amount of sensitive data on customers.

"The lateral movement the attackers have gained has appeared to give them a wide span of control over interconnected systems — ATM and slot machines, electronic room keys, [and] rewards programs" among other systems, Pandley says. "Given the wide range of systems affected, it's possible that a user account in a core application or system was compromised, that allowed for the lateral movement we're seeing."

Insider Threat Suspected

The theory of compromised user accounts leading to the MGM Resorts breach would be in line with past casino cyberattacks, according to Zane Bond, head of product at Keeper Security.

“The majority of successful casino attacks, based on history, have happened through insider threats," Bond says. "The fact that this affected casinos in multiple cities indicates this is a significant breach that may have come from an insider threat or a worm that has spread wildly."

And with MGM Resorts still grappling with the cyber incident days later, it's becoming more likely that MGM Resorts will pay the ransom demand, according to Fergal Lyons, cybersecurity evangelist with Centripetal.

"If past performance in this industry is an indicator, then we could anticipate MGM paying the ransom if they see no other option," Lyons said in an emailed statement. "Cybercriminals are finding ransomware to be a lucrative industry, capitalizing on vulnerabilities and exploiting careless employees. The methods employed are diverse, tailored to the specific companies they target."

Recovery is now in the hands of the MGM Resorts security teams.

"The MGM Resorts IT and security teams are going through security professionals' worst fears and nightmares right now, which all security professionals can empathize with,” says Joseph Carson, chief security scientist and advisory CISO at Delinea. “I have seen many serious incidents in the past and can only hope that MGM Resorts have a solid incident response plan, have practiced and simulated it, and are prepared and ready to handle this incident.”