MGM Resorts breached by 'Scattered Spider' hackers: sources

By Zeba Siddiqui and Christopher Bing

SAN FRANCISCO/WASHINGTON (Reuters) - A hacking group named Scattered Spider brought down the systems of the $14 billion gaming giant MGM Resorts International this week, two sources familiar with the matter said, as U.S. law enforcement officials started a probe into the breach.

Several MGM systems remained paralyzed for a third straight day after it said on Monday it had shut some of them to contain a "cybersecurity issue." The company, which operates over 30 hotel and gaming venues around the world including in Macau and Las Vegas, said it was investigating the incident.

A Bloomberg report separately said another casino operator, Caesars Entertainment, had been hacked and paid ransom to hackers who threatened to leak its data in recent weeks, citing two people familiar with the matter.

Shares of Caesars Entertainment and MGM both fell on Wednesday.

The cause and the full impact of the breaches were not immediately clear, although social media posts showed slot machines and systems down at MGM venues in Las Vegas.

Two sources familiar with the matter told Reuters the hacking group Scattered Spider was behind it. Identified by analysts last year, this group uses social engineering to lure users into giving up their login credentials or one-time-password (OTP) codes to bypass multi-factor authentication, the security firm CrowdStrike said in a blog post in January.

It is "one of the most prevalent and aggressive threat actors impacting organizations in the United States today," Charles Carmakal, chief technology officer at Alphabet Inc's Mandiant Intelligence, said in a post on LinkedIn on Wednesday, following reports about the MGM breach.

"Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the U.S.," he added.

Scattered Spider, also known as UNC3944, has hit telecom and business process outsourcing (BPO) companies in the past, but more recently also targeted critical infrastructure organizations, according to analyst reports.

"They leverage tradecraft that is challenging for many organizations with mature security programs to defend against," Carmakal said.

The FBI said on Wednesday it was investigating the incident, but did not elaborate. The rating agency Moody's warned the breach could negatively impact MGM's credit rating.

Such attacks are typical hallmarks of ransomware incidents in which extortionists encrypt victims' computer systems and demand ransoms in digital currency.

Analysts say casinos are prime targets of financially-motivated cybercrimes.

"They're more likely to get paid because they're disrupting casino operations," said Allan Liska, intelligence analyst at the security firm Recorded Future.

"Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats."

Moody's analysts said in a report that the incident "highlights key risks related to (MGM's) business operations' heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable."

Messages seeking further comment from MGM and the U.S. cybersecurity watchdog agency CISA were not immediately returned. MGM Resorts' website was "currently unavailable," according to a holding message posted to the group's homepage.

"Our investigation is ongoing and we are working diligently to determine the nature and scope of the matter," MGM said in a post on the social media website X on Monday.

(Reporting by Raphael Satter, Zeba Siddiqui and Christopher Bing; Editing by Daniel Wallis and Stephen Coates)