Deciphering Shadows: Insights and Observations from the MGM Breach


On September 12, 2023, the world woke up to the news of another significant cyber-attack, this time on MGM Resorts International, a renowned name in the hotel and casino industry. The incident affected their operations across various locations, including iconic Las Vegas.

MGM was quick to assure its customers and stakeholders that the attack did not compromise any credit card information or other sensitive data. In a report to the SEC (Securities and Exchange Commission) on Tuesday, they emphasized their commitment to security and privacy, stating that they had engaged with law enforcement and cybersecurity experts to investigate the breach thoroughly. According to their disclosure, the impact on operations was a result of a decision to shut down some systems once the attack was detected.

While MGM’s official statement provided a broad overview of the incident there are still many questions unanswered. The specifics of the breach, the extent of the data accessed, and the potential ramifications remained unclear, which is to be expected given its ongoing nature. However, this lack of clarity inevitably paves the way for a plethora of rumors and speculations.

Among these rumors, a very interesting statement, published on September 15 allegedly by the attackers themselves, stands out. According to the statement, the cyber-attack on MGM resorts international was executed by the ALPHV ransomware gang. ALPHV, also known as BlackCat, is one of the most active and dangerous ransomware groups in the world, and it is known for its aggressive tactics and its willingness to target high-profile victims.

 In their public statement, ALPHV detail their actions, MGM’s responses and their perspective on the entire incident. Here are some highlights of the statement:

  1. The attacker gained access to MGM’s domain controller, looking for hash dumps to crack passwords
  2. The attacker also accessed Okta Agent servers, where they were sniffing passwords
  3. The attacker was eventually able to have MGM’s Okta super administrator privileges and global administrator privileges for MGM’s Azure tenant.
  4. ALPHV launched ransomware attacks against more than 100 ESXi hypervisors in MGM’s environment on September 11th.
  5. ALPHV claim to have acquired 6TB of data from MGM’s systems. While they haven’t released any data yet, they’ve threatened to do so unless a ransom is paid.

The veracity of the information released by the attacker remains uncertain. It is entirely possible that this disclosure is part of a calculated psychological campaign aimed at exerting added pressure on MGM. Such tactics can be employed to sow doubt, create internal discord and further the attacker’s agenda, making it imperative to approach such claims with caution and skepticism.

However, even if the statement does not describe the true story, it sheds some light on how attackers can leverage the inherent complexity of hybrid environments with on-premises data centers, Cloud and SaaS (Software as a Service). We at Mitiga see this approach expanding and are closely monitoring publications related to this attack and others, looking for new or updated Cloud Attack Scenarios and TTPs (tactics, techniques, and procedures). As we identify such TTPs, we use our expertise in Cloud and SaaS forensics to uncover the traces that these attacks leave in Cloud and SaaS forensic data. The insights are then codified and added to our library of indicators of attacks (IOAs). We use this Cloud Attack Scenario Library (CASL) to continuously scan the forensic data lakes we amass for our customers in order to uncover ongoing or past attacks. As attacks like the one that affected MGM become increasingly common, this is an approach more organizations will be turning to strengthen their investigation capabilities and build greater cyber resilience. 

We’ll keep updating.

Don't miss these stories:

Want to see the future of IR for cloud and SaaS? Request a demo of IR2