A full timeline of the MGM Resorts cyber attack

Two separate hacking gangs have been implicated in the cyber attack

Olivia Powell
09/15/2023


Note: This article is being continuously updated to add further information and dates to the timeline.

Hospitality and entertainment company MGM Resorts recently suffered a cyber attack that severely impacted its business operations.

The cyber attack was discovered on September 11, when MGM Resorts put out a statement via X (formerly Twitter) that a “cyber security incident” was impacting some of its systems. MGM Resorts reassured customers that it had contacted law enforcement regarding the cyber attack, and that an investigation into it had been launched.  

The company also said it was “working diligently to determine the nature and scope of the matter”.

On September 12, MGM Resorts made a second statement via X, reporting that all its “resorts including dining, entertainment and gaming” were “still operational”, and that its guests “continue to be able to access their hotel rooms and [its] Front Desk is ready to assist our guests as needed”. 

Despite this, from September 12 to 13, customers reported a number of issues linked to the cyber attack. Slot machines and the online booking systems of several of MGM’s Las Vegas properties were affected, meaning guests could not check in, make card payments to book rooms or cancel their reservations. Digital keys were also reported not to be working, so staff had to hand out physical keys. Other guests said they were unable to log into their MGM accounts.

MGM Resorts' main website, which is used by guests to book at all MGM properties, was reportedly down as of September 13. The site displayed an error message and urged customers to contact the resort either via third-party sites or via a phone call.

Also on September 13, it was revealed that the malicious actors behind the cyber attack may have been ransomware gang ALPHV (also known as BlackCat). The host of “one of the largest collection of malware source code, samples, and papers on the internet”, VX Underground, made a post on X detailing how the hack took place. According to VX Underground, which cited “the threat actors themselves” as its source, the cyber attack started with a successful vishing attempt. In a vishing attack, malicious actors attempt to gain access to networks and/or personal information via a phone call in which they pose as a trusted source.

VX Underground said: “All ALPHV ransomware group did [sic] to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.”

Other news sites including Reuters, however, reported that “two sources familiar with the matter” said that hacking group Scattered Spider was responsible for the attack. This is due to Scattered Spider relying on social engineering tactics to gain access to organizations’ networks.

It has also been suggested that Scattered Spider and ALPHV were working together on the hack. Brett Callow, threat analyst for cyber security company Emsisoft, told the Danville Register & Bee on September 18 that Scattered Spider "appear to be native English speakers under the umbrella of a Russia-based operation called ALPHV or BlackCat".

The cost of the cyber attack for MGM is currently unknown. However, financial services company Moody’s noted that it could have a negative impact on MGM’s credit. Moody’s also shared that the cyber attack “highlights key risks related to (MGM's) business operations' heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable”. Additionally, MGM Resorts’ share price has, as of the time of writing, dropped by 6 percent since September 11.

In September of this year, a social engineering attack on another casino operator and hotelier, Caesars Entertainment, saw the company pay around US$15 million to hackers. The malicious actors were able to gain access to and steal customer data including driver's license and potentially social security numbers by targeting the IT support vendor Caesars Entertainment employs.

In a regulatory filing on the attack, the company said: "We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter."

It was also reported that Scattered Spider was responsible for the hack, leading to the suggestion that Scattered Spider is similarly responsible for the cyber attack on MGM Resorts.

A timeline of the MGM Resorts hack

September 7: A social engineering attack is launched against the IT support vendor employed by Caesars Entertainment by hacking gang Scattered Spider. The hotelier pays around half of the $30 million ransom to the hackers. This gang is later linked to the MGM Resorts cyber attack.

September 11: MGM Resorts puts out a statement saying a “cyber security incident” has affected some of the company’s systems. An investigation into the cyber attack is launched and the relevant authorities contacted.

September 12: MGM Resorts makes a second statement reporting that all “resorts including dining, entertainment and gaming are still operational” and that its guests “continue to be able to access their hotel room and [its] Front Desk is ready to assist our guests as needed”.

September 12: Guests report a number of issues with MGM Resorts’ online booking system and casino. The company's main website is reported as being down.

September 13: VX Underground, host of “one of the largest collection of malware source code, samples, and papers on the internet”, makes a post on X saying the MGM cyber attack was the result of vishing. VX Underground also reports that ransomware gang ALPHV was responsible for the attack.

September 13: Sources close to the cyber attack say that the hacking group Scattered Spider is responsible for the hack.

September 13: Financial services company Moody’s says the cyber attack may negatively impact MGM’s credit. The company also notes that the cyber security incident highlights “key risks” in MGM’s reliance on technology.

September 18: Cyber security experts suggest that ALPHV and Scattered Spider were working together to launch the attack.

September 18: IT service management company Okta confirms that five of its clients, including MGM and Caesars Entertainment, have been the victims of hacking groups ALPHV and Scattered Spider since August of this year. The companies affected have not been named, but they are allegedly within the manufacturing, retail, and technology sectors.

