Initial reports pointed to an ALPHV sub-group called Scattered Spider as the culprits, after the same group was linked to an attack on MGM’s US casino rival Caesars Entertainment.
ALPHV is a widely recognised black-hat actor in the cybersecurity sphere, suspected of orchestrating cyberattacks on notable targets, including Reddit and Western Digital, among others.
“We have made multiple attempts to reach out to MGM Resorts International. As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight,” the organisation said in a lengthy statement that was shared online.
ALPHV claims it didn’t deploy ransomware on MGM’s systems initially but had infiltrated their Okta Agent servers to access passwords.
When detected, MGM shut down Okta Sync servers but failed to fully remove ALPHV from its network, leaving the group with admin privileges.
MGM has relied on Okta, an identity management solution, since 2013. Okta is a “secure identity cloud” offering a single sign-on security solution.
Timeline
ALPHV’s timeline is unclear, but it reports that MGM went offline on a Sunday (10 September), following network access issues on Saturday (9 September).
The group claimed the ransomware attacks occurred only on Monday (11 September), after MGM failed to respond to ALPHV.
The group provided a new password for accessing exfiltrated data, only recognisable to specific MGM executives.
ALPHV mentioned mixed responses from MGM during negotiations, involving a mysterious user in their chat who did not respond to their messages.“We are unsure if this activity is automated but would likely assume it is a human checking it.”
Stolen data
Regarding the breached data, ALPHV is uncertain if it contains personally identifiable information.
If not, they plan to share it responsibly with Microsoft regional director and web security expert Troy Hunt.
Hunt is known for creating HaveIBeenPwned.com, a free resource that allows individuals to promptly check if their online accounts have been compromised or “pwned” in a data breach.
ALPHV also criticised MGM for a lack of customer concern, questioned reporting by the Financial Times, debunked rumours around the involvement of teenagers, and raised doubts about claims made by cyber security firms in the media.
The group emphasised that it had not “privately or publicly claimed responsibility for an attack before this point”.
ALPHV also criticised media outlets for erroneously reporting that they had taken credit for the attack before they actually did.
Finally, ALPHV stated it still has access to MGM’s network and threatened further attacks if a deal isn’t reached.
“We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.”
The full statement can be read here.
