Because now YOU’RE gambling with cybersecurity
Two years ago, in September 2023, MGM Resorts in Las Vegas fell victim to a major cyberattack orchestrated by the hacking group Scattered Spider, linked to the infamous Russian BlackCat ransomware gang.
Guardian’s own Jim Mangus, senior vice president, operations and delivery, was staying at MGM for a tech conference when the events occurred. We asked him about his Las Vegas experience, the cyberattack, and what small and medium businesses can learn from a large-scale attack.
Guardian: Tell us about your MGM experience.
Jim: I was in Vegas for a conference, staying at the MGM, and the sessions were in their convention center. One morning I grabbed a coffee and started walking through the casino, and I noticed a bunch of slot machines with blue screens. At first, I figured it was just early-morning maintenance. But as I kept going, more and more machines were down, and I thought, wow, they’re taking a lot offline.
Later, when I went to grab lunch, I tried to charge it to my room, and the guy told me he couldn’t do that. So, I pulled out my card, but he said he couldn’t take credit cards either. I offered to get cash, but then he said the ATMs were down too. At that point I’m thinking, what is going on here? He ended up writing the charge down old-school style on a slip of paper with my room number.
Back in the exhibit hall, I talked to some of the conference organizers, and they told me MGM was completely down, system wide. Then I heard people whispering about a cyberattack. I even joked with the conference guys, asking if they were behind it since they are a big provider of security products. Sort of like the saying, “Same ones who sell the panic sell the cure.”
Even days later, when I was checking out, the systems still weren’t back up – they just said they’d send me my bill later.
Guardian: It’s been two years since the attack. MGM is obviously a huge enterprise. Do you hear small and medium-sized businesses say they’re not worried because hackers only go after the big guys?
Jim: That’s the fight – with the smaller guys, who don’t think it’s going to happen to them. Or if it does happen to them, they may pay the ransom and still not enact proper cybersecurity. What they fail to realize is that everybody – and I mean everybody – is part of a supply chain. Cyber criminals will attack the weakest link in that supply chain and head upstream from there. That huge enterprise may have its own best security, but then the attack comes in through the portal of a supplier with lax security controls.
We talk about this with the folks out in West Texas. That whole industry out in the Permian Basin is there for nothing more than to serve the oil and gas guys, the big guys. And you know, what we haven’t seen quite yet is a big push from the big end customers to really validate their supply chain and provide mandates that say if you want to do business with us, then you have to do this, this and this. But it’s a fight, right? It’s an educational fight. And a lot of them still just don’t care, which is shocking to me.
Guardian: Do some small and medium-sized companies not care – and forgo security expenses – because they believe their insurance company will bail them out after an attack?
Jim: Well, more and more insurance companies are starting to realize that they need to push their customers to implement at least a baseline set of security tools and have them at least try to protect themselves. I’m sure the insurance companies got tired of paying for a lot of these things before they decided that they really have to put some teeth into it. They won’t sign somebody if they don’t have at least the baseline stuff. The insurance providers are just trying to protect themselves and I get that. I think they should, because otherwise all it’s going to do is raise the rates for all the folks that are doing what they’re supposed to be doing.
Guardian: The MGM attack was done through “social engineering.” Can you explain that term and how it worked at MGM?
Jim: Social engineering is basically getting people inside the target to do what you want instead of hacking the target system directly. From what I saw with MGM, it wasn’t some ultra-sophisticated technical exploit so much as someone calling the helpdesk and pretending to be a bigwig who needed access right away. If the helpdesk person is following their protocol, well, they’re not letting them in and they’re not giving them anything. But unfortunately, helpdesk folks aren’t highly paid rock stars — many are based overseas, following scripts, and if someone gets irate or drops names, they may eventually cave and bypass protocol.
So, at MGM the attack looked like social engineering at scale: target the human weak points, like phone agents, and get them to ignore protocol and allow authorization, and boom — systems get compromised or taken offline.
Once inside, Scattered Spider took control of critical operations across MGM properties – shutting down almost everything. It was reported that the hackers demanded a $30 million ransom, which MGM refused to pay. Yet, the financial fallout was still horrific, with MGM announcing around $100 million in losses due to business disruptions and recovery efforts. Full restoration of services took nearly 10 days.
Groups like Scattered Spider go after that because downtime causes chaos and gives them the opportunity to make quick money. What’s scarier is that now with AI, attackers can clone voices from earnings calls or other public speaking and make it sound like the CEO is phoning, which makes it even easier to trick people.
Guardian: At the time, MGM didn’t have multi-factor authorization (MFA) – something to verify someone’s identity, like a verbal password, a phone on file, or biometric data. Now, would that help stop a social engineering situation? For example, the pretend bigwig would not have had the real exec’s phone.
Jim: Yes, MFA definitely helps — but it’s just one piece of the puzzle. At this point MFA is really “table stakes” – the minimum starting requirement to even be considered credible. But a lot of companies still don’t have it, which blows my mind because it’s so easy to set up. I saw a breach just a couple of weeks ago where there was no MFA in place, and I thought, how does that even happen?
Guardian offers a solution in which enrolled users have a phone app (or desktop option) where we send them a push notification they have to approve, or go through verbal checks. And if someone calls the helpdesk saying they don’t have their phone or desktop, then what are they even using to try to get into the system? That’s when the red flags go up. So, MFA isn’t perfect, but it’s the baseline defense against this kind of social engineering. Without it, you’re basically leaving the door wide open.
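The help-desk flow Jim describes, modelled as an added example. This is not code from the interview or from Guardian’s product; it is a simplified stand-in in which the “push notification” is an HMAC challenge answered by an enrolled device secret. The users, secrets, device class and caller stories are all constructed for the example. The point it shows is that the reset decision depends only on proof of possessing the enrolled device: a caller who “lost their phone” or claims to be an executive is escalated, never let in over the phone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EnrolledUser:
    """Directory record (constructed). device_secret is None when no device was ever enrolled."""
    username: str
    device_secret: Optional[bytes]


class PhoneApp:
    """Stands in for the push-MFA app on the user's phone (constructed for the example)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def approve(self, challenge: bytes) -> bytes:
        # Only a device holding the enrolled secret can produce a valid response.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class HelpDeskVerifier:
    """Decides help-desk reset requests purely on proof of device possession."""

    def __init__(self, users: List[EnrolledUser]) -> None:
        self._users: Dict[str, EnrolledUser] = {u.username: u for u in users}
        self._pending: Dict[str, bytes] = {}   # one outstanding challenge per user
        self.audit: List[str] = []

    def issue_challenge(self, username: str) -> Optional[bytes]:
        user = self._users.get(username)
        if user is None or user.device_secret is None:
            return None   # nothing to push to: account has no enrolled device
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def verify_response(self, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(username, None)   # single use: replaying fails
        if challenge is None:
            return False
        secret = self._users[username].device_secret
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def handle_reset_request(self, username: str, caller_device: Optional[PhoneApp],
                             caller_story: str) -> str:
        """caller_story is what the caller says (title, urgency, name-dropping).
        It is written to the audit log but never influences the decision."""
        challenge = self.issue_challenge(username)
        if challenge is None:
            decision = "ESCALATE: no enrolled MFA device; verify in person or via manager"
        elif caller_device is None:
            self._pending.pop(username, None)   # discard the unanswered challenge
            decision = "ESCALATE: caller cannot answer push; no reset over the phone"
        elif self.verify_response(username, caller_device.approve(challenge)):
            decision = "APPROVED: push challenge answered by the enrolled device"
        else:
            decision = "DENIED: push response did not verify"
        self.audit.append(f"{username}: {decision} | caller said: {caller_story!r}")
        return decision.split(":")[0]


def run_scenarios() -> Dict[str, str]:
    """Four constructed calls to the help desk; returns the decision for each."""
    alice_secret = secrets.token_bytes(32)
    desk = HelpDeskVerifier([
        EnrolledUser("alice", alice_secret),
        EnrolledUser("bob", None),             # the 'no MFA in place' case
    ])
    return {
        "legit": desk.handle_reset_request(
            "alice", PhoneApp(alice_secret), "locked out, need a reset"),
        "impostor_no_device": desk.handle_reset_request(
            "alice", None, "this is the VP, I lost my phone, do it now"),
        "impostor_wrong_secret": desk.handle_reset_request(
            "alice", PhoneApp(secrets.token_bytes(32)), "I'm on the exec team"),
        "unenrolled": desk.handle_reset_request(
            "bob", None, "ordinary reset request"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that `caller_story` is a log field, not an input to any branch: the script the agent follows cannot be talked around because the code path never consults what the caller claims. Every request that cannot be proven by the enrolled device lands in `ESCALATE`, which is the red-flag path Jim describes, and each outcome is recorded in `audit` so a cluster of escalations against one account is visible to the security team.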
Jim Mangus is Senior Vice President Operations & Delivery at Guardian. He helps organizations of all sizes and industries strengthen their security posture and navigate complex cyber threats. With more than 20 years of experience in tech and security, Jim is known for delivering innovative and tailored cybersecurity solutions that are unmatched in the service provider space. He is proud to have served over 24 years in the Marine Corps and the Army National Guard as an all-source intelligence analyst and officer, with deployments in Iraq and Afghanistan. You can connect with him at Jim Mangus | LinkedIn.