Decipher File · September 2023
MGM Resorts Scattered Spider: Social Engineering as a Weapons Platform
The MGM Resorts Scattered Spider incident is the cybersecurity attack that proved a 10-minute phone call can ground a Las Vegas casino. In September 2023, the Scattered Spider group used vishing against MGM's IT helpdesk to reset employee credentials, then deployed ALPHV/BlackCat ransomware across MGM's identity provider and casino floor systems.
Incident summary
MGM Resorts International operates 31 hotel and casino properties globally, including the Bellagio, MGM Grand, Aria, and Mandalay Bay on the Las Vegas Strip. On September 11, 2023, customers reported widespread system outages affecting hotel check-in, room keys, slot machines, ATMs, and the MGM Rewards mobile app.
MGM disclosed in its October 5, 2023 SEC 8-K filing that the incident produced approximately $100 million in financial impact in Q3 2023 alone, primarily through reduced occupancy and gaming revenue. The 10-day operational disruption affected properties across Nevada, Mississippi, Maryland, Massachusetts, Michigan, New Jersey, New York, and Ohio.
Mandiant and CrowdStrike attributed the incident to Scattered Spider (also tracked as 0ktapus, UNC3944, and Scatter Swine), a financially motivated group that primarily targets identity providers and SaaS applications. The group is unusual in that its operators are native English speakers, which is what makes its phone-based social engineering convincing.
Attack technique
MITRE ATT&CK maps initial access to T1566.004, Phishing: Spearphishing Voice. Per multiple security industry reports including Mandiant and CrowdStrike, Scattered Spider operators called the MGM IT helpdesk impersonating an employee whose name and basic identity attributes had been gathered from public sources. The helpdesk reset the employee's credentials and registered a new MFA device under the attacker's control.
Once authenticated, the attacker pivoted to MGM's Okta identity provider. Scattered Spider has a documented playbook for Okta abuse: enumerate single sign-on assignments, target the most privileged users, and use Okta admin access to grant the attacker persistent access across all federated SaaS applications. CISA AA23-320A details the technique under T1556.006 (modifying the MFA configuration of legitimate accounts).
After identity compromise, Scattered Spider partnered with the ALPHV/BlackCat ransomware-as-a-service operation. ALPHV operators encrypted MGM systems including the back-of-house servers powering room keys, slot machines, and reservation systems. The casino floor disruption traced to network segments that should have been isolated from corporate IT but shared identity provider trust.
Impact and consequences
MGM disclosed in its 8-K that approximately 6.5 million customer records were exfiltrated, including names, contact information, dates of birth, driver's license numbers, and for some customers, Social Security numbers and passport numbers. The financial impact reached approximately $100 million for Q3 2023 plus an additional approximately $10 million in remediation costs.
MGM did not pay the ransom. Caesars Entertainment, hit by the same actor in late August 2023, did pay roughly $15 million per Bloomberg reporting. Caesars disclosed a comparable but less operationally disruptive incident in its September 2023 8-K filing. The contrast became a public study in ransom decision economics.
Industry response included rapid hardening of helpdesk verification procedures across Fortune 500 environments. The Identity Defined Security Alliance (IDSA) published updated guidance in November 2023 calling for callback verification to a known-good number, supervisor approval for high-privilege MFA resets, and break-glass workflows that do not depend on helpdesk paths.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Helpdesk ticket logs showing MFA reset requests for high-privilege users without callback verification
- Okta system log entries indicating session hijack from non-corporate IP ranges
- ALPHV/BlackCat ransomware binaries (hashes published in CISA AA24-038A and prior advisories)
- Outbound traffic from corporate endpoints to attacker-controlled infrastructure on residential proxies
- Anomalous login patterns to Azure AD from Cloudflare WARP and similar VPN ranges
- New Okta admin assignments not tied to standard provisioning workflow
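The two Okta-side indicators above (a session from a non-corporate range shortly after a factor change, and an admin assignment made outside the provisioning workflow) can be expressed as a small hunt over System Log events. The following is an added example, not code from the original page or from any vendor: the events are constructed samples that follow Okta System Log field and eventType naming (`user.mfa.factor.reset_all`, `user.mfa.factor.activate`, `user.session.start`, `user.account.privilege.grant`), and the corporate CIDR, the provisioning actor ID and the 24-hour window are assumptions to adjust for your environment.

```python
"""Hunt Okta-style System Log events for helpdesk-assisted MFA takeover signals.

Added example, not part of the original page. Events below are constructed
samples; corporate ranges, automation identities and the window are assumed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are UTC.
SAMPLE_EVENTS = [
    # Helpdesk identity resets all factors for a privileged user ...
    {"published": "2023-09-08T14:02:10Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"id": "00u_helpdesk01"}, "target": [{"id": "00u_admin_jsmith"}],
     "client": {"ipAddress": "10.20.30.40"}},
    # ... a new factor is activated for that user a minute later ...
    {"published": "2023-09-08T14:03:05Z", "eventType": "user.mfa.factor.activate",
     "actor": {"id": "00u_admin_jsmith"}, "target": [{"id": "00u_admin_jsmith"}],
     "client": {"ipAddress": "10.20.30.40"}},
    # ... and the first session afterwards comes from outside corporate egress.
    {"published": "2023-09-08T14:20:33Z", "eventType": "user.session.start",
     "actor": {"id": "00u_admin_jsmith"}, "target": [],
     "client": {"ipAddress": "198.51.100.77"}},
    # That session then grants an admin role to another account.
    {"published": "2023-09-08T14:25:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"id": "00u_admin_jsmith"}, "target": [{"id": "00u_newadmin"}],
     "client": {"ipAddress": "198.51.100.77"}},
    # Benign: the provisioning automation grants a role as part of onboarding.
    {"published": "2023-09-08T09:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"id": "00u_scim_provisioner"}, "target": [{"id": "00u_ops1"}],
     "client": {"ipAddress": "10.20.30.41"}},
    # Benign: factor enrolment followed by a login from corporate egress.
    {"published": "2023-09-08T10:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"id": "00u_ops1"}, "target": [{"id": "00u_ops1"}],
     "client": {"ipAddress": "10.20.30.42"}},
    {"published": "2023-09-08T10:05:00Z", "eventType": "user.session.start",
     "actor": {"id": "00u_ops1"}, "target": [],
     "client": {"ipAddress": "10.20.30.42"}},
]

CORPORATE_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate egress
PROVISIONING_ACTORS = {"00u_scim_provisioner"}            # assumed automation identities
MFA_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_CIDRS)


def _subject_id(event):
    """The user an event is about: first target for factor/privilege events, else the actor."""
    return event["target"][0]["id"] if event["target"] else event["actor"]["id"]


def hunt(events, window_hours=24):
    """Return (rule, user_id, detail) tuples for the two indicators."""
    findings = []
    ordered = sorted(events, key=_ts)

    # Rule 1: factor change followed, within the window, by a session from a non-corporate IP.
    last_factor_change = {}  # user_id -> time of most recent factor change
    for ev in ordered:
        if ev["eventType"] in MFA_CHANGE_EVENTS:
            last_factor_change[_subject_id(ev)] = _ts(ev)
        elif ev["eventType"] == "user.session.start":
            uid = ev["actor"]["id"]
            changed = last_factor_change.get(uid)
            ip = ev["client"]["ipAddress"]
            if changed and _ts(ev) - changed <= timedelta(hours=window_hours) and not _is_corporate(ip):
                findings.append(("mfa_change_then_external_session", uid,
                                 f"factor changed {changed:%H:%M}Z, session from {ip}"))

    # Rule 2: privilege grant performed by anything other than the provisioning identity.
    for ev in ordered:
        if ev["eventType"] == "user.account.privilege.grant" and ev["actor"]["id"] not in PROVISIONING_ACTORS:
            findings.append(("admin_grant_outside_provisioning", _subject_id(ev),
                             f"granted by {ev['actor']['id']} from {ev['client']['ipAddress']}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

Rule 1 deliberately keys on the first session after the factor change rather than on the factor change alone, because helpdesk resets are routine; it is the combination with an unexpected source address that matches the indicator. Rule 2 is only as good as the allowlist of provisioning identities, so keep that list under change control.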
Lessons for defenders
Helpdesk verification needs callback to a known-good number. Scattered Spider exploits the helpdesk's incentive to resolve tickets quickly. Mandatory callback to the phone number on file (not a number provided by the caller), supervisor approval for any privileged-user MFA reset, and out-of-band verification for high-risk identities defeat this technique.
Identity provider compromise is your worst day. When Okta or Azure AD admin access falls to an attacker, every federated SaaS application is now reachable. Treat IdP admin access as tier-zero, with hardware-backed MFA, dedicated admin accounts, just-in-time elevation, and IP allowlisting to corporate egress points only.
Segment identity trust between IT and OT. MGM's casino floor systems trusted the same IdP as corporate email. Network segmentation alone is not enough when identity federation spans the boundary. Mature OT environments use separate identity stacks for OT control systems with independent authentication and dedicated administrative access.
Practice the 'attacker has helpdesk access' scenario. Tabletop exercises that assume a successful helpdesk social engineer expose where the next defensive layers actually fire. Most organizations discover during the tabletop that no second layer exists, which is the exercise's value.
Frequently asked questions
How did Scattered Spider get into MGM Resorts?
Per Mandiant and CrowdStrike attribution, Scattered Spider operators called the MGM IT helpdesk impersonating an employee whose identity attributes had been gathered from public sources. The helpdesk reset credentials and registered an attacker-controlled MFA device. The technique maps to MITRE ATT&CK T1566.004 (Spearphishing Voice) and T1556.006 (modifying MFA configuration).
Why was the MGM Resorts attack so disruptive to the casino floor?
MGM's casino floor systems shared identity provider trust with corporate IT. When Scattered Spider obtained Okta admin access, the attacker could reach federated systems across the casino back-of-house. Network segmentation existed but identity federation crossed the segmentation boundary, which is a common architectural gap in environments with both IT and OT.
What controls would have stopped the MGM Resorts attack?
Mandatory callback verification to a known-good number on every helpdesk MFA reset request. Hardware-backed MFA (FIDO2 keys) for IdP admin accounts. Just-in-time elevation for IdP admin operations rather than standing privileges. Independent identity stacks for OT systems. Each of these is now standard guidance from the Identity Defined Security Alliance post-incident.
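The helpdesk controls named in the "Lessons for defenders" section and restated in this answer (callback only to the number on file, a second approver for privileged identities, out-of-band handling when the caller supplies a different number) are easy to state and easy to skip under ticket-closure pressure, so it helps to encode them as a policy check the ticketing workflow can enforce rather than a checklist the agent remembers. The following is an added example, not MGM's process and not the IDSA guidance text: the directory, phone numbers, user and agent identifiers, and the tier-zero flag are all constructed.

```python
"""Policy gate for a helpdesk MFA reset request (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed identity directory. Numbers are reserved fictional values.
DIRECTORY = {
    "jsmith@example.com": {"phone_on_file": "+1-555-0100", "tier_zero": True,  "supervisor": "mlee@example.com"},
    "ops1@example.com":   {"phone_on_file": "+1-555-0101", "tier_zero": False, "supervisor": "mlee@example.com"},
}


@dataclass
class ResetRequest:
    claimed_user: str
    caller_supplied_number: Optional[str]   # number the caller asked to be called back on, if any
    callback_number_used: Optional[str]     # number the agent actually dialled; None if no callback
    callback_confirmed: bool                # identity re-confirmed on that callback
    agent: str
    supervisor_approver: Optional[str] = None


def evaluate(req: ResetRequest, directory=DIRECTORY) -> List[str]:
    """Return the unmet requirements; an empty list means the reset may proceed."""
    unmet = []
    record = directory.get(req.claimed_user)
    if record is None:
        return ["unknown_identity"]

    # Control 1: the callback must reach the number on file and confirm identity there.
    if req.callback_number_used != record["phone_on_file"] or not req.callback_confirmed:
        unmet.append("callback_to_number_on_file")

    # A caller-supplied number that differs from the record is the pattern to refuse at the
    # helpdesk; legitimate phone changes go through a separately verified path, not this ticket.
    if req.caller_supplied_number and req.caller_supplied_number != record["phone_on_file"]:
        unmet.append("caller_supplied_number_differs_from_file")

    # Control 2: tier-zero identities need the designated supervisor, who cannot be the agent.
    if record["tier_zero"] and (
        req.supervisor_approver != record["supervisor"] or req.supervisor_approver == req.agent
    ):
        unmet.append("supervisor_approval_for_privileged_identity")
    return unmet


def decision(req: ResetRequest) -> str:
    return "approve" if not evaluate(req) else "hold"


# Scenario A: caller asks to be called back on a number they provide (the incident's pattern).
CALLER_NUMBER = ResetRequest("jsmith@example.com", "+1-555-0199", "+1-555-0199", True, "agent7")
# Scenario B: callback done correctly, but no second approver for a tier-zero identity.
NO_SUPERVISOR = ResetRequest("jsmith@example.com", None, "+1-555-0100", True, "agent7")
# Scenario C: fully verified tier-zero reset.
VERIFIED = ResetRequest("jsmith@example.com", None, "+1-555-0100", True, "agent7", "mlee@example.com")
# Scenario D: non-privileged user, callback to number on file, no supervisor needed.
STANDARD_USER = ResetRequest("ops1@example.com", None, "+1-555-0101", True, "agent7")

if __name__ == "__main__":
    for name, req in [("A", CALLER_NUMBER), ("B", NO_SUPERVISOR), ("C", VERIFIED), ("D", STANDARD_USER)]:
        print(name, decision(req), evaluate(req))
```

The point of returning the list of unmet requirements rather than a bare yes/no is that the ticket can record exactly which checks were performed, which is what the "helpdesk ticket logs showing MFA reset requests ... without callback verification" indicator above needs to be huntable after the fact.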
Sources
- MGM Resorts International SEC 8-K Filing (October 5, 2023) · Official disclosure of operational impact and financial estimate
- CISA Advisory AA23-320A: Scattered Spider · Federal advisory with Scattered Spider TTPs
- Mandiant 0ktapus, Scatter Swine, UNC3944 Tracking · Mandiant attribution and SaaS targeting analysis
- CrowdStrike SCATTERED SPIDER Hops onto SaaS Applications · CrowdStrike threat intelligence on the actor's evolution
- MITRE ATT&CK T1566.004 Spearphishing Voice
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.