Decipher Files: MGM Resorts and the Vishing Call That Stopped a $7 Billion Casino
ALPHV/BlackCat affiliate Scattered Spider used a 10-minute vishing call against MGM Resorts' IT help desk to obtain credentials for a privileged Okta account, then encrypted the casino operator's infrastructure. The shutdown lasted 10 days, cost MGM approximately $100 million in direct revenue, and produced the canonical 2023 case study for help-desk security controls.
Founder, DecipherU. Ed.D. Learning Sciences (University of Miami), MBA Marketing, M.S. OLL (Barry University), M.S. Applied AI in progress (Northeastern University).
MGM Resorts disclosed the cybersecurity incident on September 11, 2023 (MGM Resorts 8-K filing). The actor, identified as Scattered Spider (also tracked as Octo Tempest by Microsoft, UNC3944 by Mandiant), gained initial access through a vishing call to MGM's IT help desk on or around September 9, 2023. The actor researched a senior MGM IT employee on LinkedIn, called the help desk impersonating that employee, and convinced the help-desk technician to reset the employee's Okta-protected credentials. From that initial access, the actor escalated to Okta administrative privileges and deployed ALPHV/BlackCat ransomware across MGM's environment.
MGM's October 5, 2023 8-K/A filing quantified the impact: approximately $100 million in adjusted EBITDAR loss in Q3 2023 directly attributable to the incident, plus approximately $10 million in incident-response costs. Customer-facing systems including hotel room keys, slot machines, and reservation systems were offline for an estimated 10 days at MGM properties on the Las Vegas Strip and at company-operated regional casinos. The 8-K/A explicitly acknowledged that MGM did not pay a ransom; the company's recovery relied on backup restoration and infrastructure rebuild rather than decryption.
The technical anatomy was reconstructed primarily from Mandiant's UNC3944 research publications, Microsoft's Octo Tempest blog (October 25, 2023), and CISA-FBI joint advisory AA23-320A (November 16, 2023, on Scattered Spider specifically). Five elements compounded:
1. OSINT on the target: Scattered Spider's tradecraft consistently includes LinkedIn-driven enumeration of senior IT staff at the target organization. The pretext call uses information from the target's professional profile, internal-system terminology gleaned from public job postings, and recent corporate announcements.
2. Help-desk social engineering: the call exploits two structural weaknesses in most enterprise help desks. First, the help desk is typically optimized for speed and customer-satisfaction metrics that reward credential resets without strong identity verification. Second, the help desk often has the technical capability to reset credentials for privileged accounts, even when the requester is impersonating the holder of one of those accounts.
3. Okta administrative escalation: once the actor obtained the senior IT employee's credentials, the actor used Okta administrative APIs to enroll new authenticators, reset passwords for additional privileged accounts, and pivot through the IdP to the broader environment.
4. Lateral movement and exfiltration: ALPHV/BlackCat's standard operational pattern includes data exfiltration before encryption. Approximately 6 TB of MGM data was exfiltrated; subsequent extortion attempts referenced this data even after MGM declined to pay.
5. Encryption deployment: the actor encrypted approximately 100 ESXi hypervisors, taking out the vast majority of MGM's virtualized infrastructure simultaneously.
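Step 3 is the part of the chain a defender can see in the identity provider's own audit trail. The following is an added detection example, not code from the article, from MGM or from Okta: it scans constructed Okta System Log style events for a credential or MFA reset performed on an account by someone else (the help-desk pattern), followed within a short window by that account opening the Okta admin console and resetting passwords or factors on other accounts. The eventType strings follow Okta System Log naming but should be treated as an assumption to verify against a real tenant export; the two-hour window and the sample events are constructed for the example.

```python
"""Detection logic for the Okta escalation chain described in step 3.

Added example (not from the article, MGM, or Okta). Pattern looked for:
a password/MFA reset on an account performed by a different actor,
followed within WINDOW by that account opening the Okta admin console
and performing credential or factor resets against OTHER accounts.
Event type names are an assumption to verify against your tenant.
"""
from datetime import datetime, timedelta

HELPDESK_RESET = {"user.account.reset_password", "user.mfa.factor.reset_all"}
ADMIN_CONSOLE = "user.session.access_admin_app"
PRIVILEGED_ACTIONS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.activate",
}
WINDOW = timedelta(hours=2)  # assumed correlation window after the reset


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def find_escalation_chains(events):
    """Return one alert dict per account whose help-desk reset was followed by
    admin console access plus privileged actions against other accounts."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in HELPDESK_RESET or ev["actor"] == ev["target"]:
            continue  # only resets done on someone else's account
        victim, t0 = ev["target"], _ts(ev)
        opened_console, actions = False, []
        for later in events[i + 1:]:
            if _ts(later) - t0 > WINDOW:
                break  # events are sorted, nothing later can correlate
            if later["actor"] != victim:
                continue
            if later["eventType"] == ADMIN_CONSOLE:
                opened_console = True
            elif later["eventType"] in PRIVILEGED_ACTIONS and later["target"] != victim:
                actions.append((later["eventType"], later["target"]))
        if opened_console and actions:
            alerts.append({
                "account": victim,
                "reset_by": ev["actor"],
                "reset_at": ev["published"],
                "actions": actions,
            })
    return alerts


# Constructed sample events (not real MGM data). Fields loosely mirror the
# System Log shape: published, eventType, actor (who acted), target (on whom).
SAMPLE_EVENTS = [
    {"published": "2023-09-09T08:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.tech@example.com", "target": "sales.user@example.com"},
    {"published": "2023-09-09T08:05:00Z", "eventType": "user.session.start",
     "actor": "sales.user@example.com", "target": "sales.user@example.com"},
    {"published": "2023-09-09T09:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.tech@example.com", "target": "it.director@example.com"},
    {"published": "2023-09-09T09:04:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "it.director@example.com", "target": "it.director@example.com"},
    {"published": "2023-09-09T09:05:00Z", "eventType": "user.session.access_admin_app",
     "actor": "it.director@example.com", "target": "it.director@example.com"},
    {"published": "2023-09-09T09:10:00Z", "eventType": "user.account.reset_password",
     "actor": "it.director@example.com", "target": "svc.backup@example.com"},
    {"published": "2023-09-09T09:12:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "it.director@example.com", "target": "okta.admin2@example.com"},
    # outside the window: must not be attributed to the 09:00 reset
    {"published": "2023-09-09T14:00:00Z", "eventType": "user.account.reset_password",
     "actor": "it.director@example.com", "target": "late.user@example.com"},
]

if __name__ == "__main__":
    for alert in find_escalation_chains(SAMPLE_EVENTS):
        print(alert)
```

Re-enrolling a factor on one's own account right after a reset is normal user behaviour, so the rule deliberately ignores it and only counts actions against other accounts; that keeps the ordinary help-desk reset (the sales.user events above) quiet while the director's chain is flagged.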
The companion incident at Caesars Entertainment (disclosed September 14, 2023, 8-K filing) is structurally similar: same threat actor, same vishing-against-help-desk initial access, same blast-radius pattern. The difference is that Caesars paid an estimated $15 million ransom (Wall Street Journal, September 13, 2023) and the operational impact was substantially smaller. The comparative case study for cybersecurity programs (MGM did not pay and took 10 days to recover; Caesars paid and was operational within days) is one of the most discussed in the post-incident analysis literature.
Five lessons that compound for cybersecurity practitioners:
First, help-desk identity verification is now an attack surface that requires its own controls. The cybersecurity industry's Identity Verification Standard (IDVS) work, the FIDO Alliance's Identity Verification specifications, and CISA's January 2025 guidance on help-desk security are all direct downstream outputs of MGM and Caesars. Cybersecurity-program implications: every help desk that can reset credentials for privileged accounts requires at minimum multi-channel verification (out-of-band callback to a known phone number on file, video confirmation, or in-person re-enrollment for the highest-privilege accounts).
Second, Okta administrative scope is dangerous. An Okta administrator can reset MFA, modify access policies, and provision new authenticators for any account in the tenant. Okta's October 2023 security advisory (and the subsequent BeyondTrust, 1Password, Cloudflare incidents arising from a different Okta-support compromise) demonstrate that Okta administrative compromise has the highest blast radius of any identity-provider role. Cybersecurity-program implications: Okta administrative access requires hardware-key-only authentication, IP-restricted access, and time-bound elevation rather than standing privilege.
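The first two lessons each describe a control as a policy: a reset on a privileged account only proceeds after verification on a channel the caller cannot steer, and an Okta administrative session only opens with a hardware key, from an allow-listed network, inside a time-bound elevation. The following is an added example, not MGM's, Okta's or the article's code, that encodes both policies as checks a help-desk tool or access broker could call. The tier names, channel names, the admin network range and the one-hour elevation limit are assumptions chosen to make it runnable.

```python
"""Policy checks for the help-desk and Okta-admin controls in lessons one and two.

Added example, not MGM's, Okta's, or the article's code. Tier names, channel
names, ADMIN_NETWORKS and MAX_ELEVATION are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed account tiers -> acceptable verification routes; any one route must
# be completed in full. Higher tiers need channels the caller cannot steer.
TIER_ROUTES = {
    "standard":   [{"knowledge_questions"}],
    "privileged": [{"callback_to_number_on_file"}],
    "okta_admin": [{"video_confirmation"}, {"in_person_reenrollment"}],
}


@dataclass
class ResetRequest:
    account: str
    tier: str
    channels_completed: Set[str]
    number_on_file: Optional[str] = None        # from the HR/directory record
    callback_number_used: Optional[str] = None  # where the technician actually called


def authorize_credential_reset(req: ResetRequest) -> Tuple[bool, str]:
    """Decide whether a help-desk credential reset may proceed."""
    if req.tier not in TIER_ROUTES:
        return False, f"unknown tier {req.tier!r}"
    # A callback only counts if it went to the directory number, never to a
    # number the caller supplied during the call.
    if "callback_to_number_on_file" in req.channels_completed:
        if not req.number_on_file or req.callback_number_used != req.number_on_file:
            return False, "callback did not go to the number on file"
    if any(route <= req.channels_completed for route in TIER_ROUTES[req.tier]):
        return True, "verified"
    needed = " or ".join("+".join(sorted(r)) for r in TIER_ROUTES[req.tier])
    return False, f"tier {req.tier} requires {needed}"


ADMIN_NETWORKS = [ip_network("10.20.0.0/24")]  # assumed jump-host range
HARDWARE_FACTORS = {"webauthn"}                # FIDO2 security keys only
MAX_ELEVATION = timedelta(hours=1)             # assumed time-bound elevation


@dataclass
class AdminSessionRequest:
    user: str
    factor_type: str                 # e.g. "webauthn", "push", "sms"
    source_ip: str
    elevated_at: Optional[datetime]  # None means standing (permanent) privilege
    now: datetime


def authorize_admin_session(req: AdminSessionRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); every failed control is reported, not just the first."""
    reasons = []
    if req.factor_type not in HARDWARE_FACTORS:
        reasons.append(f"factor {req.factor_type!r} is not a hardware key")
    if not any(ip_address(req.source_ip) in net for net in ADMIN_NETWORKS):
        reasons.append(f"source {req.source_ip} is outside the admin network")
    if req.elevated_at is None:
        reasons.append("standing admin privilege; time-bound elevation required")
    elif req.now - req.elevated_at > MAX_ELEVATION:
        reasons.append("elevation window expired")
    return (not reasons), reasons


# Constructed timestamps for the demo below and for tests.
DEMO_NOW = datetime(2023, 9, 9, 10, 0, tzinfo=timezone.utc)
DEMO_ELEVATED_AT = DEMO_NOW - timedelta(minutes=10)

if __name__ == "__main__":
    print(authorize_credential_reset(ResetRequest(
        "it.director", "privileged", {"callback_to_number_on_file"},
        number_on_file="+1-555-0100", callback_number_used="+1-555-0199")))
    print(authorize_admin_session(AdminSessionRequest(
        "okta.admin", "sms", "203.0.113.7", None, DEMO_NOW)))
```

The callback check is the point of the first function: a technician who "verifies" by calling back a number the caller just read out has verified nothing, so the decision is made against the number on file. The second function reports every failed control rather than the first one, which is what an access-review log needs when standing privilege and a non-hardware factor are both present.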
Third, the ransom-payment economics depend on backup integrity. MGM's decision not to pay was operationally feasible because the company's backup posture supported restoration without unacceptable data loss. Caesars's payment decision is harder to second-guess without complete visibility into their backup posture, but the comparative case demonstrates that ransom-payment-vs-restoration decisions are downstream of the pre-incident backup investment. CISA's #StopRansomware guidance prioritizes immutable backups specifically for this reason.
Fourth, ESXi mass-encryption is now a reliable tradecraft component. The actor's ability to encrypt approximately 100 hypervisors simultaneously implies privileged access to the virtualization management layer. VMware's vCenter compromise patterns (CVE-2021-21972, CVE-2021-21985, multiple 2022-2023 vCenter vulnerabilities) all enable this kind of deployment. The cybersecurity-program implication is that vCenter administrative access requires the same hardening posture as domain-controller access, with isolated jump-host architectures and tier-zero administrative discipline.
Fifth, executive public communication during a major incident is structurally hard. MGM CEO Bill Hornbuckle's September 14, 2023 customer letter set a template of substantive, candid disclosure. Caesars's contemporaneous handling of its own incident was more circumspect. The lesson for disclosure practitioners is that early-stage communication anchors customer perception across the recovery; the framework MGM used (acknowledge, commit to specific operational milestones, decline to ransom-shame the company that paid) has been adopted as informal best practice across the casino-and-hospitality industry.
For careers: incident responders, IAM engineers specializing in Okta administrative-privilege design, threat-intelligence analysts tracking Scattered Spider, and cybersecurity consultants advising on help-desk security controls all reference MGM as core curriculum.
Verifiable Predictions
By end of 2026, FIDO Alliance's Identity Verification specifications will be cited as required controls in at least one US federal cybersecurity guidance document for help-desk operations.
Scattered Spider or its successor groups will continue to use vishing-against-help-desk as a primary initial-access technique through 2026, given the consistent operational productivity demonstrated.
At least one major US-listed gaming company will publicly disclose its move to hardware-key-only authentication for Okta administrative access within 24 months of MGM.
References
- MGM Resorts International (2023). Form 8-K filed September 11, 2023 and Form 8-K/A filed October 5, 2023. US Securities and Exchange Commission.
- Cybersecurity and Infrastructure Security Agency (2023). AA23-320A: Scattered Spider Threat Actor Joint Cybersecurity Advisory. CISA Cybersecurity Advisory.
- Microsoft Threat Intelligence (2023). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Microsoft Security Blog.
- Mandiant (2023). UNC3944 Targets SaaS Applications with Sophisticated Social Engineering. Mandiant Threat Research.
- Caesars Entertainment Inc. (2023). Form 8-K filed September 14, 2023. US Securities and Exchange Commission.
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and cited academic sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.
This analysis covers the September 2023 period. DecipherU reviews and updates trend articles monthly. The article includes 3 verifiable predictions that will be tracked and updated as events unfold.
Based on this trend, relevant certifications include CISSP, AZ-500, and CISM. Visit our certification guides for current pricing, exam format, and ROI analysis.