Casino results


The break-in began on an otherwise typical Las Vegas Friday night.

Step one was a phone call to MGM Resorts’ tech support. The person on the line said they were an employee, but had forgotten their password and were locked out of their account.

They gave some personal information over the phone. It all checked out.

What tech support didn’t realize was that the caller was a hacker.

A few minutes later, the real MGM employee received a notification that his password had been reset and reported this to the IT department.

By then, it was too late. The hackers were in.

MGM fought back, throwing its hotels and casinos into chaos in the process.

The hack, in early September, put corporate America on notice. The gang had broken into an industry that prides itself on vigilance—where security teams watch over every dice roll and slot pull. Now the world knew a group of elusive young hackers was on the prowl and capable of doing grave damage.

The gang behind the MGM hack call themselves Star Fraud, and investigators say they sprung out of a sprawling online community called the Com. Virtually unheard of five years ago, the Com has become one of the top cybersecurity problems facing the U.S.

Com hackers have stolen millions of dollars in cryptocurrency heists. They have driven teenagers to despair with sextortion schemes. They have successfully masqueraded as FBI agents to trick Apple and Meta into revealing the home addresses and phone numbers of their users. They have hired criminals to throw Molotov cocktails or even fire guns at the homes of rivals. They’ve hacked into Microsoft, Nvidia, Uber and Samsung. They’ve stolen the source code to an unreleased version of the videogame “Grand Theft Auto,” and tried to extort millions from dozens of companies around the world.

They’re videogamers and braggarts and con artists and criminals. And they’re often teenagers from English-speaking countries including the U.S., Canada and the U.K. “They’re basically children who grew up in online communities that groom children to do cybercrime,” said Allison Nixon, a researcher with the cybersecurity firm Unit 221B, who has tracked the Com since its inception.

Unlike previous generations of young hackers, who relished breaking into computer systems to show off their prowess, she said, Com kids are primarily motivated by status and money. “They are not driven by a love of technology,” she said.

This account is based on court filings on cases related to the Com, interviews with cybersecurity analysts, law enforcement officers and MGM executives, and an online chat with an anonymous person identified as an associate of the hackers.

Saturday: Whac-A-Mole

On the surface, it was business as usual at MGM Resorts the morning after the hack, Saturday, Sept. 9.

Star Fraud had targeted a widely overlooked and hard-to-fix weakness in technology—the tech support systems that help people get into their online accounts when they’re locked out.

Like many gangs plotting a casino heist, they had cased the joint in advance—this time, digitally. The anonymous associate of the gang later told The Wall Street Journal the group had obtained information on the MGM employee they impersonated by mining the vast troves of stolen and illegally available data on the internet.

MGM declined to release communications from the hackers.

In other cases, Star Fraud has also pressured individuals directly to share their credentials to gain company access. In one set of text messages sent to a different victim by Star Fraud, they sent a stream of threatening messages.

“If we don’t get ur…login in the next 20 minutes, were sending a shooter to your house,” said one, followed by, “ur wife is gonna get shot if you dont.”

The hackers were busy on Saturday, burrowing into MGM’s corporate networks and trying to steal secrets and customer data. The company brought in a cyber investigation firm, which said they were dealing with a particularly tenacious and dangerous hacking group.

Some of the gang’s activity was more juvenile. They renamed files on the network with racist terms and crude labels. The hackers liked to use the eggplant emoji as a phallic stand-in.

That evening, Chief Executive Bill Hornbuckle went to a gala event at the Wynn Las Vegas, where his wife, Wendy Hornbuckle, was being honored for her philanthropic work. A top lawyer for MGM, Ashley Eddy, was also there.

Hornbuckle and Eddy swapped messages as increasingly worrisome updates came in from tech staff. Late in the night, Hornbuckle and some of the incident-response team decided to stop using email, worried that the hackers might have gained access.

The hackers were moving from one computer system to another, getting the kind of access to systems that normally only IT staffers would get. MGM’s technology staff shut down accounts that had been penetrated by the hackers—only to see them pop up somewhere else.

By midnight, executives knew they were in a full-scale crisis.

Sunday: Fallout

Around 5 a.m., Hornbuckle gave the order. It was time to start shutting down some of the company’s systems.

The shutdowns, including its email, would lock out the hackers, the company figured, and the tech team could clean up anything the gang had left behind. It would make communications between employees and online bookings more difficult, but it wouldn’t cause a catastrophe.

Communication had already become difficult. When a member of the incident response team tried to use Microsoft Teams to call an employee whose password had just been reset, one of the hackers answered.

That day, Gail and Bob Parnell traveled to Las Vegas from the Dallas-Fort Worth area on a long-planned vacation to celebrate his 65th birthday. They’re top customers with MGM, and the company sent a limo to pick up the couple from the airport for their stay at the Delano, part of the MGM-owned Mandalay Bay casino.

Everything seemed normal until Monday, Gail said—then “all hell broke loose.”

Monday: Grand Theft Casino

By Monday, MGM’s troubles were visible to casino visitors—and the world. The company released a statement that it was investigating a cybersecurity issue, and the news made global headlines.

Bob Parnell couldn’t cash out his winnings at a slot machine. He asked for help by pressing a call attendant button, but 45 minutes went by without anyone showing up. They asked a security guard for guidance, but no one seemed to know what was happening.

“We started seeing all the machines were flashing: shut down,” Gail said. “People were just wandering around. Nobody wanted to play anything…. There was a line a mile long to try to talk to people about what was going on.”

MGM Resorts scrambled to operate in manual mode, including more than 37,200 hotel rooms and one million square feet of casino floors on the Strip.

Long lines stacked up at hotel front desks, where guests had to be welcomed with pen-and-paper check-ins. Usually, about a third of MGM’s guests check in on their phones and use the mobile app as their hotel key. Suddenly, those apps no longer worked.

Other employees were assigned to each of the elevators with walkie-talkies to operate the elevators manually.

Tuesday: Counterstrike

The first email with Star Fraud’s demands finally came at 2 a.m.

The hackers emailed Hornbuckle a standard ransomware note saying they’d installed devastating software that would freeze systems across MGM’s network. They wanted more than $30 million for the cryptographic keys that would allow MGM to get things up and running again.

MGM’s response: silence. With MGM’s email down, Hornbuckle didn’t have direct access to his messages. Security investigators didn’t see it until 12 hours later.

Adam Meyers, senior vice president of counter adversary operations with CrowdStrike, which has looked into more than 50 cyber break-ins by Star Fraud, hesitates to even call the Com hackers. “They’re just criminals and ne’er-do-wells,” said Meyers.

When Nixon of Unit 221B first started working in cybersecurity in 2011, she found herself studying an online criminal underworld mostly made up of young men. Many of them were obsessed with boosting their internet credibility by defacing websites and buying and selling hacking tools.

Over the years they expanded to sharing stolen data, seizing control of Instagram and online gaming accounts, and causing pain to their online rivals in the real world. Sometimes they did this by tricking law enforcement into thinking there was a shooting at a rival’s house, prompting officers to send a SWAT team to kick in the doors.

Com hackers became masters of the SIM swap—a technique for taking control of someone else’s mobile phone number. Sometimes they would bribe phone company employees to do this. Other times, they’d trick the employees into visiting fake websites, where the hackers would steal the login credentials, or get employees to install software that would do the same thing.

When a particular con worked, they would write it down as a script and share it in private discussion groups.

“Hi this is Owen calling from T Mobile’s HelpDeskTeam,” reads the beginning of one script. “The ticket your team put in couldn’t be processed because we didn’t have enough information.”

Scripts like this helped Com members take over cryptocurrency accounts and steal millions of dollars. For years they operated on the fringes of the internet.

Things changed on Jan. 21, 2022. That’s when the online identity management company Okta was hacked by a group that cybersecurity analysts say had cut its teeth in the Com. The group called itself Lapsus$, and over the next months, they broke into Samsung, Nvidia and Microsoft.

One of their leaders, a U.K. teenager named Arion Kurtaj, had been arrested a month earlier. After his release, while still under investigation, Kurtaj continued to hack, according to Kevin Barry, the British barrister who prosecuted him.

Last year, a British court found Kurtaj, who is autistic, unfit to stand trial and ordered him to be held indefinitely at a medical facility until he is no longer deemed a danger to the public, Barry said. Kurtaj’s lawyer didn’t return messages seeking comment.

Other Com hackers were starting to extort corporations. Sometimes they formed splinter groups, such as Star Fraud.

Last year, it partnered with a Russian group called Alphv, which the FBI described as one of the most active hacking operations around. Star Fraud planned to use Alphv’s ransomware to encrypt thousands of MGM’s computer systems, rendering them unusable until Hornbuckle and his team paid up.

To Hornbuckle and Eddy, the hackers’ request was preposterous. Their computer systems had already been down for two days, and they had no reason to trust Star Fraud. The company ignored the hackers’ messages, which grew angrier. As the hackers were booted from the network, they threatened to break into MGM all over again.

The company’s task had become more daunting. Instead of simply cleaning up infected parts of the computer systems, now they’d have to rebuild the thousands of servers the company used from scratch, installing clean versions of the operating system and other software. The cost would far exceed the ransom request. MGM decided to do it anyway.

One person who claimed to be a member of the group reached out to the press, including the Journal, through a cybersecurity researcher. In Telegram chats, the person said that MGM’s cybersecurity was subpar.

Soon after, an Alphv site on the dark web claimed the person who had contacted reporters wasn’t involved in the hack.

On casino floors, players still couldn’t use tickets to cash out their winnings. Executives with fanny packs of cash walked around to help stranded slot players waiting for their money. Some people waiting on just a few dollars walked away instead. The company served up cocktails to hotel guests waiting in long lines to check in via paper.

Thursday: Game over

MGM’s guest-facing operations had returned mostly to normal six days after the hackers first called, though some guests still faced long check-in lines at hotels. The behind-the-scenes work took weeks longer. That same week, the Journal reported that Caesars Entertainment, MGM’s biggest rival on the Strip, had paid about half of a $30 million ransom demand over the summer to make a group of hackers go away—part of a wave of increasing attacks on gaming companies.

The FBI advises companies not to pay these ransoms. Nearly 30% of victims opted to pay them in the fourth quarter last year, down from 72% four years earlier, according to ransomware negotiator Coveware. The average ransom was nearly $569,000.

The hackers were able to steal names and contact information for an unspecified number of customers before March 2019. Their credit card and bank information remained secure, MGM says.

The hack cost the company about $100 million in lost hotel and casino revenues. The company also reported a one-time expense of less than $10 million for the cybersecurity response, including tech consulting and legal fees, as the company brought in an army of technology workers to reformat its thousands of servers. Hornbuckle said it was worth it to protect sensitive customer data and thwart the hackers. The company expects cybersecurity insurance to cover the costs.

“They didn’t get what they were looking for,” he said.

Sarah Krouse contributed to this article.

Write to Robert McMillan at [email protected] and Katherine Sayre at [email protected]

Source: https://www.msn.com/en-us/money/companies/the-audacious-mgm-hack-that-brought-chaos-to-las-vegas/ar-BB1kJ8hv