Privilege Escalation

Okta Super Admin Takeover

Using the compromised employee credentials attackers gained access to MGM's Okta identity platform and escalated privileges to Super Administrator level. This gave them the ability to authenticate as any employee across every connected system in MGM's environment.

Lateral Movement

Azure Active Directory Domain Compromise

From Okta the attackers moved into MGM's Azure Active Directory domain controller exploiting weak MFA implementations. This gave them unrestricted movement across MGM's internal network including access to critical casino infrastructure, hotel systems, and financial platforms.

Collection

6 Terabytes of Data Exfiltrated

Scattered Spider exfiltrated approximately 6 terabytes of sensitive data from MGM's systems including customer personal information, employee records, and internal documents before triggering the ransomware deployment.

Execution

BlackCat ALPHV

After establishing full network control Scattered Spider deployed BlackCat also known as ALPHV ransomware across MGM's critical systems. Casino slot machines went offline. Hotel room digital keys stopped working. ATMs across MGM properties went dark. The attack caused an estimated $100 million in operational losses over ten days.

Actions on Objectives

Ransom Demand and Public Extortion

Scattered Spider demanded a ransom from MGM threatening to publish the stolen 6 terabytes of data. MGM refused to pay and worked with law enforcement and the FBI instead. The disruption lasted approximately ten days before operations were restored. Caesars Entertainment faced the same group days earlier and reportedly paid a $15 million ransom to prevent data publication. Caesars quietly restored operations while MGM's refusal played out publicly.

Context

Scattered Spider Identity and Arrests

Scattered Spider also known as UNC3944 is a loosely organized cybercrime group primarily composed of English speaking young adults some as young as 19 years old operating from the United States and United Kingdom. The group specializes in social engineering and help desk manipulation. Several members were arrested by the FBI in 2024. The group successfully compromised both MGM and Caesars within days of each other demonstrating that the hospitality sector had systemic security weaknesses beyond any single company.