In September 2023, two of the largest casino and hospitality companies in the world were brought to their knees by a group of hackers whose primary weapon was a phone call. MGM Resorts International and Caesars Entertainment both fell victim to the Scattered Spider threat group, a loosely organized collective of young, English-speaking hackers who had perfected the art of social engineering.
MGM's Las Vegas Strip properties went dark. Slot machines stopped working. Hotel room keys failed. Guests could not check in or out. Reservation systems went offline for over a week. The attack cost MGM an estimated $100 million in lost revenue and remediation expenses. Caesars, hit slightly earlier, chose to pay approximately $15 million of a $30 million ransom demand to avoid similar operational chaos.
Who Is Scattered Spider?
Scattered Spider, also tracked as UNC3944 by Mandiant and as Octo Tempest by Microsoft, is not a traditional nation-state APT group. Its members are predominantly young adults and teenagers based in the United States and the United Kingdom. They operate within a broader cybercriminal community sometimes referred to as "the Com," coordinating through Telegram and Discord.
What makes Scattered Spider dangerous is not technical sophistication in the traditional sense. They do not rely on zero-day exploits or custom malware. Instead, they are exceptionally skilled at social engineering, specifically at impersonating employees on phone calls to IT help desks. They combine this with SIM swapping, MFA fatigue attacks, and credential phishing to gain initial access.
By mid-2023, the group had affiliated with the ALPHV/BlackCat ransomware-as-a-service operation, giving them access to a mature ransomware payload and negotiation infrastructure. This partnership combined Scattered Spider's access capabilities with BlackCat's encryption and extortion toolkit.
The MGM Attack: A 10-Minute Phone Call
The MGM breach reportedly began with a single phone call to the company's IT help desk. The attackers had performed reconnaissance on LinkedIn to identify an MGM employee, then called the help desk posing as that employee and requesting a password reset. The help desk complied.
With valid credentials in hand, the attackers moved quickly. They accessed MGM's Okta identity management environment and then pivoted to the company's Azure cloud infrastructure. Within hours, they had established persistence across multiple systems and began exfiltrating data.
On September 11, 2023, MGM detected the intrusion and began shutting down systems to contain it. This decision, while tactically sound from a containment perspective, resulted in the massive operational disruptions that played out publicly across the Las Vegas Strip.
MGM's entire property management system went offline. The company reverted to manual processes for hotel check-ins, using paper forms and physical keys. Casino floors at the Bellagio, Aria, MGM Grand, Mandalay Bay, and other properties operated at reduced capacity. The MGM Resorts website and mobile app were taken down. Restaurants could only accept cash.
The attackers had also exfiltrated personal data belonging to an undisclosed number of customers, including names, contact information, dates of birth, driver's license numbers, and for some customers, Social Security numbers and passport numbers.
The Caesars Attack: Pay and Stay Quiet
Caesars Entertainment was hit by the same group slightly before MGM, though the company disclosed the breach after MGM's incident became public. Caesars' SEC filing on September 14 revealed that the attackers had accessed the company's loyalty program database, compromising Social Security numbers and driver's license numbers for a "significant number" of members.
Caesars took a different approach than MGM. The company paid approximately $15 million in ransom, reportedly half of the initial $30 million demand. By paying, Caesars avoided the prolonged operational disruption that MGM experienced. The company's casinos continued operating normally, and few customers noticed anything amiss.
This created an uncomfortable public comparison. MGM, by refusing to pay and fighting through the disruption, suffered over $100 million in losses and weeks of degraded operations. Caesars, by paying, kept business running but funded criminal operations and had no guarantee that the stolen data was actually deleted.
The Help Desk Problem
The MGM-Caesars attacks exposed a systemic weakness in enterprise security: the IT help desk. Help desks are designed to be helpful. Their metrics reward speed and customer satisfaction. They are staffed by people trained to solve problems quickly, not to interrogate callers.
Scattered Spider exploited this by calling help desks with enough personal information, gathered from LinkedIn, social media, and previous data breaches, to pass basic identity verification. In many organizations, verifying identity on a help desk call means confirming a name, employee ID, date of birth, or manager's name. All of this information is readily available through OSINT.
After the MGM attack, multiple security researchers noted that the attack vector was not new. Scattered Spider had been using the same techniques against technology companies throughout 2022 and 2023, successfully breaching companies including Twilio, Mailchimp, and multiple cryptocurrency firms.
The lesson was clear: phone-based social engineering against help desks is one of the most reliable initial access vectors in enterprise environments, and most organizations have no meaningful controls to prevent it.
MFA Is Not Enough
Both Caesars and MGM had multi-factor authentication deployed. It did not save them. Scattered Spider has developed several techniques for bypassing MFA:
- MFA fatigue: Repeatedly triggering push notifications to a target's phone until they approve one out of frustration or confusion. This technique works particularly well when combined with a pretextual phone call or text message claiming to be from IT support.
- SIM swapping: Porting a target's phone number to a SIM card controlled by the attacker, allowing them to receive SMS-based MFA codes. Scattered Spider has demonstrated the ability to social engineer telecommunications providers to execute SIM swaps.
- Help desk resets: Convincing help desk staff to reset MFA enrollment, then enrolling the attacker's own device. This was reportedly the technique used in the MGM attack.
- Session hijacking: Using phishing toolkits like EvilProxy or evilginx2 to capture session tokens after a user completes legitimate MFA, then replaying those tokens.
The takeaway is that MFA is a necessary but insufficient control. Organizations need to layer identity verification with phishing-resistant methods like FIDO2/WebAuthn hardware keys and implement strict help desk verification procedures that cannot be bypassed with publicly available information.
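Two of the bypass patterns above leave a recognizable trail in identity-provider audit logs: a burst of push challenges with denials followed by an approval (MFA fatigue), and a help-desk factor reset followed shortly by enrollment from an address the user has never used (the help desk reset pattern). The detection logic below is an added example, not code from the original article or from any vendor; the event schema (`ts`, `user`, `event`, `ip`, `actor`) and the sample events are constructed for illustration and do not reflect a real IdP's log format.

```python
"""Constructed IdP audit-log events and two detections for the MFA bypass
patterns described above. The event schema is an assumption for illustration,
not any identity provider's real log format."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(ts, user, event, ip, actor=None):
    return {"ts": ts, "user": user, "event": event, "ip": ip, "actor": actor}


# Constructed sample data; addresses come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # j.doe: six push challenges in four minutes, three denials, then an approval.
    ev("2023-09-08T02:11:05Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:11:40Z", "j.doe", "mfa.push.denied", "203.0.113.7"),
    ev("2023-09-08T02:12:05Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:12:30Z", "j.doe", "mfa.push.denied", "203.0.113.7"),
    ev("2023-09-08T02:13:00Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:13:20Z", "j.doe", "mfa.push.denied", "203.0.113.7"),
    ev("2023-09-08T02:13:50Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:14:30Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:15:00Z", "j.doe", "mfa.push.sent", "203.0.113.7"),
    ev("2023-09-08T02:15:10Z", "j.doe", "mfa.push.approved", "203.0.113.7"),
    # b.lee: a normal single prompt and approval.
    ev("2023-09-08T08:00:00Z", "b.lee", "mfa.push.sent", "198.51.100.22"),
    ev("2023-09-08T08:00:12Z", "b.lee", "mfa.push.approved", "198.51.100.22"),
    # a.smith: prior login from the office, help-desk factor reset, then enrollment from a new IP.
    ev("2023-09-07T09:00:00Z", "a.smith", "user.login.success", "198.51.100.22"),
    ev("2023-09-08T09:30:00Z", "a.smith", "mfa.factor.reset", "198.51.100.4", actor="helpdesk.agent"),
    ev("2023-09-08T09:41:00Z", "a.smith", "mfa.factor.enrolled", "203.0.113.9"),
    # c.ng: help-desk reset followed by re-enrollment from the user's usual IP (benign).
    ev("2023-09-07T09:05:00Z", "c.ng", "user.login.success", "198.51.100.30"),
    ev("2023-09-08T11:00:00Z", "c.ng", "mfa.factor.reset", "198.51.100.4", actor="helpdesk.agent"),
    ev("2023-09-08T11:06:00Z", "c.ng", "mfa.factor.enrolled", "198.51.100.30"),
]


def _by_user(events):
    """Group events per user, each group sorted by timestamp."""
    groups = defaultdict(list)
    for e in events:
        groups[e["user"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
    return groups


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received at least `min_prompts` push challenges inside
    `window`. A denial followed by an approval inside the same burst is the
    spray-until-they-tap pattern, so it is reported as a separate field."""
    alerts = []
    for user, evs in _by_user(events).items():
        sends = [parse_ts(e["ts"]) for e in evs if e["event"] == "mfa.push.sent"]
        for i, start in enumerate(sends):
            end = start + window
            burst = [t for t in sends[i:] if t <= end]
            if len(burst) < min_prompts:
                continue
            in_burst = [e for e in evs if start <= parse_ts(e["ts"]) <= end]
            denied_at = next((parse_ts(e["ts"]) for e in in_burst
                              if e["event"] == "mfa.push.denied"), None)
            approved_after_denial = denied_at is not None and any(
                e["event"] == "mfa.push.approved" and parse_ts(e["ts"]) > denied_at
                for e in in_burst)
            alerts.append({"user": user, "prompts": len(burst),
                           "first_prompt": start.isoformat(),
                           "approved_after_denial": approved_after_denial})
            break  # one alert per user per burst is enough for triage
    return alerts


def detect_reset_then_new_device(events, window=timedelta(hours=1)):
    """Flag a help-desk MFA factor reset followed within `window` by an
    enrollment from an IP the user had never used before the reset."""
    alerts = []
    for user, evs in _by_user(events).items():
        for idx, e in enumerate(evs):
            if e["event"] != "mfa.factor.reset":
                continue
            reset_at = parse_ts(e["ts"])
            known_ips = {x["ip"] for x in evs[:idx]}  # IPs seen for this user before the reset
            for f in evs[idx + 1:]:
                enrolled_at = parse_ts(f["ts"])
                if (f["event"] == "mfa.factor.enrolled"
                        and enrolled_at - reset_at <= window
                        and f["ip"] not in known_ips):
                    alerts.append({"user": user, "reset_by": e["actor"], "enroll_ip": f["ip"],
                                   "minutes_after_reset": int((enrolled_at - reset_at).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS) + detect_reset_then_new_device(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script reports j.doe's six-prompt burst with an approval after earlier denials and a.smith's enrollment from an unknown address eleven minutes after a help-desk reset, while b.lee's single prompt and c.ng's reset-then-reenroll from a known address stay quiet. The reset detection keys on the gap between the reset actor and the enrolling address rather than on the reset alone, because legitimate resets happen every day; the thresholds and the one-hour window are starting points to tune against your own baseline.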
The Regulatory Fallout
Both MGM and Caesars filed 8-K disclosures with the SEC under the new cybersecurity incident reporting rules that had just taken effect. The attacks became a case study in how the new SEC requirements would play out in practice.
The Nevada Gaming Control Board launched investigations into both companies' cybersecurity practices. Several state attorneys general opened investigations into the handling of customer data. Class-action lawsuits were filed against both companies within days of the disclosures.
The Federal Trade Commission and FBI issued joint advisories about the Scattered Spider group, and the FBI reportedly struggled to build cases against the group's members due to jurisdictional challenges and the difficulty of attributing actions within a loosely organized collective.
Operational Resilience Gaps
The MGM incident revealed how deeply dependent modern hospitality operations are on interconnected IT systems. When MGM shut down its property management system, the cascading effects were far-reaching:
- Room keys are generated digitally and tied to the reservation system
- Casino loyalty programs track and comp players in real-time
- Restaurant and entertainment reservations flow through centralized platforms
- Revenue management and pricing systems adjust dynamically
There was no manual fallback that could replicate these functions at scale. The operational continuity planning had not accounted for a scenario where all digital systems would be simultaneously unavailable for an extended period.
What Changed After the Attack
In the months following the attacks, MGM invested heavily in rebuilding its security infrastructure. The company reportedly overhauled its help desk verification procedures, implemented hardware-based MFA for privileged access, and segmented its network to limit lateral movement.
The broader hospitality industry took notice. The American Gaming Association issued updated cybersecurity guidelines. Several major hotel chains reportedly conducted tabletop exercises specifically modeling Scattered Spider-style attacks.
Caesars' decision to pay ransom drew scrutiny from law enforcement and policymakers, renewing the debate about whether ransom payments should be legally restricted or banned. No legislation resulted, but the discussion intensified.
How Safeguard.sh Helps
The MGM and Caesars breaches were fundamentally about identity and access management failures amplified by insufficient visibility into the software and systems running across the enterprise. Safeguard.sh addresses the supply chain and visibility dimensions of this problem:
- SBOM-driven asset inventory provides a complete map of every software component running across your infrastructure, so when you need to shut down systems during an incident, you know exactly what depends on what and can make informed containment decisions.
- Vulnerability correlation continuously matches your deployed components against known CVEs and exploited vulnerabilities, ensuring that the identity management platforms and help desk tools in your environment are patched against known attack vectors.
- Policy enforcement lets you define and enforce security requirements across your software supply chain, including mandating phishing-resistant MFA configurations and help desk verification standards as part of your governance framework.
- Third-party risk monitoring tracks the security posture of vendors in your supply chain, helping you assess whether your identity providers, cloud platforms, and managed service providers meet your security requirements before an attacker tests them for you.
The Scattered Spider attacks proved that the most expensive security stack in the world is worthless if an attacker can talk their way past the front door. Visibility, governance, and supply chain control are what close that gap.