Caesars Entertainment, operator of the venerable Las Vegas casino Caesars Palace, has revealed that it paid a significant sum of money to its attackers following a recent ransomware attack, which was possibly the work of the same threat actor that breached competitor MGM Resorts using the ALPHV/BlackCat ransomware.
In a filing made to the US Securities and Exchange Commission (SEC), Caesars Entertainment said it initially became aware of the incident after identifying suspicious activity on its network. The subsequent investigation, which concluded on 7 September, found that the organisation was breached via a social engineering attack on an outsourced IT support supplier.
Its customer-facing operations, hotels, and online and mobile gaming services were not affected, however, Caesars Entertainment found that its attacker was able to purloin a copy of its loyalty programme database, including driver’s licence and social security numbers of thousands of guests and gamblers, although there is currently no evidence that any financial data was stolen. It is in the process of notifying victims.
Caesars Entertainment went on to make a statement that strongly implies it negotiated and paid at least part of the ransom demanded by its attacker.
It said: “We have taken steps to ensure that the stolen data is deleted by the unauthorised actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
According to reports, the ransom paid may have been as much as $15m, negotiated down from $30m, although this is unconfirmed.
Nevertheless, the apparent admission of ransom payment, which runs contrary to all accepted best practice, may store trouble for the entertainment giant, given strict regulatory policies implemented by the US government’s Office of Foreign Assets Control (OFAC) three years ago, which made making or facilitating ransomware payments a potential sanctions risk under US law.
High-rolling threat actor
Caesars Entertainment did not disclose any details of the group that extorted it, but given the near-simultaneous incident affecting its neighbours at MGM Resorts – and the fact that both incidents appear to have begun via social engineering – the attack is being widely linked to a threat actor tracked by Google Cloud’s Mandiant as UNC3944, using the ALPHV/BlackCat locker.
Also known as 0ktapus, Scattered Spider and Scatter Swine, UNC3944 made a name for itself in 2022 via an audacious series of social engineering attacks exploiting the trust that customers of identity and access management (IAM) specialist Okta placed in the brand.
Note that there is no firm evidence that implicates Okta in the incidents at either MGM Resorts or Caesars Entertainment, although a new wave of social engineering attacks against its customers was reported earlier this month and an as-yet unsubstantiated claim has been made in this regard by those claiming to be behind the MGM attack. Computer Weekly has contacted Okta for comment.
The high-rolling UNC3944 gang got its start conducting phone-based social engineering and SMS phishing (smishing) attacks, but according to Mandiant’s latest intelligence, it pivoted to deploying ransomware in summer 2023, and in the process expanded its targeting beyond the tech industry to include firms in the entertainment, hospitality, media and retail sectors.
It has also become more tightly focused on stealing sensitive data for extortion purposes, and in a change to the scheduled programme, may not actually be based in Russia – it demonstrates a competent understanding of Western business practices and many members are likely native English speakers.
Mandiant said the group works to “an extremely high operational tempo”, accessing critical systems and stealing large volumes of data very fast. This factor may be designed to “overwhelm” security response teams.
After gaining initial access via social engineering, UNC3944 enlists commercial residential proxy services to access their victims from the same geographical area, an attempt to fool monitoring tools looking out for suspicious traffic from elsewhere, and legitimate software including remote access tools.
Its operatives also dedicate significant resource to rooting out information that may help them escalate their privileges and maintain persistence, often targeting password management tools and privileged access management (PAM) systems to do so.
It has been frequently observed creating unmanaged virtual machines (VMs) in victim environments to launch attacks – in some cases these VMs are created inside victims’ cloud environments and are internet-accessible.
When it’s time to deploy a ransomware locker, UNC3944 likes to target business-critical VMs and other systems to cause as much pain as possible, and ramps up the pressure by leaving threatening notes on compromised systems, bombarding executives with text messages and emails, and infiltrating internal comms channels used for incident response.
“UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetisation strategies,” said Mandiant’s researchers.
“We expect that these threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations.
“UNC3944’s initial successes likely emboldened it to expand its TTPs to more disruptive and profitable attacks, including ransomware and extortion. It is plausible that these threat actors may use other ransomware brands and/or incorporate additional monetisation strategies to maximise their profits in the future.
“We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques and monetisation tactics as the actors identify new partners and switch between different communities,” they added.