Teenagers Took Down Las Vegas
How Scattered Spider used help-desk calls, SIM swaps, MFA fatigue, and ransomware-as-a-service to disrupt MGM Resorts and Caesars. The attack surface was the conversation.
Key Takeaways
- Scattered Spider did not need to break through the firewall first. The help desk was the attack surface.
- The MGM disruption started with identity and access. A convincing call, public information, and weak reset procedures were enough to open the door.
- SMS-based MFA can be bypassed through SIM swapping. Push-based MFA can be worn down through repeated approval prompts.
- Once attackers own identity, they can register their own MFA, monitor response channels, and move with tools that look legitimate.
- What stops this is not one product. It is phishing-resistant MFA, strict reset procedures, segmentation, allowlisting, and offline immutable backups.
What happened
In September 2023, MGM Resorts had to shut down systems across its U.S. properties after a cyberattack. Guest-facing systems were disrupted. Check-ins, digital room keys, ATMs, payment flows, and other casino and hotel operations were affected. MGM later told the SEC the issue had an estimated negative impact of about $100 million.
The uncomfortable part is how the attack began. Scattered Spider did not need to start with a firewall exploit. The group used social engineering. They found people, called help desks, sounded plausible, and pushed identity systems until access opened.
The malware mattered. The ransomware mattered. But the most sophisticated part of the attack was the conversation.
The help desk was the attack surface
The attack had two human routes.
In one route, attackers contacted employees while pretending to be IT support. The goal was to get credentials, remote access, or approval for something that sounded routine.
In the other route, attackers contacted the real help desk while pretending to be an employee. Public information from LinkedIn and company websites helped them sound legitimate. If the help desk reset a password or MFA factor, the attacker did not have to break in. The door was opened for them.
This is why help-desk procedure matters. If the reset process trusts public information, the reset process becomes the vulnerability.
MFA was part of the target
Multifactor authentication helps, but not all MFA is equal.
SMS-based MFA depends on control of a phone number. If an attacker can socially engineer a carrier into moving that number to a SIM they control, they can receive the codes. That is SIM swapping.
Push-based MFA can fail differently. Attackers can trigger approval requests again and again until the target gets tired and taps approve just to make the prompts stop. That is MFA fatigue.
The stronger answer is phishing-resistant MFA: passkeys, hardware security keys, and authentication flows that cannot be approved by accident or moved with a phone-number reset.
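An added example (not code from the original post) of how a defender might surface the push-bombing pattern described above in identity-provider push logs. The log format, field names, and the five-pushes-in-ten-minutes threshold are assumptions made for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified IdP push-auth events, not a real export):
# timestamp user event source_ip
SAMPLE_LOG = """\
2023-09-10T02:14:05Z alice push_sent 198.51.100.7
2023-09-10T02:14:09Z alice push_denied 198.51.100.7
2023-09-10T02:14:31Z alice push_sent 198.51.100.7
2023-09-10T02:14:40Z alice push_denied 198.51.100.7
2023-09-10T02:15:02Z alice push_sent 198.51.100.7
2023-09-10T02:15:15Z alice push_sent 198.51.100.7
2023-09-10T02:15:50Z alice push_sent 198.51.100.7
2023-09-10T02:16:01Z alice push_approved 198.51.100.7
2023-09-10T09:00:00Z bob push_sent 203.0.113.9
2023-09-10T09:00:04Z bob push_approved 203.0.113.9
"""

def parse_events(log_text):
    """Yield (timestamp, user, event, source_ip) tuples from the sample format."""
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` pushes inside a sliding `window`.
    A burst of prompts with denials followed by an approval is the push-bombing pattern."""
    events = defaultdict(list)
    for ts, user, event, _ in parse_events(log_text):
        events[user].append((ts, event))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        sends = [ts for ts, e in evs if e == "push_sent"]
        start = 0
        for end in range(len(sends)):
            while sends[end] - sends[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                lo, hi = sends[start], sends[end]
                findings[user] = {
                    "pushes": end - start + 1,
                    "denials": sum(1 for ts, e in evs if e == "push_denied" and lo <= ts <= hi),
                    # an approval right after a burst is the "tired tap" worth paging on
                    "approved_after_burst": any(e == "push_approved" and ts >= hi for ts, e in evs),
                }
                break
    return findings
```

A burst with `approved_after_burst` set is the case to treat as a likely compromised session rather than a successful login.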
Once they were in
After attackers control identity, the attack becomes much harder to contain. They can register their own MFA token, add persistence to the single sign-on environment, and keep access even after a password changes.
They can also watch the response. Scattered Spider actors have been reported to monitor channels such as Slack, Teams, and email so they can see how defenders are investigating them. In some cases, attackers join incident-response calls and adjust while the defenders are talking.
That is the part that should make teams uncomfortable. If an attacker owns identity and communications, they are not only inside the building. They may be listening to the evacuation plan.
Boring tools, serious damage
Scattered Spider is known for using legitimate tools where possible: remote-access software, tunneling tools, and common administration utilities. That makes detection harder because the tools are not always malicious by themselves.
This is the problem with allowlisted tools. A tool can be legitimate and still be dangerous in the wrong hands. Tailscale, TeamViewer, ScreenConnect, and similar tools can be useful for real work. They can also become quiet paths through a network when identity has already been compromised.
Do not ban every tool by default. Know which tools are allowed, who can use them, where they can connect, and what should happen when they appear in the wrong place.
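An added example (not the post's own code) of the allowlist check the paragraph above describes: each remote-access tool launch is evaluated against which tool is allowed, who may launch it, and on what kind of host. The policy, group names, host roles, and endpoint events are constructed for illustration:

```python
# Constructed policy: tool -> (groups allowed to launch it, host roles it may run on).
# Tailscale is deliberately absent, so any launch of it is outside policy.
ALLOWLIST = {
    "ScreenConnect": ({"helpdesk"}, {"workstation"}),
    "TeamViewer": ({"helpdesk", "field-eng"}, {"workstation"}),
}

# Map raw process names seen in telemetry to the policy's tool names.
PROCESS_TO_TOOL = {"tailscaled": "Tailscale", "tailscale": "Tailscale"}

# Constructed endpoint telemetry: process starts matching known remote-access tools.
EVENTS = [
    {"host": "WS-0412", "role": "workstation", "user": "jlee", "groups": {"helpdesk"}, "tool": "ScreenConnect"},
    {"host": "DC-01", "role": "domain-controller", "user": "jlee", "groups": {"helpdesk"}, "tool": "ScreenConnect"},
    {"host": "WS-0377", "role": "workstation", "user": "mpatel", "groups": {"finance"}, "tool": "TeamViewer"},
    {"host": "WS-0377", "role": "workstation", "user": "mpatel", "groups": {"finance"}, "tool": "tailscaled"},
]

def evaluate(event):
    """Return (verdict, reason) for one tool launch: allow, alert, or block."""
    tool = PROCESS_TO_TOOL.get(event["tool"], event["tool"])
    policy = ALLOWLIST.get(tool)
    if policy is None:
        return "block", f"{tool} is not an approved remote-access tool"
    groups, roles = policy
    if not event["groups"] & groups:
        return "alert", f"{event['user']} is not in an approved group for {tool}"
    if event["role"] not in roles:
        return "alert", f"{tool} launched on a {event['role']} host"
    return "allow", "matches allowlist"

def triage(events):
    """Evaluate every event; returns one (host, user, tool, verdict, reason) tuple per event."""
    return [(e["host"], e["user"], e["tool"], *evaluate(e)) for e in events]
```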
Ransomware-as-a-service changed the job
Scattered Spider did not need to build every piece of malware themselves. They could focus on social engineering and access, then use ransomware-as-a-service partners for encryption and extortion.
That division of labor matters. One group can specialize in getting in. Another can specialize in encrypting systems. Another can specialize in pressure, leaks, and payment.
In the casino attacks, the pressure was not just “pay us or your files stay encrypted.” It was also “pay us or the data goes public.” That is double extortion: encryption plus exfiltration.
What would have stopped it
Start with stronger MFA. Remove SMS from important accounts. Use passkeys or hardware security keys for privileged access. If you still use username and password, the second factor must be harder to steal than a phone number.
Then fix the help desk. Password and MFA resets need callback rules, known internal numbers, shared verification phrases, and a process that lets support staff slow down when something feels wrong.
Limit the blast radius. Segment networks. Keep ordinary workstations away from sensitive systems. Do not let one compromised identity see the whole company.
Allowlist remote-access tools. Decide what is allowed, where it is allowed, and who is allowed to launch it.
Finally, keep immutable offline backups. If ransomware encrypts production and can also encrypt the backup, you do not have a backup. You have a second copy of the problem.
The human perimeter
The old lesson would be “train people not to fall for scams.” That is too small.
The better lesson is that identity, help desks, and internal trust are part of the perimeter. The person answering a support call needs a process that protects them. The employee receiving an MFA prompt needs an authentication system that does not make tired approval the last line of defense.
Scattered Spider made a casino problem out of a conversation. That is why the conversation has to be secured too.
Frequently asked questions
Who is Scattered Spider?
Scattered Spider is a cybercrime group also tracked under names such as UNC3944 and Octo Tempest. The group is known for social engineering, phishing, SIM swapping, MFA abuse, and attacks that target identity and help-desk workflows before deploying ransomware or extortion pressure.
What happened to MGM Resorts?
MGM Resorts disclosed a cybersecurity issue in September 2023. The incident disrupted guest-facing systems across properties, including booking, payment, room-key, ATM, and casino operations. MGM later estimated an approximately $100 million negative impact from the issue.
Why is SMS-based MFA risky?
SMS-based MFA depends on control of a phone number. If an attacker socially engineers a carrier into moving that number to a SIM they control, the attacker can receive the codes. That is why passkeys, hardware security keys, and stronger authenticator flows are better for important accounts.
What is MFA fatigue?
MFA fatigue, also called push bombing, is when attackers trigger repeated approval prompts until the target gets tired or confused and taps approve. The problem is not that the person is careless. The system is asking a tired person to make a high-stakes security decision over and over.
What should a help desk do differently?
Password and MFA resets need stronger identity checks than public LinkedIn details. Callback procedures, known internal numbers, shared verification phrases, manager approval for risky resets, and logging help-desk exceptions all make impersonation harder.