All MGM Resorts hotels and casinos are back up and running as normal, nine days after a cyberattack shut down systems across the company, the company said in an X post on Wednesday. MGM Rewards accounts will be updated "at a later date," and some promotional offers could still be unavailable. This is the biggest system-wide restoration the company has experienced since websites went offline, slot machines went down and some transactions became cash-only on September 11.
The ALPHV ransomware group took credit for the attack shortly after systems went offline. The group claimed it accessed systems through social engineering, that is, gaining the trust of employees to get information. Once a group gains access, it usually demands a sum of money in exchange for access or information.
After the MGM attack went public, reports started surfacing that competitor Caesars Entertainment, which also owns casinos across the Las Vegas Strip, recently suffered a similar attack. But unlike MGM, Caesars reportedly paid "tens of millions of dollars" to avoid damage from hackers who threatened to release company data. Another ransomware group, Scattered Spider, took credit for that attack. Scattered Spider also took credit for the MGM attack, but responsibility is notoriously difficult to verify without security researchers because hackers are motivated to claim as much damage as they can.
Both attacks started through identity management vendor Okta. MGM and Caesars both use the service, and Okta confirmed hackers were able to use its tech as an access vector. The full extent of the damage remains unclear. At least three other Okta clients have been hit by cyberattacks, David Bradbury, Okta's chief security officer, told Reuters.
"There has been no compromise or breach of Okta systems and the Okta service remains fully operational and secure. We are available to assist MGM in any way we can," an Okta spokesperson told Engadget. "We have seen social engineering attacks involving a threat actor calling an organization's help desk, impersonating an employee, and persuading the help desk to reset MFA for a highly privileged account. The Okta blogs provide preventative measures along with our threat intelligence and we encourage our customers to review the posts and take appropriate action."
MGM did not respond to a request for comment on any data leak implications possibly stemming from the attack or whether backend systems such as employee accounts are back up and running.