Axios Codebook

MGM Resorts International is struggling to contain the public impact of an apparent cyberattack that has continued to snarl business all week at one of the U.S.'s largest casino operators.

What's happening: Roughly five days into the incident, slot machines are still out of order, digital room keys are offline, and resort guests are slamming the company on social media for its seeming lack of customer support.

• MGM, which operates several high-profile casinos across the country, is also expected to take a financial hit: The company is facing potential revenue losses, litigation and reputational risks, credit rating firm Moody's warned (paywall).
• Meanwhile, MGM has been hush on the details in its public communications throughout the week. The company has yet to confirm what kind of attack it's facing or what customer data, if any, was stolen.
• MGM did not respond to requests for comment.

Why it matters: The fallout from the apparent cyberattack on MGM provides a rare glimpse into how damaging these incidents can be to businesses and consumers.

• Typically, either the impact of a hack is limited to stolen personal data or the victim organization sweeps the full scope of the attack under the rug.

The big picture: Casinos and hospitality firms have become targets for cyberattacks in recent years.

• Caesars Entertainment, which operates several major casinos in Las Vegas, confirmed on Thursday that it also faced a cyberattack a few days before the MGM hack began.

Details: The IT outages are impacting MGM properties across the country — not just in Las Vegas.

• I visited MGM National Harbor outside Washington, D.C., on Thursday afternoon and found a handful of slot machines on the second floor were still offline, as were a few ATMs in the casino.
• All of the MGM Rewards kiosks — where members can print rewards cards so they can use their points to play games — were also down, forcing people to cash out their winnings in person.

Of note: Throughout the week, confused and frustrated customers have flooded MGM's social media feeds with online reviews and comments trying to figure out if they can get a refund or if computer systems will be up in time for their weekend trips.

• "Terrible customer service for a large customer like myself and my team," one person wrote in a Google review for the Aria Resort & Casino in Las Vegas. "We will be taking our business elsewhere after the cybersecurity attacks."

Yes, but: The website for BetMGM, the company's online betting site, appears to have been unaffected and remains functional.

Zoom in: A former MGM employee who left the company this year told Axios that the company restructured roughly 75% of its corporate IT teams in April, resulting in layoffs, and outsourced another IT team in July.

• Caesars said in an SEC filing that its cyberattack started with a social engineering attack targeting an outside IT vendor.

Between the lines: Public statements about a cybersecurity incident run up against legal obligations and regulatory scrutiny — making it difficult to communicate what's happening with the public.

• Once a company uses the term "data breach" or "data leakage," the clock starts ticking for the organization to comply with state-level data breach notification rules and other compliance, Alex Waintraub, a cyber crisis management expert at Cygnvs, told Axios.
• It takes days, sometimes weeks, to determine the impact of a cyber intrusion, including what data was stolen or accessed.
• "This is going to become a legal battle," Waintraub said. "We do not say ['data breach'] in writing until forensics confirm that there is data leakage."

Exactly who is behind the apparent cyberattack on MGM this week isn't clear yet — but two cybercrime gangs are arguing they were involved.

Driving the news: Members of hacking group Scattered Spider told news outlets Thursday that they were the ones who first targeted MGM's networks last week.

• However, ransomware gang Alphv, also known as Black Cat, posted a long statement Thursday to its dark-web site claiming it was actually responsible.
• While Alphv claimed responsibility for the attack, the statement did not address whether Scattered Spider was acting as an Alphv affiliate, or a group that carries out an attack using ransomware developed by Alphv.

Why it matters: The dueling narratives are adding to an already chaotic news cycle that's been filled with social media-fueled speculation.

• No one will know for sure who targeted MGM until the company or law enforcement provides public details about the incident.

Threat level: Both groups are seen as major cybercrime threats in their own right, experts say.

• Scattered Spider is believed to be a group of young adults based in the U.S. and the U.K. who are well known for using social engineering to launch attacks, according to Bloomberg.
• They've also been seen deploying Alphv's encryption in recent months, Charles Carmakal, chief technology officer at Google Cloud's Mandiant, wrote on LinkedIn this week.
• Scattered Spider is well known for an attack that hit more than 130 organizations last year and stole more than 10,000 employees' login credentials.

Meanwhile, Alphv has its own reputation for dangerous, widespread attacks.

• The group, which is believed to be based in Russia, is known for its ruthless extortion techniques. Its members released stolen photos from breast cancer patients' examinations while extorting the Lehigh Valley Health Network earlier this year, for instance.
• Other victims have included Western Digital and Sun Pharmaceuticals.

The big picture: Identities in the ransomware world are obfuscated on purpose to make it more difficult for law enforcement to pinpoint who's behind an attack.

• Not only is it typical for a larger ransomware operator to claim credit for an attack that an affiliate launched, but it's also possible for a larger group like Alphv to launch an entire attack on its own, in house.

Be smart: MGM, the FBI and third-party cyber incident response firms will have the most reliable information for who's behind the attack and how it happened.

Iranian hackers have hacked dozens of companies in the defense, satellite and pharmaceutical sectors this year using a fairly unsophisticated, blunt hacking technique, Microsoft warned in a new report.

Why it matters: Many of these companies are based in the U.S., and the breaches come amid heavy U.S. sanctions targeting Iranian oil and petrochemical sales.

Details: Microsoft said Thursday that Iranian hacking group Peach Sandstorm — which other firms also refer to as APT33, Elfin or Refined Kitten — has been breaking into these companies by trying to guess multiple user accounts' passwords.

• The password-spraying campaign took place between February and July this year, Microsoft found.
• In some cases, the hackers were able to exfiltrate data, and in others, they just lurked on the networks to see what intelligence they could gather.

Yes, but: The Iranian group targeted thousands of companies as part of this monthslong campaign — but was able to access only a small percentage of those organizations, Microsoft said.

The big picture: Peach Sandstorm's past campaigns are known to have targeted aviation, construction, defense, education, energy, financial services, health care, government, satellite and telecommunications companies.

What they're saying: "The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets' systems, persist in targets' environments, and deploy a range of tools to carry out additional activity," Microsoft wrote in the report.

Threat level: Iran was likely using the attack for routine espionage, Microsoft said, rather than for a destructive cyberattack.

• However, the U.S. intelligence community has warned that Iran is "more willing than before to target countries with stronger capabilities" as part of its state-backed cyber operations.

@ D.C.

✍️ The White House is urging other members of the International Counter Ransomware Initiative to issue a joint statement saying they will not pay ransoms to cybercriminals. (The Record)

🐦 The Department of Justice alleged in a court filing that Elon Musk may have violated a 2022 Federal Trade Commission privacy order regulating X, formerly known as Twitter. (Axios)

🔎 The State Department detailed how it was able to quickly detect a China-linked hack involving Microsoft government email accounts on its networks in July. (Politico)

@ Industry

💰 TikTok is facing a €345 million ($368 million) fine from the Irish Data Protection Commission for violating the European Union's comprehensive privacy law. (TechCrunch)

🇨🇳 The Chinese government says it has not instituted any laws or regulations prohibiting government employees from using or buying foreign phones, despite media reports saying iPhones had been banned over security concerns. (CNBC)

@ Hackers and hacks

🪙 North Korea's Lazarus Group is likely behind this week's hack of the CoinEx exchange, researchers have found. (CoinDesk)

👀 Researchers uncovered NSO Group's Pegasus spyware on an iPhone belonging to a prominent Russian journalist, marking the first known time the spyware has been used to target a notable Russian national. (Washington Post)

📈 The number of apps that have had to patch a critical, zero-day vulnerability has skyrocketed this month — and it's likely to keep getting worse. (Ars Technica)

It's not every day you spend part of your workday wandering the floors of a casino. Here are some shots from the MGM near D.C. yesterday! 🃏 💰