MGM got popped and customer data exposed. Per usual, there are way too many unanswered questions at this point in the investigation, but that does not stop the media from trying to report, and there is no shortage of “experts” to call on, so we end up with articles like this one from Bloomberg that say things like:
“Charles Carmakal, chief technical officer for Mandiant Inc., part of Google Cloud, described the hackers as ‘one of the most prevalent and aggressive threat actors impacting organizations in the United States today.’ Mandiant first came across the group in May 2022.”
Really? Some skiddie affiliates are one of the most prevalent threat actors? Ooof... And we get assessments like this:
“In the MGM hack, Scattered Spider may have worked with ALPHV, according to two people familiar with the group’s operations.”
Congratulations Bloomberg, you just discovered the business model driving the ransomware economy. Great reporting (facepalm).
The Bloomberg article was not very well researched and basically misses the mark as far as accurately explaining anything. Scattered Spider sounds like an affiliate group made up of young threat actors.
Whether they are as prolific as Mandiant asserts is debatable - there are a lot of independent threat actor groups made up of a mix of members who most likely identify as members of multiple groups - nothing new here.
They likely leased use of the BlackCat/ALPHV RaaS platform - nothing new here either, as that is the RaaS model - so describing the groups as possibly "working together" is just a tragically uninformed way of describing what we have known for a long time: affiliate actors can rent RaaS platforms from developers.
Basically, the Bloomberg writer has zero idea how any of this works, so presents it all with fresh eyes and amazement – it would be cute if it were not so damaging to have such a high-profile outlet as Bloomberg generate such ill-informed coverage.
Takeaway: But it gets better... now the SEC will get involved because MGM is publicly traded and the SEC has new rules about reporting breaches, so expect this will probably be another clown show.
More visibility and accountability in regard to security-related events at publicly traded companies is a good thing – that's a no-brainer, but we do have to be careful to not confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.
The fact is that publicly traded companies are attacked every day, and if the company is really big, they may be attacked hundreds of times in a day. As we in the security trade already know, you can’t stop cyberattacks, but you can stop an attack from being successful and attaining its intended objective.
That said, the real challenge with this new SEC ruleset is going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” to investors.
This leaves quite a bit of room for subjectivity, plausible deniability, and – if not structured correctly – could produce a culture where there is pressure on security teams to conceal security events from the executive suite, so the event goes unreported.
The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information about an incident – and this is the real rub here. There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.”
Forensic investigations are difficult, and they take time. The disclosure rule set by the SEC, if not supported by investor education efforts, has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.
But investors, once informed of an attack, will want the details, and want them now. This could create situations where company leadership appears incompetent because they can’t answer tough questions about an event, undermining investor confidence.
Also, the company's leadership would then be in a position where they trickle out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts. The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that - while reportable per SEC rules – may in fact not be that serious of an event from a security standpoint.
Any requirements on victim organizations to report material security events to investors need to come with a concerted effort to educate investors on the nuances of attacks, security operations, and risk, or the SEC will just be creating more problems than it is actually solving.
There is so much in this Bloomberg article that adds to confusion among the non-cyber audience that it would be exhausting to try to sort it all out here, and more than a few key takeaways from the attack were missed.
First of all, it's obvious the casino did not practice any network segmentation, so they made the attack far worse than it needed to be. MGM (and everyone) also needs to reconsider whether they need to store all that PII on their customers - it's a bad idea to collect and store PII unless it is really, really necessary, and loyalty programs don't rise to that level.
And as far as third-party vendors – we need more details on this, like what kind of vendor, etc., to understand whether they needed to have access to the casino's network and how that access was structured - but for the most part it sounds like the vendor had too much access and the casino had poor security protocols for managing that access.
There is a lot organizations can do to assure their vendors are not putting them at risk, but in the end all risk is owned by the organization, and they need to make sure that their practices do not exceed their risk tolerance - with a casino you would expect risk tolerance to be very, very low.
But given the relative ease with which the attackers appear to have carried out the operation, it seems likely that MGM’s security did not adequately reflect their risk tolerance - not by a long shot.
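To make the segmentation and vendor-access points above concrete, here is an added illustration (example code written for this post, not anything from the original article, from MGM, or from Halcyon). It models a network as zones with an allow list of permitted flows, computes the blast radius a compromised vendor credential would have under a flat design versus a segmented one, and audits a vendor access grant against basic least-privilege expectations. Every zone name, rule, and the grant schema (vendor, entry_zone, needed_zones, mfa, expires) is a constructed assumption for the example.

```python
"""Blast-radius and vendor-access audit over a constructed zone model."""
from collections import deque
from datetime import date

# Constructed sample zones for an illustrative casino-style network (hypothetical names).
ZONES = {"vendor-vpn", "corp-lan", "hvac-mgmt", "loyalty-db", "payments", "slot-floor"}

# Allow rules as (source_zone, destination_zone); anything not listed is denied.
# Flat design: the vendor VPN lands on the corporate LAN, and the LAN talks to everything.
FLAT_RULES = {
    ("vendor-vpn", "corp-lan"),
    ("corp-lan", "hvac-mgmt"),
    ("corp-lan", "loyalty-db"),
    ("corp-lan", "payments"),
    ("corp-lan", "slot-floor"),
}

# Segmented design: the vendor VPN reaches only the system the vendor maintains;
# sensitive zones are reachable only from the tiers that legitimately need them.
SEGMENTED_RULES = {
    ("vendor-vpn", "hvac-mgmt"),
    ("corp-lan", "loyalty-db"),
    ("payments", "loyalty-db"),
}

# Constructed audit date so results are reproducible.
AUDIT_DATE = date(2023, 9, 15)


def blast_radius(rules, entry_zone):
    """Return every zone reachable from entry_zone by following allow rules transitively."""
    reachable = {entry_zone}
    queue = deque([entry_zone])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in reachable:
                reachable.add(dst)
                queue.append(dst)
    return reachable


def audit_vendor_grant(grant, rules, today):
    """Check a vendor access grant against least-privilege expectations.

    grant keys (hypothetical schema): vendor, entry_zone, needed_zones, mfa, expires.
    Returns a list of finding strings; an empty list means the grant looks acceptable.
    """
    findings = []
    reach = blast_radius(rules, grant["entry_zone"]) - {grant["entry_zone"]}
    excess = reach - set(grant["needed_zones"])
    if excess:
        findings.append(f"reaches zones beyond stated need: {sorted(excess)}")
    if not grant["mfa"]:
        findings.append("MFA not enforced on vendor account")
    if grant["expires"] is None:
        findings.append("no expiry: standing access instead of time-bound access")
    elif grant["expires"] < today:
        findings.append("grant expired but still active")
    return findings


# Constructed grant for a hypothetical HVAC contractor that only needs hvac-mgmt.
HVAC_VENDOR = {
    "vendor": "example-hvac-contractor",
    "entry_zone": "vendor-vpn",
    "needed_zones": ["hvac-mgmt"],
    "mfa": False,
    "expires": None,
}

# The same grant after fixing the account-level issues (MFA on, time-bound).
HVAC_VENDOR_FIXED = dict(HVAC_VENDOR, mfa=True, expires=date(2023, 12, 31))


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"[{label}] blast radius from vendor-vpn:",
              sorted(blast_radius(rules, "vendor-vpn")))
        for finding in audit_vendor_grant(HVAC_VENDOR, rules, AUDIT_DATE):
            print(f"[{label}] finding: {finding}")
```

Under the flat rules the vendor entry point reaches every zone, including loyalty-db and payments, which is exactly the "vendor had too much access" failure; under the segmented rules the same credential reaches only hvac-mgmt, and the remaining findings are account hygiene (MFA, expiry) that the network design cannot fix on its own.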
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.