ALPHV ransomware gang releases lengthy statement on MGM hack

ALPHV also took aim at a media outlet and a malware researcher for what the gang considers inaccurate reporting.

The MGM incident began earlier this week, when the casino and resort revealed it was the victim of a hack and that it had been forced to take down many of its systems. This included hotel room pass cards, booking systems, and even some of its casino floor gaming systems, causing significant disruption to the company and its guests.

Since then, there has been a frenzy of reporting on the apparent casino takedown. Reuters reported on Thursday (14 September) that an ALPHV sub-group known as Scattered Spider was the culprit, according to “two sources familiar with the matter”, while malware researcher vx-underground tweeted details from a Financial Times story that claimed the hackers had aimed to make slot machines spit money for “mules to gamble and milk the machines”.

“In an interview over the Telegram messaging app, a person who claimed to represent the group described the techniques used to evade detection in the systems of one of the world’s largest casino operators,” the Financial Times wrote overnight.

But that’s not how things went down, apparently.

The true story – according to ALPHV

“We have made multiple attempts to reach out to MGM Resorts International, ‘MGM’,” an ALPHV spokesperson said on the group’s darknet leak site. “As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight.”

According to ALPHV – it is a criminal organisation, after all, so a degree of caution should be taken – it had not deployed any ransomware on MGM systems prior to them being shut down.

VIEW ALL

ALPHV had been “lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps”, the group said. It was then they were discovered, and MGM shut down every one of their Okta Sync servers.

Okta is a “secure identity cloud” single sign-on security solution, and shutting it down would have had a big effect on casino operations.

However, ALPHV was still on MGM’s network, complete with super admin privileges to the company’s Okta servers and global admin privileges to its Azure tenant.

“They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan,” ALPHV said.

ALPHV’s timeline is a little vague, but it says it was on the network on a Friday and that MGM barred all access to its Okta environment on a Sunday – presumably 8 and 10 September, respectively, though the gang does not provide dates.

“Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday,” ALPHV wrote. “They then made the decision to ‘take offline’ seemingly important components of their infrastructure on Sunday.”

The group did launch ransomware attacks on 11 September, though, targeting 100 ESXi hypervisors. According to ALPHV, however, this only happened after it had failed to “get in touch” with MGM. This was also when “external firms” were brought in, ALPHV said.

ALPHV reports a mixed response from MGM when it comes to negotiations.

“In our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed,” APLHV said. “As they were not responding to our emails with the special link provided (In order to prevent other IT personnel from reading the chats) we could not actively identify if the user in the victim chat was authorised by MGM leadership to be present.”

ALPHV then provided a new password to access the exfiltrated data, combining two passwords of “senior executives” in a manner that only the two specific executives could recognise, “clearly hinted to them with asterisks on the bulk of the password characters so that the authorised individuals would be able to view the files”.

Since then, the unknown user has continued to enter the chat, according to ALPHV. The gang told the mysterious user that if no response was received by midnight, it would release a statement – which it did overnight.

What happens next

Curiously, ALPHV has not been able to determine if the data it has exfiltrated contains personally identifiable information, but if it does – and MGM continues to not negotiate – the gang plans to share its information with Troy Hunt of HaveIBeenPwned.com to “disclose it in a responsible manner if he so chooses”.

ALPHV goes on to call out MGM’s history of insider trading and apparent lack of interest in its customers’ wellbeing. The group then takes aim at vx-underground over its reporting on the hack, before also pouring cold water on rumours US teenagers “breaking into this organisation”, and then generally questioning the cyber security firms and their perceived lack of insight into the hack and how hacking groups in general operate.

“The truth is that these specialists find it difficult to delineate between the actions of various threat groupings, therefore they have grouped them together,” ALPHV said. “Two wrongs do not make a right, thus they chose to make false attribution claims and then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this.”

ALPHV also claims that initial reports of the hack were leaked by disgruntled MGM employees or “outside security experts” and that the Financial Times’ reporting was fabricated.

“... we did not attempt to tamper with MGM’s slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal,” it said.

For now, though, ALPHV said it still has access to MGM’s network and that more attacks will follow if a deal is not reached. Finally, the group takes aim at IT news site TechCrunch, saying, “neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.”

Cyber Security Connect has reached out to MGM for comment.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.