On September 11th, MGM Resorts was subject to a ransomware attack that shut down all its systems including slot machines, voucher cash out machines, hotel reservations and guest services. The cyberattack basically handcuffed their operations throughout Las Vegas, although other MGM casinos in different states were affected too. Caesars was also apparently hit with a ransomware attack by the same group at the same time, now known to be Scattered Spider, a subgroup of ALPHV, which is said to be the largest and most sophisticated hacking group in the country. According to reports, the group attacked MGM by pretending to be an employee of the company and gaining access to their systems and data. On the social platform Telegram, a spokesman for the group said they took 6 terabytes of data from both MGM and Caesars.
Reports indicate the group asked for $30 million in ransom from both MGM and Caesars to reverse the hack and Caesars negotiated the price down to $15 million, while MGM said they wouldn’t pay the ransom. Caesars has since been operating normally, while MGM struggled for more than three weeks to get things back to normal. Insurance will pay the $15 million ransom for Caesars and it will cover up to $200 million of losses for MGM, but the public relations hit to MGM could amount to more than that in lost business going forward. Some are calling Caesars brass geniuses for paying the ransom, although others say that, like with any terrorist groups, negotiating with them only opens up the company to future cyberattacks.
Cyberattacks are not new to the gaming world
These attacks are nothing new. Private companies, governments, banks, hospitals, internet providers and other agencies get ransomware attacks regularly. In fact, one of the most famous cyberattacks was against the Church of Scientology. And in the gambling industry, the attacks go back to the early 2000s. In 2002 three well known offshore operations (who I won’t name since they were never publicly acknowledged), were hit with a disruption of service attack by Russian criminals who were eventually caught. Two of the companies paid the ransom via payment to an untraceable account in Russia, while the other company said they would not pay. While the two who paid the ransom were back online immediately, the other company that didn’t pay was down for almost six weeks, including part of the NFL season. To get back online they had to rebuild their entire system from the ground up, although the owner of that site always maintained he did the right thing, not negotiating with terrorists. It is notable that the two companies who paid the ransom are still operating, while the other company shut down a few years back, although that had more to do with their decision to cut off U.S. customers than the cyber attack. Back then the attacks involved Distributed Disruption of Service (DDoS) attacks, whereby a virus was inserted into their computer systems after an employee opened an infected email which led to mounds of data from various computers flooding into their servers, taking up all their bandwidth and making the servers inaccessible. DDoS attacks are still the main source of ransomware attacks, but the methods used are far more sophisticated now.
I spoke with Michael Calvin, the Chief Technology Officer and Joseph Martin, the CEO at Kinectify which is AML risk management technology company serving gaming operators in the U.S. and Canada. While Kinectify is not a cyber security company, they are advocates for modernization of the gambling space and they have an advisory service that helps gambling operators enhance their systems via work with industry experts who can design and test programs, meet compliance deadlines and provide outsource services to administrate compliance programs, thus efficiently allowing them to manage risk across their whole enterprise.
The first question I asked both Calvin and Martin was why the gambling space is so susceptible to ransomware attacks.
“The hackers need to ensure that you are able to pay the ransom they are asking for and they need you to know they have the sensitive data to be able to monetize their attack. So unfortunately, the gaming industry is a target for that. They’ve got a lot of cash and sensitive data and they’re seen as having an infrastructure that is vulnerable and needs to modernize. Those things combined makes it pretty likely that more attacks against the industry are going to occur.”
The next question I asked is whether it was possible that hackers could gain access to all the data, yet customer data and identity theft was not at risk. To this date, Gateway Casinos in Ontario, who were forced closed its Ontario locations in April for two weeks due to a cyberattack, contends that no client data was stolen, despite the casinos being down for over a month.
“It can happen in other industries. I’ll give you an example. LastPass (a password management company) has been hacked numerous times but customer data was not lost due to their encryption processes and algorithms. That is next level cryptography they implemented but that is not the norm in the industry. Every company is doing encryption at rest and encryption in transit, but too often the encryption keys are stored in the same places where the infrastructure is hosted. So if they gain access to the encrypted data and the key, then they will be able to access all the PII (personal identifiable information) data.”
I asked what the best method is to protect against cyber attacks. And this is where Calvin and Martin were most vocal.
“It’s all about best practices. The casino industry is a soft target because they are using old, outdated infrastructure that’s hosted on premise and on premise architecture is less secure than cloud platforms. You know when you’re working in cloud practices like AWS or Azure, you’re dealing with the leading edge of technology infrastructure. They’re buying the latest firewalls and IPS ID’s systems and the most advanced technology out there both hardware and software to secure those environments. Even large enterprises like we see in the gambling industry can’t invest that same amount of resources to protect their environments because it’s not their core competency. They’re in the business to deliver gaming solutions, not to provide infrastructure as a service. Therefore, it’s impossible to maintain and infrastructure on premise in the same way that the infrastructure is being maintained in the cloud. So, my first answer when asked how a company can protect itself is to get the stuff off premise and into the cloud.”
Is online safer?
I wondered if online only companies like DraftKings or FanDuel were safer than land-based companies like MGM and both Calvin and Martin said that isn’t necessarily so.
“All the companies could have vendors, like a sports trading platform, that is old. The code might be from the 1980s or 1990s and they may be forced to host it on premise because the ability to use the cloud isn’t there. So, the whole gaming community, including third party vendors, needs to modernize.”
Calvin and Martin also discussed the importance of ensuring that systems are segregated to avoid a situation where a careless employee opens an email and releases a virus throughout the entire system.
“You can’t’ mitigate all risk, but you can structure your solutions to minimize impact if you are attacked. You’ll notice in recent cyber attacks that you’re hearing about in the news that all systems went down at the same time, everything from payments to elevators. That’s because they are all hosted on the same servers in the same place, on the same corporate networks. But you know when you’re deploying stuff into the cloud you segregate your resources. So, the production network is completely separate from the non-production network. There’s no way that one machine on this network can talk to another machine on a different network. So, if a ransomware attacker were to occur to my dev environment it could totally destroy my dev environment, but it’s unlikely it would impact my productivity suite.”
I also spoke to a cyber security expert based in Toronto, who asked not to be identified in the article for business reasons about the situation with both the Vegas casinos and Gateway and he seemed to agree with Calvin and Martin. The key to avoiding cyber attacks is to ensure you have proper policies in place to safeguard against everything going down at the same time and also policies to try and prevent an employee from putting a company at risk.
“I always tell clients to never put all your eggs in one basket and back up everything on separate servers. More importantly they need to instill the fear of God into employees to not open up emails, click links or provide information over the phone or internet unless they are 100% sure the sources are confirmed. And this could mean using multiple sources before they get the ok to open and reply to an email. Whether they like it or not, what was state of the art security yesterday could be vulnerable today. Username and passwords are no longer considered a good security measure and requiring a symbol and number which was the big revolutionary way to foil hackers just 3 years ago is now easily compromised. Things like 2FA is much more hacker proof. That said, a company is only as safe as their weakest link. So companies need to constantly monitor employees and systems to stop a careless employee before they put the company’s data at risk.”
I also asked the security expert whether hackers can ever be stopped and his simple answer was no. He equated it to the COVID-19 virus.
“When COVID-19 first identified in Wuhan in late 2019 and the rest of the world in 2020 it was a novel virus. People had no way to fend it off so many got infected and the most vulnerable died. Eventually a vaccine came out and had the virus had not mutated, Covid would likely be over in 2021. But the virus mutated to Delta, then to Omnicron and now its on its umpteenth subvariant. And the drug companies can’t keep up. They are always chasing the last variants, but by the time the vaccine for that subvariant is available, a new subvariant pops up which eludes full protection from that latest vaccine. So those with the vaccine or previous exposure get some protection, but the virus will always progress enough to ensure that the most vulnerable, whether they are vaccinated or not, can penetrate their immune defenses and infect them.
It’s the same with the hackers. Antivirus companies and computer developers always find a way to identify and prevent malware from continuing to infect computers, but it’s always the last malware. By the time they have a solution for that, hackers have developed something new that penetrates the last fix. So, computer applications are always chasing after the last, now obsolete malware. And hackers are always looking for new, more destructive ways to obtain data that the cybercrime companies may not even have anticipated. The government and biggest companies like Microsoft and Amazon along with Malwarebytes, McAfee and Norton are known to even hire former hackers to help them develop new anti-hacking solutions but even they are a step behind the best hackers in the business. And like the mafia, when you kill the head of the organization there is always someone to take their place and usually someone with new techniques.”
Calvin and Martin seemed to confirm that opinion:
“Believing hacking can be stopped is pie in the sky. There is nothing that is hacker proof. It just doesn’t exist and it is never going to exist. Capabilities continue to change at the same rate or faster than our ability to protect ourselves from those things. If anyone said ‘hey I got this hacker proof system’ I came up with, the attackers are going to read about it, figure out what they are doing and find a way around it.”
So, we are now more than two weeks past the cyberattacks on MGM and Caesars and MGM is still doing what it can to 100% rectify the situation. Even with unlimited resources and industry experts, the hackers still hijacked their systems and it’s clear that once the systems are regenerated, they will still be open to new cyberattacks, unless they make significant changes. Kinectify has said that the answer is to get everything out of the premises and onto the cloud which may be true, but many CEOs and decision makers are likely leery of major changes. And some of these companies likely yearn for the days when everything, including slot machines, were manual and done with cash only.
One thing is certain, gambling is a multi-billion-dollar business and it is only going to grow as more states and provinces start offering both land-based and internet gambling. No doubt some hackers are already planning their next casino cyberattack and regardless of what the big names in gambling come up with to prevent it, there will be some vulnerability that they will be anxious to exploit. It’s imperative that CEOs and other decision makers swallow their pride and start using experts in the field like those at Kinectify and the Cyber Security expert to modernize their operations. They owe it to the shareholders, the staff and most of all to the gambling customers.
Read articles on the North American gambling industry from Hartley Henderson here at GamblersWORLD.