MGM and Caesars

MGM Resorts International disclosed on 11 September that it had been the target of a "cybersecurity issue" affecting operational systems across multiple Las Vegas properties (MGM Resorts statements through September). Caesars Entertainment disclosed a similar incident on 14 September, with parallel reporting that the company had paid an undisclosed ransom (Caesars 8-K filing, 14 September). Attribution has firmed up to the Scattered Spider / UNC3944 cluster acting as an affiliate of the BlackCat / ALPHV ransomware-as-a-service operation, with the principal initial-access vector being vishing (voice phishing) against the victim organisations' own help-desk teams.

The vishing-against-help-desk pattern is the operational story. According to the public reporting, the attackers identified a target employee through publicly available information (LinkedIn or comparable), called the victim organisation's help desk impersonating that employee, and used social engineering to persuade help-desk staff to reset the employee's MFA registration to a new device under attacker control. Note what this means: the MFA factor itself was never defeated; the account-recovery path replaced it. With the new registration in place the attackers held authenticated access to the employee's account and proceeded with post-compromise activity through the environment from there. The pattern belongs to the same family as the Lapsus$ and Oktapus social-engineering activity of 2022, but at substantially larger operational scale.

The defensive response is operationally tractable but requires sustained programme work. Help-desk identity verification needs to be more robust than name-and-employee-number checks: verification through pre-arranged out-of-band channels (manager call-back to a number already on record, in-person verification at an office location, identity-document presentation) reduces the social-engineering surface, and the verifying channel must be one the caller cannot supply during the call. MFA-reset workflows specifically should require additional verification beyond standard help-desk authentication, including manager approval and confirmation through those pre-arranged channels, with every reset logged against the help-desk agent who performed it. Phishing-resistant MFA (FIDO2 hardware tokens) removes the value of phished passwords and one-time codes, because the credential is bound to the origin and cannot be replayed against the authentication path. It does not by itself close the help-desk path, since a reset that enrols an attacker's device bypasses the hardware token entirely; FIDO2 only delivers its full benefit when re-enrolment of a lost or replaced token also requires physical presence or an existing registered factor rather than a phone call. The customer-portfolio MFA migration work that has been continuous through 2022-2023 has substantially addressed the FIDO2-side measures; the help-desk-process strengthening is the part of the defensive response that remains operationally underdeveloped at many customer organisations.
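The help-desk reset chain described above leaves a distinctive sequence in the identity provider's log: a factor reset performed by a support account rather than by the user, a new factor activated on the same account shortly afterwards, and then a sign-in from a network the user has never used. The following correlation is an added example written for this post, not tooling from the original page or from any vendor. The event-type strings follow Okta System Log naming as an assumption; the JSON field layout (`ts`, `type`, `actor`, `target`, `asn`) and every sample event are constructed for the example.

```python
"""Correlate help-desk MFA resets with follow-on enrolment and sign-in.

Added example (not the page's own tooling). Event type names are assumed to
follow Okta System Log naming; the field layout and sample log are constructed.
"""
import json
from datetime import datetime, timedelta

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROL_EVENTS = {"user.mfa.factor.activate"}
LOGIN_EVENTS = {"user.session.start"}

# Constructed sample log (JSON lines, one event per line).
#   alice: help-desk reset, enrolment, then sign-in from an ASN she has never used.
#   dave:  help-desk reset, enrolment, then sign-in from his usual ASN.
SAMPLE_LOG = """\
{"ts":"2023-09-10T08:00:00Z","type":"user.session.start","actor":"alice","target":"alice","asn":"AS7922"}
{"ts":"2023-09-10T09:00:00Z","type":"user.session.start","actor":"dave","target":"dave","asn":"AS7018"}
{"ts":"2023-09-11T10:00:00Z","type":"user.mfa.factor.reset_all","actor":"helpdesk.bob","target":"alice","asn":"AS64512"}
{"ts":"2023-09-11T10:07:00Z","type":"user.mfa.factor.activate","actor":"alice","target":"alice","asn":"AS20473"}
{"ts":"2023-09-11T10:12:00Z","type":"user.session.start","actor":"alice","target":"alice","asn":"AS20473"}
{"ts":"2023-09-11T11:00:00Z","type":"user.mfa.factor.reset_all","actor":"helpdesk.bob","target":"dave","asn":"AS64512"}
{"ts":"2023-09-11T11:05:00Z","type":"user.mfa.factor.activate","actor":"dave","target":"dave","asn":"AS7018"}
{"ts":"2023-09-11T11:09:00Z","type":"user.session.start","actor":"dave","target":"dave","asn":"AS7018"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def baseline_asns(events, user, before):
    """Networks the user signed in from before the reset (the 'known' baseline)."""
    return {e["asn"] for e in events
            if e["type"] in LOGIN_EVENTS and e["target"] == user and e["ts"] < before}


def detect_reset_chains(events, window=timedelta(hours=2)):
    """Return one alert per support-initiated reset that is followed, within
    `window`, by a factor enrolment and then a sign-in on the same account.
    Severity is 'high' when the sign-in comes from a network outside the user's
    pre-reset baseline, 'medium' otherwise."""
    alerts = []
    for reset in events:
        # Self-service resets from an authenticated session are a different risk; skip them.
        if reset["type"] not in RESET_EVENTS or reset["actor"] == reset["target"]:
            continue
        user = reset["target"]
        deadline = reset["ts"] + window
        later = [e for e in events
                 if e["target"] == user and reset["ts"] < e["ts"] <= deadline]
        enrol = next((e for e in later if e["type"] in ENROL_EVENTS), None)
        if enrol is None:
            continue
        login = next((e for e in later
                      if e["type"] in LOGIN_EVENTS and e["ts"] > enrol["ts"]), None)
        if login is None:
            continue
        new_network = login["asn"] not in baseline_asns(events, user, reset["ts"])
        alerts.append({
            "user": user,
            "reset_by": reset["actor"],
            "reset_ts": reset["ts"].isoformat(),
            "enrol_ts": enrol["ts"].isoformat(),
            "login_ts": login["ts"].isoformat(),
            "login_asn": login["asn"],
            "new_network": new_network,
            "severity": "high" if new_network else "medium",
        })
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect_reset_chains(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

In production the baseline should be built from weeks of sign-in history rather than the single prior session used here, and the "medium" case is still worth a ticket: the point of logging `reset_by` is that every help-desk reset is reviewable against the verification record the agent was supposed to complete.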

On the customer-portfolio response: the audit cycle this week has covered customer-organisation help-desk-process review specifically. The findings have been varied. Some customer organisations have substantively robust help-desk identity verification; others have process gaps that are now in active remediation. The aggregate operational work on this through Q4 is going to be substantial. The customer-portfolio incident-response readiness work has incorporated the Scattered Spider TTPs into the playbook content, and detection content for the documented post-compromise activity patterns has been deployed across customer SOC tenants.

The Caesars-side ransom payment has reopened the broader strategic conversation about ransom decisions in 2023. Caesars' apparent decision to pay (the 8-K filing references "discussions" without explicit confirmation, but the public reporting is consistent with payment) is in tension with the post-Norsk-Hydro and post-HSE doctrine of no payment plus recovery that has been the customer-portfolio guidance for several years. The customer-organisation conversations about whether an operational-pressure-driven payment posture is appropriate in any specific case continue to be substantive. My standing advice has been against payment in every case, with investment in recovery posture as the substantive defensive answer; the Caesars case illustrates that the position is not universally adopted in 2023, even at substantial organisations.

On the Scattered Spider cluster more broadly: the cluster, also tracked as UNC3944 / Octo Tempest, has been operationally active since 2022 and has demonstrated sustained capability against substantial enterprise targets across multiple sectors. The hospitality-sector targeting in September reflects a financial calculation (high-volume operational systems and time-sensitive customer-service exposure that together create payment pressure), but the cluster's operational capability is broadly applicable. Customer-organisation threat modelling needs to incorporate the cluster's documented TTPs explicitly.

I will return to this. The MGM and Caesars cases will continue to develop and the broader Scattered Spider activity will continue.
