The hackers who are believed to be behind a major cyberattack that has disrupted several casinos and hotels in Las Vegas are part of a small but prolific cybercrime clique whose members have also hit other major U.S. companies in the past year by talking their way into access to computer networks, cybersecurity experts and a person familiar with the hacks said.
They are known in many cybersecurity circles in part because of a rare trait — they appear to be native English speakers, something that differentiates them from the many cybercrime groups that are made up of Russians and Eastern Europeans.
MGM Resorts, which runs many of the most popular casinos and hotels in Las Vegas including the Bellagio, Aria and Mandalay Bay, is still scrambling to recover after hackers significantly disrupted its operations earlier this week, leading to shutdowns on casino floors and hotel guests unable to use key cards to enter their rooms.
MGM employees were still unable to access their corporate emails as of Friday morning, a worker who was not authorized to speak for the company told NBC News. On Friday afternoon, MGM announced that while some systems were still affected by the attack, “the vast majority of our property offerings currently remain operational.”
The breach has become one of the most high-profile in recent years, a particularly public and flashy example of the ongoing scourge of cyberattacks and ransomware deployments that have waylaid police stations, hospitals and schools, alongside major businesses.
A person familiar with the attacks said the hackers behind the Las Vegas intrusions are members of a group that the cybersecurity industry often refers to as “Scattered Spider.”
And while many hacker groups employ varied hacking techniques to wreak havoc on computer systems, this group’s entry points can be decidedly low tech: phone calls and online chats with tech support.
Wendi Whitmore, a senior vice president at the cybersecurity company Palo Alto Networks, said her company is investigating multiple breaches connected to the hacker group. She said the hackers are masters of social engineering, which is the practice of fooling people into giving up information that can be used to take over the accounts of key people at victim companies. She declined to comment on who might be behind the recent casino attacks.
“They typically try to get a password reset by calling the help desk: ‘I’ve been traveling, I’ve just come back from vacation’ — some sort of a ruse that’s plausible enough,” she said.
“A lot of help desks have metrics on being able to resolve an incident quickly.”
Caesars Entertainment, which rivals MGM in Las Vegas and runs the Tropicana, William Hill, Harrah’s and its namesake Caesars, was also hacked last week, the company said in a Securities and Exchange Commission filing Thursday. It did not suffer public outages and may have paid the hackers to avert any major disruptions.
Those hackers do not have a clear public internet presence and could not be reached for comment. Charles Carmakal, a senior vice president at Mandiant, a cybersecurity company owned by Google that tracks the hacker group, said that they have been some of the most prolific hackers targeting American companies in recent months.
The group, which cybersecurity researchers began tracking last year, is behind many intrusions of American companies that have not been made public, he said.
In its SEC filing, Caesars said that the hackers first gained access via “a social engineering attack” on a tech support company that it uses. MGM’s press release about the hack didn’t address how the hackers broke in, and a spokesman didn’t respond to an email requesting comment.
An FBI spokesperson said in an email that the agency is actively investigating the incidents but declined to comment further.
It isn’t yet clear where any of the hackers are located, but Whitmore said there was active collaboration between law enforcement and the many cybersecurity companies that track those hackers. The United States often works with countries around the world to track and arrest cybercriminals.
“They’re gaining a lot more information about the potential attackers,” she said. “Certainly to the extent that they are located in the U.S., I think it would only be a matter of time before law enforcement would start being able to disrupt that.”