The Journal. - Six Days of Chaos at MGM’s Casinos
Episode Date: March 29, 2024
A gang of young criminals. A more than $30 million ransom. Casinos in disarray. WSJ's Robert McMillan brings us inside a cyberattack that brought mayhem to the Las Vegas Strip.
Further Reading:... - The Audacious MGM Hack That Brought Chaos to Las Vegas
Further Listening: - How North Korea's Hacker Army Stole $3 Billion in Crypto - Hacking the Hackers - Hack Me If You Can
Transcript
The following story took place over a week in September last year.
The story is set in Las Vegas, at the casinos that are owned and operated by MGM Resorts.
Our colleague Bob McMillan sets the scene.
MGM runs about half the Las Vegas Strip.
So, you know, they obviously operate the MGM Grand,
but they operate Bellagio and Mandalay Bay, Luxor,
you know, a whole bunch of the really iconic Las Vegas casinos.
This story is about a heist,
and it starts on an otherwise typical Friday night.
It's the busiest night for guests checking in,
for people gambling,
for people being entertained on the strip.
And that makes it a great time to strike.
The main characters are as follows.
MGM Resorts,
its CEO, Bill Hornbuckle,
and a brash young group of skilled thieves.
It's a true story,
the details of which are based on interviews with investigators,
MGM employees, court documents,
and a conversation with one of the alleged crooks.
Our opening scene takes place far from the glitz and glam of the casino floor.
It happens in the bowels of MGM, in the IT department.
This is Chapter One.
The Way In.
Tech support gets a call, Friday night.
It's a call that people in tech support get many times a day.
Somebody on the other line works for MGM.
They say they forgot their password, can't get into the network.
They need to get their account back.
And what you do is you do an account reset, right?
So the tech support people, they ask for a bunch of personal information just to establish the identity.
And then they do establish that this appears to be a legit person and they reset the account.
So the person on the phone gets access to an MGM account.
But you know how these stories go.
Of course, the person on the phone was an imposter.
The MGM employee whose account got reset gets a notification on their phone saying like, hey, you just reset your account,
you know, you're back in the network.
And they look at their phone and they're like,
I didn't do this.
And so they report it to the IT department.
They're like, I just got some weird account reset.
Wasn't me, don't know what's going on.
What happened after that alert came in to that employee and he had notified the IT department? Did that raise any other alarm bells at MGM?
Nope. Nope. It was just a weird thing that happened. Maybe look into it. It's not the kind of alert you would get at sort of IT central and go into panic mode.
It's just the kind of alert that happens all the time.
But soon, MGM resorts would go into panic mode.
Because that seemingly innocuous password reset was actually the moment the thieves got in.
And tens of millions of dollars were now on the line.
Welcome to The Journal, our show about money, business, and power.
I'm Ryan Knudson. It's Friday, March 29th.
Coming up on the show, chaos at the casino.
Chapter 2.
Eggplant Emojis.
So Saturday things got a little interesting.
On Saturday, MGM's IT department began to realize something was up. Someone was in their system, and they were moving around MGM's network.
They started going from system to system,
and they started changing whatever settings they could
to try and get other, you know, sort of open little back doors.
And they were doing all kinds of things,
setting up account privileges on systems
that would enable them to
maintain their beachhead within the MGM network, even if this first point of entry was shut down.
It was hackers. They were trying to steal things like customer data.
But they were also doing something you don't often see hackers do. They were goofing around,
making juvenile jokes and renaming files, some of which were
racist and crude. And that's not something you normally see. You don't see that from the Chinese,
right? Or the Russians even. This was unusual. So they're renaming files. They're popping up
using the eggplant emoji, which is, you can look it up, juvenile reference.
Yeah. I think people probably get what that emoji typically stands for.
Sadly, I did not, but don't tell anyone that.
Okay, boomer.
100% busted there.
While the hackers were moving around MGM's network,
the IT department was struggling to kick them out.
They try to shut down things and it's not working.
So there's something going on here.
There's something unusual
and there's something that merits the attention of upper management.
Chapter 3.
Dessert before dinner.
Cut to MGM's CEO, Bill Hornbuckle.
He's 62 years old with dark gray hair.
He's run the company for nearly four years.
And on Saturday night, he was with his wife,
getting ready for a fundraiser at a gala at the Wynn Casino.
It was an event where they had celebrity chefs, I think,
reimagine Girl Scout cookies into fantastic desserts.
It was called Dessert Before Dinner.
Yum.
And it sounded really fun.
Yeah.
And you go there, you have these Girl Scout cookie themed desserts presented.
And when they leave for the event, everything seems kind of normal.
But while at the event, Hornbuckle and one of MGM's top lawyers, who was also there, started getting messages from the company's tech department.
They're swapping messages and they're just getting worried.
They're seeing what the tech staff is reporting and they're not getting them out of the network.
Back at the office, the problem was getting worse for the tech staff.
They start to realize they are engaged in,
sometimes you might describe it as hand-to-hand combat.
They're engaged in this effort to try and push the intruder out of their network
and just finding out over and over again
that there's been another way set up to get them back in,
over and over again.
So yeah, that evening and all through that night,
they're just basically playing whack-a-mole with this group.
By midnight, Hornbuckle knew his company was in a full-scale crisis.
So MGM started taking steps to mount a defense.
One of the first things they do is they go off of email.
They're like, we don't know if these hackers have access to all of the email or not, but we don't trust it.
Then they called in their cybersecurity firm to help them investigate.
And pretty quickly they had identified the group that was responsible for this.
And who was it that had hacked into their system?
They called themselves Star Fraud.
Chapter 4.
The Hackers.
Star Fraud is a group of very capable cyber break-in artists.
They're great at cracking open the door. And then more than that, they're great at just launching a blitzkrieg on the network once they get in.
And moving around very quickly, securing a foothold,
and using a variety of techniques to just make sure that they never get kicked out again.
There are two things that really make Star Fraud stand out.
One is where they're based.
They're not in Russia or China, where many hackers live.
They're mostly from the U.S., the U.K., and Canada.
The other thing is that they're mostly a bunch of teenagers.
Yeah, Western teenagers.
So these are native English speakers.
I mean, most of the hacking stories that I've written about for the last 15 years have involved Russian hackers, Chinese hackers, sometimes North Korean hackers,
Iranian hackers. They often come from offshore because there are a number of countries where
it's really, really hard for the United States to arrest and extradite people. So that tends to be
where the worst cyber problems come from. But this was different. This was a Western cybersecurity problem.
And more notably, it's a Western cybersecurity problem that seems to have grown out of
teenagers playing video games, to stealing accounts online,
to breaking into phones, to stealing cryptocurrency, to freezing the operations of companies,
to becoming one of the biggest cyber threats that we're facing in the United States today.
Being native English speakers gives this group an advantage that hackers from other countries often can't use. They're really good at impersonating people. For a hacker looking
to break into an American company, this is a valuable skill. See, if you're able to steal an employee's
personal information, like their social security number and date of birth, which is pretty easy
to do on the dark web, then you can call up their company's IT department, pretend to be them,
and get their password reset, which is exactly how Star Fraud got into MGM.
These kids can call up tech support and they speak English like native
English speakers. And so they don't raise any alarm bells when they call up and say that they're
employees of Western companies. And there's a way that when you're from the same culture as somebody,
you can really, it makes it easier to manipulate them, right? Like you can very quickly make a
connection over the phone with that kind of person and get them to relate
to you and to think of you not as just a voice on the phone, but actually as a real person who's
facing a crisis and needs to get their business done right away.
And Star Fraud has gotten really good at this kind of hack.
The group has also been linked to attacks on big companies like Clorox
and Caesars, another big casino operator in Vegas.
Do you have any sense of why Star Fraud targeted MGM?
Well, they were kind of going through an online casino hacking thing at the time.
I think they seem to like brand name victims
because there's this combination of a desire to make money, which they appear to be pretty good at doing, but also a desire to have recognizable targets for bragging rights as well, to be able to say, like, we hit somebody.
And I think hitting MGM probably felt like this is a cool company to hit, right? Like people are going to know who they are.
By Sunday, Hornbuckle and MGM knew who the hackers were. But what did they want? And should MGM give it to them?
Chapter 5 is next.
Chapter 5.
Shut It Down.
Bill Hornbuckle had spent much of his Saturday night at the Girl Scouts gala messaging back and forth with a tech team that was responding to the hack.
And it seemed like the company was losing.
So, on early Sunday morning, Hornbuckle decided to do something drastic.
You know, at 5 a.m., Hornbuckle just says, shut it down.
You know, shut down our intranet, shut down the systems that these hackers seem to be abusing to retain their persistence on the network.
Why would shutting its computer system down help?
Well, so they're not shutting every single system down. MGM runs like thousands of servers and they have, you know, back-end systems that do all kinds of stuff.
It's a very complicated business.
But the places where they knew these hackers had secured a foothold, they were going to pull the plug and just disconnect them from the Internet, essentially, which would just prevent the hackers from getting back in.
Right. Because if they're not connected to the internet, then the hackers have no way in.
So you pull up the drawbridges, essentially, around the castle.
Right, yeah, there you go.
But pulling up the drawbridges and shutting down big pieces of MGM's computer network would make it harder for the casino to serve its customers.
You know, this is going to have a big impact, right?
Like this is going to affect your ability to book online.
This is going to affect our ability to issue key cards in the hotels.
So if you wanted to check in, you'd have to check in,
you know, using like literally like a pen and paper kind of check-in.
But this is not going to be catastrophic, right?
This is going to prevent the hackers from getting back in.
It's going to prevent a data breach.
It's going to disrupt our business.
But we're going to stop this hack.
It's not going to go any farther.
Or so they thought.
Chapter 6.
All Hell Breaks Loose.
Early Tuesday morning, the hackers finally said what they wanted.
So at 2 a.m., the hackers send an email to Bill Hornbuckle, the CEO of MGM, saying that they've installed this ransomware.
It's going to freeze MGM's network everywhere.
They want more than $30 million.
How did Hornbuckle respond?
He didn't know about it.
He didn't know about it?
I mean, they sent it via email,
and he had been off his email since Sunday morning, basically.
As a defense against the hackers,
he stopped communicating via email,
so he wasn't checking messages.
Yeah.
So the hackers send this guy a ransom demand at 2 a.m. and he doesn't get it for another 12 hours.
By Tuesday morning, MGM's casinos were in chaos.
The company's decision to disconnect many of its systems,
combined with Star Fraud's ransomware, was wreaking havoc.
It's a total shutdown.
And by now, people were really starting to notice.
On Sunday, systems at MGM Resorts properties began shutting down,
including slot machines, company email, the MGM website, and more. Slot and gaming machines offline, ATM machines also down. Comes after several issues
were reported over the weekend at MGM properties, including guests not being able to use their
digital keys at hotel rooms. It sounds like a nightmare for our customers out there.
Slot machines aren't working. People are getting paid out with cash. You know, MGM is recruiting, like, anyone they can get. Senior management is showing up in the pits at MGM with, like, money belts around their waist to try and help pay out people who have won money.
Everything's pen and paper.
They're keeping track of their accounting system,
just moves off of computers, basically.
It's just a disaster.
But I thought MGM had pulled up the drawbridges and shut off the system so that the hackers were kicked out. How were they able to get their ransomware on there?
Well, I think they had been sort of kicked out, but before they had done that, they had sort of planted this destructive software as a... It's almost like you're getting kicked out of the port and you're going to scuttle the ships, you know? It's kind of like that.
So it appears that they no longer had access.
They had a way to get in,
but they had preset this ransomware to go.
They sort of left some bombs behind, so to speak.
Yeah, yeah.
Chapter 7.
Hit or Stay.
Remember how Hornbuckle didn't see Star Fraud's email
where they asked for more than $30 million?
That meant MGM also wasn't negotiating with them.
And I don't think they liked that, right?
Like, I think they, at that point, were like,
okay, let's put some pressure on MGM.
And so this character emerges, this anonymous hacker who is sort of known to investigators and is basically known to have been in a position to know what was going on with the Star Fraud group.
This person shows up and starts doing interviews with the press.
The alleged hacker even started messaging Bob.
I had a Telegram chat with this person
who told me a bunch of stuff about how they allegedly got in.
And they start describing how incompetent the tech support people at MGM were
and how they allowed this to happen.
And clearly the effort is to put pressure on MGM to pay.
If Hornbuckle paid the money,
Star Fraud said they would hand over the digital keys
that would unlock the ransomware and restore MGM's systems.
But paying the ransom wasn't Hornbuckle's only option.
Alternatively, he could rebuild the casino's computer systems from scratch.
You're up for disruption either way,
and you're paying criminals
and sort of trusting their tech support system
and kind of trusting them even if you pay the ransom.
Whereas if you just say like,
look, we're going to just burn this server to the ground,
reinstall everything from the ground up on it,
then you have a certain amount of confidence that they're actually kicked off of it.
So that's the question that they were facing on Tuesday.
How big of a task is it, though, to shut all your servers down and reinstall everything from scratch?
It's a big task.
Just think about the last time you got a new phone and what it was like, how hard it was to, like, move everything from your old phone to the new phone, you know, and then imagine that you have not a phone, but a server that's custom configured and that, you know, you've got to do this 3,000 times or 4,000 times or whatever. You've got to do this thousands of times.
Chapter 8.
Down to the Wire.
Despite the fact that Star Fraud's intrusion
had crippled MGM's casinos for several days,
causing chaos on the Vegas Strip,
Bill Hornbuckle wouldn't be swayed.
He decided not to pay the ransom.
Instead, the company rebuilt its computer systems
from the ground up.
Even though MGM didn't pay the more than $30 million ransom,
how big of a cost did it experience
by just fighting them off?
$100 million.
In an SEC filing that came out a few weeks after the hack,
they indicated that the cost of the incident was more than $100 million.
Wow. So it was more expensive for MGM to fight than to just pay.
100%. So this is not an uncommon thing where you have to make a call, and it often is less expensive to just pay for the ransomware, get the decryption key.
But the problem is that, first of all, the decryption keys don't always work.
And then, you know, there is this question of like, are you going to get extorted again?
But isn't that still a concern for MGM?
I mean, can they really be sure that Star Fraud is gone and won't come after them again?
I mean, once you wipe the operating system off your computer and reinstall it like a fresh version of the OS, you know that whatever software they put on that computer is probably gone, right?
Like, that's the most sure you can be.
It's almost like buying a new computer, you know, at that point.
So, you get a lot of confidence from doing something like that.
Now, if we look at the initial way they got in,
it was through the tech support system, right?
So that's the thing that you need to fix because otherwise they can get through there again.
Epilogue.
It took MGM several days to get most of the customer-facing systems up and running, like the slot machines and the key cards, and several weeks to fix everything else.
Here's Hornbuckle in an interview after the hack was over.
Look, it was a hell of a three-week period. I cannot but see how resilient we are. I got to call out the MGM employees. They've been nothing but great through this entire process. But this is behind us. Hopefully it's a one-time incident, knock on something quickly, and while we're all moving forward.
It had a significant impact.
The hack might be behind MGM,
but Bob says that ransomware attacks like these,
that start out by tricking tech support
into resetting a password,
are bound to become more common.
Well, everybody uses tech support, right?
Like, everybody is vulnerable
to this sort of password reset over the phone problem.
It's a very, very widespread potential problem
and one that we suddenly need to think about
in a way that we didn't just a few years ago.
You mentioned earlier that a lot of the worst hackers were coming out of countries where
it's very difficult for the United States or other Western nations to extradite these
criminals.
But if these hackers are in the West, if they're in places in Europe and even in the U.S.,
does that mean that it might be easier for law enforcement to catch these guys?
Well, Ryan, how many hours do you have to talk about this? Because one of the reasons that this group is so problematic and this phenomenon is such a problem is because a lot of the people engaged in this activity are minors.
And it makes things different when you're pursuing
minors. And there's sort of this sense of like, if you're a teenage boy, you feel kind of impervious
to the real world anyway. And then in the legal system, it's just really hard to stop them.
Before we go, we wanted to let you know that today marks one year since our colleague, Wall Street Journal reporter Evan Gershkovich, was detained by Russian authorities while on a
reporting trip and accused of espionage. Evan, the Journal, and the U.S. government vehemently deny the accusation,
and the Biden administration has designated Evan as wrongfully detained.
Russian courts have repeatedly rejected appeals by his lawyers, and this week,
ordered Evan held in pretrial detention in a Moscow prison until June 30th.
In a letter released last night, our editor-in-chief Emma Tucker said Evan's detention is, quote,
a blatant attack on the rights of the free press at a time when journalists are needed to bear witness to history.
That's all for today. Friday, March 29th.
Additional reporting in this episode by Catherine Sayre and Sarah Krause.
The Journal is a co-production of Spotify and The Wall Street Journal.
The show is made by Annie Baxter, Catherine Brewer, Maria Byrne, Victoria Dominguez,
Pia Gadkari, Rachel Humphries, Matt Kwong, Kate Linebaugh, Jessica Mendoza, Annie Minoff,
Laura Morris, Enrique Perez de la Rosa, Sarah Platt, Alan Rodriguez Espinosa, Our engineers are
Our theme music is by So Wiley.
Additional music this week
from Katherine Anderson,
Marcus Bugala,
Peter Leonard,
Bobby Lord,
Emma Munger,
Nathan Singapak,
Griffin Tanner,
and Blue Dot Sessions.
Fact-checking by Mary Mathis
and Najwa Jamal.
Thanks for listening.
See you Monday.