Named attack · kill-chain walkthrough

MGM & Caesars Ransom

A 10-minute help-desk call freezes the Vegas Strip

Scattered Spider (UNC3944) + ALPHV/BlackCat ransomware affiliate · September 7–20, 2023 (initial access through detonation and partial recovery) · High confidence

Attributed to Scattered Spider (also tracked as UNC3944 by Mandiant, Octo Tempest by Microsoft, and 0ktapus/Roasted 0ktapus by earlier researchers). The group is an English-speaking, predominantly US/UK youth network operating through the loosely-organized "Comm" social community. Multiple members were arrested in 2024: Noah Urban (Jan 2024, DOJ) and Tyler Robert Buchanan (Jun 2024, DOJ/Spain). ALPHV/BlackCat — a Russian-language ransomware-as-a-service — provided the encryption payload as a RaaS affiliate partner.

Scattered Spider — a loose collective of English-speaking young adults communicating via the 'Comm' underground — exploited the weakest link in enterprise identity: the human help desk. In roughly ten minutes on September 7, 2023, an attacker impersonating an MGM Resorts employee convinced the Okta-contracted help desk to reset MFA, surrendering Okta Super Admin credentials. Over the following days the group laterally moved into MGM's VMware ESXi hypervisor infrastructure and detonated ALPHV/BlackCat ransomware. Slot machines went dark, room-key systems failed, websites went offline, and MGM's casino floors were operationally degraded for roughly ten days. MGM refused to pay; the incident cost the company approximately $100 million per its October 5, 2023 SEC 8-K filing. Caesars Entertainment, hit by the same group weeks earlier, paid approximately $15 million of a $30 million ransom demand — disclosed in its September 14, 2023 SEC 8-K.

[Kill-chain diagram (8 scenes): Scattered Spider (UNC3944 / Octo Tempest, English-speaking "Comm" US/UK youth network) → OSINT on LinkedIn to identify an MGM employee and assemble a pretext (T1593.001 · T1591) → help-desk vishing call to the Okta-contracted IT help desk, Sept 7 2023, ~10 minutes, no robust identity verification (T1656 · T1566.004 · T1621 · T1078) → MFA reset granted → Okta Super Admin: create/modify any account, disable MFA policies, add attacker device, hijack SSO assignments (T1078.004 · T1136.003 · T1556.006 · T1098.001) → infrastructure discovery of SSO-integrated apps and the VMware vCenter/ESXi management plane (T1526 · T1082 · T1069.003 · T1018) → IdP token accepted by vCenter, all guest VMs accessible (T1550.001 · T1563 · T1021.004 · T1072) → ALPHV/BlackCat Rust encryptor, ESXi variant, detonated per host (T1486 · T1490) → slot machines offline ~10 days, room keys dead, websites/apps down → MGM Resorts refused to pay, ~$100M loss (8-K Oct 5 2023) (T1486 · T1657); Caesars Entertainment paid ~$15M of $30M demanded (8-K Sept 14 2023), ops not materially disrupted → aftermath: CISA/FBI advisory AA23-320A "#StopRansomware: Scattered Spider", Nov 16 2023 (30+ TTPs, help-desk verification, FIDO2 MFA, Okta admin log monitoring); DOJ arrests 2024: Noah Urban (Jan, Florida), Tyler Robert Buchanan (Jun, Spain), five members charged Nov 2024 (wire fraud, identity theft, CFAA).]

ALPHV "Operator" statement published on dark-web blog ~Sept 14 2023 — archived by vx-underground — claimed the initial call took ~10 minutes.
  1. Phase 01 · Reconnaissance · TA0043

    Attackers mined LinkedIn to identify an MGM employee and build a pretext for the help-desk call

    • Scattered Spider operators searched LinkedIn for MGM Resorts employees — specifically targeting individuals whose job titles and employer details would make them plausible caller identities for an IT help-desk reset request.
    • Open-source OSINT on the target (name, job title, department, likely manager structure) gave operators enough context to convincingly impersonate the employee during a live phone call.
    • The same OSINT-to-vishing pipeline had been used by Scattered Spider (tracked as 0ktapus) in 2022 against over 130 organizations in the Twilio/Cloudflare campaign, demonstrating the group's practised approach to social-engineering identity providers.
    • CISA advisory AA23-320A and Microsoft's Octo Tempest report both note that the group routinely researches targets on LinkedIn, Telegram, and internal directories before initiating contact.
  2. Phase 02 · Initial Access · TA0001

    One vishing call, ~10 minutes — the help desk reset MFA and handed over Okta Super Admin

    • On or around September 7, 2023, a Scattered Spider operator called the Okta-contracted IT help desk impersonating an MGM Resorts employee identified via LinkedIn reconnaissance.
    • The caller social-engineered the help-desk agent into resetting the target's multi-factor authentication — using only the employee's name, job title, and basic personal details as verification — a technique CISA designates T1656 (Impersonation) combined with T1566 vishing.
    • With MFA reset, the attacker authenticated as the target employee and escalated to Okta Super Administrator privilege — granting control over MGM's entire identity provider, including the ability to add or modify any user, application, or authentication policy.
    • Caesars Entertainment suffered a similar help-desk social-engineering attack weeks earlier (August 2023 access), also attributed to Scattered Spider; Caesars' ALPHV ransomware detonation preceded MGM's.
    • CISA advisory AA23-320A explicitly lists help-desk social engineering and MFA reset abuse as Scattered Spider's primary initial-access vector across its known victim set.
  3. Phase 03 · Persistence & Identity Takeover · TA0003

    Okta Super Admin gave the group god-mode over MGM's identity plane — new accounts, disabled MFA, SSO pivots

    • With Okta Super Admin access, operators could create new administrator accounts, disable or bypass MFA policies for existing users, and modify any SSO application assignment — enabling persistent access that survived individual password resets.
    • The group used Super Admin privileges to enumerate all Okta-integrated applications, identifying downstream SaaS and on-premises systems reachable via SSO federation.
    • CISA and Mandiant reporting on UNC3944 describe the group adding attacker-controlled devices as registered MFA factors on targeted accounts, so that access persisted even after incident response had begun.
    • Microsoft's Octo Tempest analysis notes the group uses identity-provider control as both a persistence mechanism and a lateral-movement enabler — Okta Super Admin is the master key to the entire enterprise identity graph.
  4. Phase 04 · Discovery · TA0007

    From Okta's vantage point, attackers mapped MGM's entire infrastructure — including the VMware ESXi hypervisor fleet

    • Super Admin access to Okta gave the group visibility into every application integrated with MGM's identity provider, enabling automated enumeration of cloud and on-premises environments without scanning from external infrastructure.
    • Operators identified MGM's VMware vCenter and ESXi hypervisor management plane as accessible via SSO-federated credentials — a common enterprise pattern where virtualization infrastructure is protected behind the same identity layer as SaaS applications.
    • CISA advisory AA23-320A and CrowdStrike reporting describe Scattered Spider conducting internal network reconnaissance using native tools (PowerShell, WMI, net commands) and cloud-provider APIs after obtaining valid credentials, to identify high-value targets before ransomware detonation.
    • Discovery of the ESXi fleet was the prerequisite step to the hypervisor-targeted ransomware deployment that would cause maximum operational disruption.
  5. Phase 05 · Lateral Movement · TA0008

    Federated credentials and stolen tokens moved the attack from Okta to on-premises VMware hypervisors

    • Using Okta Super Admin access, the group issued or hijacked federation tokens to authenticate directly into VMware vCenter — the management console controlling MGM's ESXi hypervisor fleet — without needing to compromise individual guest OS credentials.
    • This identity-first lateral movement pattern — moving from cloud IdP to on-premises infrastructure via SSO trust — is a Scattered Spider signature documented across multiple victims in CISA AA23-320A and Mandiant's UNC3944 series.
    • CISA and Microsoft note Scattered Spider also uses legitimate remote-management tools (AnyDesk, TeamViewer, RustDesk) and native tunneling to maintain access during lateral movement, making traffic difficult to distinguish from authorized IT activity.
    • The VMware management plane gave operators the ability to interact with every guest virtual machine running on the ESXi hosts — including systems supporting MGM's casino floor operations, hospitality systems, and payment infrastructure.
  6. Phase 06 · Execution — ALPHV/BlackCat Ransomware · TA0002

    ALPHV/BlackCat encrypted ESXi hypervisors across MGM's infrastructure — taking down casino operations simultaneously

    • Scattered Spider, acting as a RaaS affiliate, obtained the ALPHV/BlackCat ransomware payload and deployed it against MGM's VMware ESXi hypervisors — a known ALPHV specialty that maximizes impact by encrypting multiple virtual machines per physical host in a single operation.
    • ALPHV/BlackCat is written in Rust, supports both Windows and Linux (ESXi), and includes a dedicated ESXi encryptor variant; encrypting the hypervisor layer rather than individual guest VMs prevents booting any VM on the host, achieving maximum blast radius.
    • The encryption event caused slot machines across MGM casino floors to go dark, room-key card systems to fail, MGM.com and reservation systems to go offline, and MGM Rewards digital services to become unavailable — disruption persisting for approximately ten days.
    • ALPHV published a statement on their dark-web leak blog around September 14, 2023 claiming responsibility for the MGM attack and disputing MGM's public characterization of events — a now-common RaaS PR tactic to pressure victims.
    • Caesars Entertainment, hit earlier by the same group, paid approximately $15 million of a $30 million ransom demand before encryption caused any operational impact, per its September 14, 2023 8-K filing.
  7. Phase 07 · Impact · TA0040

    MGM refused to pay — ~$100M loss, 10 days of operational chaos; Caesars paid ~$15M before detonation

    • MGM Resorts refused to pay the ransom. In its October 5, 2023 SEC 8-K filing, MGM disclosed that the cybersecurity incident was expected to have a negative impact of approximately $100 million on its third-quarter 2023 Adjusted EBITDAR, plus additional costs for cybersecurity consulting, legal fees, and remediation.
    • Caesars Entertainment, which had been compromised earlier (August 2023 access), disclosed in its September 14, 2023 8-K that it had paid approximately $15 million — roughly half the $30 million ransom demanded — to prevent further data exposure and the threat of encryption; Caesars' casino operations were not materially disrupted.
    • MGM's operational impact spanned approximately ten days: slot machines were inoperable, hotel room-key card systems failed across multiple properties (including the MGM Grand, Bellagio, and Park MGM in Las Vegas), MGM.com and the MGM Rewards mobile app were offline, and check-in processes reverted to manual.
    • ALPHV/BlackCat published a statement on their dark-web blog around September 14, 2023 — archived by vx-underground — claiming they had spent only 10 minutes on the initial MGM social-engineering call and criticizing MGM's response, in a public pressure tactic to deter future victim resistance.
    • Multiple Scattered Spider members were subsequently arrested: Noah Urban (Florida, January 2024) and Tyler Robert Buchanan (Spain, June 2024) on DOJ federal charges related to the Scattered Spider hacking campaign.
  8. Phase 08 · Response & Lessons · TA0040

    CISA + FBI advisory, DOJ arrests, and industry guidance reshaped help-desk identity verification standards

    • CISA and the FBI published joint advisory AA23-320A on November 16, 2023 — '#StopRansomware: Scattered Spider' — cataloguing the group's TTPs, covering 30+ techniques across reconnaissance, initial access, persistence, and impact, and issuing mitigations targeted specifically at MFA policies and help-desk verification procedures.
    • The advisory's primary mitigation recommendations included: requiring robust identity verification (e.g., callback to known numbers, manager approval, in-person verification) before any MFA or password reset; phishing-resistant MFA (FIDO2/hardware tokens) as a baseline; monitoring Okta admin logs for Super Admin privilege escalations; and implementing network segmentation between identity infrastructure and hypervisor management planes.
    • Okta itself issued guidance following the incident on hardening help-desk authentication workflows, and noted in its own November 2023 disclosure that a breach of its support case management system (separate incident) had also affected a small number of Okta customers' session tokens.
    • The arrests of Noah Urban (January 2024) and Tyler Robert Buchanan (June 2024) marked the first significant law-enforcement action against Scattered Spider's membership; DOJ charged five individuals in November 2024 in connection with the broader campaign.
    • The MGM/Caesars intrusions became a landmark case study for the intersection of social engineering, cloud identity provider compromise, and ransomware — demonstrating that no amount of network perimeter defense prevents an attacker who controls the identity plane.
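The Okta admin-log monitoring that AA23-320A recommends can be reduced to a small correlation rule over the identity-takeover sequence described in Phases 02 and 03 (help-desk MFA reset, factor re-enrolled from elsewhere, Super Admin granted). The code below is an added example, not code from the page, CISA or Okta; the event type names follow Okta's System Log catalog, but the event bodies are simplified and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed events in simplified Okta System Log JSON shape; not real MGM data.
# A help-desk agent resets j.doe's MFA factors, a new factor is then enrolled
# from an outside IP, and the same account is granted Super administrator.
SAMPLE_LOG = """
{"published":"2023-09-07T14:02:10Z","eventType":"user.mfa.factor.reset_all","actor":{"displayName":"helpdesk.agent"},"target":[{"displayName":"j.doe"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2023-09-07T14:05:31Z","eventType":"user.mfa.factor.activate","actor":{"displayName":"j.doe"},"target":[{"displayName":"j.doe"}],"client":{"ipAddress":"203.0.113.7"}}
{"published":"2023-09-07T14:09:48Z","eventType":"user.account.privilege.grant","actor":{"displayName":"j.doe"},"target":[{"displayName":"j.doe"}],"client":{"ipAddress":"203.0.113.7"},"debugContext":{"debugData":{"privilegeGranted":"Super administrator"}}}
{"published":"2023-09-07T16:00:00Z","eventType":"user.session.start","actor":{"displayName":"a.smith"},"target":[],"client":{"ipAddress":"10.0.0.9"}}
"""

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def target_user(e):
    return e["target"][0]["displayName"] if e.get("target") else None

def detect(text, window_minutes=60):
    """Return alerts for the reset -> re-enrol -> Super Admin pattern."""
    window = timedelta(minutes=window_minutes)
    alerts, resets = [], {}  # resets: user -> (time of reset, IP that performed it)
    for e in parse_events(text):
        et, user, ip = e["eventType"], target_user(e), e["client"]["ipAddress"]
        recent = user in resets and e["ts"] - resets[user][0] <= window
        if et in RESET_EVENTS:
            resets[user] = (e["ts"], ip)
        elif et == "user.mfa.factor.activate" and recent and ip != resets[user][1]:
            alerts.append({"severity": "medium", "user": user,
                           "rule": "new MFA factor enrolled from a different IP soon after reset"})
        elif et == "user.account.privilege.grant":
            priv = e.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
            if "super" in priv.lower():  # any Super Admin grant is worth a ticket; recent reset makes it critical
                alerts.append({"severity": "critical" if recent else "high", "user": user,
                               "rule": "Super administrator granted" + (" within window of MFA reset" if recent else "")})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```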
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Scattered Spider (UNC3944) + ALPHV/BlackCat ransomware affiliate
Capability
  • T1591
  • T1593.001
  • T1589.001
  • T1656
  • T1566.004
Infrastructure
Victim
  • See narrative above
Primary sources