Scattered Spider – MGM Resorts & Caesars Entertainment
September 2023
Executive Summary
The Scattered Spider threat group, composed largely of English-speaking individuals using social engineering and SIM-swapping, compromised MGM Resorts and Caesars Entertainment. Caesars reportedly paid approximately $15M in ransom. MGM refused to pay; the resulting disruption took hotel and casino systems offline for over a week, with estimated losses exceeding $100M. The incidents highlighted the effectiveness of social engineering against helpdesk and identity systems.
Why This Matters
MGM/Caesars showed that social engineering by loosely organized criminal groups can paralyze major enterprises as effectively as sophisticated malware, exposing identity and helpdesk processes as critical policy-relevant attack surfaces.
Escalation Profile
Escalation Ladder
Phases
Social engineering of helpdesk
Attackers impersonated employees to IT helpdesks to obtain credentials and MFA resets, bypassing technical controls through human vectors.
Ransomware deployment and system shutdown
ALPHV/BlackCat ransomware deployed across MGM infrastructure; hotel check-in, slot machines, restaurant POS, and loyalty systems went offline for over a week.
Extended operational impact
MGM operated on manual processes for days; estimated losses exceeded $100M. Caesars paid ~$15M ransom to avoid similar disruption.
Threshold Crossings
- Demonstrated that social engineering alone can defeat sophisticated technical security at major enterprises
- Highlighted that young, loosely organized groups can cause damage comparable to state-sponsored actors
Restraint Factors
- Financially motivated — no geopolitical or destructive intent
- Attackers offered decryption for payment, consistent with criminal ransomware model
Attribution Assessment
Threat actor mapped to United States / United Kingdom (individuals; not state-sponsored) based on infrastructure analysis, malware attribution, and operational patterns.
- FBI and CISA joint advisory on Scattered Spider (Nov 2023)
- SEC required MGM and Caesars to disclose incidents under new cyber disclosure rules
- Multiple Scattered Spider members subsequently arrested in the US and UK (2024)
Sources: CISA/FBI Advisory AA23-320A: Scattered Spider; SEC: MGM Resorts International Form 8-K; Bloomberg: Caesars Paid Roughly Half of $30M Ransom Demand (2023-09-14)
“High Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Coercive Function
Ransomware
Denial of access through encryption — coercive value through economic extortion and operational disruption.
Observed coercive effects
- Demonstrated that social engineering alone can defeat sophisticated technical security at major enterprises
- Highlighted that young, loosely organized groups can cause damage comparable to state-sponsored actors
Entanglement Risk
Impact summary
MGM systems offline for 10+ days with >$100M in losses; Caesars paid ~$15M ransom; customer data exfiltrated at both companies.
Infrastructure Meaning
4 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Norms invoked
- Corporate duty of care for customer data and operational resilience
- Debate over ransom payment regulation
Policy responses
- FBI and CISA joint advisory on Scattered Spider (Nov 2023)
- SEC required MGM and Caesars to disclose incidents under new cyber disclosure rules
- Multiple Scattered Spider members subsequently arrested in the US and UK (2024)
Regulatory changes
- SEC cyber incident disclosure rules (effective Dec 2023) applied to both companies
- Renewed Congressional interest in regulating ransom payments
Governance impact assessment
Accelerated the SEC's practical enforcement of new cyber disclosure requirements and re-centered policy attention on identity security and social engineering as enterprise-critical risks.
Sources
CISA/FBI Advisory AA23-320A: Scattered Spider
SEC: MGM Resorts International Form 8-K
Bloomberg: Caesars Paid Roughly Half of $30M Ransom Demand
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
WannaCry
May 2017 · North Korea
WannaCry exposed how a leaked intelligence exploit can cascade into a global healthcare crisis, sharpening the policy debate on vulnerability disclosure and the duty to protect civilian systems.
Colonial Pipeline
May 2021 · Russia (criminal, not directly state-sponsored per US assessment)
Colonial Pipeline proved that criminal ransomware can trigger national-level infrastructure disruptions, collapsing the boundary between cybercrime and national security and forcing mandatory regulation of pipeline cyber defenses.
Costa Rica / Conti
April – May 2022 · Russia (criminal, not directly state-sponsored per public assessments)
Costa Rica showed that ransomware can effectively disable a nation's fiscal and health systems, forcing the first-ever national emergency declaration over a cyber attack and elevating ransomware to a sovereign-level threat.
Change Healthcare
February 2024 · Russia (criminal, possible state nexus)
Change Healthcare demonstrated that a single ransomware attack on a dominant healthcare intermediary can cascade into a national healthcare crisis, making the case for treating healthcare claims infrastructure as critical national infrastructure.