The MGM Resorts Hack — A $100M Lesson in Social Engineering

Osmond van Hemert
Breaches & Zero-Days - This article is part of a series.

It’s been about ten days since MGM Resorts International confirmed a major cybersecurity incident that has disrupted operations across their properties. Slot machines went dark, hotel room keys stopped working, guests couldn’t check in electronically, and the company’s website was taken down. The estimated financial impact is staggering — analysts are projecting costs could exceed $100 million. And from what we know so far, it started with a phone call.

The attack has been attributed to a group known as Scattered Spider (also tracked as UNC3944), reportedly working with the ALPHV/BlackCat ransomware operation. According to multiple reports, the initial breach vector was a social engineering call to MGM’s IT help desk. An attacker, armed with information scraped from a LinkedIn profile, convinced a help desk employee to reset credentials. From that foothold, the attackers escalated privileges and eventually deployed ransomware across MGM’s systems.

The Social Engineering Problem We Keep Ignoring

Let me be direct: we spend billions on firewalls, endpoint detection, zero-trust architectures, and AI-powered threat detection, and then a 10-minute phone call brings down a $14 billion company. This isn’t a technology failure. It’s a systemic failure in how we think about security.

Social engineering isn’t new, and it isn’t exotic. Kevin Mitnick wrote about it decades ago. Yet here we are in 2023, and the help desk remains one of the softest entry points in most organizations. The reason is straightforward: help desks are optimized for customer service. Their KPIs are resolution time and customer satisfaction. Security friction is the enemy of those metrics.

When an articulate caller provides enough personally identifiable information to seem legitimate and pressures for immediate access, the path of least resistance is to help them. That’s what help desk staff are trained to do — help. The attacker exploits not a bug in software, but a feature in human psychology.

What’s particularly notable about the Scattered Spider group is their fluent English and social manipulation skills. Unlike many ransomware operations that rely primarily on technical exploitation, this group excels at the human element. They research targets thoroughly, craft convincing pretexts, and execute with the confidence of someone who belongs.

The Cloud and Identity Layer

Reports suggest that the attackers targeted MGM’s Okta environment and their Azure Active Directory, essentially going after the identity layer that ties everything together. This is the nightmare scenario for organizations that have centralized their identity management (which is the right thing to do, ironically).

When your identity provider is compromised, the attacker doesn’t need individual exploits for each system. They have the keys to the kingdom. Every application that trusts your IdP, every service that uses SSO, every cloud resource protected by that identity layer — all of it becomes accessible.

This highlights a critical challenge in modern cloud architecture: centralized identity is both the best practice for security and a catastrophic single point of failure if breached. The answer isn’t to go back to fragmented authentication — it’s to layer additional protections around the identity infrastructure itself.

Multi-factor authentication helps, but it’s not a complete solution. The Scattered Spider group has demonstrated the ability to bypass MFA through social engineering (convincing help desks to add new MFA devices) and MFA fatigue attacks (repeatedly triggering push notifications until a tired user approves one). Hardware security keys like YubiKeys are more resistant, but adoption rates remain low even in security-conscious organizations.

The Caesars Connection

It’s worth noting that Caesars Entertainment disclosed their own breach just days before the MGM incident became public. Caesars reportedly paid approximately $15 million in ransom — roughly half of the $30 million demanded. The same group is believed to be responsible.

The contrast in responses is instructive. Caesars paid the ransom, contained the damage relatively quietly, and resumed normal operations. MGM refused to pay, resulting in extended outages across their properties. There’s no universally right answer here — the FBI advises against paying ransoms, but when your entire operation is crippled and every day costs millions, the calculation gets complicated fast.

From a technical standpoint, MGM’s extended recovery time suggests either insufficient backup and recovery infrastructure or that the attackers achieved deep enough access to compromise recovery mechanisms themselves. Sophisticated ransomware operations now specifically target backup systems, knowing that intact backups are the primary alternative to paying.

What Organizations Should Actually Do

If you’re an engineering or security leader reading this, here’s what I’d prioritize:

Harden your help desk procedures. Implement callback verification for sensitive operations. Require manager approval for credential resets on privileged accounts. Train help desk staff to recognize social engineering tactics and give them explicit permission to refuse requests that don’t pass verification, without fear of negative performance reviews.

Protect the identity layer. Treat your IdP as critical infrastructure. Implement hardware MFA for administrative access. Monitor for anomalous authentication patterns. Have a specific incident response plan for identity infrastructure compromise.

Assume breach in your architecture. Implement network segmentation so that compromising one system doesn’t grant access to everything. Use just-in-time access provisioning rather than standing privileges. Monitor lateral movement indicators.

Test your recovery. Regular disaster recovery testing isn’t just about checking a compliance box. Can you actually restore operations if your primary systems and backups are simultaneously compromised? How long does it take? What’s the manual fallback?
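Two of the patterns above, MFA push fatigue and a help-desk factor reset followed by a login from a place the user has never been seen, are concrete enough to write detection logic for. The following is an added example, not code from the original post or from any IdP vendor; the event schema, field names (`type`, `user`, `ip`, `actor`) and thresholds are assumptions, and the events are constructed sample data rather than real logs.

```python
"""Detections for MFA push fatigue and for a help-desk factor reset followed by
a new-IP login. Added example, not from the original post; the event schema,
field names and thresholds are assumptions; the events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events in an assumed schema (not real IdP logs).
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T01:00:00", "user": "bob", "type": "login.success", "ip": "198.51.100.4"},
    {"ts": "2023-09-10T02:00:00", "user": "bob", "type": "mfa.factor.reset", "ip": "10.0.0.5", "actor": "helpdesk-1"},
    {"ts": "2023-09-10T02:20:00", "user": "bob", "type": "login.success", "ip": "203.0.113.9"},
    {"ts": "2023-09-10T03:00:00", "user": "carol", "type": "push.sent", "ip": "198.51.100.8"},
    {"ts": "2023-09-10T03:00:10", "user": "carol", "type": "push.approved", "ip": "198.51.100.8"},
] + [  # alice: five prompts denied in five minutes, then a sixth one approved
    {"ts": f"2023-09-10T04:0{i}:00", "user": "alice", "type": t, "ip": "203.0.113.7"}
    for i in range(5) for t in ("push.sent", "push.denied")
] + [
    {"ts": "2023-09-10T04:05:00", "user": "alice", "type": "push.sent", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T04:05:20", "user": "alice", "type": "push.approved", "ip": "203.0.113.7"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Users who approved a push after receiving >= min_prompts prompts in the
    preceding window: the signature of someone worn down by repeated prompts."""
    flagged = {}
    for ok in (e for e in events if e["type"] == "push.approved"):
        prompts = sum(1 for e in events if e["user"] == ok["user"]
                      and e["type"] == "push.sent"
                      and timedelta(0) <= _t(ok) - _t(e) <= window)
        if prompts >= min_prompts:
            flagged[ok["user"]] = max(prompts, flagged.get(ok["user"], 0))
    return flagged

def reset_then_new_ip_login(events, window=timedelta(hours=2)):
    """Help-desk factor resets followed within `window` by a successful login
    from an IP never seen for that user before the reset."""
    evs = sorted(events, key=_t)
    hits = []
    for i, ev in enumerate(evs):
        if ev["type"] != "mfa.factor.reset":
            continue
        user, known = ev["user"], {e["ip"] for e in evs[:i] if e["user"] == ev["user"]}
        for later in evs[i + 1:]:
            if _t(later) - _t(ev) > window:
                break
            if later["user"] == user and later["type"] == "login.success" and later["ip"] not in known:
                hits.append((user, ev["actor"], later["ip"]))  # (victim, help-desk actor, new IP)
                break
    return hits
```

Both functions return the flagged users rather than raising alerts directly, so they can be wired into whatever SIEM or IdP log pipeline is in place; the thresholds should be tuned against a baseline of normal prompt volume before use.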

My Take

I’ve been in this industry long enough to see the same fundamental patterns repeat across decades of increasingly sophisticated technology. The MGM breach is, at its core, the same class of attack that has worked since the dawn of computing: fool a human, get access, escalate, profit.

What frustrates me is that social engineering remains the neglected stepchild of security investment. Organizations spend millions on SIEM platforms and endpoint detection but treat security awareness training as an annual checkbox exercise. The attacker community has clearly figured out that the human layer is the most cost-effective attack surface. Our defensive investments should reflect that reality.

The MGM incident will generate months of analysis, regulatory scrutiny, and vendor marketing campaigns for various security products. But if it doesn’t fundamentally change how organizations think about help desk security and identity protection, then we’ll be writing about the next version of this story within the year.

Don’t wait for the case study. Audit your help desk procedures this week. Test your identity infrastructure resilience this month. The attackers are already researching their next target.
