Threat Intelligence Assessment
MGM Resorts 2023 — Anatomy of an Identity Attack
April 22, 2026
Key Judgments
[ HIGH CONFIDENCE ]
Scattered Spider (UNC3944) executed the September 2023 intrusion against MGM Resorts using vishing and identity provider manipulation as primary attack vectors, with no malware required to achieve initial access. Attribution is assessed with high confidence based on ALPHV's public claim of responsibility, CrowdStrike and CISA technical reporting, and the group's consistent use of English-language social engineering against IT help desks.
[ HIGH CONFIDENCE ]
The ransomware deployment against MGM's ESXi hypervisors was a secondary action triggered by failed negotiation, not the original objective. The primary mission was data exfiltration and extortion. This distinction matters for defenders — the destructive phase was avoidable at multiple points before ransomware was ever introduced.
[ MODERATE CONFIDENCE ]
Caesars Entertainment, targeted by Scattered Spider during the same period via the same social engineering playbook, paid approximately $15 million in ransom. The parallel targeting of two major casino operators within weeks reflects deliberate sector targeting, not opportunistic selection.
Executive Summary
In September 2023, Scattered Spider — a loosely organized cybercriminal collective of English-speaking young adults based primarily in the United States and United Kingdom — breached MGM Resorts International using nothing more than a phone call. By impersonating an MGM employee on a ten-minute call to the company's IT help desk, attackers obtained administrator access to MGM's Okta and Azure environments. What followed was ten days of operational chaos across MGM's Las Vegas properties: slot machines offline, digital room keys dead, reservation systems down, ATMs dark. The company lost an estimated $100 million in Q3 2023 revenue and spent an additional $10 million on incident response. MGM declined to pay the ransom. Its competitor Caesars, hit by the same group using the same playbook days earlier, paid $15 million.
The intrusion began with open-source reconnaissance. Scattered Spider identified a high-privilege MGM employee via LinkedIn, then called MGM's IT help desk posing as that employee and requested a password reset. No technical exploit was used. No phishing email was sent. The help desk agent had no mechanism to verify the caller's identity beyond the information they provided. Administrator credentials to MGM's Okta tenant were obtained within ten minutes of the call connecting.
With Okta super administrator access, the attackers moved quickly to entrench themselves. A secondary identity provider was registered under attacker control — giving them a persistent authentication path that survived MGM's subsequent defensive lockout attempts. Credential harvesting via domain controller memory dumps using standard tooling yielded domain administrator rights, enabling broad lateral movement across MGM's hybrid cloud and on-premise environment. Throughout this phase, no novel malware was deployed. The attackers lived entirely on legitimate credentials and identity infrastructure.
When MGM's security team detected unusual activity on September 9th and began shutting down Okta Sync servers, the attackers had already pre-positioned for impact. On September 11th, after failed negotiation attempts, ALPHV deployed ransomware against more than 100 ESXi hypervisors across MGM's environment. The encryption of virtual machine infrastructure at that scale, across a network with insufficient hypervisor isolation, produced near-simultaneous operational failure across MGM's Las Vegas properties. Six terabytes of data had already been exfiltrated before a single file was encrypted.
Attribution is assessed with high confidence. ALPHV publicly claimed responsibility on September 14th, describing their access timeline and MGM's defensive response in detail. The claim was corroborated by CrowdStrike, CISA, and the FBI, who issued a joint advisory on Scattered Spider in November 2023. In July 2024, a 17-year-old suspect was arrested in the United Kingdom. Five additional members faced U.S. federal charges by November 2024. As of 2026, Scattered Spider remains operational — CISA updated its advisory in July 2025 reflecting new TTPs including more sophisticated social engineering techniques and the adoption of DragonForce ransomware alongside their existing playbook.
Threat Actor Profile
| Attribute | Detail |
|---|---|
| Designation | Scattered Spider / UNC3944 / Muddled Libra |
| Sponsorship | No nation-state affiliation — financially motivated cybercriminal collective, loosely affiliated with The Com and ALPHV ransomware-as-a-service |
| Mandate | Data theft, extortion, and ransomware deployment against large enterprises; persistent focus on identity infrastructure and IT help desk exploitation |
| Known Ops | Twilio (2022), Caesars Entertainment (2023), MGM Resorts (2023), Snowflake customer campaign (2024), Marks & Spencer (2025), Qantas via third-party customer service platform (2025) |
| Signature TTPs | Vishing, SIM swapping, MFA fatigue attacks, Okta identity provider abuse, living-off-the-land, ESXi ransomware deployment via ALPHV affiliate |
Incident Reconstruction
| Date | Event |
|---|---|
| Sep 7, 2023 | Scattered Spider targets Caesars Entertainment via social engineering against a third-party IT support vendor. Caesars pays $15 million ransom — half the original $30 million demand. |
| Sep 8, 2023 | Scattered Spider identifies an MGM Resorts employee via LinkedIn. Attacker calls MGM IT help desk, impersonates the employee, and requests a phone number reset. The call lasts approximately ten minutes. Administrator privileges to MGM's Okta and Azure tenants are obtained. |
| Sep 8–10, 2023 | Attackers establish persistence by deploying a secondary identity provider under their control. Credential harvesting via domain controller memory dumps grants domain administrator rights. Lateral movement and data exfiltration begin across MGM's environment. |
| Sep 10–11, 2023 | MGM security team detects unusual activity and begins shutting down critical infrastructure including Okta Sync servers. MGM publicly discloses the incident and contacts law enforcement. |
| Sep 11, 2023 | ALPHV deploys ransomware against more than 100 ESXi hypervisors. Slot machines go offline. Digital room keys fail. Online reservations, the MGM app, and on-site ATMs are disrupted across MGM's Las Vegas properties. |
| Sep 14, 2023 | Scattered Spider claims exfiltration of 6 terabytes of data and threatens notification to HaveIBeenPwned if ransom terms are not met. MGM declines to pay. |
| Sep 20, 2023 | MGM confirms full restoration of all systems after ten days of disruption. Total losses reported at approximately $100 million in Q3 revenue impact plus $10 million in incident response costs. |
| Jul 2024 | A 17-year-old in Walsall, UK is arrested by West Midlands Police in cooperation with the FBI in connection with the MGM attack. |
| Nov 2024 | U.S. prosecutors unseal criminal charges against five alleged Scattered Spider members. 19-year-old Remington Ogletree arrested. |
| Jan 2025 | MGM agrees to a $45 million class-action settlement covering victims of both the 2019 and 2023 breaches. |
Technical Indicators — MITRE ATT&CK
| Phase | ID | Detail |
|---|---|---|
| Reconnaissance | T1591.004 | Gather Victim Org Information — LinkedIn used to identify and profile a high-privilege MGM employee prior to vishing call |
| Initial Access | T1566.004 | Phishing: Voice — vishing of MGM IT help desk, impersonating a known employee to obtain credential reset |
| Persistence | T1556.006 | Modify Authentication Process — secondary identity provider deployed under attacker control to survive MGM's defensive lockout |
| Credential Access | T1003.001 | LSASS Memory — domain controller memory dumps used to harvest credentials and obtain domain administrator rights |
| Lateral Movement | T1078.004 | Valid Accounts: Cloud Accounts — Okta and Azure administrator access used to move across MGM's cloud and on-premise environments |
| Exfiltration | T1041 | Exfiltration Over C2 Channel — 6 terabytes of data exfiltrated prior to ransomware deployment |
| Impact | T1486 | Data Encrypted for Impact — ALPHV ransomware deployed against 100+ ESXi hypervisors, encrypting virtual machine infrastructure across MGM's Las Vegas properties |
Implications for Defenders
- 01. Treat your IT help desk as an attack surface, not a support function. Scattered Spider gained administrator access to one of the largest hospitality companies in the world with a ten-minute phone call. Every help desk agent needs identity verification protocols that cannot be bypassed by someone who knows an employee's name and LinkedIn profile. Callback verification to known numbers — not numbers provided by the caller — is non-negotiable.
- 02. Protect your identity provider like it is your perimeter — because it is. Once Scattered Spider had Okta administrator access, they owned MGM's environment. The specific technique is Identity Provider Federation Abuse — attackers federate a domain they control to your tenant, allowing them to bypass MFA entirely for any user sourced from the rogue IDP. Restrict who can register new identity providers, alert on any new IDP registration, and enforce just-in-time access for Okta super administrator roles.
- 03. Segment your hypervisor infrastructure. ALPHV encrypted more than 100 ESXi hypervisors in a single deployment. A flat network with no isolation between workstations and hypervisor management interfaces means one compromised credential can take down your entire virtual environment in minutes.
- 04. Log and alert on Okta administrative actions in real time. MGM's security team detected the intrusion a day after it began — too late to prevent persistence. New IDP registration, super admin privilege grants, and Okta Sync server queries should all generate immediate alerts, not appear in next-morning log reviews.
- 05. Do not conflate detecting an intrusion with containing it. MGM detected unusual activity and began shutting down infrastructure — but the attackers had already implanted backdoors. Shutting down Okta without first identifying and evicting the secondary IDP left ALPHV with a deployment path already in place. Detection triggers eviction, not just isolation.
- 06. Standard MFA is no longer sufficient against this group. As of 2025, Scattered Spider deploys Adversary-in-the-Middle tooling — specifically Evilginx — to intercept MFA tokens in real time, bypassing push-based and OTP authentication entirely. Phishing-resistant MFA (FIDO2 hardware keys or passkeys) is the only category of authentication that holds against this technique.
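The real-time alerting called for in implications 02 and 04 (new IDP registration, super admin grants, and the two chained together), as an added example that is not MGM's or any vendor's tooling: Python triage over constructed Okta System Log records. The eventType names and the `debugContext.debugData.privilegeGranted` field are assumptions about Okta's System Log schema and should be verified against a real tenant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# eventType names are assumed from Okta's System Log catalogue; confirm them
# against your own tenant before deploying this logic.
IDP_EVENTS = {"system.idp.lifecycle.create": "high", "system.idp.lifecycle.update": "medium"}
PRIVILEGE_GRANT = "user.account.privilege.grant"

@dataclass(frozen=True)
class Alert:
    severity: str
    actor: str
    summary: str

def _targets(event, target_type):
    return [t for t in event.get("target", []) if t.get("type") == target_type]

def triage(events, window=timedelta(hours=24)):
    """One Alert per event worth paging on. An IdP create/update by an account that
    received Super Administrator within `window` is escalated to critical: fresh admin
    rights followed by a rogue IdP is the persistence step described for MGM."""
    alerts, granted_at = [], {}          # granted_at: grantee -> time of the grant
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        when = datetime.fromisoformat(ev["published"])
        etype = ev["eventType"]
        if etype == PRIVILEGE_GRANT:
            # Assumed field: debugContext.debugData.privilegeGranted names the role.
            role = ev.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
            if role.lower() == "super administrator":
                for user in _targets(ev, "User"):
                    granted_at[user["alternateId"]] = when
                    alerts.append(Alert("high", actor, f"Super Administrator granted to {user['alternateId']}"))
        elif etype in IDP_EVENTS:
            idp = ", ".join(t["displayName"] for t in _targets(ev, "IdentityProvider"))
            severity = "critical" if actor in granted_at and when - granted_at[actor] <= window else IDP_EVENTS[etype]
            alerts.append(Alert(severity, actor, f"{etype} on IdP '{idp}'"))
    return alerts
# Constructed sample events (not real MGM telemetry); the record shape is simplified.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-09-08T14:02:00+00:00",
     "actor": {"alternateId": "helpdesk.agent@example.com"}, "target": []},
    {"eventType": "user.account.privilege.grant", "published": "2023-09-08T14:09:00+00:00",
     "actor": {"alternateId": "helpdesk.agent@example.com"},
     "target": [{"type": "User", "alternateId": "reset.target@example.com"}],
     "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}},
    {"eventType": "system.idp.lifecycle.create", "published": "2023-09-08T15:30:00+00:00",
     "actor": {"alternateId": "reset.target@example.com"},
     "target": [{"type": "IdentityProvider", "displayName": "corp-sso-backup"}]},
]
```

Running `triage(SAMPLE_EVENTS)` yields a high alert for the super admin grant and a critical alert for the IdP created by the newly promoted account; the session-start record is ignored.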
Key Takeaway
The MGM breach established something the security industry had long theorized but rarely seen at this scale: a sophisticated, multi-week enterprise intrusion executed without a single piece of malware at the point of entry. A phone call, a LinkedIn profile, and a help desk agent without a verification protocol were sufficient to compromise an organization with a multi-billion dollar security budget. The ransomware came later, almost as an afterthought, after negotiations broke down. In 2026, Scattered Spider remains active — linked to attacks on Marks & Spencer, a Qantas third-party customer service platform, and a broad Snowflake customer campaign — and CISA updated its advisory as recently as July 2025 to reflect new TTPs. The lesson is not that ransomware is the threat. The lesson is that your identity infrastructure is the threat surface, your help desk is the front door, and the most dangerous attacker in your threat model may never touch your endpoint at all.