Social Engineering and the Great Casino Takedown: HUMINT’s Modern Avatar.
So many are shocked to learn that social engineering led to one of the biggest casino takedowns in history. As the digital age grows, so do the avenues for cyberattacks. What happened with MGM Resorts recently stands as a grim testament to this vulnerability. Yet, this isn’t a story about the complexities of hacking software but of exploiting human nature— a strategy as old as espionage itself.
MGM, with its vast array of luxury resorts and a thriving online sports betting operation, became a victim of what many might consider a simple phone call. Amidst malfunctioning slot machines, disabled digital hotel keys, and guests queued for manual check-ins, the giant resort seemed almost paralyzed. While MGM cited a “cybersecurity issue” with a restrained online presence during this period, the underlying cause revealed a classic example of human-led intelligence warfare— one that predates our digital age.
In the military realms of yore, this type of intelligence gathering was termed as HUMINT, or Human Intelligence. HUMINT involved gathering intelligence by means of interpersonal contact, as opposed to the more modern SIGINT (Signal Intelligence) which involves intercepting signals between people (communications) or between machines (like encrypted messages). In essence, HUMINT is about understanding and exploiting human behaviors, emotions, and vulnerabilities.
Now, contrast this with the contemporary term, “social engineering”. It is nothing but HUMINT in a new guise. The attackers, instead of focusing on the tech vulnerabilities, focus on the human aspect of the chain. It is about manipulating people into breaking standard security practices to gain unauthorized access to systems or data. In MGM’s case, this took the form of vishing - a voice call variant of phishing.
The perpetrators behind this, Scattered Spider, are known maestros in the social engineering realm, particularly in ‘vishing’ or ‘voice phishing’ where fraudsters use phone calls as the basis for their attack.
Reportedly, their strategy was fairly straightforward. They found an employee’s details on LinkedIn, impersonated them, and then simply called MGM’s IT help desk to acquire the necessary credentials. The ease of this breach is both astonishing and terrifying. It underscores the human vulnerability in the otherwise sturdy digital fortresses of today.
Interestingly, Scattered Spider’s members are not the hooded, middle-aged, hackers of stereotype. They are young adults, possibly in their late teens to early twenties, scattered across Europe and potentially the US, fluent in English - and, some of whom may be active duty military. Their age and linguistic capabilities only make their impersonation game more authentic.
The hack’s aftermath saw MGM’s data held hostage, encrypted and ransomed for cryptocurrency. Interestingly, their initial plan was to hack the slot machines but when this failed, they defaulted to ransoming the stolen data.
This MGM incident is a stark reminder. While we bolster our digital defenses, train our algorithms, and patch our vulnerabilities, there’s still a need to address the oldest and perhaps the most significant vulnerability: the human element. It’s about time organizations not just invest in tech defenses but also in training their staff against such social engineering attacks.
Because as history and the military’s reliance on HUMINT has shown, sometimes the biggest vulnerabilities are not in our machines, but in ourselves. Be mindful, folks - and be wary, as a split second oversight could circumvent even the tightest of security controls.
