Five days after a cyberattack crippled operations of MGM Resorts International, including its signature Las Vegas properties the Bellagio and the MGM Grand, the company said Thursday morning it is still working to resolve issues as another major resort operation, Caesars Entertainment, acknowledged it was also the target of a cyberattack.

Hackers struck MGM Resorts on Sunday morning, rendering doors to the chain's casinos and hotels unusable. Slot machines and ATM machines were also inoperable, elevators were out of order and customers had to wait hours to check into rooms. Even the company's website remains down.

"We continue to work diligently to resolve our cybersecurity issues while addressing individual guest needs promptly," MGM Resorts said a statement Thursday. "We couldn't do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers. Thank you for your continued patience."

"It was kind of chaotic," Haywood told ABC Las Vegas affiliate station KTNV. "The machines wouldn't take our ticket. Lines everywhere. Just chaos."

Tracked as UNC3944 and also referred to as 0ktapus, Scatter Swine, and Scattered Spider, the hacking group has targeted at least 100 organizations, mostly in the United States and Canada. The group typically engages in SMS phishing campaigns (smishing), but has been broadening its skills and arsenal of tools and is expected to start targeting more industries.

Mandiant also noticed that the group shifted to ransomware deployment in mid-2023, which can be highly profitable. In some attacks, they were seen using the ALPHV (BlackCat) ransomware, but Mandiant believes they could use other ransomware as well, and they may “incorporate additional monetization strategies to maximize their profits in the future.”

The threat actor has been active since late 2021, typically employing smishing to obtain valid employee credentials and contacting the victim organization’s help desk to obtain multi factor authentication (MFA) codes or reset account passwords, by impersonating the targeted employees.

During such calls, the hacking group has been observed providing various types of verification information that the help desk requested, including personally identifiable information (PII), employee ID, and username.

While these incidents have caused great disruption at Las Vegas casinos, what’s been most frustrating to security industry pros is that the social engineering and execution tactics of Scattered Spider — the threat group behind the attacks — have been well-known for several months.

Callie Guenther, cyber threat research senior manager at Critical Start, said Scattered Spider operates as a financially driven threat actor that has been active since at least May 2022.

In one of their recent attacks, Guenther said Scattered Spider used what's known as a Bring Your Own Vulnerable Driver (BYOVD) technique that involves the deployment of a vulnerable kernel-mode driver, such as the Intel Ethernet diagnostics drivers, as a way to gain elevated privileges within Windows systems, thereby evading endpoint detection and response (EDR) solutions.