Frequently Asked Questions

Incident Analysis: MGM Resorts & Caesars Palace Cyber Attacks

What happened during the MGM Resorts cyberattack in 2023?

In September 2023, MGM Resorts suffered a significant cyberattack that disrupted key public-facing systems, including customer loyalty platforms, guest check-in, room service, and even door locks. The attack involved unauthorized access to MGM's data systems and potentially the removal of sensitive data. The incident was highly public, and MGM confirmed the attack due to the scale of the disruption.

How was Caesars Entertainment affected by a cyberattack in 2023?

Caesars Entertainment disclosed a cybersecurity incident via a Form 8-K SEC filing, indicating that a threat actor accessed and obtained a copy of sensitive customer loyalty program records. The filing suggested that Caesars took steps to ensure the stolen data was deleted by the attacker, implying possible ransom negotiations, though payment was not officially confirmed.

Who was responsible for the MGM and Caesars cyberattacks?

The ALPHV/BlackCat Advanced Persistent Threat (APT) group and its affiliates, including Scattered Spider, are suspected to be behind both the MGM Resorts and Caesars Entertainment attacks. This group is known for sophisticated ransomware operations and has been active since at least 2021.

What tactics did the attackers use in the MGM and Caesars incidents?

The attackers used social engineering to gain initial access, followed by double-extortion ransomware tactics. This involved encrypting data on victim systems and exfiltrating unencrypted copies for further extortion. The group is also known for triple-extortion, targeting both organizations and their customers.

How did social engineering play a role in these attacks?

Social engineering was a key factor, with attackers tricking employees into granting access to internal systems. This allowed the threat actors to bypass standard security controls and initiate the ransomware attack chain.

What is double-extortion and triple-extortion ransomware?

Double-extortion ransomware involves both encrypting a victim's data and exfiltrating a copy, which is used to pressure the victim into paying a ransom to avoid public exposure. Triple-extortion adds a third layer, where attackers also extort the victim's customers using stolen data.

What defensive strategies are recommended against groups like ALPHV/BlackCat?

Recommended strategies include user training to recognize social engineering, implementing multi-layered defenses (EDR, XDR, SIEM), restricting privileges, monitoring for suspicious encryption, and regularly testing defenses with tools like Cymulate Breach and Attack Simulation (BAS) and Continuous Automated Red Teaming (CART).

How can organizations test their defenses against ransomware like BlackCat?

Organizations can use Cymulate's Breach and Attack Simulation (BAS) to test EDR and XDR tools against known ransomware tactics, simulate data exfiltration, and tune controls. Continuous Automated Red Teaming (CART) enables full attack chain simulations to validate layered defenses.

What role does continuous testing play in cyber defense?

Continuous testing ensures that security controls remain effective as threats evolve and organizational changes occur. Automated assessments with Cymulate help identify gaps, validate detection and prevention capabilities, and reduce the risk of successful attacks.

How does Cymulate help organizations defend against ransomware and advanced threats?

Cymulate empowers organizations to continuously assess and validate their security posture through automated attack simulations, exposure validation, and red teaming. This proactive approach helps identify vulnerabilities, optimize controls, and improve resilience against ransomware and other advanced threats.

Features & Capabilities

What are the key features of the Cymulate platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit our Partnerships and Integrations page.

How does Cymulate automate security validation?

Cymulate automates security validation by running 24/7 attack simulations, validating controls across prevention, detection, and response, and integrating with security tools to push updates and optimize configurations. Automation reduces manual effort and ensures continuous coverage.

What is Cymulate's approach to exposure prioritization?

Cymulate validates the exploitability of exposures and ranks them based on prevention and detection capabilities, business context, and threat intelligence. This helps organizations focus remediation efforts on the most critical vulnerabilities.

How does Cymulate help with attack path discovery and lateral movement prevention?

Cymulate's attack path discovery feature identifies potential attack paths, privilege escalation, and lateral movement risks. It enables organizations to test and tune controls to prevent attackers from moving laterally within the environment.

What is the Cymulate Breach and Attack Simulation (BAS) module?

The BAS module allows organizations to simulate real-world attacks against their defenses, test EDR and XDR tools, and validate the effectiveness of security controls against known ransomware and other threats.

What is Continuous Automated Red Teaming (CART) in Cymulate?

CART enables organizations to simulate full attack chains, playing out advanced threat scenarios to test if layered defenses can stop sophisticated attacks. It supports ongoing, automated testing as threats and environments evolve.

How easy is Cymulate to use and implement?

Cymulate is designed for ease of use, with agentless deployment, intuitive dashboards, and minimal setup. Customers report that simulations can be run with just a few clicks, and the platform provides actionable insights quickly. Support and educational resources are available to assist with onboarding.

What feedback have customers given about Cymulate's usability?

Customers consistently praise Cymulate for its intuitive interface, ease of use, and actionable insights. Testimonials highlight the platform's user-friendly dashboard, quick implementation, and accessible support team. For example, a Cybersecurity Manager noted, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

Pain Points & Use Cases

What common pain points does Cymulate address for organizations?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges. The platform integrates exposure data, automates validation, and provides actionable insights to solve these issues.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. The platform is tailored to the needs of each role, from strategic oversight to operational validation and offensive testing.

How does Cymulate help with cloud security validation?

Cymulate secures hybrid and cloud infrastructures by automating compliance and regulatory testing, validating cloud security controls, and integrating with leading cloud security solutions such as AWS GuardDuty, Check Point CloudGuard, and Wiz.

What business impact can customers expect from using Cymulate?

Customers report up to a 52% reduction in critical exposures, a 60% increase in team efficiency, 40X faster threat validation, and an 81% reduction in cyber risk within four months. Cymulate also helps consolidate tools, reduce costs, and improve decision-making with actionable metrics. See the Hertz Israel case study for details.

Are there case studies showing Cymulate's effectiveness?

Yes, Cymulate has numerous case studies across industries. For example, Hertz Israel reduced cyber risk by 81% in four months, a sustainable energy company scaled penetration testing cost-effectively, and Nemours Children's Health improved detection in hybrid environments. Explore more at our Case Studies page.

How does Cymulate address the needs of different security roles?

Cymulate tailors solutions for CISOs (metrics and investment justification), SecOps (automation and efficiency), red teams (offensive testing with a large attack library), and vulnerability management teams (validation and prioritization). Each role benefits from features designed for their specific challenges.

How does Cymulate help organizations communicate risk and justify security investments?

Cymulate provides quantifiable metrics and actionable insights that help CISOs and security leaders communicate risk, justify investments, and align security strategies with business objectives. The platform delivers validated data for clear reporting to stakeholders and regulators.

How does Cymulate improve operational efficiency for security teams?

Cymulate automates manual processes, prioritizes remediation, and enables faster threat validation, leading to a 60% increase in team efficiency and saving up to 60 hours per month in testing new threats.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a personalized quote, schedule a demo with the Cymulate team.

How can I get a quote for Cymulate?

You can receive a customized quote by scheduling a demo with Cymulate. The team will assess your organization's requirements and recommend the best package and pricing.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These attest to Cymulate's robust security practices, data protection, and compliance with international standards. Learn more at Security at Cymulate.

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC). The platform includes 2FA, RBAC, IP restrictions, and regular third-party penetration testing. Cymulate is GDPR compliant and has a dedicated privacy and security team.

Support & Implementation

How long does it take to implement Cymulate?

Cymulate is designed for rapid, agentless deployment. Customers can start running simulations almost immediately after setup, with minimal resources required. Support is available via email, chat, and a comprehensive knowledge base.

What support resources are available for Cymulate users?

Cymulate offers email and chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for quick answers. These resources help users maximize the platform's value and resolve issues efficiently.

Company & Vision

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. Learn more at About Us.

Where can I find Cymulate's latest research, news, and events?

Stay updated with Cymulate's latest research, news, and events via the blog, newsroom, and events page. The Resource Hub also offers insights, thought leadership, and product information.

How is Cymulate recognized in the cybersecurity industry?

Cymulate is recognized as a market leader in automated security validation by Frost & Sullivan and was named a Customers' Choice in the 2025 Gartner Peer Insights. The company is trusted by organizations worldwide and regularly features in industry news and analyst reports.


A Grand Attack on the Palace: MGM Resorts and Caesars Cyber Attacks

By: Cymulate

Last Updated: July 22, 2025


Editor’s Note: This is an evolving story about the MGM Resorts and Caesars cyber attacks. It will change as new information is disclosed and discovered while the investigation into these events continues, and this post will be updated as new information becomes available.

In 2023, Las Vegas was rocked by twin disclosures of cyberattacks against MGM Resorts and Caesars Entertainment – two of the biggest casino and resort companies in the world. Beginning with a major service disruption at multiple MGM properties, the news was followed by a Securities and Exchange Commission (SEC) filing by Caesars that they had also suffered a breach.  

MGM Resorts Guest Services Paralyzed and Data Compromised

On or about September 9, a threat actor was able to gain unauthorized access to MGM Resorts data systems, taking several key public-facing systems offline and potentially removing sensitive data from the organization.  Systems used to manage customer loyalty platforms, check-in for guests, guest services such as room service, and even the door locks on many of the resort guest rooms were unusable as the organization raced to deal with the incursion and resulting disruption.

While MGM Resorts has not yet defined what systems were accessed and what data may have been taken, the very public nature of the attack made it impossible for the organization to deny that an attack did indeed occur.

ALPHV group and affiliates suspected perpetrators  

Within about 48 hours, vx-underground announced on X (formerly Twitter) that the ALPHV group and their affiliates (including Scattered Spider) were responsible for the attack, citing confidential sources within the threat actor group itself. According to the information obtained by vx-underground, the attackers leveraged social engineering techniques to trick employees into giving them access to systems that would otherwise be inaccessible except to internal teams. While this information has not yet been corroborated by any official first-party source or by law enforcement, vx-underground does have a solid reputation in its reporting of threat activity, having correctly attributed many attacks over the last several years.

Caesars Entertainment may have rendered payment unto someone

Days later, Caesars Entertainment filed a Form 8-K with the SEC to declare that they had experienced a “material event” due to a cybersecurity incident. A material event is defined by Harvard Law School as, “… those matters as to which an average prudent investor ought reasonably to be informed before purchasing the security registered.”  

In short, an organization that is publicly traded must notify the SEC if an event occurs that could have an impact on the trading of that organization’s shares.  The filing notes that a threat actor did gain access to, and did obtain a copy of, a sensitive data-set – the customer loyalty program records. While no specific details were revealed in the filing, one particular statement does lead to the potential that Caesars paid a ransom to end the attack: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

This would indicate that communication between Caesars and the threat actor occurred, and that some agreement was reached to convince the attackers to destroy their stolen copy of the data. While it cannot be confirmed that Caesars paid the threat actors responsible, that is the most common method of achieving this goal.  

Both MGM Resorts and Caesars may have been attacked by the same threat actor: BlackCat

The suspected threat actor in both MGM Resorts and Caesars attacks is the ALPHV/BlackCat Advanced Persistent Threat (APT) group.  This criminal organization has been in operation since at least 2021 and specializes in ransomware attacks in various countries around the world. 

While they appear to be a Russian APT group (most of their communications are in Russian), their identities and locations have not been confirmed by threat intelligence groups. Further complicating attribution, ALPHV/BlackCat is known to work through a network of affiliate threat actors in multiple locations around the world, with varying political, financial, and other end goals.

Tactics used

The tactics used in these two attacks do fit the overall pattern of the APT group and their affiliates, however.  Initial access by forms of social engineering is common, followed by “double-extortion” ransomware – a situation where not only is the data encrypted on the victim’s systems, but an unencrypted version is also exfiltrated onto the systems of the threat actors. 

This stolen data copy can be used to further coerce the victim into paying the ransom in order to avoid additional data exposure (and the regulatory consequences of that exposure) and/or to inflict reputational damage on the organization itself. 

If the ransom is paid, the attack is stopped, and the data copy is (reportedly) destroyed by the threat actor. If not, then the data is released via dark-web sites and becomes available to the general public in addition to other threat actors.

Unfortunately, ALPHV/BlackCat and their affiliates have been known to perform “triple-extortion” attacks, where the data is also used to extort money directly from customers of the victim company in return for not releasing sensitive information found about that customer in the stolen data set.  

Defending Against ALPHV/BlackCat: Strategies and Best Practices

While ALPHV/BlackCat as an APT group is considered to be sophisticated, there are methods that can be used to defend an organization against its attacks. First and foremost, training end-users to recognize the signs of social engineering is important. If something feels “off” or just not right, it very well may be; confirming an odd request with a supervisor could be the difference between smooth sailing and having to recover from an attack.

Implementing a Multi-Layer Defensive Strategy

Prevention at the user level may not always be an option, especially as threat actors continue to refine their social engineering activities to produce harder-to-recognize attack attempts. This is why a multi-layer defensive strategy is absolutely critical. ALPHV/BlackCat employs multiple tactics that can be identified by EDR and XDR systems tuned to look for them. Most notably, many of their attacks utilize well-known credential-harvesting tools such as Mimikatz and LaZagne. Their attacks also frequently make changes to security controls such as Group Policy Objects (GPOs) in Active Directory. These behaviors can be identified and blocked by different forms of endpoint controls, provided they are deployed on all devices (Windows, Linux, and macOS desktops, servers, and cloud instances) and properly tuned for the environments those assets run within. Alterations to GPOs can also be blocked through user access controls and the limitation of privileges.

Continuous Testing and Simulation for Robust Defense

Additionally, any form of unexpected encryption operations should be blocked and should trigger alerts and alarms within the Security Operations Center (SOC) to investigate immediately. SIEM solutions can be configured to alert on such activities, and many EDR and XDR platforms can also block the activity and raise an alert for immediate review. If the activity is legitimate, an exclusion can be configured and the process run again; but in situations like these attacks, this blocking action can end up saving the organization millions in ransom payments, recovery efforts, and lost reputation.

EDR and XDR solutions deployed across all operating systems that can identify sequences of events (including attempts to elevate privileges, scanning of file systems, and attempts to encrypt data) are a viable way to limit and/or stop threat actors from successfully performing these forms of attack, when used as one layer of controls. As no single defensive tool will catch all forms of ransomware attack on its own, configuring defenses in multiple, compensating layers is a necessity.
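The three behaviors singled out above (credential tools such as Mimikatz and LaZagne, changes to GPOs, and unexpected encryption activity) can be expressed as detection rules run over endpoint telemetry. The following is an added example, not code from Cymulate or from any EDR product; the event format, the `GPO_ADMINS` group, the `backup-agent.exe` exclusion, and the burst thresholds are assumptions, and the sample events are constructed.

```python
"""Detection rules for the ALPHV/BlackCat behaviours named in the text:
credential-tool execution, GPO modification, and bursts of high-entropy
file writes. Events are a constructed, simplified telemetry feed."""
import math
from collections import defaultdict

# Indicators come from the text; the allow-lists and thresholds are assumed.
CREDENTIAL_TOOLS = {"mimikatz.exe", "lazagne.exe"}
GPO_ADMINS = {"CORP\\gpo-admin"}               # assumed: only these may edit GPOs
ENCRYPTION_EXCLUSIONS = {"backup-agent.exe"}   # assumed legitimate encryptor
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted/random data is near 8.0
BURST_FILES = 5           # high-entropy writes by one process within the window
BURST_WINDOW = 60         # seconds


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(events: list[dict]) -> list[str]:
    """Run the three rules over a time-ordered event list and return alert strings."""
    alerts = []
    writes = defaultdict(list)  # process name -> timestamps of high-entropy writes
    for ev in events:
        kind, proc, t = ev["type"], ev["process"].lower(), ev["ts"]
        if kind == "process_create" and proc in CREDENTIAL_TOOLS:
            alerts.append(f"credential tool {proc} on {ev['host']}")
        elif kind == "gpo_modify" and ev["user"] not in GPO_ADMINS:
            alerts.append(f"GPO {ev['gpo']} modified by unauthorised {ev['user']}")
        elif kind == "file_write" and proc not in ENCRYPTION_EXCLUSIONS:
            if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                window = [w for w in writes[proc] if t - w <= BURST_WINDOW]
                window.append(t)
                writes[proc] = window
                if len(window) == BURST_FILES:  # alert when the burst size is first reached
                    alerts.append(f"possible encryption burst by {proc} on {ev['host']}")
    return alerts


HIGH = bytes(range(256))            # constructed: uniform bytes, entropy 8.0
LOW = b"quarterly report " * 16     # constructed: plaintext, low entropy

# Constructed sample feed: one credential tool, one unauthorised and one authorised
# GPO edit, an excluded backup agent, a benign document write, and an encryption burst.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-07", "process": "Mimikatz.exe", "ts": 0},
    {"type": "gpo_modify", "host": "dc-01", "process": "mmc.exe", "user": "CORP\\jdoe",
     "gpo": "Default Domain Policy", "ts": 5},
    {"type": "gpo_modify", "host": "dc-01", "process": "mmc.exe", "user": "CORP\\gpo-admin",
     "gpo": "Default Domain Policy", "ts": 6},
    {"type": "file_write", "host": "fs-02", "process": "backup-agent.exe", "data": HIGH, "ts": 10},
    {"type": "file_write", "host": "fs-02", "process": "winword.exe", "data": LOW, "ts": 12},
] + [
    {"type": "file_write", "host": "fs-02", "process": "locker.exe", "data": HIGH, "ts": 20 + i}
    for i in range(5)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a real deployment the exclusion list is where the "configure an exclusion and run the process again" step from the text lives; keeping it short and reviewed is what stops the encryption rule from being silently disabled.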

Such defenses must also be regularly tested. Cymulate Breach and Attack Simulation (BAS) can put EDR and XDR tools through their paces to ensure they recognize and block known ransomware methodologies and scenarios. BAS can also simulate data exfiltration to help tune data control solutions and ensure they are not permitting sensitive information to leave the control of the organization.

Continuous Automated Red-Teaming (CART) can allow an organization to play out an entire attack and determine if the layered defenses properly stop it from succeeding at compromising the organization. All these assessments can be automated to allow for ongoing testing with existing and newly discovered attack techniques over time to ensure that defenses are not drifting as changes occur within both the organization and the threat actor community.

Update: September 14, 2023 

The Financial Times is reporting that someone identifying themselves as part of Scattered Spider – an affiliate of ALPHV and the suspected perpetrators of this series of attacks – had even more in store for these gaming companies.

The original plan included an attempt to alter the software of the casinos’ slot machines, then hire independent contractors (known as “mules” in the cybersecurity world) to collect as much money as possible from the machines until the casinos identified and stopped the attacks. The alterations would reportedly have caused the machines to pay out more money than they would when operating normally.

This part of their plan appears to have failed, according to the anonymous source. The Financial Times was unable to verify the identity of their source, or if this source was indeed working as part of Scattered Spider or another ALPHV affiliate. More info will be posted here as it is discovered and/or disclosed.  
