This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.
Ryan Knutson: The following story took place over a week in September last year. The story is set in Las Vegas at the casinos that are owned and operated by MGM Resorts. Our colleague Bob McMillan sets the scene.
Robert McMillan: MGM runs about half the Las Vegas Strip. So they obviously operate the MGM Grand, but they operate Bellagio and Mandalay Bay, Luxor, a whole bunch of the really iconic Las Vegas casinos.
Ryan Knutson: This story is about a heist and it starts on an otherwise typical Friday night.
Robert McMillan: It’s the busiest night for guests checking in, for people gambling, for people being entertained on the Strip, and that makes it a great time to strike.
Ryan Knutson: The main characters are as follows: MGM Resorts, its CEO Bill Hornbuckle, and a brash young group of skilled thieves. It’s a true story, the details of which are based on interviews with investigators, MGM employees, court documents, and a conversation with one of the alleged crooks. Our opening scene takes place far from the glitz and glam of the casino floor. It happens in the bowels of MGM, in the IT department.
This is Chapter 1: The Way In.
Robert McMillan: Tech support gets a call, Friday night. It’s a call that people in tech support get many times a day. Somebody on the other line works for MGM. They say they forgot their password, can’t get into the network, they need to get their account back. And what you do is you do an account reset, right? So the tech support people, they ask for a bunch of personal information just to establish the identity, and then they do establish that this appears to be a legit person and they reset the account so the person on the phone gets access to an MGM account.
Ryan Knutson: But you know how these stories go. Of course, the person on the phone was an imposter.
Robert McMillan: The MGM employee whose account got reset gets a notification on their phone saying like, “Hey, you just reset your account, you’re back in the network.” And they look at their phone and they’re like, “I didn’t do this.” And so they report it to the IT department. They’re like, “I just got some weird account reset, wasn’t me, don’t know what’s going on.”
Ryan Knutson: After that alert came in to that employee and he notified the IT department, did that raise any other alarm bells at MGM?
Robert McMillan: Nope. Nope. It was just a weird thing happened. Maybe look into it. It’s not the kind of alert you would get at IT central and go into panic mode. It’s just the kind of alert that happens all the time.
Ryan Knutson: But soon MGM Resorts would go into panic mode, because that seemingly innocuous password reset was actually the moment that thieves got in and tens of millions of dollars were now on the line. Welcome to The Journal, our show about money, business and power. I’m Ryan Knutson. It’s Friday, March 29th. Coming up on the show, chaos at the casino.
Chapter 2: Eggplant Emojis.
Robert McMillan: So Saturday things got a little interesting.
Ryan Knutson: On Saturday MGM’s IT department began to realize something was up. Someone was in their system and they were moving around MGM’s network.
Robert McMillan: They started going from system to system and they started changing whatever settings they could to try and get, sort of other open little back doors. And they were doing all kinds of things, setting up account privileges on systems that would enable them to maintain their beachhead within the MGM network, even if this first point of entry was shut down.
Ryan Knutson: It was hackers. They were trying to steal things like customer data, but they were also doing something you don’t often see hackers do. They were goofing around making juvenile jokes and renaming files, some of which were racist and crude.
Robert McMillan: And that’s not something you normally see. You don’t see that from the Chinese, right, or the Russians even. This was unusual. So they’re renaming files, they’re popping up using the eggplant emoji, which is, you can look it up, juvenile reference.
Ryan Knutson: Yeah, I think people probably get what that emoji typically stands for.
Robert McMillan: Sadly, I did not, but don’t tell anyone that.
Ryan Knutson: Okay, boomer.
Robert McMillan: A hundred percent busted there.
Ryan Knutson: While the hackers were moving around MGM’s network, the IT department was struggling to kick them out.
Robert McMillan: They tried to shut down things and it’s not working. So there’s something going on here. There’s something unusual and there’s something that merits the attention of upper management.
Ryan Knutson: Chapter 3: Dessert Before Dinner.
Cut to MGM CEO Bill Hornbuckle. He’s 62 years old with dark gray hair. He’s run the company for nearly four years, and on Saturday night he was with his wife getting ready for a fundraiser at a gala at the Wynn Casino.
Robert McMillan: It was an event where they had celebrity chefs, I think reimagine Girl Scout cookies into fantastic desserts. It was called Dessert Before Dinner.
Ryan Knutson: Yum.
Robert McMillan: And it sounded really fun. And you go there, you have these Girl Scout cookie-themed desserts presented, and when they leave for the event, everything seems kind of normal.
Ryan Knutson: But while at the event, Hornbuckle and one of MGM’s top lawyers who was also there started getting messages from the company’s tech department.
Robert McMillan: They’re swapping messages and they’re just getting worried. They’re seeing what the tech staff is reporting and they’re not getting them out of the network.
Ryan Knutson: Back at the office the problem was getting worse for the tech staff.
Robert McMillan: They start to realize they are engaged in, sometimes you might describe it as hand-to-hand combat. They’re engaged in this effort to try and push the intruder out of their network and just finding out over and over again that there’s been another way set up to get them back in over and over again. So yeah, that evening and all through that night, they’re just basically playing whack-a-mole with this group.
Ryan Knutson: By midnight, Hornbuckle knew his company was in a full-scale crisis. So MGM started taking steps to mount a defense.
Robert McMillan: One of the first things they do is they go off of email. They’re like, “We don’t know if these hackers have access to all of the email or not, but we don’t trust it.” Then they called in their cybersecurity firm to help them investigate, and pretty quickly they had identified the group that was responsible for this.
Ryan Knutson: And who was it that had hacked into their system?
Robert McMillan: They called themselves Star Fraud.
Ryan Knutson: Chapter 4: The Hackers.
Robert McMillan: Star Fraud is a group of very capable cyber break-in artists. They’re great at cracking open the door. And then more than that, they’re great at just launching a blitzkrieg on the network once they get in and moving around very quickly, securing a foothold and using a variety of techniques to just make sure that they never get kicked out again.
Ryan Knutson: There are two things that really make Star Fraud stand out. One is where they’re based. They’re not in Russia or China where many hackers live. They’re mostly from the US, the UK and Canada. The other thing is that they’re mostly a bunch of teenagers.
Robert McMillan: Yeah, Western teenagers. So these are native English speakers. I mean, most of the hacking stories that I’ve written about for the last 15 years have involved Russian hackers, Chinese hackers, sometimes North Korean hackers, Iranian hackers. They often come from offshore because there are a number of countries where it’s really, really hard for the United States to arrest and extradite people. So that tends to be where the worst cyber problems come from. But this was different. This was a Western cybersecurity problem, and more notably, it’s a Western cybersecurity problem that seems to have grown out of teenagers playing video games. And we’ve been kind of watching this criminal organization go from just messing around on video games, to stealing accounts online, to breaking into phones, to stealing cryptocurrency, to freezing the operations of companies, to becoming one of the biggest cyber threats that we’re facing in the United States today.
Ryan Knutson: Being native English speakers gives this group an advantage that hackers from other countries often can’t use. They’re really good at impersonating people. For a hacker looking to break into an American company, this is a valuable skill. See, if you’re able to steal an employee’s personal information like their social security number and date of birth, which is pretty easy to do on the dark web, then you can call up their company’s IT department, pretend to be them, and get their password reset, which is exactly how Star Fraud got into MGM.
Robert McMillan: These kids can call up tech support and they speak English like native English speakers, and so they don’t raise any alarm bells when they call up and say that they’re employees of Western companies. And there’s a way that when you’re from the same culture as somebody you can really, it makes it easier to manipulate them, right? You can very quickly make a connection over the phone with that kind of person and get them to relate to you and to think of you not as just a voice on the phone, but actually as a real person who’s facing a crisis and needs to get their business done right away.
Ryan Knutson: And Star Fraud has gotten really good at this kind of hack. The group has also been linked to attacks on big companies like Clorox and Caesars, another big casino operator in Vegas. Do you have any sense of why Star Fraud targeted MGM?
Robert McMillan: Well, they were kind of going through an online casino hacking thing at the time. I think they seem to brand-name victims because there’s this combination of a desire to make money, which they appear to be pretty good at doing, but also a desire to have recognizable targets for bragging rights as well. To be able to say, “We hit somebody.” And I think hitting MGM probably felt like this is a cool company to hit, right, like people are going to know who they are.
Ryan Knutson: By Sunday, Hornbuckle and MGM knew who the hackers were, but what did they want and should MGM give it to them?
Chapter 5 is next.
Chapter 5: Shut it Down.
Bill Hornbuckle had spent much of his Saturday night at the Girl Scouts gala messaging back and forth with a tech team that was responding to the hack, and it seemed like the company was losing. So early Sunday morning, Hornbuckle decided to do something drastic.
Robert McMillan: At 5:00 a.m., Hornbuckle just says, “Shut it down. Shut down our intranet. Shut down the systems that these hackers seem to be abusing to retain their persistence on the network.”
Ryan Knutson: Why would shutting its computer system down help?
Robert McMillan: Well, so they’re not shutting every single system down. MGM runs thousands of servers and they have backend systems that do all kinds of stuff. They’re very complicated business, but the places where they knew these hackers had secured a foothold, they were going to pull the plug and just disconnect them from the internet essentially, which would just prevent the hackers from getting back in.
Ryan Knutson: Right, because if they’re not connected to the internet, then the hackers have no way in.
Robert McMillan: Correct, yeah.
Ryan Knutson: So you pull up the drawbridges essentially around the castle.
Robert McMillan: Right. Yeah, there you go.
Ryan Knutson: But pulling up the drawbridges and shutting down big pieces of MGM’s computer network would make it harder for the casino to serve its customers.
Robert McMillan: This is going to have a big impact. This is going to affect your ability to book online. This is going to affect our ability to issue key cards in the hotels. So if you wanted to check in, you’d have to check in using literally like a pen and paper, kind of check-in. But this is not going to be catastrophic, right? This is going to prevent the hackers from getting back in. It’s going to prevent a data breach. It’s going to disrupt our business, but we’re going to stop this hack. It’s not going to go any farther.
Ryan Knutson: Or so they thought.
Chapter 6: All Hell Breaks Loose.
Early Tuesday morning the hackers finally said what they wanted.
Robert McMillan: So at 2:00 a.m., the hackers send an email to Bill Hornbuckle, the CEO of MGM saying that they’ve installed this ransomware, it’s going to freeze MGM’s network everywhere. They want more than $30 million.
Ryan Knutson: How did Hornbuckle respond?
Robert McMillan: He didn’t know about it.
Ryan Knutson: He didn’t know about it?
Robert McMillan: I mean, they sent it via email, and he had been off his email since Sunday morning basically.
Ryan Knutson: As a defense against the hackers, he had stopped communicating over email, so he wasn’t checking messages.
Robert McMillan: Yeah. So the hackers send this guy a ransom demand at 2:00 a.m. and he doesn’t get it for another 12 hours.
Ryan Knutson: By Tuesday morning, MGM’s casinos were in chaos. The company’s decision to disconnect many of its systems combined with Star Fraud’s ransomware was wreaking havoc.
Robert McMillan: It’s a total shutdown.
Ryan Knutson: And by now, people were really starting to notice.
Speaker 4: On Sunday, systems at MGM Resorts’ properties began shutting down, including slot machines, company email, the MGM website and more.
Speaker 5: Slot and gaming machines offline, ATM machines also down.
Speaker 6: Comes after several issues were reported over the weekend at MGM Properties, including guests not being able to use their digital keys at hotel rooms.
Speaker 7: It sounds like a nightmare for our customers out there.
Robert McMillan: Slot machines aren’t working. People are getting paid out with cash. MGM is recruiting anyone they can get. Senior management is showing up in the pits at MGM with money belts around their waist to try and help pay out people who have won money. Everything’s pen and paper. They’re keeping track of it; their accounting system just moves off of computers, basically. It’s just a disaster.
Ryan Knutson: But I thought MGM had pulled up the drawbridges and shut off the system so that the hackers were kicked out, how are they able to get their ransomware on there?
Robert McMillan: Well, I think they had been sort of kicked out, but before they had done that, they had sort of planted this destructive software as a, it’s almost like you’re getting kicked out of the port and you’re going to scuttle the ships. It’s kind of like that. So it appears that they no longer had access. They had a way to get in, but they had preset this ransomware to go.
Ryan Knutson: They sort of left some bombs behind, so to speak.
Robert McMillan: Yeah, yeah.
Ryan Knutson: Chapter 7: Hit or Stay.
Remember how Hornbuckle didn’t see Star Fraud’s email where they asked for more than $30 million? That meant MGM also wasn’t negotiating with them.
Robert McMillan: And I don’t think they liked that, right? I think they at that point were like, “Okay, let’s put some pressure on MGM.” And so this character emerges, this anonymous hacker who is sort of known to investigators and is basically known to have been in a position to know what was going on with this Star Fraud group. This person shows up and starts doing interviews with the press.
Ryan Knutson: The alleged hacker even started messaging Bob.
Robert McMillan: I had a Telegram chat with this person who told me a bunch of stuff about how they allegedly got in, and they start describing how incompetent the tech support people at MGM were and how they allowed this to happen. And clearly the effort is to put pressure on MGM to pay.
Ryan Knutson: If Hornbuckle paid the money, Star Fraud said they would hand over the digital keys that would unlock the ransomware and restore MGM’s systems. But paying the ransom wasn’t Hornbuckle’s only option. Alternatively, he could rebuild the casino’s computer systems from scratch.
Robert McMillan: You’re up for disruption either way, and you’re paying criminals and sort of trusting their tech support system and kind of trusting them even if you pay the ransom. Whereas if you just say, look it, we’re going to just burn this server to the ground, reinstall everything from the ground up on it, then you have a certain amount of confidence that they’re actually kicked off of it. So that’s the question that they were facing on Tuesday.
Ryan Knutson: How big of a task is it though to shut all your servers down and reinstall everything from scratch?
Robert McMillan: It’s a big task. Just think about the last time you got a new phone and what it was like, how hard was it to move everything from your old phone to the new phone and then imagine that you have not a phone, but a server that’s custom configured and that you’ve got to do this 3,000 times or 4,000 times, or whatever. You’ve got to do this thousands of times.
Ryan Knutson: Chapter 8: Down to the Wire.
Despite the fact that Star Fraud’s intrusion had crippled MGM casinos for several days, causing chaos on the Vegas Strip, Bill Hornbuckle wouldn’t be swayed. He decided not to pay the ransom. Instead, the company rebuilt its computer systems from the ground up. Even though MGM didn’t pay the more than $30 million ransom, how big of a cost did it experience by just fighting them off?
Robert McMillan: $100 million. In an SEC filing that came out a few weeks after the hack, they indicated that the cost of the incident was more than $100 million.
Ryan Knutson: Wow, so it was more expensive for MGM to fight than to just pay.
Robert McMillan: A hundred percent. So this is not an uncommon thing where you have to make a call and it often is less expensive to just pay for the ransomware, get the decryption key. But the problem is that first of all, the decryption keys don’t always work. And then there is this question of are you going to get extorted again?
Ryan Knutson: But isn’t that still a concern for MGM? I mean, can they really be sure that Star Fraud is gone and won’t come after them again?
Robert McMillan: I mean, once you wipe the operating system off your computer and reinstall it like a fresh version of the OS, you know that whatever software they put on that computer is probably gone, right? That’s the most sure you can be, it’s almost like buying a new computer at that point. So you get a lot of confidence from doing something like that. Now, if we look at the initial way they got in, it was through the tech support system, right? So that’s the thing that you need to fix, because otherwise they can get through there again.
Ryan Knutson: Epilogue: It took MGM several days to get most of the customer-facing systems up and running, like the slot machines and the key cards, and several weeks to fix everything else. Here’s Hornbuckle in an interview after the hack was over.
Bill Hornbuckle: Lucky it was a hell of a three-week period. I cannot, but see how resilient we are. I got to call out the MGM employees. They’ve been nothing but great through this entire process. But this is behind us. Hopefully it’s a one-time incident. Knock on something quickly and while we’re all moving forward, it had a significant impact as you saw.
Ryan Knutson: The hack might be behind MGM, but Bob says that ransomware attacks like these that start out by tricking tech support into resetting a password are bound to become more common.
Robert McMillan: Well, everybody uses tech support, because everybody is vulnerable to this sort of password reset over the phone problem. It’s a very, very widespread potential problem and one that we suddenly need to think about in a way that we didn’t just a few years ago.
Ryan Knutson: You mentioned earlier that a lot of the worst hackers were coming out of countries where it’s very difficult for the United States or other Western nations to extradite these criminals. But if these hackers are in the West, if they’re in places in Europe and even in the US, does that mean that it might be easier for law enforcement to catch these guys?
Robert McMillan: Well, Ryan, how many hours do you have to talk about this, because one of the reasons that this group is so problematic and this phenomenon is such a problem is because a lot of the people engaged in this activity are minors. And it makes things different when you’re pursuing minors. And there’s sort of this sense of like if you’re a teenage boy, you feel kind of impervious to the real world anyway. And then in the legal system, it’s just really hard to stop them.
Ryan Knutson: Before we go, we wanted to let you know that today marks one year since our colleague, Wall Street Journal reporter Evan Gershkovich, was detained by Russian authorities while on a reporting trip and accused of espionage. Evan, The Journal and the US government vehemently deny the accusation, and the Biden administration has designated Evan as wrongfully detained. Russian courts have repeatedly rejected appeals by his lawyers, and this week ordered Evan held in pretrial detention in a Moscow prison until June 30th. In a letter released last night, our Editor-in-Chief Emma Tucker said Evan’s detention is “a blatant attack on the rights of the free press at a time when journalists are needed to bear witness to history.”
That’s all for today, Friday, March 29th. Additional reporting in this episode by Catherine Sayre and Sarah Krauss. The Journal is a co-production of Spotify and The Wall Street Journal. The show’s made by Annie Baxter, Katherine Brewer, Maria Byrne, Victoria Dominguez, Pia Gadkari, Rachel Humphreys, Matt Kwong, Kate Linebaugh, Jessica Mendoza, Annie Minoff, Laura Morris, Enrique Perez de la Rosa, Sarah Platt, Alan Rodriguez Espinoza, Heather Rogers, Jonathan Sanders, Pierce Singgih, Laing Tang, Jeevika Verma, Lisa Wang, Catherine Whelan, Tatiana Zamis, and me, Ryan Knutson. Our engineers are Griffin Tanner, Nathan Singapok, and Peter Leonard. Our theme music is by So Wylie. Additional music this week from Katherine Anderson, Marcus Bugala, Peter Leonard, Bobby Lord, Emma Munger, Nathan Singapok, Griffin Tanner and Blue Dot Sessions. Fact-checking by Mary Mathis and Najwa Jamal. Thanks for listening. See you Monday.