Scattered Spider / MGM Resorts – LinkedIn OSINT → Vishing Help Desk → Okta Super Admin → Azure AD → 100 ESXi Servers Encrypted
Scattered Spider (UNC3944) compromised MGM Resorts International in September 2023 using a single 10-minute phone call to the IT help desk. Attackers researched an MGM employee on LinkedIn, impersonated them to a help desk agent, obtained an MFA reset, and gained initial access. From there they escalated to Okta Super Administrator, claimed Azure AD tenant-level control, moved laterally across the network, and encrypted over 100 ESXi hypervisors using ALPHV/BlackCat ransomware — causing $100M in losses and a 10-day outage. The entire initial access chain required no technical exploit whatsoever.
Before making any call, the attacker used LinkedIn to identify an MGM Resorts employee — gathering their full name, job title, and enough personal and professional detail to convincingly impersonate them to an IT help desk agent. Mandiant confirmed from forensic recordings of these call center attacks that the threat actors already possessed PII on their victims before calling — including SSN last four digits, dates of birth, and manager names — to pass standard help desk identity verification. Scattered Spider's operators are native English speakers, so the calls carried none of the accent cues that often flag social engineering attempts by non-Western threat actors.
PII used to pass verification (Mandiant confirmed): Last 4 digits of SSN, date of birth, manager name and job title
Why it worked: Help desks are trained to be helpful — suspicion of an "employee" feels obstructive
Mandiant: "The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate"
The attacker called MGM's IT help desk, impersonated the employee identified on LinkedIn, and requested a multi-factor authentication reset. Mandiant confirmed from forensic recordings that the consistent pretext used was claiming to be receiving a new phone — a routine scenario that naturally requires an MFA reset. The agent had no way to verify the caller's true identity beyond the PII provided, which matched what the attacker had gathered. The call lasted approximately 10 minutes.
Pretext used (Mandiant confirmed): "I'm receiving a new phone and need my MFA reset" — a routine, unsuspicious request
Verification bypassed with: SSN last 4 digits, date of birth, manager name — all pre-researched
Verification failure: Help desk had no phishing-resistant out-of-band identity verification
ALPHV statement: "All SCATTERED SPIDER did to get into MGM was hop on LinkedIn, find an employee, then call the help desk"
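The verification failure above is a policy problem: knowledge-based answers (SSN last four, date of birth, manager name) were accepted as proof of identity, and nothing reached the real employee over a channel the caller did not control. The following is an added example of how a help desk MFA-reset policy can encode the missing out-of-band step; it is not from the original case study or from any vendor, and the evidence names, request types and the two-check rule for privileged users are assumptions chosen for illustration.

```python
"""Policy model for help desk MFA-reset handling (added example, not from the
original case study). Knowledge-based answers never satisfy verification on
their own; at least one out-of-band check must pass before an authenticator
is changed. Evidence names and request types are illustrative assumptions."""

from dataclasses import dataclass, field
from typing import Optional

# Knowledge-based answers are routinely available from LinkedIn, data brokers
# and breach dumps, so they carry no weight toward verification.
KNOWLEDGE_BASED = {"ssn_last4", "dob", "manager_name", "job_title", "employee_id"}

# Out-of-band evidence reaches the real employee over a channel the caller
# does not control. At least one is required for any authenticator change.
OUT_OF_BAND = {
    "callback_registered_number",  # agent ends the call and dials the number on file
    "manager_confirmation",        # manager confirms via a separate, known channel
    "existing_factor_push",        # approval on the factor currently enrolled
    "video_id_check",              # live video check against the HR photo on record
}

# Anything that changes how a user authenticates is a high-risk request.
HIGH_RISK = {"mfa_reset", "mfa_enrol_new_device", "password_reset", "account_unlock"}


@dataclass
class HelpDeskRequest:
    username: str
    request_type: str
    stated_reason: str               # e.g. "new phone", the pretext used against MGM
    evidence_passed: set = field(default_factory=set)
    privileged_user: bool = False    # admins, Okta/Azure AD roles, finance, etc.


@dataclass
class Decision:
    allowed: bool
    reason: str
    next_step: Optional[str] = None  # the out-of-band check the agent should run next


def evaluate(req: HelpDeskRequest) -> Decision:
    """Decide whether the agent may complete the request on this call."""
    oob = req.evidence_passed & OUT_OF_BAND
    kb = req.evidence_passed & KNOWLEDGE_BASED
    if req.request_type not in HIGH_RISK:
        return Decision(True, "low-risk request; standard verification applies")
    # Privileged identities need two independent out-of-band confirmations.
    required = 2 if req.privileged_user else 1
    if len(oob) >= required:
        return Decision(True, f"{len(oob)} out-of-band check(s) passed: {sorted(oob)}")
    matched = (f"knowledge-based answers matched {sorted(kb)} but do not prove identity"
               if kb else "no verification evidence")
    missing = sorted(OUT_OF_BAND - oob)
    return Decision(False,
                    f"{matched}; {required - len(oob)} out-of-band check(s) still required",
                    next_step=missing[0])


if __name__ == "__main__":
    # The MGM-style call: correct PII, "new phone" pretext, nothing out of band.
    call = HelpDeskRequest("jdoe", "mfa_reset", "new phone",
                           {"ssn_last4", "dob", "manager_name"})
    print(evaluate(call))
```

The decision object tells the agent what to do next rather than just refusing, which keeps the control usable: the agent ends the inbound call and dials the number on file, and only then performs the reset.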
With initial account access, the attacker's first move was not to escalate immediately — it was to read. Mandiant confirmed that UNC3944 consistently searched victims' internal SharePoint sites for help guides and documentation covering VPNs, virtual desktop infrastructure (VDI), and remote telework utilities. This gave them a roadmap of the environment drawn entirely from the victim's own internal documentation, dramatically accelerating lateral movement planning without triggering any security tooling.
Content targeted (Mandiant confirmed): VPN setup guides, VDI connection instructions, remote telework utilities documentation
Why effective: Internal IT docs contain exactly the information an attacker needs — network topology, tool names, access paths
Detection gap: SharePoint search activity by a recently reset account is virtually indistinguishable from legitimate onboarding
From that foothold, the attacker escalated to Okta Super Administrator. Mandiant additionally confirmed a technique not widely reported: UNC3944 used Okta's self-assignment feature to assign the compromised account to every application in the Okta instance — giving them SSO access to every federated application simultaneously, and a visual inventory of every app tile available in the Okta portal. They also configured a second Identity Provider as an impersonation app and stripped MFA from targeted admin accounts.
Privilege achieved: Super Administrator — full control over all identity for downstream applications
Mandiant confirmed technique: Okta self-assignment to every app in the instance — instant access to all SSO-protected applications
IdP abuse: Second Identity Provider configured as "impersonation app" — could act as any user in the org
MFA stripped: Second-factor requirements removed from authentication policies for targeted accounts
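Each of the four Okta actions above (privilege grant, bulk self-assignment, second IdP, MFA removal) leaves a distinct trail in the Okta System Log. The following is an added example of detection logic over those events; it is not from the original case study or from Okta. The eventType names and field paths follow Okta's published System Log schema, while the sample events, user names and application names are constructed placeholders.

```python
"""Detection rules over Okta System Log events (added example, not from the
original case study or from Okta). Event type names and field paths follow
Okta's System Log schema; the sample events below are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Single events worth an alert on their own: eventType -> (title, severity).
SINGLE_EVENT_RULES = {
    "user.account.privilege.grant": ("Okta admin privilege granted", "high"),
    "system.idp.lifecycle.create": ("New identity provider created", "high"),
    "system.idp.lifecycle.activate": ("Identity provider activated", "high"),
    "user.mfa.factor.reset_all": ("All MFA factors reset for a user", "high"),
    "user.mfa.factor.deactivate": ("MFA factor deactivated", "medium"),
    "policy.rule.update": ("Authentication policy rule changed", "medium"),
}


def _published(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _targets(event, kind):
    return [t.get("alternateId") for t in event.get("target", []) if t.get("type") == kind]


def detect(events, window=timedelta(minutes=10), bulk_threshold=5):
    """Return findings as dicts with rule, severity, actor and targets."""
    findings = []
    assignments = defaultdict(list)  # user -> [(time, app)] from membership adds
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # this example scores only successful changes
        etype = ev.get("eventType")
        actor = ev.get("actor", {}).get("alternateId")
        if etype in SINGLE_EVENT_RULES:
            title, severity = SINGLE_EVENT_RULES[etype]
            granted = ev.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
            if etype == "user.account.privilege.grant" and "super administrator" in granted.lower():
                title, severity = "Super Administrator role granted", "critical"
            findings.append({"rule": title, "severity": severity, "actor": actor,
                             "targets": [t.get("alternateId") for t in ev.get("target", [])]})
        elif etype == "application.user_membership.add":
            for user in _targets(ev, "User"):
                for app in _targets(ev, "AppInstance"):
                    assignments[user].append((_published(ev), app))
    # Bulk assignment: many distinct apps granted to one user inside a short
    # window, the pattern the self-assignment feature produces when abused.
    for user, items in assignments.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            apps = {app for ts, app in items[i:] if ts - start <= window}
            if len(apps) >= bulk_threshold:
                findings.append({"rule": "Bulk application assignment to one user",
                                 "severity": "high", "actor": user, "targets": sorted(apps)})
                break
    return findings


def _event(etype, published, actor, targets, debug=None, result="SUCCESS"):
    """Build a minimal System Log record in Okta's shape (constructed sample)."""
    return {"eventType": etype, "published": published,
            "actor": {"type": "User", "alternateId": actor},
            "target": [{"type": kind, "alternateId": value} for kind, value in targets],
            "outcome": {"result": result},
            "debugContext": {"debugData": debug or {}}}


def sample_events():
    """Constructed sequence mirroring the Okta steps in the case study."""
    user = "jdoe@example.com"
    evs = [
        _event("user.session.start", "2023-09-08T13:55:02.000Z", user, []),
        _event("user.account.privilege.grant", "2023-09-08T14:01:10.000Z", "admin@example.com",
               [("User", user)], {"privilegeGranted": "Super administrator"}),
    ]
    for i, app in enumerate(["vCenter", "CyberArk", "Salesforce", "Azure", "CrowdStrike", "AWS"]):
        evs.append(_event("application.user_membership.add", f"2023-09-08T14:05:{i:02d}.000Z",
                          user, [("AppInstance", app), ("User", user)]))
    evs.append(_event("system.idp.lifecycle.create", "2023-09-08T14:20:33.000Z", user,
                      [("IdentityProvider", "Backup IdP")]))
    evs.append(_event("user.mfa.factor.reset_all", "2023-09-08T14:25:00.000Z", user,
                      [("User", "itadmin@example.com")]))
    evs.append(_event("user.account.privilege.grant", "2023-09-08T14:30:00.000Z", user,
                      [("User", "x@example.com")], {"privilegeGranted": "Read only administrator"},
                      result="FAILURE"))
    return evs


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f["severity"].upper(), f["rule"], f["actor"], f["targets"])
```

Tune `bulk_threshold` to the largest number of applications a legitimate onboarding assigns at once; a Super Administrator grant and a new Identity Provider should page someone regardless of who the actor is.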
Having compromised Okta, the attacker pivoted to MGM's Azure AD tenant and claimed super administrator privileges including Tenant Root Group management permissions. Mandiant additionally confirmed a persistence technique specific to this group: UNC3944 accessed vSphere and Azure through SSO applications to create entirely new virtual machines, from which all follow-on activities were conducted. These attacker-controlled VMs had Microsoft Defender and Windows telemetry disabled, making forensic investigation significantly harder.
Mandiant confirmed persistence: New VMs created in vSphere and Azure via SSO — used as clean base for all further activity
VM hardening by attacker: MAS_AIO and privacy-script.bat used to remove Microsoft Defender and Windows telemetry
PCUnlocker ISO: Attached to existing VMs via vCenter to reset local admin passwords, bypassing domain controls
Impact: Cloud activity sourced from inside the environment — malicious traffic indistinguishable from legitimate traffic
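Attacker-built VMs with Defender and telemetry disabled are only invisible if nobody compares what the hypervisor is running against what the security tooling can see. The following is an added example of that reconciliation; it is not from the original case study or from any vendor, and both inventories, the hostnames and the timestamps are constructed.

```python
"""Reconciles a hypervisor VM inventory against the EDR console's device list
to surface powered-on VMs with no sensor or a silent sensor (added example,
not from the original case study; all data below is constructed)."""

from datetime import datetime, timedelta


def find_unmonitored_vms(vm_inventory, edr_last_seen, now, stale_after=timedelta(hours=24)):
    """vm_inventory: [{"name", "power_state", "created"}] as exported from vCenter/Azure.
    edr_last_seen: {hostname: last check-in datetime} as exported from the EDR console.
    Returns (vm name, vm age, reason) for running VMs the EDR cannot see, newest first."""
    edr = {host.lower(): seen for host, seen in edr_last_seen.items()}
    findings = []
    for vm in vm_inventory:
        if vm["power_state"] != "poweredOn":
            continue
        seen = edr.get(vm["name"].lower())
        age = now - vm["created"]
        if seen is None:
            findings.append((vm["name"], age, "no EDR sensor enrolled"))
        elif now - seen > stale_after:
            findings.append((vm["name"], age, f"sensor silent for {now - seen}"))
    findings.sort(key=lambda f: f[1])  # newest VMs first: most likely attacker-built
    return findings


# Constructed sample inventories.
NOW = datetime(2023, 9, 10, 12, 0)
VMS = [
    {"name": "app-web-01", "power_state": "poweredOn", "created": NOW - timedelta(days=400)},
    {"name": "jump-tmp-7", "power_state": "poweredOn", "created": NOW - timedelta(hours=6)},
    {"name": "build-old-3", "power_state": "poweredOff", "created": NOW - timedelta(days=90)},
    {"name": "db-core-02", "power_state": "poweredOn", "created": NOW - timedelta(days=200)},
]
EDR = {
    "APP-WEB-01": NOW - timedelta(minutes=5),
    "db-core-02": NOW - timedelta(days=3),  # sensor stopped reporting
}

if __name__ == "__main__":
    for name, age, reason in find_unmonitored_vms(VMS, EDR, NOW):
        print(f"{name:12} age={age} {reason}")
```

Run this on a schedule against both vSphere and the cloud tenant; a VM created hours ago with no sensor is exactly the "clean base" described above.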
With domain-level cloud access, the attacker moved laterally using legitimate tools already present in the environment. Mandiant confirmed several techniques not widely reported: UNC3944 created API keys inside CrowdStrike's external console to run commands (whoami, quser) via the Real Time Response module — effectively using the victim's own EDR as a remote access tool. They also used Mimikatz, ADRecon, and Impacket from attacker-controlled VMs, along with multiple tunnelling tools for persistent C2.
Credential theft: Mimikatz, "SecretServerSecretStealer" PowerShell script, ADRecon
Tunnelling tools (Mandiant confirmed): NGROK, RSOCX, Localtonet, Tailscale, Remmina
Python libraries: Impacket installed on attacker VMs
EDR evasion: BYOVD (bring your own vulnerable driver) — CVE-2015-2291 Intel driver used to disable endpoint security agents
SaaS accessed (Mandiant confirmed): vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, GCP — all via Okta SSO
Before deploying ransomware, the attacker exfiltrated sensitive data from MGM's environment — establishing the leverage needed for double extortion. They threatened to publish the stolen data unless the ransom was paid, independent of whether MGM could recover from encryption using backups. Caesars Entertainment, hit in a similar attack at the same time, paid approximately $15 million ransom to prevent data publication.
Caesars parallel: Caesars paid ~$15M ransom; MGM refused and incurred ~$100M in losses instead
ALPHV statement: Claimed to still have access to MGM infrastructure and threatened further attacks
Data targeted: Customer PII, loyalty programme data, internal credentials
Exfil method: Legitimate cloud storage and remote access tools — no custom malware required
On September 11, 2023 — after MGM failed to respond to the attacker's contact attempts — ALPHV/BlackCat ransomware was deployed against over 100 ESXi hypervisors across MGM's Las Vegas properties. The rapid encryption of 100+ VMware ESXi servers caused a 36+ hour initial outage and disrupted casino floor operations, hotel check-ins, digital room keys, ATMs, and slot machines for 10 days across multiple Las Vegas properties. MGM refused to pay the ransom.
Targets: 100+ VMware ESXi hypervisors running MGM's production VMs
Timeline: Deployed Sept 11, 2023 — after MGM ignored attacker contact attempts for 24 hours
Impact: Casino floors, hotel check-ins, digital room keys, ATMs, slot machines — all disrupted
Financial impact: ~$100M losses + $45M class-action lawsuit settlement
MGM decision: Refused to pay ransom — incurred full remediation cost instead