Connect with us

Hi, what are you looking for?



MGM Hackers Broadening Targets, Monetization Strategies

The financially motivated UNC3944 group that hacked MGM has hit at least 100 organizations, mainly in the US and Canada.

Google-owned Mandiant says the financially motivated threat actor responsible for the recent MGM Resorts hack has been expanding its targets, as well as its monetization strategies. 

Tracked as UNC3944 and also referred to as 0ktapus, Scatter Swine, and Scattered Spider, the hacking group has targeted at least 100 organizations, mostly in the United States and Canada. The group typically engages in SMS phishing campaigns (smishing), but has been broadening its skills and arsenal of tools and is expected to start targeting more industries.

Mandiant also noticed that the group shifted to ransomware deployment in mid-2023, which can be highly profitable. In some attacks, they were seen using the ALPHV (BlackCat) ransomware, but Mandiant believes they could use other ransomware as well, and they may “incorporate additional monetization strategies to maximize their profits in the future.”

The threat actor has been active since late 2021, typically employing smishing to obtain valid employee credentials and contacting the victim organization’s help desk to obtain multi factor authentication (MFA) codes or reset account passwords, by impersonating the targeted employees.

During such calls, the hacking group has been observed providing various types of verification information that the help desk requested, including personally identifiable information (PII), employee ID, and username.

UNC3944 uses legitimate-looking phishing pages that frequently use service desk or single sign on (SSO) lures, likely leveraging information harvested using existing access to a victim’s network to make the phishing more credible.

Since 2021, the group has used at least three phishing kits, including EightBait (which can deploy AnyDesk to victims’ systems) and two phishing kits built using a targeted organization’s webpage, with few code changes between them.

Advertisement. Scroll to continue reading.

In addition to smishing and social engineering, the group was also observed using a credential harvesting tool, thoroughly searching through a victim’s internal systems to identify valid login information, using publicly available tools to harvest credentials from internal GitHub repositories, and the open source tool MicroBurst to identify Azure credentials and secrets.

According to Mandiant, UNC3944 also appears to be using information stealers to harvest credentials, including Ultraknot (also known as Meduza stealer), Vidar, and Atomic.

“A common hallmark of UNC3944 intrusions has been their creative, persistent, and increasingly effective targeting of victims’ cloud resources. This strategy allows the threat actors to establish a foothold for their later operations, perform network and directory reconnaissance, and to access many sensitive systems and data stores,” Mandiant says.

Mandiant also observed UNC3944 abusing Microsoft Entra environments to access restricted resources, creating virtual machines for unmonitored access, abusing Azure Data Factory to steal data, and leveraging access to victims’ cloud environments to host malicious tools and move laterally.

“UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies. We expect that these threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations,” Mandiant notes.

Related: Ransomware Gang Takes Credit for Disruptive MGM Resorts Cyberattack

Related: Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products

Related: Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...