Cyber security has never been more important to the global gaming industry, with recent attacks on US casino giants MGM Resorts and Caesars capturing global headlines. Singapore’s Marina Bay Sands and leading industry supplier Aristocrat have also been targeted over the past year, while Okada Manila in the Philippines suffered a mysterious “technical issue” with its IT systems in November. In this in-depth feature, Inside Asian Gaming speaks with a range of cyber security experts to learn more about modern-day cyber attacks, why the gaming industry has become a target and what companies can do to stay safe.
If you’ve ever felt like you were living your life inside a fishbowl, spare a thought for the owners of one unfortunate North American casino. In a famous incident that made headlines back in 2017 after being detailed in a report by threat intelligence agency Darktrace, the casino in question was hacked not through its IT systems but via its fish tank.
Taking advantage of a high-tech setup in which the tank was internet-connected to allow for automated feeding and constant temperature monitoring, hackers were able to infiltrate the broader network and download 10GB of data to servers in Finland before the breach was detected.
But if that incident served as a warning to the industry, it seems the warning wasn’t heeded.
In September last year, details emerged of a major cyber incident affecting multiple systems throughout MGM Resorts International’s North American properties. Although it was initially reported that the incident had resulted in thousands of slot machines across MGM’s casino floors going dark, it soon became apparent that everything from onsite ATMs, electronic payment systems, hotel reservation systems and even hotel key cards had stopped working, either as a direct result of the hackers’ actions or due to MGM shutting systems down to avoid further breaches.
And MGM wasn’t alone, with Caesars Entertainment revealing in the ensuing days that it too had been subject to a cyberattack just a few weeks earlier. It was subsequently reported that Caesars had paid a US$15 million ransom to avoid data being leaked, although analysts have expressed doubt over this and the company has never confirmed.
MGM, for its part, said in a filing that the incident would cost it around US$100 million in EBITDAR.
If the world’s gaming operators weren’t paying attention before, rest assured they’re taking notice now given growing evidence the industry has become a major target for international cybercriminal groups.
“Attackers have discovered that casino companies are not always the impenetrable fortresses that we see in the movies,” observes Gus Fritschie, Vice President of Security Services for IT security and compliance firm Bulletproof – a subsidiary of Gaming Labs International (GLI).
“After seeing all the physical security controls in a casino, one would think the logical computer controls are just as strong. However, what the general public does not see is what plagues many verticals; outdated systems and software, weak policies and procedures, and lack of buy-in and support from C-suite around information security. This leads to networks with gaps and vulnerabilities that cyber criminals can exploit.”
Matthew Chao, Chairman and CEO of Hong Kong-listed IT solutions firm BoardWare Intelligence Technology Limited, says there are many reasons why gaming firms become targets, one being the valuable data they handle which includes personal info and financial data.
“This data can be monetized on the black market, used for identity theft or leveraged for targeted phishing attacks,” Chao explains. “Cybercriminals see these establishments as data-rich environments, making them enticing targets.
“Besides, the gaming industry generates substantial revenue, and casinos hold significant amounts of cash on-premises. Cybercriminals may attempt to breach gaming systems to manipulate outcomes or exploit vulnerabilities in financial transactions, such as skimming credit card information from guests or tampering with electronic payment systems.
“Recently, cybercriminals have committed crimes to attract media or public attention, thereby providing hacking as a service and gaining both fame and fortune. These make casinos attractive targets for cybercriminals.”
Last year’s MGM Resorts attack was revealed to be the work of well-known hacker groups Scattered Spider and ALPHV, who used social engineering to infiltrate the company’s defenses. According to details provided by the groups in the weeks that ensued, Scattered Spider implemented an impersonation and vishing scheme to gain access to MGM’s systems: identifying an MGM employee through LinkedIn and then impersonating them in a call to MGM’s IT help desk in which they claimed they were having trouble logging into their accounts.
The hackers gained administrative privileges to MGM’s Okta and Azure systems during the course of a 10-minute phone call, and the following day – after MGM discovered unusual activity on its servers – ALPHV deployed ransomware within the network.
According to Kevin King, CEO of hotel technology provider Shiji International, social engineering – which aims to manipulate individuals into revealing sensitive information or performing actions that can compromise security through means such as phishing emails, phone scams or impersonation – is proving increasingly popular amongst hacker groups these days, particularly with the advancement of generative AI.
“We can anticipate that phishing and social engineering attacks will evolve to be more sophisticated, customized to individual victims and automated,” King says. “This evolution will likely enable these attacks to be conducted on a larger scale. Imagine getting a call from a family member in distress, speaking with their voice, knowing personal details about you (possibly gleaned from online sources) and urgently requesting a money transfer.
“This scenario is already feasible, and it’s not hard to envision such tactics becoming automated in the future. IoT attacks are relevant in a number of industries, and hotels and casinos are just two.”
In reality, however, there are dozens of weapons in the armory of hacker groups, with malware, zero-day exploits, insider threats and supply chain attacks just some of the methods used to infiltrate networks, depending upon where vulnerabilities are identified.
“The threat actors’ playbook is continually evolving and varied, with new threats developed and launched daily,” says Wickie Fung, Managing Director, Hong Kong & Greater Bay Area at Palo Alto Networks.
“To give an idea of the scale of cyber threats, our team detects 1.5 million unique threats and blocks another 8.6 billion known attacks every day. Unfortunately, bad actors have the same access to advanced technologies including artificial intelligence, machine learning and big data analysis, and automate their attacks.
“With AI tools becoming increasingly available for low prices on the dark web, and the emergence of ransomware-as-a-service models, the barrier of entry for threat actors is lowered – which may increase such attacks.”
King also notes that cybercriminals often execute their attacks in several phases, first infiltrating a company’s systems to establish persistence, then working their way through other interconnected systems within the business.
“If hackers successfully breach one system, they can potentially pivot and move laterally to compromise other interconnected systems, leading to a cascade of disruptions,” explains Nelson Lei, Assistant Director, BWZ, for Macau’s BoardWare Information System Limited – a subsidiary of Boardware Intelligence Technology.
“[That’s why victims] may proactively shut down systems or services as a precautionary measure to limit the potential damage caused or to contain the impact of the cybersecurity incident.”
It is this interconnectivity of applications that ultimately forced MGM to shut down so many of its property-wide systems during last year’s incident.
Asia has faced its own challenges in this regard, with Philippines integrated resort Okada Manila shutting down the vast majority of its slot machines for the best part of a week in November. Okada has not revealed whether or not a cyberattack was to blame – telling IAG at the time that it was experiencing “technical issues” with its “Information Technology Systems” – but like other recent incidents those issues also infiltrated various other operational systems throughout the IR.
Singapore’s Marina Bay Sands was more forthcoming in revealing its own data security incident last November which saw an unknown third-party gain access to the customer data of around 665,000 rewards program members. While MBS said there was no evidence that data had been used to harm affected customers, the company added that it was working with a leading external cybersecurity firm and had “taken action to further strengthen our systems and protect data.”
Industry suppliers haven’t been immune either, with Australian slot machine giant Aristocrat the victim of a cyberattack last year which saw the personal information of staff extracted and in some cases published. Aristocrat revealed in August that the attack saw a hacker exploit a vulnerability in the third-party file sharing software MOVEit used by the company.
Ironically, a trial of cashless gaming technology being conducted by Aristocrat in a club north of Sydney had only weeks earlier been terminated after a cyberattack saw the data of some participants compromised.
It later emerged that Aristocrat was just one of over 650 organizations infiltrated via the MOVEit software, which was targeted by ransomware group Clop by exploiting a zero-day vulnerability. Clop initially stated it would start publishing data from those organizations if they didn’t enter negotiations around ransom payments, although it is unclear what became of this threat.
Still, it begs the question of how companies who are breached should react to ransom demands and what might motivate them to pay in the first place when expert advice says not to do so.
According to a November 2023 study commissioned by advisory McGrathNicol and conducted by market research firm YouGov, 73% of Australian businesses that have been victims of a cyberattack over the past five years opted to pay a ransom demand, while 70% of those surveyed who had not been attacked said they would be willing to pay.
Of those who had paid a ransom, 37% did so within the first 24 hours and 74% within 48 hours.
“Businesses are still overwhelmingly paying ransoms, and paying them quickly, to avoid negative backlash from customers, partners and stakeholders. It’s now being factored in as a cost of doing business,” stated McGrathNicol Advisory Cyber Partner Darren Hopkins upon release of the findings.
“The research shows that executives are becoming empathetic and less hard-nosed about reporting these attacks to authorities. But without greater collaboration and knowledge-sharing, our ability to prevent ransomware attacks is undermined. This intelligence can help business leaders make informed decisions rather than rushing into paying an expensive, and potentially illegal, ransom.”
Another report by Unit 42, the threat intelligence arm of Palo Alto Networks, states that global ransomware demands in 2022 ranged from as low as US$3,000 to as high as US$50 million, while amounts actually paid went as high as US$7 million.
“We encourage organizations to consider alternatives before paying a ransom,” offers Palo Alto’s Fung. “It is recommended to focus on preventive measures, robust backups and incident response capabilities to minimize the impact of ransomware attacks.”
Of course, King notes that the tactics used by hackers are specifically designed to encourage payment for fear of further attacks, while an organization’s ability to pay a large sum may also make it a more attractive target in the first place.
“Criminals often employ double extortion tactics, demanding payment not only to decrypt data but also to refrain from releasing it online,” says Shiji International’s CEO. “This strategy increases the likelihood of payment, as companies with backups capable of restoring encrypted data are still incentivized to pay to prevent a data breach.
“Ransom amounts vary widely, ranging from thousands to millions of dollars. Often, the demanded sum correlates with the victim’s revenue – higher revenue often leads to a higher ransom. In some instances, ransomware groups base their demands on the victim’s cyber insurance coverage, setting a ransom amount that mirrors this coverage.
“Reports indicate that the median ransomware payment is around US$350,000. Furthermore, over 30% of ransomware victims experience repeated attacks. This recurrence might be due to multiple ransomware gangs targeting the same victims and exploiting the same vulnerabilities.”
While ransomware groups can operate from just about anywhere on the planet, King notes that they tend to be more prevalent in countries influenced by factors like inadequate cybercrime laws, a shortfall in international law enforcement collaboration, and economic circumstances where engaging in such activities can be more lucrative than traditional employment. Eastern Europe, particularly Russia and its neighboring countries, is a hotspot, and groups will often work together whereby each will deploy their particular specialty, be it developing malware, laundering money, trading stolen credentials, or other activities.
This is why it’s more important than ever, insists Chao, for casino operators to ensure they have a strong, comprehensive casino security system in place providing various layers of protection to ensure the safety and integrity of operations, assets and customer information.
“This includes physical security, network security, data protection, surveillance and monitoring, fraud detection and prevention, access control, security awareness training, incident response and recovery, and regulatory matters and compliance,” he says. “Of course, a professional and experienced partnership is also very important.
“Different organizations have different cultural backgrounds and infrastructure, so it highlights the significance of having a well-defined incident response playbook. An incident response playbook serves as a proactive guide that outlines the steps, roles and responsibilities necessary for responding to and mitigating cyber security incidents.
“Having an incident response playbook enables an organization to act swiftly and efficiently: the incident response team can quickly activate and follow predefined procedures, minimizing response times and allowing for a more efficient containment and mitigation of the incident.”
Adds Fung, “Cybersecurity is a business problem, not an IT problem. The execution has to be from the top-level cascading to everyone in the organization.
“It all starts with having the right mindset. While an IR executive may not be an IT expert, they should have a basic understanding of cybersecurity principles and best practices. It is important to prioritize cybersecurity as a strategic business risk and collaborate closely with IT and security teams.
“Regularly updating knowledge on emerging threats, promoting employee awareness training and ensuring the implementation of best-in-class security controls are key responsibilities.”
Bulletproof’s Fritschie also puts the onus onto industry suppliers, noting it’s “in their interest to make sure their products, both land-based and online, are as strong and secure as possible.”
Fritschie cites the 2014 example of a Russian gang that targeted a weakness in a slot machine manufactured by a leading industry supplier to manipulate payouts.
“How do you prevent this? By intentionally integrating security into the software development lifecycle,” he adds. “We are seeing more suppliers taking the onus upon themselves to pre-perform security testing beyond what is required for regulatory purposes. They have taken steps to strengthen their own internal security teams.”
Ultimately, casinos and other gaming companies are by their nature attractive targets for cybercriminals, being profit-rich environments that hold significant amounts of data and whose operations can be severely impacted by a data breach. As such, it seems likely the gaming industry will remain in criminal crosshairs, making it more important than ever to bolster security defenses.
“The unpleasant truth is that no company can be 100% secure,” says Fritschie. “What we want to do in gaming is raise the bar and implement stronger controls and testing requirements to drive security forward. Like burglary, if the house has an effective alarm, good lighting, cameras and locked doors, the thief will more likely move on to an easier victim, and the same applies in gaming.
“We have to raise the bar so attackers move on to another vertical, company or entirely different industry. You don’t want to gamble with security, save that for the craps table instead!”
