Ransomware groups have made hundreds of millions of dollars from attacks on tribal casinos in North America over the last two years, with these incidents leading to operational disruptions, theft of player data and financial losses, a cybersecurity expert said Tuesday.
“We’ve seen a dozen or more tribes hacked,” said Andrew Cardno, CEO of Gaming Changing Technologies. “This is no joke. You look at who is doing it, it is foreign nations doing it … and they are hacking you right now.”
Several incidents have become public in recent years as casinos were forced to close to remediate their networks following a ransomware attack. Cardno said New Mexico’s Tesuque Casino reopened after ten days in early October after an attack that was initially identified at the Santa Fe resort on September 25.
The casino, which is operated by the Pueblo of Tesuque, immediately closed once the attack was discovered. Casino officials said in a Facebook post that the results from the investigation will “strengthen the casino’s cyber security defences.”
Other recent cyber-attacks shut down six Lucky Star tribal casinos in Oklahoma, which belong to the Cheyenne and Arapaho tribes, in July. In May, the Seminole Nation’s casino, also in Oklahoma, was affected by a ransomware attack. In October 2020, two Nez Perce Tribe casinos in Idaho were forced to close by attacks.
It is also an issue on the agenda for federal officials who help to oversee the $30bn Indian gaming market, with the chair of the National Indian Gaming Commission recording a message for tribal regulators during October's Cybersecurity Awareness Month.
Cardno told attendees Tuesday (November 16) at the National Indian Gaming Association’s mid-year conference at Pechanga Resort in Temecula, California, that the estimated value of the attacks that have occurred over the last two years is between $200m and $300m.
Cardno noted the amount of data that flows through a casino floor and the loyalty program at a major tribal casino such as the Pechanga Resort.
“Why is the data worth so much? That’s the life blood of your business,” he said.
Cardno added that what customers do not see is that every slot machine and table game, as well as every employee who carries around a minicomputer, is connected to the resort’s network.
“Your business is running on information,” he said. “If you turned it off today, you wouldn’t be a business. When you get a ransomware attack your business stops. Period.”
“It’s not just hackers, it’s an industry,” Cardno warned tribal gaming regulators and executives. “There are foreign nations that have divisions of people to do this.”
He said an attack could be as simple as someone bribing an employee to plug in a storage drive that gives the attackers access to systems. There have also been hacks due to a flaw in an executive’s iPhone that creates a back door into systems that cannot be stopped, a flaw which is called a “zero-day” vulnerability.
Cardno said a “zero-day” attack on a network allows hackers into a casino’s network to infect every single computer and every smartphone without the business knowing.
“You’ll never see it. It’s a back door where they can come and go,” he said. “One day after they get into your system, they’ll turn it off and call you. You better have bitcoin ready to pay because if it gets to that stage, you are not going to get rid of them.”
Cardno urged tribal gaming executives to have a remediation program in place before any ransomware attack occurs. He told a conference room full of tribal gaming executives and regulators that if they want to become “totally paranoid” they should ask their IT departments how many hits they get per day.
“And after you realize that it’s thousands or tens of thousands attacking attempts … become paranoid.”
Cardno said there are several steps a tribal casino can take to mitigate the risks of a ransomware attack. He admitted it “sounds crazy,” but recommended casinos install a redundant gaming system.
“There’s a lot of cost to that,” Cardno admitted. “I don’t know any casino that has done that. But go ask the casinos that have closed if they should have had a redundant gaming system. It is possible to let your operations continue during a time of total distress.”
He also suggested casinos make that secondary system completely isolated from the external world or any other systems by putting it in the resort’s safest room and limiting access to the servers.
“No one touches it, and you test it on the slowest day of the year to make sure it is still running,” Cardno said. “So, build a set of systems that are 100 percent isolated, 100 percent cut off from the outside world. You’ve got the advantage with brick-and-mortar properties.”
Cardno urged executives, once they have finished building an isolated server system for their property, to “walk up with a knife, I’m not kidding, and cut the cable and you are off the grid and running locally.”
“We can still make revenue. We can still run our business,” he said. “Not a single property I’ve heard of has done that.”
Cardno also asked conference attendees to compare the cost of shutting down a brick-and-mortar facility following a ransomware attack to the cost of installing back-up systems.
“The thing you need to do is isolate your core systems so you can operate without the outside world,” he said. “Completely isolate your core systems and then you have a chance.”