Sands Casino Corporate Systems Eviscerated by Iranians
Entertainment // Nevada, United States
After company CEO Sheldon Adelson endorsed nuking Iran during public remarks at Yeshiva University, hacktivists thought to be state-sponsored digitally sabotaged thousands of Sands’ computers.
Las Vegas Sands Corp. owns the Sands, Venetian, and Palazzo hotels and casinos.
Hackers first poked around the perimeter of the firm’s computer networks, looking for weaknesses.
By January, the hackers homed in on Sands Bethlehem, a 3,000-slot-machine casino and resort in Bethlehem, Pa.
“Going after the weak link in the security chain is a well-worn hacker trick,” according to Bloomberg. The attackers broke into the resort’s virtual private network, or VPN, which gives employees access to their files from home or out-of-state.
To do this, they first tried using “software that cracks password logins by systematically trying as many as several thousand letter combinations per minute; the software keeps going until it either guesses right or runs out of permutations,” Bloomberg reports. “It’s a brute-force method, sort of like the safecracking tools in movies that spin through every possible combination to find the correct set of numbers.”
Since brute-force attempts are common, the casino staff wasn’t overly concerned. Staff put another layer of security on the targeted accounts, so that entering the network would require more than just a password.
No matter. On Feb. 1, the hackers found a weakness in a Web development server used to test Web pages before they go live.
Once inside, the perpetrators used a tool called Mimikatz to uncover passwords that had previously been used to log in to the Bethlehem network. The hackers gained access to almost every Sands file there.
“But the Bethlehem computer system was a box—and what they were really after was the key that would let them out,” Bloomberg reports.
Sometime before Feb. 9, they found it: the login credentials of a computer engineer who normally worked at headquarters but whose password had been used in Bethlehem during a recent trip.
That login got the hackers into the company’s servers in Vegas.
“As they rifled through the master network, the attackers readied a malware bomb” that was small in size but potent, according to Bloomberg. The code is about 150 lines long and written in the Visual Basic programming language. Not only does it erase data stored on computers and servers, but it also automatically reboots them, which is the trick to compromising data that’s untouchable while a machine is running.
The detonation turned thousands of servers, desktop PCs, and laptops into waste.
Security staffers noticed logs showing the hackers may have downloaded—or were preparing to—vast numbers of documents, from credit checks on high-rollers to detailed diagrams of global computer systems. At this point, Sands decided to completely disconnect the company from the Internet.
Still, Sands was able to keep many core operations functioning—because the hackers weren’t able to access a key IBM mainframe. Hotel guests could still get into their rooms. Elevators ran. Slot machines functioned.
“The hackers’ malicious payload wiped out about three-quarters of the company’s Las Vegas computer servers,” Bloomberg reports. Recovering data and building new systems could cost the company more than $40 million.




