The Customer

As one of the world’s most recognizable casino and hotel brands, this customer is an icon of American global hospitality and entertainment, operating more than thirty world-class hotels and casinos globally.

The Problem

A threat actor associated with a well-known cyber-terrorist hacking group began offering the sale of data allegedly stolen from the customer. The actor in question was a known member (or associate) of The Dark Overlord group, which has claimed responsibility for a number of other high-profile hacks and intrusions.

This scenario was especially troubling because the data was being offered by someone with an established reputation for hacking and selling high-profile databases.

News or mentions of this particular threat actor were flagged by Night Lion Security’s Shadowbyte application, which generates real-time alerts for our threat hunting team. Within several hours of its original posting, Vinny Troia, Night Lion’s CEO, contacted the customer’s chief information security officer (CISO), alerting him of the active sale. Night Lion was then retained to establish communication with the actor in order to validate the data and learn how it was obtained.

The Solution

At the behest of the customer’s security team, Night Lion’s counterintelligence unit established direct communication with the hacker. In direct conversations, our analyst posed as an interested buyer of the data. After several lengthy discussions, a rapport was established with the actor, at which time he began to brag about his accomplishments.

After our analyst was able to apply social engineering techniques to elicit the criminal into providing details on the breach was carried out. The actor also shared a copy of the data with our team, which was then sent back to the client for direct analysis and validation.

Our team worked directly with federal law enforcement agents to provide critical information on the actor, which included his current and past-aliases.

The information provided to the customer was validated and used to close the previously exploited vulnerability.