Tribal governments, casinos, and health facilities remain under a heightened alert for cyber attacks after the FBI’s Cyber Division issued a warning that millions of dollars in costs and damages are at risk.
Dated Nov. 3, the alert served as a reminder to tribal leaders and information-technology professionals gathered last week at the TribalNet Conference & Tradeshow in suburban Dallas, where cyber security was already a big focus with at least eight sessions dealing with the topic.
“Ransomware attacks in recent months against tribal entities have caused damages estimated in the millions of dollars and the FBI has received reports of tribal entities affected by ransomware attacks since at least 2016,” the alert said. “Entities impacted by these attacks include tribal governments, healthcare-service providers, emergency-services providers, schools, and casinos, with attacks leading to operational disruption, sensitive-data theft, and financial losses.”
A number of the attacks made the news in been 2020 and 2021 and the National Indian Gaming Commission revealed over the summer that cyber attacks have jumped 1,000% since 2019. There was one in 2019, which soared to 12 in roughly 18 months in 2020 and 2021.
The issue came to a head in June when six Oklahoma tribal casinos were subject to ransomware demands and had to close temporarily. In August, the Ho-Chunk Nation in the Wisconsin Dells was hit and the casino was shuttered for four days. The Tesuque Casino in New Mexico was the subject of cyber attacks and closed for three days in September.
Hackers have been getting into and shutting down casino systems, then demanding ransoms in return. Some seek out credit information and other personal details of customers that they can sell on the dark web. Not only casinos, but tribal medical facilities are attacked and asked to pay ransom; it’s an even bigger threat, since patient lives are at risk.
“The alert was focused particularly on ransomware, because of what’s been happening recently,” said Mike Day, CEO of TribalHub, which put on the TribalNet technology-focused conference. “We’re seeing it and everybody’s seeing it.”
Day is a member of the newly formed non-profit Tribal Information Sharing and Analysis Center, a platform for helping tribes protect against cyber threats. The group monitors cyber-threat advisories and pushes that information out to tribes, he said.
“They’re making everybody aware of what we know, which is reiterating that there have been increasing threats to Native American organizations, and not just governments, casinos, and health systems,” Day said. “A lot of critical infrastructure across the country is held on tribal lands, and they’re worried about that.”
Since 2019, no less than nine different ransomware groups are known to have attacked tribes and tribal enterprises, Day said, and at least 12 tribes, plus a major casino-equipment supplier, have fallen victim to ransomware. These are just the reported incidents; unreported numbers “make this significantly higher,” he said.
The mention of millions of dollars from ransomware attacks is the first public acknowledgement of what’s happened to tribal operations cost-wise. Tribes have never revealed how they dealt with the attacks, although NIGC executives said over the summer that attackers have requested several hundred thousand dollars and even more than $1 million in some cases without saying how much was paid out. Tribes aren’t required to report the cyber attacks to the NIGC, so a clear number of attacks and payouts isn’t known.
“The stance of the federal government is never to pay a ransom,” Day said. “The stance of insurance companies, when you get cyber insurance, is almost always to pay the ransom. They’re in conflict. The worry is tribes are funding the guys that are behind all this. We just have to figure out how to prevent it, so we’re stopping it altogether.”
John Iannarelli, who served on the Cyber Division’s executive staff at the FBI and is a former assistant special agent in charge of overseeing cyber investigations, served as a keynote speaker at the TribalNet Conference. He said it’s not surprising that hackers are targeting tribal casinos and governments viewed as easier targets than commercial casinos. It’s not a question of if, but when tribes should expect to be hit, he said.
“Some of the big casinos in Vegas have entire teams of people who do nothing but cyber security and physical security, but that’s not always the focus of the Indian casinos,” Iannarelli said. “Some of it is just available resources. It’s hard to find cyber people in general. The entire business world in this country is woefully understaffed in the cyber arena, so cyber talent working onsite isn’t always easy to find.”
Larger casinos stand a better chance of warding off attacks. They tend to do a better job of training employees, since many attacks can originate from workers going on their personal email at work and clicking on a suspicious link. It can even happen from their home computer if they’re working on a tribal website, Iannarelli said.
“All you need is a little protection in place,” Iannarelli said. “There are so many opportunities for cyber thieves. They’re not going to waste their time trying to get past somebody who has protection. They’ll just go on to the next person who hasn’t done as good of a job as you have in protecting yourself.”
Cyber attacks are accelerating, because criminals have figured out there’s a lot of money to be made. They’re requesting five figures, six figures, and even higher, he said.
“If I rob a casino at gunpoint, the chances are I’ll get caught — or worse, something will happen to me,” Iannarelli said. “If I’m safely behind my computer, first you have to find me. A lot of these thieves aren’t in the U.S., so U.S. law enforcement, including the FBI, has no jurisdiction.”
Exacerbating the situation is that cyber attacks aren’t the FBI’s number-one priority. Instead, counterterrorism and counterintelligence are where the resources are allocated, Iannarelli said. That’s why it’s important for casinos to protect themselves and one of the ways is to religiously back up data, so they can wipe the ransomware off their system and reinstall their data.
As for who are the culprits for cyber attacks in general, Iannarelli cited state-sponsored terrorism, saying that China, for example, has an army of hackers to attack businesses and disrupt the U.S. economy
“You also see it from Iran, North Korea, and certainly there’s a lot going on from Russia as well,” Iannarelli said. “There’s also the good-old-fashioned criminal sitting in a cyber cafe somewhere who is just doing it for profit. And there’s definitely corporate espionage. If competitors are nearby, who’s to say they’re not trying to put you out of business to drive business to their own casino?”
Dave Bailey, president and general manager of technology company Arctic IT, also spoke at the conference, saying China or Chinese technology and some competitors may be responsible for some of the attacks. Many hackers have turned away from gathering credit-card and other data to instead take down revenue-generating operations. That could be the casino games, parking systems, or credit-card processors, he said.
“If they can take down revenue-generation operations for a period of time, they can get the casino to pay a ransom,” Bailey said. “Casinos will pay when the ransom is less than it costs to be shut down.”
The overarching lesson from the TribalNet conference, according to Day, is that cyber security needs to be taken seriously, not just from the technology team, but the entire organization, all the way up to the top executives. What was different at the conference this year is that even technology vendors at the tradeshow had a security messaging component for their products, he said.
Conference attendees were quick to acknowledge that cyber security is at elevated levels at their properties.
“If you’re not concerned, you’re naive,” said Virgil Debrosse, the IT senior account manager for the Chickasaw Nation in Oklahoma. “I can tell you it’s a top priority in terms of how we manage our patch process, multi-factor authentication, and onboarding new vendors and new technology. Security is one of the first steps we go through in the vetting process.”
Debrosse said organizations are vulnerable if IT departments are run “very lean.” In that case, something has to give, but even large Las Vegas casinos have been hit in the past, so no one is immune. With the shift to the cloud, it’s become even more important to have rigorous protocols to make sure systems are secure, he said.
“It’s not surprising at all (that it’s a big focus at the conference),” Debrosse said. “It should be at the forefront of everybody’s mind, because the threat is real.”
Fran Moore, director of information technology for the Wild Horse Resort in eastern Oregon, said her casino purchased a network-control system costing $250,000 that will help in warding off cyber attacks.
Steve Neely, general manager of the Rolling Hills Casino in Northern California, said it’s a focus of theirs, but he still worries that no matter how diligent they try to be, hackers are working to figure out ways to get around tomorrow what they have in place today.
“We continue to invest,” Neely said. “We’re a high-valued industry with a lot of data, so it make senses to want to target us.”
Patrick Tinklenberg, vice president of IT at Sycuan Casino in Southern California, said funding by the tribe has made a difference in building infrastructure, implementing user education, adding security products and tying in awareness training. It could still come down, however, to a team member clicking on a link or opening an email that allows hackers access no matter what’s done systemwide.
“We’ve had a lot of attempted attacks and watch and manage them,” Tinklenberg said. “A number of years ago, we had an attack that scared us badly, but didn’t do any damage. It certainly made us aware of our vulnerabilities. I’m constantly worried about it.”
