In February, Iranian hackers took down the computer system of gambling magnate Sheldon Adelson’s casino empire, wiping hard drives clean and shutting down email.
Las Vegas Sands, the world’s largest gaming company, was devastated by the attack.
But until a Bloomberg Businessweek report Thursday night, the company had never revealed the extent of the hack.
Coming months before the recent hack on Sony Pictures, the hit on Sands is now believed to be the first major destructive cyberattack on a U.S. business, although there are likely others that have gone unreported.
From the instant the offensive started, Las Vegas Sands suspected it was retaliation for Adelson’s hawkish stance on the Middle East. Adelson, who is Jewish, contributes heavily to Republican causes and owns three news outlets in Israel.
Notably, at a panel at Yeshiva University in October 2013, Adelson suggested the U.S. should set off a nuclear warhead in the Iranian desert to convey power during its nuclear negotiations with Tehran.
The U.S. would then have the upper hand to say, “You want to be wiped out? Go ahead and take a tough position,” Adelson told the crowd.
The comments raised eyebrows and even got a response from Iran’s Supreme Leader Ayatollah Ali Khamenei, who suggested America “should slap these prating people in the mouth and crush their mouths.”
Businessweek described Sands’s cyber defenses as thin, allowing the Iranian hackers to roam around the company’s networks for four months before launching their attack.
As of 2012, Sands only had five people protecting 25,000 computers. Although a 2013 upgrade and expansion was underway, it was on an 18-month rollout plan, and no match for coordinated cyber actors.
The attackers went in through Sands’s weakest link, its casino in Bethlehem, Pa. They slipped in through a vulnerability in the casino’s Web development server and started scraping up login credentials that allowed them to hop to the company’s major computer system.
From there, they were able to launch the malware, known as a wiper attack, that took down the entire network and erased some data. It was similar in style to the Sony attack.
But because the hackers didn’t get at some core Sands operations — namely gambling and hotel room swipe keys — the hit went unnoticed by the public until this week.
Lawmakers and intelligence officials have warned that destructive cyberattacks would soon start hitting the U.S. But until the Sony hack, Americans had not seen a large-scale, successful destructive attack carried out on U.S. soil.
The Sands hack raises questions about whether other companies have also covering up similar destructive offensives.
Lawmakers have pushed for industry to disclose more information about the cyber threats they are facing. But the private sector has resisted, arguing it needs protections from shareholder lawsuits before doing so.