Inside a Modern Cyber Breach: Key Lessons for Casino Operators on the Frontlines

By Paul Leger
Senior Director, Cybersecurity and Governance Services

September 02, 2025

Share

The Anatomy of a Cybersecurity Compromise

When unusual activity or anomalies are detected in a company’s IT infrastructure, this may suggest a potential problem. In such cases, a team of security professionals analyze the available evidence to determine whether unauthorized access has occurred, identify the techniques employed, and assess the impact for the organization.

A recent investigation by the Bulletproof security team presents an overview of the mechanisms behind modern gaming cyberattacks, and measures that organizations can use to strengthen their resilience against these threats.

Leaving No Stone Unturned

A wide-ranging investigation typically covers the following areas:

• Critical servers showing unusual activity
• System logs and network traffic
• Configuration and patching status
• Threat intelligence and behavioral analytics
• Internal training on cybersecurity awareness and best practices

These methods aim to comprehensively identify all indicators, such as potential backdoors and techniques for data exfiltration.

How to Investigate a Breach

Security investigators use a blend of automated tools and hands-on investigation to:

• Collect and review evidence from affected systems
• Classify suspicious processes and activity
• Analyze network traffic for abnormal connections
• Examine logs for hints of unauthorized access
• Review application code for any hidden vulnerabilities or malicious changes

The Main Findings: What Lurked Beneath

During our investigation of a casino gaming client, the digital equivalent of a break-in was confirmed. Here’s what our cybersecurity team found:

• Malicious Processes: Suspicious software had been quietly installed on key servers. Tools, such as PupyRAT and Rekoobe, are known for giving attackers secret control over systems, allowing them to elevate privileges and siphon off data without detection.
• Living off the Land: Attackers cleverly used legitimate software already present on the servers (like the Amazon SSM Agent) to avoid raising alarms. This technique, called “Living off the Land,” makes their actions blend in with normal operations.
• Persistent Access: The Rekoobe backdoor, for example, could receive commands, transfer data, and even access sensitive password files. Its stealthy design allowed it to hide in plain sight and communicate with outside command servers at regular intervals.
• Command & Control Links: Unusual network traffic revealed connections to suspicious domains and IP addresses—classic signs of an attacker maintaining remote control.

Indicators of a Compromise

The investigation flagged five key signs that an attack had taken place:

1. Simultaneous installation of suspicious processes on different servers
2. Unusual outbound connections to known malicious domains and IP addresses
3. Misuse of administrative privileges for ongoing access
4. Transmission of sensitive information (like usernames and passwords) over unprotected channels
5. Possible application of steganographic techniques for the concealment of information

Attribution

There is no definitive or conclusive attribution to a particular origin or group; however, tools such as PupyRat were observed in cyberattacks associated with Earth Berberoka (also referred to as GamblingPuppet or DiceyF). This group is believed to have links to Chinese-speaking individuals and has been active since early 2022. Their operations primarily target online gambling and casino websites, especially within China and Southeast Asia[i].

Moreover, the analysis revealed that multiple files initially encoded in ASCII presented Chinese characters when processed with Unicode encoding and the translation of these characters subsequently uncovered hidden information. This method is commonly employed to evade detection.

Recommendations: How to Bounce Back and Build Resilience

Responding to and recovering from a breach encompasses more than the restoration of normal operations; it presents an opportunity to strengthen organisational resilience. Our Bulletproof cybersecurity recommends:

• Better Network Segmentation: Divide networks into secure zones to limit how far attackers can move if they get in.
• Advanced Endpoint Protection and Monitoring: Employ next-generation security solutions to identify and oversee potential threats, and utilize detection rules to enhance detection capabilities, reducing the likelihood of evasion by malicious actors.
• Regular Security Assessments: Don’t wait for trouble; conduct frequent evaluations of your security posture to proactively identify and remediate emerging risks. In addition to routine vulnerability scans and penetration testing, it is advisable to validate security controls through red teaming exercises that emulate real-world attack scenarios.
• Restrict Administrative Privileges: Only give the keys to the kingdom to those who truly need them—and review access rights regularly.
• Incident response: Strengthen your organization’s incident response capabilities by evaluating the maturity of current procedures, developing comprehensive plans and playbooks, and routinely conducting tabletop exercises to assess and improve their effectiveness.

Takeaways for Everyone

This case isn’t unique. Cyber attackers are constantly evolving, making use of both new malware and legitimate system tools to slip past traditional defenses. While technology helps, the key to cybersecurity resilience is a culture of vigilance, regular testing, and readiness to respond quickly when (not if) anomalies are detected.

Distributed Denial of Service (DDoS) attacks can flood casino systems with overwhelming traffic, resulting in service outages that disrupt gaming operations and cause significant revenue loss, particularly during peak times. Alongside this threat, insider threats pose a serious risk, as employees or contractors with access to sensitive systems may inadvertently or deliberately compromise security, leading to data leaks. These situations illustrate several potential vulnerabilities where data may be at risk.

With the vast amount of personal and financial data casinos collect from their players with key efforts around enhancing KYC initiatives, they are prime targets for data breaches. An attack could expose sensitive information, leading to identity theft and loss of player trust.

Even when your code and systems are well-built, the threat landscape is always changing. Proactive monitoring, robust incident response plans, internal cyber awareness training, and a healthy dose of skepticism about anything unusual can make all the difference.

Final Thoughts

The online gaming and land-based gambling industry is increasingly targeted by cybercriminals. To address these risks, operators are encouraged to implement strong security protocols, invest in advanced defensive technologies, and collaborate with others in the sector to share threat intelligence in real time. Operators must remain vigilant and invest in robust cybersecurity measures to protect against these evolving threats. A proactive approach can help strengthen platform security, protect player data and funds, and maintain player confidence.

[i] Operation Earth Berberoka: An Analysis of a Multivector and Multiplatform APT Campaign Targeting Online Gambling Sites

To learn more about how GLI can help your gaming cybersecurity needs, contact your GLI representative today.