Nevada Cyberattack: Ransomware Attackers Breached Systems Months Earlier
Hackers breached Nevada's government computer systems three months prior to a ransomware attack discovered on August 24, according to an after-action report by the Governor's Technology Office. The investigation, conducted by Mandiant, revealed that a state employee unknowingly downloaded malware disguised as a legitimate system tool on May 14.
Although an anti-malware tool quarantined the malicious software on June 26, a backdoor remained active, allowing the attacker to establish a connection to their infrastructure each time a user logged on.
Between August 16 and 24, the threat actor accessed critical servers, retrieving credentials from 26 accounts and accessing over 26 thousand files. On August 24, they deployed ransomware and deleted backup volumes, disrupting key state services for 28 days.
Governor Joe Lombardo stated that the state did not pay a ransom and managed to recover around 90 percent of the compromised data. The attack particularly affected state services, including DMV in-person appointments and access to public databases.
The state incurred over 1.3 million dollars in response efforts, covering vendor support for incident response and recovery. More than 4,200 hours of overtime were logged by state employees working to restore services.
Experts noted that the rapid recovery was impressive, as similar incidents can take months to resolve. The remaining 10 percent of affected data is under review but wasn't necessary for restoring essential services.
The report emphasizes the need for improved cybersecurity measures and recommends enhancing access controls, separating user accounts, and investing in a centralized security operations center. Cameron Call, a cybersecurity expert, highlighted the importance of this incident as a wake-up call for the state to modernize its cybersecurity infrastructure.
The full report is available online for further details.