Report blames Nevada hack on employee downloading malware
JasonDoiy via Getty Images
By
Chris Teale
The August cyber incident took down state websites after a state worker inadvertently downloaded malware onto a government machine. And while hackers demanded a ransom, none was paid.
A Nevada cyberattack earlier this year that resulted in widespread disruption to state services was caused by an employee accidentally downloading malware, according to a report released last week.
In its after-action report on the August incident, the Nevada Governor’s Technology Office — known as GTO — said in May an employee unknowingly downloaded a system administration tool laced with malware from a spoofed website. The tool then installed a hidden backdoor that remained active even after endpoint protection mitigated the malware in June.
Hackers then installed remote monitoring software to compromise user accounts and were able to move across various critical systems to access sensitive directories and the state’s password vault server. In late August, hackers deployed ransomware to disrupt state services, although the report says containment and recovery protocols were quickly initiated to minimize the damage and ensure continuity of operations.
“This incident highlights the importance of proactive defense and the critical role of GTO personnel in safeguarding public assets,” Nevada CIO Timothy Galluzi said in a statement accompanying the report. “The foresight of Executive Branch Leadership and the State Legislature in funding key cybersecurity initiatives helped ensure a potential full-scale ransomware event was contained and remediated. The resilience shown throughout this event reflects Nevada’s technical capabilities and the dedication of the teams responsible for protecting them.”
At the time, the attack resulted in around 60 state agencies and their websites being disabled and unable to offer electronic services. The state’s Department of Motor Vehicles and social service offices were unable to process applications, while law enforcement could not access DMV records. Full recovery took 28 days, and in mid-September Gov. Joe Lombardo said 90% of public-facing websites had been restored. The state’s $7 million cybersecurity insurance policy was expected to cover the costs from the attack.
The hackers demanded the state pay a ransom to end the attack, but officials refused. Instead, the state used backup and recovery systems, as well as robust partnerships with the private sector, to ensure it did not compromise its overriding principle of not paying ransoms to bad actors.
“The coordinated efforts between internal teams and external partners ensured that data integrity was preserved and services were restored efficiently,” the report says. “This approach demonstrated fiscal responsibility by avoiding the financial and ethical pitfalls of ransom payments. It also reinforced the State’s commitment to protecting taxpayer resources.”
The report says after the attackers escalated on Aug. 15, the state detected outages nine days later as several virtual machines went offline. Within hours, the incident had been escalated to the CIO and governor’s offices, with access regained just eight hours after outages were detected. The state then isolated the impacted virtual machines and engaged with its legal counsel and outside vendors. Having detected the outage at 1:52 a.m. on Aug. 24, the state began its recovery protocols at 5 p.m. that same day.
Over the next 28 days, the state recovered around 90% of its data and prioritized critical systems first. The report says a combination of scenario planning, tabletop exercises and a robust communications strategy helped mitigate the worst of the attack. That included having Lombardo play a role as a spokesperson to reassure the public and frame how the incident impacted the state, while the CIO’s office shared technical milestones and updates.
Restoring payroll was a top priority, and it was successful as no state employee or retiree missed a paycheck because of the hack and outages. The state estimated 50 state employees in GTO and partner agencies logged over 4,000 hours of overtime in the 28-day response and recovery period, an effort it said helped make sure paychecks did not stop.
“Thanks to [staff] efforts and the foresight of the State Legislature in funding key cybersecurity initiatives, what could have escalated into a full-scale ransomware event was effectively contained and remediated,” the report says. “The resiliency demonstrated throughout this event reflects both the strength of our technical capabilities and the dedication of the teams entrusted with protecting them.”
While the report says the state’s response to the incident was successful, it says it also shows the need to invest further in cybersecurity. The state’s cybersecurity preparedness must keep evolving, it says.
Part of that evolution will involve a centralized security operations center, something that is gaining traction in other states to monitor threats on state agencies, local governments and other sectors. The state also will implement a modern endpoint detection and response platform, a “comprehensive patching strategy,” stronger identity protection and expanded employee training. GTO urged the state legislature to keep funding cybersecurity effectively and allow it to pursue these goals.
“Looking ahead, the State recognizes that cybersecurity is a continuous journey, not a one-time achievement,” the report concludes. “While the response to this incident was a success, it also revealed opportunities to further enhance monitoring, detection, and response capabilities.… Continued support from the State Legislature will be essential to fund these initiatives and ensure the resilience of Nevada’s digital government.”