Nevada State Hackers Eluded Detection for Several Months

Recent analyses reveal that a ransomware threat actor compromised Nevada’s statewide government systems for several months prior to executing a ransomware attack. An after-action report released by the governor’s technology office indicates that the breach allowed the intruder to erase backups and disrupt essential services across multiple government agencies.

This incident demonstrates a sophisticated approach to cyber intrusion, where the attacker infiltrated Nevada’s network as early as May 14 by utilizing a spoofed administrative tool obtained from a fraudulent website. Following this initial access tactic, the assailant installed a backdoor that remained undetected by existing security systems. By August, the unauthorized user escalated their privileges, deploying monitoring tools and acquiring credentials for 26 separate accounts, including access to the state’s password vault server.

The ransomware was executed on August 24, leading to service disruptions across over 60 agencies that lasted for up to 28 days. Critical operations including those related to health benefits, public safety records, and DMV services were significantly impacted as state officials rushed to contain the breach.

While Nevada’s technology office managed to restore essential services within the first week post-attack, a complete recovery necessitated a total rebuilding of its Active Directory system alongside ongoing identity enhancement measures throughout state infrastructure. Reports indicate that over 4,200 hours of overtime were logged, leading to nearly $1.3 million spent on emergency cybersecurity assistance from firms like Mandiant and Microsoft.

Investigators discovered that the cybercriminal compressed over 3,200 files that could have been earmarked for data theft, including sensitive documents with personal information that may have triggered legal notification requirements. As of now, there are no signs that any of this data has surfaced on leak sites, though authorities are continuing to monitor the situation.

It is noteworthy that Nevada officials opted not to pay the ransom demands made by the attackers. Moving forward, state leaders are considering the establishment of a centralized security operations center and enhancements to endpoint defenses, as highlighted in the report.

James Turgal, a vice president of global cyber risk at Optiv and a former executive assistant director at the FBI, remarked that this incident reflects the severe financial and privacy repercussions associated with statewide cybersecurity breaches. He emphasized that the rising number of attacks alongside their consequences makes securing local government systems a critical concern across the nation.