6.11.2025

"Massive Nevada Cyberattack: State Services Disrupted"

LAS VEGAS (AP) – A massive cyberattack in Nevada caused significant disruptions, leaving state workers on paid administrative leave and residents unable to obtain driver's licenses. The attack began as early as May, when a state employee accidentally downloaded malicious software. Services were not fully restored until August, and recovery cost the state at least $1.5 million, according to an after-action report released by state officials on Wednesday.

Governor Joe Lombardo stated, "Nevada's teams protected core services, paid our employees on time, and recovered quickly – without paying criminals." The attack is part of a growing trend of cybercrimes affecting various states and municipalities in recent years.

In a related incident, Georgia's largest county experienced a cyberattack in January 2024 that shut down office phone lines and included threats to release sensitive data. The LockBit ransomware group claimed responsibility for that attack. Similarly, Rhode Island's health and benefits programs were compromised, with hackers releasing files on the dark web.

Nevada's ransomware attack stands out due to its scale and impact. Gregory Moody, director of cybersecurity programs at UNLV, described it as a “fairly large ransomware attack against a state.” The decentralized nature of Nevada’s cyber systems allowed the attack to spread rapidly. However, Moody noted that Nevada’s response was faster than average compared to other states, where discovering an attacker can typically take seven to eight months.

The financial implications of the attack were considerable. The report indicated that the state incurred 4,212 hours in overtime, costing approximately $211,000 in direct wages, along with $1.3 million spent on external contractor assistance. This latter expense was covered by the state's cyber insurance. Moody suggested that Nevada was fortunate, as other cyber breaches, like the 2023 attack on MGM Resorts in Las Vegas, were expected to cost that organization over $100 million.

The cyberattack on Nevada began when an employee mistakenly downloaded a malware-infected tool mimicking a frequently used IT administration tool. The download installed a hidden backdoor, which gave the attacker access to the state's network. By August, the attacker had established encrypted tunnels and used remote desktop protocols to move through the system, even reaching the password vault server. Although a zipped file containing sensitive information pertaining to a former state employee was created, investigators have yet to confirm that any data was successfully extracted or published online.

The report outlines several recommendations to bolster Nevada’s cybersecurity, including establishing a centrally managed security operations center and implementing endpoint detection and response to enhance threat detection. However, cybersecurity experts have indicated that these recommendations are standard practices the state should have adopted years ago. Cameron Call, chief technology officer at the Las Vegas-based cybersecurity company Blue Paladin, remarked, "The recommendations that they put forward are definitely solid, but, you know, they’ve been best practice for quite a while."

Overall, the Nevada cyberattack highlights the critical need for robust cybersecurity measures across state systems, as well as the implications that such incidents can have on public services and overall state functioning.