Executive Summary
- An after-action report identified a spoofed website and SEO poisoning as the source of a ransomware attack on Nevada state systems in August.
- The attack, which began with a malware download on May 14, impacted 60 state offices and required a 28-day recovery period. No ransom was paid.
- Investigators found that 26 user accounts were compromised and that backup data was deleted, though 90% of encrypted data was recovered.
- Nevada is now considering establishing a state security operations center (SOC) and using federal grants to enhance its cybersecurity infrastructure.
An after-action report from the Nevada Governor’s Technology Office (GTO) has identified a spoofed website and search engine optimization poisoning as the cause of a ransomware attack that disrupted state systems in late August. The incident, which began with a malware download on May 14, led to a 28-day recovery period affecting approximately 60 state offices. The state did not pay the requested ransom.
Attack and Response Details
The investigation, conducted with assistance from the law firm BakerHostetler LLP and cybersecurity firm Mandiant, determined that a state employee downloaded a fake version of a system administration tool from a malicious website. This site was promoted through paid ads in a technique known as search engine optimization poisoning. The initial intrusion created a backdoor, allowing the attacker to move through the network and compromise 26 user accounts, some with administrative privileges.
According to the report, the state’s incident response plan was immediately activated. The attack involved the deletion of backup data, which complicated recovery efforts. The state used Dell Recovery Support to restore systems, successfully recovering 90 percent of the encrypted data. While data exfiltration was not confirmed, monitoring is ongoing. The total cost included 4,212 hours of overtime for state employees.
Impact on Public Services
The cyberattack significantly impacted public services. The Nevada Department of Motor Vehicles canceled appointments and waived late fees, while the Nevada Health Authority reverted to paper processes to continue distributing benefits such as the Supplemental Nutrition Assistance Program (SNAP) and Temporary Assistance for Needy Families (TANF). State officials confirmed that employee and retiree payroll was not disrupted.
Future Cybersecurity Measures
In response to the attack, Nevada officials are considering establishing a state security operations center (SOC) and a unified endpoint detection and response system. During an October 16 hearing, state CIO Timothy Galluzi testified before the Interim Finance Committee about the need for continued investment in cybersecurity. The GTO has requested the release of federal grant funds to acquire additional security tools and to further research the creation of a state SOC in partnership with the University of Nevada, Las Vegas.
