
The State of Nevada has published an after-action report detailing how hackers breached its systems to deploy ransomware in August, and the actions taken to recover from the attack.
The document is one of the few completely transparent technical reports from a U.S. state on a cybersecurity incident, describing every step of the attacker's activity and setting an example of how cybersecurity incidents should be handled.
The incident impacted more than 60 state government agencies and disrupted essential services, from websites and phone systems to online platforms. 28 days later, without paying a ransom, the state recovered 90% of the impacted data that was required to restore affected services.
In a report today, the State of Nevada details with full transparency how the initial compromise occurred, the threat actor's activity on its network, and the steps taken after detecting the malicious activity.
Ransomware attack unfolding
Although the breach was discovered on August 24, the hacker had gained initial access on May 14, when a state employee used a trojanized version of a system administration tool.
According to the report, a State employee searched Google for a system administration tool to download and was instead shown a malicious advertisement that led to a fraudulent website impersonating the legitimate project.
This fake website offered a malware-laced version of the admin utility, which deployed a backdoor on the employee's device.
Threat actors have increasingly begun to use search advertisements to push malware disguised as popular system administration tools, like WinSCP, Putty, RVTools, KeePass, LogMeIn, and AnyDesk. Instead of the desired program, malware is installed, giving threat actors initial access to corporate networks.
As these tools are designed for system administrators, the threat actors hope to gain elevated access on the network by targeting these IT employees.
Once executed, the malware configured a hidden backdoor that automatically connected to the attacker’s infrastructure upon user login, providing them with persistent remote access to the state’s internal network.
On June 26, Symantec Endpoint Protection (SEP) identified and quarantined the malicious tool, and then deleted it from the infected workstation, but the persistence mechanism survived, and the hackers could still reach the environment.
On August 5, the attacker installed a commercial remote-monitoring tool on a system, which enabled them to perform screen recording and keystroke logging. A second infection with that tool occurred ten days later.
Between August 14 and 16, the attacker deployed a custom, encrypted network tunnel tool to bypass security controls and established Remote Desktop Protocol (RDP) sessions across multiple systems.
This type of remote access allowed them to move laterally between critical servers, including the password vault server, from where they retrieved credentials of 26 accounts, then wiped event logs to hide their actions.
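As an added illustration of the detection side of that lateral movement (this is not code from the report or from Nevada's response team), the script below runs two checks over constructed Windows Security event samples: an account opening RDP sessions on several distinct hosts within a short window, and the "audit log cleared" event that log wiping leaves behind. The field names and the sample events are assumptions; the event IDs are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (illustrative, not from the report).
# 4624 with LogonType 10 = RemoteInteractive (RDP) logon; 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"ts": "2025-08-15T02:10:00", "host": "SRV-FILE01", "id": 4624, "user": "svc_backup", "logon_type": 10, "src": "10.0.5.23"},
    {"ts": "2025-08-15T02:14:00", "host": "SRV-VAULT01", "id": 4624, "user": "svc_backup", "logon_type": 10, "src": "10.0.5.23"},
    {"ts": "2025-08-15T02:31:00", "host": "SRV-DB02", "id": 4624, "user": "svc_backup", "logon_type": 10, "src": "10.0.5.23"},
    {"ts": "2025-08-15T02:40:00", "host": "SRV-VAULT01", "id": 1102, "user": "svc_backup", "logon_type": None, "src": None},
    {"ts": "2025-08-15T09:00:00", "host": "WS-HELPDESK", "id": 4624, "user": "jdoe", "logon_type": 10, "src": "10.0.9.40"},
    {"ts": "2025-08-15T16:05:00", "host": "SRV-FILE01", "id": 4624, "user": "jdoe", "logon_type": 10, "src": "10.0.9.40"},
]


def rdp_fan_out(events, threshold=3, window=timedelta(hours=1)):
    """Return {user: sorted hosts} for accounts with RDP logons to at least
    `threshold` distinct hosts inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological order so each start index opens a window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


def log_clears(events):
    """Return (timestamp, host, user) for every 'audit log cleared' event (ID 1102)."""
    return [(e["ts"], e["host"], e["user"]) for e in events if e["id"] == 1102]


if __name__ == "__main__":
    print("RDP fan-out:", rdp_fan_out(SAMPLE_EVENTS))
    print("Log clears:", log_clears(SAMPLE_EVENTS))
```

In the sample, the helpdesk user's two RDP sessions hours apart stay below the threshold, while the service account's three sessions in 21 minutes followed by a log clear on the vault host are both flagged.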
Mandiant's incident response team confirmed that the attacker accessed 26,408 files across multiple systems and prepared a six-part .ZIP archive with sensitive info.
The investigation found no evidence that the attacker exfiltrated or published the data.
On August 24, the attacker authenticated to the backup server and deleted all backup volumes to prevent recovery, and then logged into the virtualization management server as root to modify security settings to allow the execution of unsigned code.
At 08:30:18 UTC, the attacker deployed a ransomware strain on all servers that hosted the state’s virtual machines (VMs).
The Governor’s Technology Office (GTO) detected the outage roughly 20 minutes later (01:50 AM local time), marking the start of the 28-day statewide recovery effort.
Paying overtime, not a ransom
The State of Nevada maintained a firm stance against paying ransom and relied on its own IT staff and overtime payments to restore the impacted system and services.
Cost analysis shows that the 50 state employees worked a total of 4,212 overtime hours, incurring a wage cost of $259,000 to the state.
This response allowed timely payroll processing, kept public-safety communications online, quickly re-established citizen-facing systems, and saved the state an estimated $478,000 when compared to standard ($175/hour) contractor rates.
The costs for external vendor support during the incident response period amounted to a little over $1.3 million, and are broken down in the table below.
| Vendor | Service Provided | Obligated Cost |
|---|---|---|
| Microsoft DART | Unified Support & Infrastructure Rebuild | $354,481 |
| Mandiant | Forensics & Incident Response | $248,750 |
| Aeris | Recovery & Engineering Support | $240,000 |
| BakerHostetler | Legal & Privacy Counsel | $95,000 |
| SHI (Palo Alto) | Network Security Services | $69,400 |
| Dell | Data Recovery & Project Management | $66,500 |
| Other IR Vendors | Various Support Services | ~$240,069 |
It should be noted that the ransomware actor has not been named. BleepingComputer did not see any major gangs claiming the intrusion on extortion sites.
The incident demonstrates Nevada’s cyber-resilience, with decisive and swift “playbook” action, and a level of transparency that is commendable.
Despite the recovery costs and effort, the State of Nevada has also improved its cybersecurity defenses on the advice of trusted vendors.
"The GTO focused on securing the most sensitive systems first, ensuring that access was limited to essential personnel," the report notes.
Some of the technical and strategic actions included removing old or unnecessary accounts, resetting passwords, and removing outdated security certificates. Additionally, system rules and permissions were reviewed to ensure that only authorized users have access to sensitive settings.
However, the state admits that there is plenty of room for improvement and recognizes the importance of investing in cybersecurity, in particular to improve monitoring and response capabilities, as threat actors continue to evolve their tactics, techniques, and procedures.
Comments
powerspork - 1 month ago
Paying overtime to the existing employees is exactly the right move. A contractor doesn't know or care and only works to fulfill the contract. Employees know how it is supposed to work and will make it right because they don't want to deal with half baked work for the ensuing years.
They also GOT PAID overtime which means they likely won't be bitter about the extra hours put in. Too bad most employers cannot figure that one out, or just ride the "lol you're salary" to the moon. Time is money and not paying extra hours is literally theft of someone's life.
The math averages out to about 80 hours and $5k pay per employee. That is not a bad haul.
deltasierra - 1 month ago
Agreed on everything you mentioned. I also commend the State of Nevada for releasing this very transparent security incident report.
I expect government in particular to be highly transparent, as well as most public institutions and organizations.
ftcm207 - 1 month ago
This is why I started calling ad blockers "scam blockers" about a year ago.
Online ad systems are automated. Scammers and hackers push malvertising in Google search results and other types of ads.
A client searched for Southwest Airlines and two ads appeared, one in the search result and another on the same page but vertically with graphics, corroborating the search result listing.
My client bought tickets through the imposter.
The year before, I had to downgrade clients' Chrome uBlock Origin (full version, Manifest v2) to uBlock Origin Lite (Manifest v3) because Chrome banished Manifest v2 ad blockers for being too effective and costing Google ad revenue.
But the Manifest v3 uBlock Origin Lite didn't block the scam ads that victimized my client, so I replaced Chrome with Brave browser (still Chromium but it allows Manifest v2 ad blockers and includes its own ad blocking) and installed uBlock Origin (full version, Manifest v2).
On all clients' computers since then, I've been replacing Chrome with Brave+full uBlock Origin. Firefox also allows the full version uBlock Origin, as does Chromium-based Edge, in which I also install the full version of uBlock Origin.
In my experience, malvertising has become the main entry conduit of horrendous scams and hacks.
I tell clients that uBlock Origin is a "scam blocker."
Sorry legit pubs that need ad revenue. Scams and hacks aren't worth giving you ad revenue.
PeterAlexLondon - 1 month ago
I know, I'm using Brave now for many years, I have an Adguard lifetime, Yeah yeah yeah, I know Russians!! Then guess what AV I use, YEEEAAAH, Kaspersky, the best ever, and eh I don't think they are connected with Putin.
I got myself a Legitimate key for 21/2 IOT LTSC. I'm happy till 2032. After that, I will be 75, and look what's next.