The Nevada Independent
Report: Nevada didn’t pay ransom in statewide cyberattack, spent $1.5M on response

The attacker infiltrated the state’s systems months earlier than previously known, eventually accessing more than 26,000 files and a password vault server.
Nevada Gov. Joe Lombardo speaks.

Nevada officials have released a comprehensive report on the cyberattack discovered in August that crippled state systems, describing a sophisticated intrusion months in the making and an around-the-clock response that led to full recovery within one month.

The Wednesday report from the Governor’s Technology Office answers many questions that the state had previously declined to disclose because of the investigation’s sensitivity. It reveals that the state did not pay a ransom requested by the attacker, who had first compromised state systems in May — three months before mass outages occurred. The attack shut down state services, including in-person DMV appointments, a background check system and online applications for social services.

The report did not identify the attacker or disclose any consequences against them. According to the report, the attacker accessed more than 26,000 files, and more than 3,200 of those files were exposed. Of the files that had been staged for removal from the state’s systems, only one document contained personal data — and the subject of that data was notified about the breach. The attacker also accessed a password vault server.

The investigation concluded that although sensitive files were “packaged for transport,” there was no evidence of successful extraction of the data or publication on a leak site. In cyberattacks, data is sometimes sold on the dark web.

The state ultimately recovered 90 percent of the affected data. The remaining 10 percent is still in the state’s control; because it was not needed to restore essential state services, it is still being reviewed, the report said.

The state also spent more than $1.3 million on external vendors for cyberattack response, and state employees worked more than 4,200 hours of overtime, which cost more than $200,000, according to the report.

Ultimately, the state reached full recovery in 28 days, a particularly quick timeline for such a sophisticated attack, according to the report.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly — without paying criminals,” Republican Gov. Joe Lombardo said in a statement. “This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans.”

Tim Galluzi, the state’s chief information officer, attributed recovery speed “to leadership from the highest levels of the executive branch, along with years of strategic investment in cybersecurity infrastructure, training, executive-branch wide collaboration, and legislative support.”

“The foresight of Executive Branch Leadership and the State Legislature in funding key cybersecurity initiatives helped ensure a potential full-scale ransomware event was contained and remediated,” Galluzi said in a statement.

Attack details

Although the ransomware attack occurred in the early hours of Aug. 24, investigators determined that it had been in the works for months.

The attacker infiltrated the state’s system as early as May 14, when a state employee unknowingly downloaded a malware tool that installed a “hidden backdoor,” a covert means of retaining unauthorized access to a system. Although the malware tool was deleted in late June, the backdoor remained active.

On Aug. 5, the attacker “installed a commercial remote monitoring software” on a state worker’s system that enabled it to record the screen and log keystrokes. Ten days later, another user was compromised by the same software. Both users’ accounts were compromised as a result.

In the eight days leading up to the attack, the attacker used an “encrypted tunnel” that could bypass security controls and allow it to control state computers remotely. The attacker accessed directories, files and servers — including a password vault server — and retrieved passwords from 26 different accounts.

Ahead of the ransomware deployment on Aug. 24, the attacker changed the state’s security settings so that unauthorized code was allowed to run. Once the ransomware was deployed, state services were disrupted.

The attacker left behind a file with instructions on how the state could pay a ransom (the amount requested was not disclosed) to recover the compromised data; the state discovered the file about eight hours after the attack occurred.

“The decision not to pay a ransom was not made lightly; it was the result of confidence in the State’s ability to recover through its own capabilities and trusted vendor partnerships,” the report said.

Response efforts

On the day of the attack, state officials created a priority list for recovery efforts. The next day, the state started working with outside vendors with cybersecurity experience.

Two days after the attack, the state contracted with Mandiant, a leading cybersecurity firm, to oversee the investigation, which concluded about two weeks later. Mandiant submitted a confidential report to the state on Oct. 10.

On the fourth day, the state finalized its recovery plan with a phased restoration of services, prioritizing ones “that directly impacted public welfare,” according to the report.

Payroll was a top priority for the governor’s office, and state employees isolated payroll processing from other elements of the recovery. Other priorities included the state’s finance and HR systems, the restoration of an Office of Emergency Management webpage that became the one-stop shop for recovery updates, and the restoration of eligibility determinations for social services such as the food stamps program.

From Aug. 24 through Sept. 20, 50 state employees logged overtime hours on recovery efforts, which the report said allowed for an expedited recovery timeline.

“That surge capacity — nights, weekends and holidays — meant payroll processed on time, public safety communications stayed online, citizen-facing systems returned in phased order, and agencies received daily guidance while core platforms were rebuilt,” the report said.

The Governor’s Technology Office ensured that access to sensitive systems was limited to “essential personnel,” cleaned up old accounts and reset passwords, according to the report.

It also organized computer systems into tiers based on their importance, with separate rules for what can and cannot be done in each tier, and created new accounts for the most important systems.

The office also:

  • Made changes to ensure certain accounts couldn’t be tricked into giving away passwords.
  • Took certain powers away from accounts that had too much control.
  • Took away extra permissions that certain accounts had received.
  • Tightened firewall rules to limit or block unnecessary applications.

In the course of the 28-day recovery period, certain agencies were more affected than others, particularly the DMV, which closed its offices for more than a week after the attack, resulting in canceled appointments.

The state’s sex offender and restraining order databases were also down for weeks after the attack, and the state’s background check system did not come back online until three weeks later.

However, the report noted that the situation could have been far worse. It also called for further efforts to bolster the state’s cybersecurity systems.

“Looking ahead, the State recognizes that cybersecurity is a continuous journey, not a one-time achievement. While the response to this incident was a success, it also revealed opportunities to further enhance monitoring, detection and response capabilities,” the report said.

© 2025 THE NEVADA INDEPENDENT