LAS VEGAS (KTNV) — The State of Nevada is releasing its action report on the ransomware attack that crippled the state's online infrastructure for weeks in August and September.
To hear it from Gov. Joe Lombardo and state officials, Nevada's pre-planning allowed for a response that Lombardo says "protected core services, paid our employees on time, and recovered quickly — without paying criminals."
Through the report, we're also getting answers to lingering questions about the scope and impact of the attack, including what data was accessed, how bad actors got in, and how long they are believed to have been in the state's network before detection.
How long were hackers in the system, and how did they get in?
Attackers had been in the state's network as early as May 14, the report states, noting that the breach occurred when a state employee "unknowingly downloaded a malware-laced system administration tool from a spoofed website."
When did state IT staff become aware of the breach?
The report indicates the breach was detected on Aug. 24, when "backup volumes" were deleted and ransomware was deployed by the hackers.
Did the state pay any ransom to the hackers?
According to the report released Wednesday, no. This was something state officials previously declined to say when asked questions by Channel 13 reporters, but the complete action report denies any payment of a ransom.
What information was accessed?
Between Aug. 14 and Aug. 24, the report states attackers accessed critical servers, including a password vault server, and were able to retrieve credentials from 26 accounts. A forensic investigation later revealed the attackers had accessed 26,408 files, and 3,241 files were "exposed across multiple systems."
The hackers were able to exfiltrate, or transfer out, data from one document containing personal information of a former state employee, according to the report. Officials state that the employee was notified.
While monitoring is said to be ongoing, the report states that investigators have not found any evidence of stolen data being published on leak sites.
Officials with the governor's office also note that approximately 90% of impacted data has been recovered.
What was going on behind the scenes?
In public statements about the ongoing response, state officials offered bits and pieces about the process happening behind the scenes, but the report released Wednesday is the most comprehensive picture of how Nevada responded to the attack to date.
"We executed, then communicated," stated Timothy D. Galluzi, the state's chief information officer. "Our staff and agency partners worked around the clock with expert vendors to contain the threat, rebuild securely, and bring services back online in measured phases."
For those who experienced delays in accessing needed services like the DMV, the time it took to get state websites back up and running may have seemed like a lengthy inconvenience. But the state's report concludes Nevada's response, which took 28 days to achieve full restoration, was "faster than many public-sector timelines for incidents of similar scope."
Within hours after the breach was discovered, the state had engaged "pre-positioned experts" for support. A forensic investigation by Mandiant concluded on Sept. 9, the report notes. That investigation revealed what files the attackers had accessed.
During the response, state employees worked "around-the-clock" to execute state playbooks for a cyberattack response, officials stated. They note that employee payroll was processed on schedule, and "high-impact" public safety and state websites used by residents were restored in phases based on their importance to the public.
How much did this cost?
According to Nevada officials, "the State avoided hundreds of thousands of dollars" by using state staff for its primary response, rather than relying on outside contractors.
Fifty state employees clocked 4,212 overtime hours over the 28-day response, costing the State an estimated $210,599.87 in direct overtime wages.
Nevada also paid $1,314,200 to "obligated specialized partners" for services like forensics, legal services, engineering and recovery assistance to "accelerate" containment of the breach and rebuild its online infrastructure, the report notes.
What comes next?
In the response, state officials note a hope that the Legislature will support future cybersecurity initiatives. They also outlined a planned next phase of beefing up the state's cybersecurity infrastructure, including proposing a centrally managed Security Operations Center and expanding workforce training to make employees more "resilient against evolving threats."
"Guided by pre-established incident playbooks and vendor agreements, the State did not pay a ransom, restored statewide services within four weeks, and recovered approximately 90% of impacted data," officials concluded. "The remaining items, while still in control of the State, were not required for service restoration and are undergoing risk-based review with continued monitoring; the State will take appropriate notification and remediation actions if new information emerges."