Nevada's Major Cybersecurity Breach: May 2023 Ransomware Attack Discovered Months Later Costing $1.5 Million to Resolve

Nevada faced a significant ransomware attack that began in May when a state employee inadvertently downloaded malicious software, though it was only discovered in August. The cyberattack disrupted government services including driver's license issuance and background checks, costing $1.5 million to resolve. While officials maintain no ransom was paid, the incident highlights growing cybersecurity challenges facing state governments and the importance of implementing robust protective measures.

Cyberattack In Nevada Started In May But Only Discovered In August: Report

Las Vegas:

Nevada government operations faced significant disruptions as state workers were placed on paid administrative leave, residents were unable to obtain driver's licenses, and employers could not conduct background checks on new hires. These disruptions resulted from a major cyberattack that required nearly a month for complete service restoration.

According to an after-action report released Wednesday, while the ransomware attack was discovered in August, it actually originated in May when a state employee inadvertently downloaded malicious software. The recovery efforts cost the state at least $1.5 million.

Governor Joe Lombardo stated Wednesday, "Nevada's teams protected core services, paid our employees on time, and recovered quickly — without paying criminals. This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans."

This incident adds to a growing list of cybercrimes targeting states and municipalities in recent years.

In 2024, Georgia's largest county experienced a cyberattack where hackers disabled office phone lines and threatened to release sensitive data unless officials paid a ransom. The LockBit ransomware syndicate claimed responsibility for the January attack that temporarily paralyzed government services in Fulton County.

That same year, cybercriminals infiltrated Rhode Island's health and benefits programs system and published files on the dark web.

In 2018, the Colorado Department of Transportation's computer network was targeted by two Iranian computer hackers, though no payment was made and no information was compromised.

When Baltimore fell victim to a ransomware attack in 2019, city services were impaired for a month with estimated costs reaching at least $18.2 million. The previous year, Baltimore's 911 dispatch system had also been hit by a ransomware attack.

Nevada officials maintain they did not pay the undisclosed ransom amount. The perpetrator has not yet been identified, and investigations are ongoing.

Gregory Moody, director of cybersecurity programs at UNLV, described the Nevada incident as a "fairly large ransomware against a state." He noted that the attack spread rapidly due to Nevada's decentralized cyber infrastructure.

Compared to other incidents, Nevada's response was relatively swift. Moody explained that attackers typically remain undetected in systems for seven to eight months, whereas Nevada officials identified the breach more quickly than average.

The report revealed that addressing the attack required 4,212 overtime hours, equating to approximately $211,000 in direct overtime wages, plus $1.3 million for contractor assistance. The governor's office confirmed that the state's cyber insurance covered the $1.3 million expense.

Moody indicated that the financial impact could have been substantially worse. When MGM Resorts, based in Las Vegas, suffered a data breach in 2023, the anticipated cost to the casino company exceeded $100 million.

"I think they got lucky," said Cameron Call, chief technology officer at Las Vegas cybersecurity firm Blue Paladin. "It sounds low compared to some; I don't know that it's taking into account the economic cost for the state being down for as long as it was."

According to the after-action report, the breach began on May 14 when a state employee accidentally downloaded malware disguised as a system administration tool commonly used by IT personnel. This installed a hidden backdoor granting the attacker access, as determined by investigators from the cybersecurity firm Mandiant.

By August, the attacker had established encrypted tunnels and used Remote Desktop Protocol (RDP) to navigate through the state's system, gaining access to the state's password vault server.

The attacker created a compressed file containing sensitive information, including personal data of one former state employee who was subsequently notified. Investigators have not found evidence that data was successfully extracted or published online.

The report outlines measures the state is implementing and recommendations for enhanced protection, such as establishing a centrally managed security operations center (SOC) and deploying endpoint detection and response (EDR) systems to improve threat detection capabilities.

Cybersecurity experts, however, point out that these protocols represent standard practices that should have been implemented by the state years ago.

"The recommendations that they put forward are definitely solid, but, you know, they've been best practice for quite a while," Call remarked.

Source: https://www.ndtv.com/world-news/nevada-ransomware-attack-cyberattack-in-nevada-started-in-may-but-only-discovered-in-august-report-9583535