‘Malicious actors’ moved data out of network, Nevada officials say
Updated August 27, 2025 - 6:41 pm
Investigators found evidence indicating data was moved outside of Nevada’s state networks by “malicious actors” during a “sophisticated, ransomware-based” cyberattack, officials confirmed Wednesday.
“I need to be very clear on this next point: At this stage of our intensive investigation, we cannot yet identify or classify the specific nature of this data,” Tim Galluzi, executive director of the Governor’s Technology Office, said during a news conference about the attack that has crippled state services for three days.
He added he could not speculate on what data was affected before the state has more proof.
“What I can promise you is this: Our investigation is our No. 1 priority,” he said. “Should we determine that any sensitive personal information of our citizens was compromised, we are prepared to follow the appropriate steps.”
Gov. Joe Lombardo’s office previously said there was no evidence that personal information was compromised in the cyberattack. Galluzi said the realization that an unknown type of data was taken from the system came from the investigation Tuesday night.
When the attack was detected early Sunday, the governor’s technology office activated its cybersecurity incident response plan and worked to contain the threat, he said. They took systems offline to prevent further spread of the intrusion and to protect the foundation of the state’s digital infrastructure, he said.
Officials declined to provide further information about the attack, such as how it happened and whether the attackers asked the state for money.
It remains unclear when the attack first occurred, as an attack can take months to notice, according to Gregory Moody, director of the UNLV Cybersecurity Program.
The cyberattack led to statewide office closures and service disruptions. Officials were unable to provide an estimated timeline for the full restoration of state services.
Lombardo was not present at the Wednesday news conference. Ryan Cherry, his chief of staff, said Lombardo could not attend the media briefing but that he was receiving hourly updates from his staff.
“We are making sure that he is up to speed, and he is providing guidance to us on what he would like to see done in terms of addressing the customer-facing services that Nevadans so desperately need on a daily basis that are impacted by this event,” Cherry said.
FBI assists investigation
The FBI, which is assisting in the investigation, is collecting information about potential threats and sharing information with law enforcement partners, according to Nathaniel Holland, assistant special agent in charge at the FBI.
Holland said that over the past decade, cyberattacks have escalated in scale and impact, and public tips help identify criminal actors. He encouraged anyone with tips to call 1-800-CALL-FBI or contact tips.fbi.gov.
The Cybersecurity and Infrastructure Security Agency, which provides cybersecurity support to state and local governments, is working with officials to restore networks for “lifesaving and critical services,” according to a Wednesday statement.
The agency’s Threat Hunting teams are examining state networks to identify the full scope of the situation and mitigate threats.
Food stamps, driver license renewals impacted
Online applications for Supplemental Nutrition Assistance Program benefits were impacted, though some offices are open with staff assisting with paper applications, according to Richard Whitley, director of the Nevada Department of Human Services.
When the system is up and running, the office will submit the applications on the person’s behalf, Whitley said.
“We are regretful about the delays and ineligibility, but the services themselves, if people need food in real time, we will refer them to the food pantry, transportation, all the services that we don’t provide,” he said.
Offices open to assist with SNAP, Medicaid and Temporary Assistance for Needy Families include offices at 700 Belrose St. and 3330 E. Flamingo Road.
At the Nevada Department of Motor Vehicles, offices remain closed. Drivers’ tests are continuing, and the department is waiving late fees or penalties due to the closure. The department is also asking law enforcement agencies for leniency for individuals with expiring registrations or driver’s licenses during the outage, according to Tonya Laney, director of the Nevada Department of Motor Vehicles.
The Nevada Health Authority’s phone lines remain unavailable, but other services are operational, such as the state’s health insurance exchange platform Nevada Health Link. The department has limited essential operations at Medicaid district offices. Medicaid recipients or providers can visit their local district office or email Medicaid@nvha.nv.gov.
Disruptions remain for new enrollees, Nevada Health Authority Director Stacie Weeks said. Paper applications for Medicaid are available at district offices. Additionally, the health authority is working with state hospitals on a work-around process for presumptive eligibility.
The Division of Industrial Relations is open to the public, and staff are able to provide assistance and accept payments. Classes provided by the Safety Consultation and Training Section are proceeding as scheduled.
The Claims and Regulatory Data System, which is used for workers’ compensation claims, is unavailable, and submission deadlines will be extended by one week, according to the department of business and industry.
History of cyberattacks
This isn’t the first cyberattack to occur in Nevada — and it likely won’t be the last.
Las Vegas has experienced several major cyberattacks, including ones carried out against MGM Resorts International in July 2019 and in September 2023.
MGM — with resorts in Las Vegas including MGM Grand and Bellagio — was crippled for nine days by the cyberattack in 2023. Insurance coverage ultimately paid for most of the estimated $100 million in damages brought by the attack.
In August 2023, a similar attack against Caesars Entertainment ended quickly when the company reportedly paid a multimillion-dollar ransom to the attackers. Law enforcement officials advised MGM not to pay, and it didn’t.
Hacker gangs identifying themselves as Scattered Spider and ALPHV claimed responsibility for hacking into the computer systems of both companies.
In October 2023, the Clark County School District was affected by a cyberattack that exposed information from more than 200,000 people and led to the district spending $14.9 million for enhanced cybersecurity software and service, according to the district.
In June 2021, University Medical Center acknowledged that it had experienced a criminal data breach after notorious hacker group REvil began posting personal information purportedly obtained in the attack.
An attack against Universal Health Systems in September 2020 forced the company’s six local hospitals to shut down computer networks for two weeks.
Contact Jessica Hill at jehill@reviewjournal.com. Follow @jess_hillyeah on X. Contact McKenna Ross at mross@reviewjournal.com. Follow @mckenna_ross_ on X. Mary Hynes contributed to this report.