Published Nov. 5, 2025

A woman arrives at the DMV office on East Sahara Avenue to find it closed because of a massive state cybersecurity breach discovered in August. (Benjamin Hager/Las Vegas Review-Journal)

The “threat actor” who conducted a ransomware attack on the state of Nevada was in the government’s computer systems as early as three months before, the state revealed in an after-action report released Wednesday.

Nevada’s IT infrastructure was affected for 28 days following the Aug. 24 discovery of a suspicious system outage, the Governor’s Technology Office wrote in a 30-page Statewide Cyber Incident After-Action Report on the cyberattack. It said the state did not pay a ransom and recovered about 90 percent of the affected data.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Gov. Joe Lombardo said in a statement announcing the report. “This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans.”

Investigation shows complex ransomware attack

Investigators with Mandiant, a cybersecurity firm under Google Cloud, determined that the malicious actor entered the state’s computer system as early as May 14, when a state employee “unknowingly downloaded a malware-laced system administration tool” from a trusted online resource frequently accessed by state IT personnel.

An anti-malware security tool “quarantined and then deleted” the attacker’s software tool on June 26, but the underlying back door was not removed and remained active.

“Further adding to the complexity of the deception, the (threat actor) leveraged legitimate Google advertisements as a vector to deliver the malware package,” according to the report. “This action immediately configured a hidden backdoor that established a connection to the TA’s infrastructure each time a user logged onto the system.”
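As an added illustration, not code from the report or from Mandiant, the following defender-side check runs over constructed endpoint telemetry and looks for the two behaviours described above: a destination contacted within a short window after every logon on a host, and that beaconing continuing after an antivirus quarantine removed the visible tool. The event format, host names, account names and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): (timestamp, host, kind, detail).
EVENTS = [
    ("2025-06-20T08:01:00", "host01", "logon", "alice"),
    ("2025-06-20T08:01:42", "host01", "netconn", "203.0.113.10:443"),
    ("2025-06-25T09:10:00", "host01", "logon", "alice"),
    ("2025-06-25T09:10:37", "host01", "netconn", "203.0.113.10:443"),
    ("2025-06-26T12:00:00", "host01", "av_quarantine", "admin-tool.exe"),
    ("2025-06-27T07:55:00", "host01", "logon", "alice"),
    ("2025-06-27T07:55:50", "host01", "netconn", "203.0.113.10:443"),
    ("2025-06-27T07:56:00", "host01", "netconn", "198.51.100.5:443"),
    ("2025-06-28T08:00:00", "host02", "logon", "bob"),
    ("2025-06-28T08:30:00", "host02", "netconn", "198.51.100.5:443"),
]

def _by_host(events):
    # Group events per host as (time, kind, detail), sorted by time.
    grouped = defaultdict(list)
    for ts, host, kind, detail in events:
        grouped[host].append((datetime.fromisoformat(ts), kind, detail))
    return {h: sorted(evs) for h, evs in grouped.items()}

def logon_triggered_destinations(events, window=timedelta(minutes=2), min_logons=3):
    """{host: {dest: n}} for destinations contacted within `window` of every logon."""
    findings = {}
    for host, evs in _by_host(events).items():
        logons = [t for t, kind, _ in evs if kind == "logon"]
        conns = [(t, d) for t, kind, d in evs if kind == "netconn"]
        followed = defaultdict(set)  # dest -> logon times it closely followed
        for lt in logons:
            for ct, dest in conns:
                if lt <= ct <= lt + window:
                    followed[dest].add(lt)
        # Only a destination that follows *every* logon (and enough of them) is flagged.
        hits = {d: len(s) for d, s in followed.items()
                if len(s) >= min_logons and len(s) == len(logons)}
        if hits:
            findings[host] = hits
    return findings

def beacons_after_quarantine(events, findings):
    """{host: [dest]} flagged destinations still contacted after the last AV quarantine."""
    out = {}
    for host, evs in _by_host(events).items():
        q_times = [t for t, kind, _ in evs if kind == "av_quarantine"]
        if host in findings and q_times:
            still = sorted({d for t, kind, d in evs if kind == "netconn"
                            and d in findings[host] and t > max(q_times)})
            if still:
                out[host] = still
    return out
```

The second function is the check that matters here: a quarantine event followed by the same beacon is the signal that the removed tool was not the whole implant.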

Between Aug. 16 and 24, the threat actor accessed “multiple critical servers, including the password vault server, and retrieved credentials from 26 accounts.” Investigators determined more than 26,400 files were accessed, and 3,241 were exposed.

The attacker established encrypted tunnels and used remote access to move laterally through the system, and on Aug. 24, the attacker deleted backup volumes of data and deployed ransomware, disrupting critical services.

Of the sensitive data that the hackers intended to remove from state systems, only one document contained personal identifying information. It belonged to a former state employee, who was notified of the exposure, according to the report.

Nevada spends $1.5 million on cyberattack response

The state spent $1.3 million on external vendor support during the cyberattack’s response. The report states the costs were part of pre-negotiated contracts designed to cover incident response. The funds covered investigative efforts by Mandiant, the cybersecurity firm; infrastructure recovery and hardening done by Microsoft, DART and Dell; specialized recovery and engineering work by Aeris; and legal counsel by the BakerHostetler law firm.

More than 4,200 overtime hours were logged between Aug. 24 and Sept. 20 by 50 state employees, according to the report. Overtime wage costs reached nearly $210,600, or roughly $259,000 with benefits included.

“That surge capacity — nights, weekends, and holidays — meant payroll processed on time, public safety communications stayed online, citizen-facing systems returned in phased order, and agencies received daily guidance while core platforms were rebuilt.”

Report recommendations

The Governor’s Technology Office implemented several recommendations for security hardening measures throughout the incident. The office said it focused on securing critical systems first and ensuring that only authorized people had access to sensitive areas in the system.

First, it determined the state should limit attackers’ ability to move around inside systems by strengthening access control measures. It also recommended limiting privileged access to powerful accounts, securing passwords and reducing the number of accounts with too much control.

“(The Governor’s Technology Office) made sure that regular user accounts and powerful admin accounts are kept separate,” according to the report. “This is like having different keys for your bedroom and a bank vault — just because someone can enter the house, it doesn’t mean they can open the safe.”

The full report is available online.

Contact McKenna Ross at mross@reviewjournal.com. Follow @mckenna_ross_ on X.