Hackers entered system 3 months before Nevada cyberattack, report says

Updated November 5, 2025 - 5:40 pm

The “threat actor” who conducted a ransomware attack on the state of Nevada was in the government’s computer systems as early as three months before, the state revealed in an after-action report released Wednesday.

Nevada’s IT infrastructure was affected for 28 days following the Aug. 24 discovery of a suspicious system outage, the Governor’s Technology Office wrote in a 30-page Statewide Cyber Incident After-Action Report on the cyberattack. It said the state did not pay a ransom and recovered about 90 percent of the affected data.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Gov. Joe Lombardo said in a statement announcing the report. “This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans.”

The attack and ensuing state response shut down state services — including DMV in-person appointments, publicly accessible databases and online applications for some state services — for several weeks in late August and early September.

Investigation shows complex ransomware attack

Investigators with Mandiant, a cybersecurity firm under Google Cloud, determined that the malicious actor entered the state’s computer system as early as May 14, when a state employee “unknowingly downloaded a malware-laced system administration tool” from a trusted online resource frequently accessed by state IT personnel.

An anti-malware security tool “quarantined and then deleted” the attacker’s software tool on June 26, but the underlying back door it had installed was not removed and remained active.

“Further adding to the complexity of the deception, the (threat actor) leveraged legitimate Google advertisements as a vector to deliver the malware package,” according to the report. “This action immediately configured a hidden backdoor that established a connection to the (threat actor’s) infrastructure each time a user logged onto the system.”

Between Aug. 16 and 24, the threat actor accessed “multiple critical servers, including the password vault server, and retrieved credentials from 26 accounts.” Investigators determined more than 26,400 files were accessed, and 3,200 were exposed.

The attacker established encrypted tunnels and used remote access to move laterally through the system, and on Aug. 24, the attacker deleted backup volumes of data and deployed ransomware, disrupting critical services.

Of the sensitive data that the malicious actor intended to remove from state systems, only one document contained personal identifying information. It was of a former state employee who was notified of the exposure, according to the report.

The report did not state how much was sought in ransom. State officials did not engage with the actor “for a specific demand figure as that action could have triggered additional negative (threat actor) response on critical systems,” a spokesperson said in a statement. “Additionally, sharing a number can incentivize copycats and complicate ongoing work.”

Nevada spends $1.5 million on cyberattack response

The state spent $1.3 million on external vendor support during the cyberattack’s response. The report states the costs were part of pre-negotiated contracts designed to cover incident response. The funds covered investigative efforts by Mandiant, the cybersecurity firm; infrastructure recovery and hardening done by Microsoft, DART and Dell; specialized recovery and engineering support from Aeris; and legal counsel by BakerHostetler law firm.

More than 4,200 overtime hours were logged between Aug. 24 and Sept. 20 by 50 state employees, according to the report. Overtime wage costs reached nearly $210,600, or roughly $259,000 with benefits included.

“That surge capacity — nights, weekends, and holidays — meant payroll processed on time, public safety communications stayed online, citizen-facing systems returned in phased order, and agencies received daily guidance while core platforms were rebuilt,” the report states.

Greg Moody, a cybersecurity expert and professor at UNLV, agreed with the report’s assessment that the response was handled faster than typically expected during attacks of this scale. He said it can take five to six months to recover systems in other instances.

Nevada officials said the remaining 10 percent of affected data is in the state’s control but is not required to restore essential services and is being reviewed on a risk basis.

“They’re not 100 percent there,” Moody said. “But the more disruption wasn’t because the attackers won, it’s because Nevada noticed the attack and did the safe, precautious thing and turned everything off.”

Report recommendations

The Governor’s Technology Office implemented several recommendations for security hardening measures throughout the attack. The office said it focused on securing critical systems first and ensuring that only authorized people had access to sensitive areas in the system.

First, it determined that the state should limit hackers’ ability to move around inside its systems by strengthening access control measures. It also recommended limiting privileged access for powerful accounts, securing passwords, and reducing the number of accounts with too much control.

“(The Governor’s Technology Office) made sure that regular user accounts and powerful admin accounts are kept separate,” according to the report. “This is like having different keys for your bedroom and a bank vault — just because someone can enter the house, it doesn’t mean they can open the safe.”
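The account-separation control the report describes can be checked mechanically. The following is an added example, not code from the report, the state or Mandiant: it audits a constructed account inventory (the group names, account names and owners are invented for illustration) for daily-use accounts that also carry privileged group membership, for people who have no dedicated admin account, and for how many accounts sit in each powerful group.

```python
# Added example: audits a constructed account inventory for the controls the
# report describes -- separating daily-use accounts from admin accounts and
# trimming the number of accounts with broad control. Group and account names
# are constructed for illustration, not taken from any real environment.
from dataclasses import dataclass

# Groups treated as "powerful" (constructed names; substitute your own).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "Vault Admins"}


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                 # the person (or service) behind the account
    groups: frozenset[str]
    daily_use: bool            # used for email, browsing, downloading tools


# Constructed inventory. "jdoe" is the anti-pattern: one account used for
# everyday work that also sits in a privileged group, so a malware-laced
# download made with it lands admin rights along with the malware.
INVENTORY = [
    Account("jdoe", "J. Doe", frozenset({"Domain Users", "Domain Admins"}), True),
    Account("asmith", "A. Smith", frozenset({"Domain Users"}), True),
    Account("asmith-adm", "A. Smith", frozenset({"Server Admins"}), False),
    Account("svc-backup", "backup service", frozenset({"Server Admins", "Vault Admins"}), False),
    Account("bchen", "B. Chen", frozenset({"Domain Users"}), True),
    Account("bchen-adm", "B. Chen", frozenset({"Vault Admins"}), False),
]


def is_privileged(acct: Account) -> bool:
    """True if the account holds membership in any privileged group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def dual_use_accounts(inventory: list[Account]) -> list[str]:
    """Accounts that are both daily-use and privileged: the separation the
    report calls for is missing for these."""
    return sorted(a.name for a in inventory if a.daily_use and is_privileged(a))


def privileged_footprint(inventory: list[Account]) -> dict[str, int]:
    """Number of accounts holding each privileged group; the report's goal is
    to drive these counts down."""
    counts = {g: 0 for g in sorted(PRIVILEGED_GROUPS)}
    for a in inventory:
        for g in a.groups & PRIVILEGED_GROUPS:
            counts[g] += 1
    return counts


def owners_without_separate_admin(inventory: list[Account]) -> list[str]:
    """People whose privileged access lives on their daily-use account rather
    than on a dedicated admin account."""
    by_owner: dict[str, list[Account]] = {}
    for a in inventory:
        by_owner.setdefault(a.owner, []).append(a)
    flagged = []
    for owner, accts in by_owner.items():
        has_separate_admin = any(is_privileged(a) and not a.daily_use for a in accts)
        daily_is_privileged = any(is_privileged(a) and a.daily_use for a in accts)
        if daily_is_privileged and not has_separate_admin:
            flagged.append(owner)
    return sorted(flagged)


if __name__ == "__main__":
    print("dual-use accounts:", dual_use_accounts(INVENTORY))
    print("privileged footprint:", privileged_footprint(INVENTORY))
    print("owners lacking a separate admin account:", owners_without_separate_admin(INVENTORY))
```

On the constructed inventory the audit flags only `jdoe` (and its owner), while A. Smith and B. Chen pass because their admin rights live on separate `-adm` accounts that are never used for daily work. In practice the inventory would be exported from the directory rather than typed in, but the three checks are the same.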

The report also recommends that the state invest in a security operations center and endpoint detection and response systems. A centrally managed security operations center would unify defensive efforts and support proactive defense strategies. Meanwhile, modernizing endpoint detection and response platforms would improve the state’s threat detection and automated containment capabilities, according to the report.

Cameron Call, chief technology officer of the Las Vegas-based cybersecurity firm Blue Paladin, said the attack should be a wake-up call for the state to focus on a centralized system to handle cybersecurity.

“Hopefully they do learn from this and take it to heart and modernize,” he said. “They got lucky in a lot of ways, both in the cost and the recovery. Let’s not give someone a second chance.”

The full report is available online.

Contact McKenna Ross at mross@reviewjournal.com. Follow @mckenna_ross_ on X.
