Nevada: ‘Network security incident’ was a targeted cyberattack
Officials confirmed Tuesday that the state of Nevada’s computer network was targeted in a cyberattack and is under active state and federal investigation as IT staffers work to restore service.
The announcement came Tuesday evening after government offices were shut down for two days; Department of Motor Vehicles offices are closed until further notice.
Gov. Joe Lombardo’s office has said there is no evidence yet that personal information was compromised in the cyberattack. But beyond that assurance, Nevada residents and state employees remain in the dark about exactly how or when the attack occurred and its possible impact on the security of state data.
“To protect internal systems during an active criminal investigation, the State is unable to provide technical details at this point,” the governor’s office said in the memo released Tuesday evening.
‘Symptoms’ point to ransomware
Before state officials confirmed the attack, cybersecurity experts said all signs pointed to a cyberattack.
Gregory Moody, director of the UNLV Cybersecurity Program, said the state must disclose if data was breached. In accordance with state regulation, the state also must disclose what data was compromised and how it happened, he said.
It’s standard practice to shut down systems when investigating a potential threat. It’s the easiest way to investigate and fix the issue, he said.
“Imagine you’re flying an airplane and an engine blows; it’s a lot easier to fix the engine on the ground than in the air,” Moody said. “So most times when there’s a problem, whether it’s malicious or not, you’d still land the airplane, take it offline, fix it, then you put it back up in the air.”
If this was a ransomware attack, governments are prohibited from negotiating with terrorists, including digital terrorists, Moody said.
Cameron Call, chief technology officer at the Las Vegas-based cybersecurity company Blue Paladin, said the state’s “symptoms definitely line up with a ransomware attack.”
A ransomware attack uses a type of malware that blocks users from accessing their own files and systems, typically by encrypting them, and then demands a ransom in exchange for a decryption key. Security experts typically advise against paying the ransom.
There are two likely ways a ransomware attack could have occurred: either with a phishing email or “unpatched software” put on a public-facing server, Call said.
State governments usually keep detailed backup records to recover from any attack, but it takes time to ensure the hacker is no longer in the system and to figure out how they got in, Call said.
Cybersecurity attacks have increased since the start of the COVID-19 pandemic, when people began working from home and it became easier to get people to fall for social engineering schemes, Moody said. Cyberattacks go through cycles where they target one particular industry — which responds by fixing the issues — and then cyberattackers move on to weaker industries.
“Now, they’re hitting state, local city governments because they may not have patched it up as efficiently as the retail or insurance margin,” Moody said.
Minnesota has experienced a recent string of cyberattacks. One on July 25 cripped the computer systems of the city of St. Paul, according to media accounts. Critical law enforcement tools, such as laptops used in traffic stops and to share case information, were knocked offline, according to news site KSTP.com. Police said the laptops were back in service after a week.
Interlock, a ransomware group on the dark web, had taken credit for the attacks. City leaders said the ransom was not paid.
What we know
The incident began Sunday morning, according to an earlier state announcement, when the Nevada Highway Patrol and Nevada State Police dispatch phone lines for roadside emergency and assistance calls went down. They have since been restored, though in-person and online services remain unavailable.
The FBI is assisting in the investigation as the governor’s technology office continues working to restore operations. Las Vegas FBI Public Affairs Specialist Sandra Breault confirmed Monday that the agency is aiding the state in the investigation but could not provide more information. Breault declined to provide additional information Tuesday morning.
Nevada is working continuously with local and federal partners to restore services and is using temporary routing and operational workarounds to maintain public access where possible, according to the governor’s office.
Sunday’s incident involved state government systems only and does not affect Nevadans’ home internet or mobile phone services, according to the governor’s office.
The office has warned Nevadans to avoid scams, urging them to be cautious of unsolicited calls, emails and texts that ask for personal information or payments.
Cybersecurity experts urged Nevadans to watch their financial records for unusual transactions and check to see if their email was part of a security breach at the website haveibeenpwned.com.
Services affected
In-person services at state offices remained closed Tuesday, with certain websites, online services and office phone lines unavailable or slow, as they were on Monday, according to the governor’s office.
“Critical employees and operations” remained open, the governor’s office said Tuesday morning.
The attack did not affect state payroll, and employees will continue to be paid on time through normal processes.
A representative with the public employee union AFSCME Local 4041 said agency supervisors are working with employees to communicate information as it becomes available.
Critical employees generally include workers in health care, Department of Transportation, IT, payroll and other positions like those considered “essential” during the COVID-19 pandemic. Other workers are on paid administrative leave, the representative said.
The Nevada Department of Motor Vehicles said all offices will remain closed until further notice, according to a Tuesday afternoon post on X. It said all canceled appointments during the outage will be honored as walk-ins for a two-week period following reopening.
All in-person and online transactions, as well as kiosk transactions are unavailable, with the exception of rapid registration and turbo titles. The DMV website was restored, the department said.
The Nevada Health Authority confirmed that existing Medicaid coverage and provider payments remain fully operational, according to the governor’s office. The outage does not affect existing Medicaid recipients’ ability to access covered medical care, and they can attend all scheduled appointments as usual.
For health care providers, claims and payments for services rendered to Medicaid recipients are being processed without delay, the governor’s office said.
University Medical Center CEO Mason Van Houweling said the incident has not disrupted patient care at UMC, the state’s largest public hospital. It has, however, affected UMC’s ability to complete the temporary Medicaid eligibility process for qualifying patients, Van Houweling said.
“In some cases, this is delaying patients from being discharged to post-hospital care settings,” he said in a statement. “UMC’s team members continue to screen patients for Medicaid eligibility and will process the applications once access is restored.”
Nevada’s online sex offender registry and Department of Corrections inmate search also were down as of 4 p.m. Tuesday.
North Las Vegas police said Tuesday the network outage affected their ability to access DMV records, but officers are still able to enforce observed traffic violations. The department’s ability to check national criminal record databases also has been affected, but it is able to use databases within its own jurisdiction.
The Regional Transportation Commission temporarily disconnected traffic cameras and electronic freeway signs “out of an abundance of caution,” the commission announced Monday. A few were in operation by Tuesday afternoon, mostly in rural Nevada.
The Nevada Department of Transportation posted Monday on X that some services, such as Southern Nevada traffic cameras, may still be intermittently unavailable as recovery continues. They remained inoperative Tuesday.
Regarding voter data, the secretary of state’s office said its website and protected data are on separate infrastructure from the affected state systems.
“Our teams are working diligently to ensure they remain secure,” the office said in a Tuesday statement.
The Nevada Gaming Control Board said on X it is implementing a “temporary workaround” for gaming employee registration to ensure operations can continue without disruption.
Local municipalities, including the cities of Las Vegas and Henderson, told the Las Vegas Review-Journal they were not affected by the incident.
Jennifer Cooper, a spokesperson for Clark County, said there are no known impacts to the county’s IT infrastructure. The county is monitoring potential impacts to departments connected to state programs, she said.
An earlier version of this story misstated when Lombardo’s office said there had been no sign personal information had been compromised.
Contact Jessica Hill at jehill@reviewjournal.com. Follow @jess_hillyeah on X. Staff writers Mary Hynes, McKenna Ross, Ricardo Torres-Cortez, Isaiah Steinberg, Tony Garcia and Arlette Yousif contributed to this report.
