Nevada state employee installed ‘malware-laced’ sys admin tool, spurring ransomware attack
The Nevada state government’s major ransomware attack last August was precipitated by a state employee who unknowingly downloaded malware from a spoofed website, according to a report published Wednesday by the Nevada Governor’s Technology Office.
The report, which details the state’s four-week response and recovery following the discovery on Aug. 24 that a threat actor had breached its network defenses, provides a handful of new details, such as how the incident began and what the state has done in response and plans to do in the months ahead. Though the state discovered the attack in August, after the actor had deleted the state’s backup volumes, encrypted its virtual machines and deployed the ransomware, investigators discovered the incident began as early as May 14.
An employee had downloaded a “malware-laced system administration tool” twice from a fraudulent website that had made itself visible through a search engine optimization poisoning campaign, in which the website enjoyed a higher-than-usual ranking in search results. The fake website’s seeming authenticity was also boosted, the state found, by the threat actor’s use of legitimate Google ads.
Running the malware on state systems bypassed Nevada’s endpoint defenses and allowed it to “immediately” configure a backdoor that the threat actor was able to use to access state systems each time the associated user logged on. The state’s Symantec Endpoint Protection tool on June 26 quarantined the malware the user had downloaded, yet the backdoor continued to allow the outside actor access.
The attacker installed remote monitoring software with keylogging and screen-capture capabilities on two state systems, compromising the accounts of both standard and privileged users. By mid-August, investigators found, the attacker had established encrypted tunnels and begun using Windows’ Remote Desktop Protocol to “move laterally” across systems, “accessing sensitive directories and even the password vault server.”
The actor obtained the credentials of 26 accounts, accessing more than 26,000 files and exposing more than 3,200 files. The investigators reported that only one document is thought to contain sensitive personal information. That document, the report notes, identified a former state employee, who was reportedly notified. The attacker packaged the stolen files into a zip archive split into six parts. Investigators “found no confirmation” that the data had been successfully exfiltrated or that it has been posted to any leak site.
It’s possible, though, that the actor managed to extract the data and hide the evidence. Investigators found that throughout the attack, the actor had “meticulously cleared event logs to obscure their activities.”
In restoring its systems, the state recovered 90% of its data. The remaining 10% of affected data was not required to restore services, the report notes, and is still being reviewed “on a risk-basis.”
The attack was highly disruptive to the state government’s operations and the availability of its services. The response began with the state discovering the attack on Aug. 24 and notifying its cybersecurity insurance provider, which recommended it contact Mandiant, citing the cybersecurity firm’s “deep” expertise in handling ransomware threats. The state’s technology agency did so, and eventually enlisted a total of 14 vendors in its response, including Microsoft’s Disaster and Recovery Team, Aeris, Broadcom, Cisco and Dell, along with the usual cohort of local, state and federal law enforcement agencies, including the FBI and Department of Homeland Security.
The state tallied 60 of its agencies that had been affected, including some of its most critical: Health and Human Services, Motor Vehicles, and Public Safety. Residents were, in some instances for weeks, unable to access healthcare or transportation services or to rely on the usual level of public safety services.
The report, which is credited primarily to Mark Hellbusch, director of cybersecurity and privacy services at Info-Tech Research Group, along with input from key officials at the Governor’s Technology Office, is frequently self-congratulatory, pointing out that the state’s recovery period of 28 days is under the national average, and that relatively little sensitive data seems to have been compromised.
“The foresight of Executive Branch Leadership and the State Legislature in funding key cybersecurity initiatives helped ensure a potential full-scale ransomware event was contained and remediated,” the report reads. “The resilience shown throughout this event reflects Nevada’s technical capabilities and the dedication of the teams responsible for protecting them.”
The report’s writers estimate that the total cost of external vendor support for the incident was approximately $1.3 million. In a state legislative hearing last month, state Chief Information Officer Timothy Galluzi said he expected that the state’s $7 million cybersecurity-insurance policy would easily cover recovery costs.
The state saved on its recovery costs by using its own workforce, rather than outsourcing much of the extra work to vendors. During the four weeks of recovery, state workers involved in the effort logged more than 4,200 overtime hours, costing the state more than $200,000, as they worked nights, weekends and holidays. The report estimates that relying heavily on vendors would have cost the state an additional $478,000.
The report notes that staff were working at an “emergency operations tempo.” During last month’s hearing, Galluzi said he was proud of the staff involved, who had not been required to work overtime.
“They worked 18, 20-plus hour days for weeks,” Galluzi told lawmakers during an Oct. 16 hearing before the state’s interim finance committee. “They didn’t take days off. They didn’t take vacation. They gave up holidays, they gave up everything just to get Nevada back to work, just to get all of those things back online for Nevadans. It wasn’t required of them. They volunteered it. And it was out of that sacred sense of duty, out of that sacred mission that they all believed in. It’s because they cared.”
The state was presented with a note demanding a ransom, but the report does not disclose how much the actor wanted, nor any other details. Ceding to the actor’s demands was apparently never a serious consideration. The report notes the state’s “firm position” against paying ransoms.
The report credits the state’s solid incident response plan, developed over the last five years, for its rapid response in August. The report notes that this episode “underscores the importance of having a well-rehearsed incident response plan and trusted partnerships with legal and cybersecurity professionals,” and that the plan had “minimized the impact” of the attack.
The attack naturally led the state to shore up many of its defenses, the report notes, including instituting changes to impede lateral movement on its networks, better protecting privileged accounts and preventing their sharing, better securing passwords, trimming the privileges of accounts that had been granted more than they needed, and instituting a “principle of least privilege,” ensuring that users are only granted access to the data and services they absolutely need.
The attack is also leading to additional investments in cybersecurity, including the creation of a statewide cybersecurity operations center, intended to “unify monitoring efforts, reduce response times, and support proactive defense strategies. It will also facilitate better coordination across agencies and vendors, ensuring a consistent security posture statewide,” the report reads.
The state also plans to boost its cybersecurity training campaign, drawing on educational resources from Microsoft.
Lawmakers last month approved the state technology office’s requests to use more than $300,000 in already approved federal cyber funding to further its SOC and endpoint-detection projects.