The State of Nevada has published an after-action report detailing how hackers breached its systems to deploy ransomware in August, and the actions taken to recover from the attack.
The document is one of the few completely transparent technical reports on a cybersecurity incident published by a government in the U.S., describing every step the attacker took and setting an example of how cybersecurity incidents should be handled.
The incident impacted more than 60 state government agencies and disrupted essential services, from websites and phone systems to online platforms. 28 days later, without paying a ransom, the state recovered 90% of the impacted data that was required to restore affected services.
In a report today, the State of Nevada details with full transparency how the initial compromise occurred, the threat actor's activity on its network, and the steps taken after detecting the malicious activity.
Ransomware attack unfolding
Although the breach was discovered on August 24, the hacker had gained initial access on May 14, when a state employee used a trojanized version of a system administration tool.
According to the report, a State employee searched Google for a system administration tool to download and was instead shown a malicious advertisement that led to a fraudulent website impersonating the legitimate project.
This fake website offered a malware-laced version of the admin utility, which deployed a backdoor on the employee's device.
Threat actors have increasingly begun to use search advertisements to push malware disguised as popular system administration tools, like WinSCP, Putty, RVTools, KeePass, LogMeIn, and AnyDesk. When the victim runs the download, malware is installed instead of the desired program, giving the threat actors initial access to corporate networks.
As these tools are designed for system administrators, the threat actors hope to gain elevated access on the network by targeting these IT employees.