Hackers Take 60 Credit Unions Offline in a Single Attack on IT Provider

Ransomware operators took down 60 credit unions across the US after hacking their services provider – a classic supply chain attack.

A spokesperson for the National Credit Union Administration (NCUA) revealed Friday that “approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider.”

That provider is the Trellance-owned Ongoing Operations, which touts itself on offering “complete disaster recovery/business continuity and cloud solutions.” The company was founded to mainly serve credit unions, but other types of organizations use its services as well.

“On November 26, 2023, we were victimized by a sophisticated ransomware attack,” the company told its customers in a letter.

“Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event. We also notified federal law enforcement.”

“At this time, our investigation is currently ongoing, and we will continue to provide updates as necessary,” the statement continues. “Please know that at this time, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.”

Credit unions across the US – many of which are experiencing ongoing downtime days after the attack – are notifying their clients and partners of the incident.

According to The Register, the cloud service provider was likely infiltrated via the Citrix Bleed vulnerability.

Inquired by the British news outfit, a spokesperson for Ongoing Operations said the incident is “isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems.”

The company is now working around the clock to determine what data (if any) the attackers got their hands on. According to the spokesperson, the organization is also busy implementing “additional measures designed to increase our data security and block further unauthorized access to our systems moving forward.”

Mother-company Trellance, which acquired Ongoing Operations in 2022, has yet to issue a statement about the breach.