Credit union operations restored after tech supplier ransomware attack

The federal agency that oversees credit unions said operations at about 60 of the organizations have been restored following a ransomware attack last month.

The National Credit Union Administration (NCUA) told Recorded Future News that it has been in regular contact with all of the affected financial institutions, helping them get their systems and operations back online “as quickly as possible.”

“As of December 12, and based on our outreach to affected credit unions regarding their operating status, the affected credit unions are fully operational and serving member needs,” NCUA spokesperson Joseph Adamoli explained.

“The credit unions have sufficient liquidity to meet the cash and payment needs of their members; members have access to their funds and to ATMs.”

Ongoing Operations, a cloud services provider owned by credit union technology firm Trellance, revealed earlier this month that a ransomware attack was the cause of widespread outages reported by several credit unions.

An Ongoing Operations spokesperson declined to answer several questions about the incident, instead directing Recorded Future News to a statement the company published on December 7.

The company hired cybersecurity experts to investigate the incident and said it is “isolated to a segment of the Ongoing Operations network” and does not impact the products or services of Trellance.

The cyberattack was discovered on November 26 and Ongoing Operations immediately reported the incident to federal law enforcement agencies — something Adamoli confirmed.

“Our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems. We will notify impacted individuals once we confirm the scope of the incident,” Ongoing Operations said on Dec. 7.

“The investigation to determine what impact this incident may have had on information stored on our network systems is ongoing.”

The statement added that it will take a “substantial amount of time” to fully investigate the situation and review the files that were accessed by the hackers. The company said it was making “significant progress” in re-establishing services for its customers.

All impacted customers were notified of the incident and any who were not contacted were not affected by the attack, the company claimed.

“Ongoing Operations will assist impacted credit unions with member notification and will offer complimentary credit monitoring and identity restoration services to those who are impacted,” they statement adds.

One of the credit unions affected — Peru, New York-based Mountain Valley Federal Credit Union (MVFCU) — published a notice to its customers on Sunday confirming that services had been restored late on Saturday night.

“We realize this has been an extremely long process, however we truly appreciate your patience and understanding during this time,” MVFCU CEO Maggie Pope wrote to members.

No ransomware gang has taken credit for the attack on Ongoing Operations.

The NCUA warned in August that it was seeing an increase in cyberattacks against credit unions, credit union service organizations (CUSO), and other third-party vendors supplying financial services products.

On Tuesday, the Lorenz ransomware gang took credit for an attack on Bayer Heritage Federal Credit Union, which confirmed it was attacked on November 1.

The attack brought down the credit union’s systems and phone lines, forcing them to operate most services manually in person.

“Bayer Heritage Federal Credit Union experienced a cyber incident that resulted in our phones and systems being disrupted unexpectedly. With the assistance of our 3rd party vendors, we have contained the situation and are performing forensic investigations to determine what, if any, data has been compromised,” they said.

Phone service was restored by November 15 and the credit union said late fees on payments would be waived.