Cyber Incident Victim: Tri Counties Bank
Date: Feb 2023
Location: United States of America
Summary
Tri Counties Bank experienced a cyberattack involving the Black Basta ransomware group, resulting in a data breach in which stolen identity documents such as passports and driver's licenses were published. The bank also suffered system outages affecting ATM access, though the relationship between these disruptions and the ransomware incident remains unclear. The bank engaged third-party forensic experts to determine the full scope of compromised data. Black Basta, which has ties to the Conti ransomware group and employs malware like Qakbot, has targeted multiple organizations, including other financial entities. The group's activities highlight broader cybersecurity threats to the financial sector, with investigations ongoing to clarify the extent of the breach.
Description
In February 2023, Tri Counties Bank in Chico, California, experienced a cybersecurity incident resulting in a data breach. The criminal group Black Basta claimed responsibility, publishing images of stolen identity documents, including passports and driver’s licenses, though the full extent of compromised data remained undetermined. The bank acknowledged the breach and engaged third-party forensic specialists to investigate the scope of exfiltrated information. This incident followed a February outage affecting the bank’s ATM network and other systems, though a direct link to the ransomware attack was unconfirmed. Brett Callow, a threat analyst at Emsisoft, highlighted the incident’s timing amid low public confidence in banks, warning that ATM inaccessibility could exacerbate customer concerns. Black Basta, active since April 2022, had previously targeted over 200 organizations, including Advance America, a South Carolina-based lender also impacted earlier in 2023.

The attackers employed Qakbot malware, which the U.S. Department of Health and Human Services (DHHS) noted had been used extensively against U.S. entities since 2020. A DHHS report released shortly before the bank’s breach detailed Black Basta’s ties to the Conti ransomware group, which disbanded in 2022 following internal discord over Russia’s invasion of Ukraine. While the report stopped short of confirming Black Basta as a Conti successor, it cited technical and operational overlaps suggesting collaboration. Tri Counties Bank’s forensic review continued as Black Basta’s broader campaign underscored persistent threats to financial and healthcare sectors, with stolen data exposure risks lingering for customers. Advance America did not publicly comment on its breach, leaving the impacts of both incidents partially unresolved.
