Cyber Incident Victim: Federal Computing Solutions
Date: Nov 2023
Location: United States of America
Summary
A ransomware attack targeted Trellance, an IT provider serving credit unions through its subsidiaries FedComp and Ongoing Operations, causing nationwide outages impacting approximately 60 institutions. The incident disrupted critical systems, forcing operational shutdowns and member service interruptions, with investigations suggesting exploitation of the CitrixBleed vulnerability (CVE-2023-4966) in Trellance's network infrastructure. The National Credit Union Administration coordinated with federal agencies including CISA, FBI, and the Treasury Department, confirming insured deposits remained protected. This attack follows heightened warnings about cyber threats to financial entities and aligns with broader ransomware campaigns affecting multiple industries.
Description
A ransomware attack on November 26, 2023, disrupted operations for approximately 60 U.S. credit unions after compromising systems at Trellance, a third-party IT provider serving the industry. The attack impacted Trellance-owned subsidiaries FedComp Inc. and Ongoing Operations, triggering nationwide outages that prevented credit unions from accessing critical operating systems. FedComp’s data center experienced technical difficulties resulting in a "country-wide outage," according to a since-removed website notice, which confirmed the unavailability of email support and unspecified restoration timelines. Mountain Valley Federal Credit Union (MVFCU) attributed the disruption to a ransomware incident targeting Trellance, with CEO Maggie Pope stating FedComp and Trellance personnel were working continuously to restore systems.

The National Credit Union Administration (NCUA) publicly acknowledged the attack on November 24, linking it directly to Trellance’s infrastructure. Cybersecurity researcher Kevin Beaumont identified the exploitation of CVE-2023-4966 (CitrixBleed), a critical vulnerability in Citrix NetScaler application delivery controllers, as the attack vector. Logs indicated Ongoing Operations last modified its NetScaler devices on May 12, 2023, prior to the November 26 compromise, leaving the systems unpatched against the flaw. Ongoing Operations confirmed the ransomware incident was isolated to a segment of its network but noted an ongoing investigation to determine potential data impacts. The NCUA coordinated with the Treasury Department, FBI, and Cybersecurity and Infrastructure Security Agency (CISA) following the attack.

The incident caused prolonged operational disruptions affecting millions of credit union members, with Ongoing Operations’ offline NetScaler devices preventing routine financial transactions. FedComp’s technical support remained partially accessible via phone despite email system failures. NCUA emphasized federally insured deposits remained protected up to $250,000 per account under the National Credit Union Share Insurance Fund. Trellance issued a statement confirming round-the-clock remediation efforts but provided no restoration timeline.

The attack occurred amid heightened NCUA warnings about escalating cyber threats to credit unions, including an August 2023 advisory urging "immediate and comprehensive action" to safeguard systems and member data. NCUA’s mandatory 72-hour cybersecurity incident reporting requirement, implemented earlier in 2023, yielded 146 submissions within its first month, reflecting sector-wide vulnerability. This incident followed a pattern of third-party supply chain compromises, including May 2023 MOVEit file-transfer attacks affecting multiple credit unions. CitrixBleed exploitation also aligned with recent ransomware incidents at Boeing and Fidelity National Financial, prompting CISA’s November warnings for organizations to patch vulnerable systems. NCUA Chair Todd Harper cited the agency’s established incident response framework to manage such events, though specific mitigation actions taken during this attack were not disclosed.
