CU Experts See Dramatic Increase in Cyberattacks in Recent Weeks
Regulators and security officials see a hacking surge running parallel to Russia’s attacks in Ukraine.
Russia’s military aggression in Ukraine over the past week appeared to follow a significant uptick in cyberattacks across several sectors, including the financial industry.
In an interview with CU Times, Chris Sachse, CEO of the Baltimore-based cloud and cybersecurity organization Think|Stack, said, “We have seen hundreds upon hundreds of percentage increase in attacks over the last two to three weeks. We are seeing the activity levels in ways that we haven’t seen.”
He added, “We are continuing to see that trend and we are continuing to see a spike in the number of attacks that are occurring way more so since the conflict.”
The Department of Justice, FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency released a series of cybersecurity warnings last month during Russia’s build-up to invade Ukraine.
During the Munich Security Conference in February, Deputy Attorney General Lisa Monaco said, “Given the very high tensions that we are experiencing, companies of any size and of all sizes would be foolish not to be preparing right now as we speak to increase their defenses, to do things like patching, to heighten their alert, to be monitoring in real time, their cybersecurity.”
Concerns over a possible massive cyberattack were top of mind at the general session of CUNA’s Governmental Affairs Conference on Monday. After greeting the crowd, NCUA Chairman Todd Harper immediately addressed his growing unease about a pending cyberattack.
“Before I begin today, I want to discuss the current situation in Ukraine,” Harper said. “The conflict there has raised concerns about potential cyberattacks here in the U.S., including those against the financial services sector.”
Harper continued, “I cannot stress this enough: All credit unions and vendors, regardless of size, are vulnerable to cyberattacks. Given the events over the last few days, attacks on financial institutions are potentially imminent. So, all parties within the system must maintain the highest level of alertness.”
Sachse agreed with Harper on the vigilance needed at this time. He pointed out that historically hackers conduct phishing scams or tap into an organization’s system to steal cash.
“In this case, I’m not worried about the Russians stealing our money,” said Sachse. “I’m worried about them creating so much disruption to a system simultaneously that it causes panic.”
His worry concerned Russia’s ability to conduct a locally focused attack on credit unions, health care providers, energy companies and school systems. For instance, Sachse asked, what if Russia or another group decided to focus on one city and hit the credit unions there with ransomware at the same time? In that case, people wouldn’t have access to their accounts for days. “The panic that would have ensued I think would have created the type of situation that Russia is really looking for – which is somewhat like a terrorist attack.”
He said Russia appears to be focused on pure disruption, especially since the U.S. and several other countries have imposed economic sanctions against Russia, which has potentially caused an almost instant recession for the country.
“Their banking system now feels threatened, so they’re going to hit ours,” Sachse warned.
Sachse said Think|Stack is advising its clients and the credit union industry at large to take steps to ensure systems are as secure as possible, including the following:
- Make sure systems are up-to-date with the latest programs and security patches.
- Review your credit union’s incident response plan and conduct table-top exercises.
- Evaluate your most recent vulnerability scans and security assessments.
- Install multi-factor authentication for employees and members.
Sachse said now is not the time to be complacent with cybersecurity measures.
“What we’ve seen by and large is somewhat of a false sense of security with a lot of credit unions to be honest with you,” he said. “Because they’re regulated, a lot of the boards and executive teams are sitting back and saying, ‘We’re good! The regulators were out here.’ Unfortunately, the regulators aren’t cybersecurity professionals.”