
China’s biggest bank faces ransomware attack, disrupts US treasury market

Written by Tue 14 Nov 2023

A division of the Industrial and Commercial Bank of China (ICBC) has experienced a ransomware attack. The attack caused disruption in the US Treasury market by interrupting the clearing of fixed-income and equity trades.

The ransomware attack on 9 November took down critical systems at ICBC Financial Services, including corporate email and trading platforms. ICBC Financial Services is the US unit of ICBC, which is the world’s largest commercial lender by total assets.

Bloomberg reported that this forced ICBC Financial Services to fall back on unconventional methods, such as messengers hand-delivering settlement details on thumb drives to the relevant parties.

“We successfully cleared US Treasury trades executed Wednesday 8 November and repo financing trades on Thursday 9 November,” said ICBC Financial Services in a statement.

Corporate email also stopped working, forcing employees to switch to Google Mail, two people familiar with the situation told Reuters. However, ICBC Financial Services said its business and email systems operate independently of the wider ICBC group.

“The systems of the ICBC Head Office and other domestic and overseas affiliated institutions were not affected by this incident, nor was the ICBC New York Branch,” said ICBC Financial Services.

However, The Financial Times said the ransomware attack hindered the ICBC division’s ability to settle Treasury trades on behalf of other market participants.

What was the Response to the ICBC Ransomware Attack?

ICBC Financial Services initiated an immediate investigation upon discovering the attack. In response, the affected systems were disconnected and isolated to contain the incident.

“ICBC Financial Services has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts,” said ICBC Financial Services.

On a Friday industry call, ICBC informed market participants that it was collaborating with the cybersecurity firm MoxFive to establish secure systems.

Sources told Reuters these measures were intended to restore normal business operations on Wall Street, and ICBC expected the systems to be operational on Monday at the earliest. ICBC Financial Services has also reported the incident to law enforcement.

“We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation,” said the US Department of Treasury to CNBC.

ICBC asked its clients to temporarily suspend business with it and clear trades elsewhere. Sources told Reuters that other market participants, who were not identified, reviewed their books for exposure to ICBC and rerouted trades.

The ransomware attack resulted in ICBC Financial Services temporarily owing The Bank of New York Mellon £7.3 billion ($9 billion). This figure is significantly larger than its net capital.

On Friday, China’s Foreign Ministry said ICBC is striving to minimise risk impact and losses after the attack.

“ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” said Wang Wenbin, Ministry Spokesperson.

Who was Responsible for the ICBC Ransomware Attack?

The hacking group LockBit is suspected of being behind the ICBC attack, although ICBC has not confirmed this. Victims commonly decline to name the cybercrime gang involved.

Marcus Murray, founder of Swedish cybersecurity firm Truesec, told CNBC that the ransomware used against ICBC was LockBit 3.0, citing sources with relationships to Truesec.

Murray was unable to reveal who those sources were for confidentiality reasons. The Financial Times also confirmed that LockBit 3.0 was used in the attack.

A LockBit representative told Reuters over the Tox messaging app that ICBC had paid the ransom, which essentially closed the deal.

Recently, members of the Counter Ransomware Initiative (CRI) signed a joint statement denouncing ransomware and payments being made to cybercriminals.

What is LockBit Ransomware?

LockBit operates a ransomware-as-a-service (RaaS) business model: the core group develops and maintains the LockBit malware and leases it to affiliates, who carry out the intrusions.

Once the malware is in place the attack turns to extortion, which is what makes it so damaging. LockBit is built to spread itself across an organisation’s network, and its operators go after specific weaknesses in a victim’s systems, such as a way to bypass authentication, as was the case in this attack.

Once inside, LockBit spreads automatically and encrypts every system it can reach on the network. Because data is stolen before it is encrypted, the attackers can also threaten to leak it, so the extortion still works even when the victim has backups and can restore from them.

This ransomware is used mainly against enterprises and other large organisations. LockBit affiliates were behind earlier attacks in 2023 on Royal Mail and Boeing.

“Preventive measures to ensure companies are protected against any ransomware or malicious attacks are vital but mistakes can happen and sophisticated criminal groups will relentlessly target any given vulnerability,” said Jake Moore, Global Cybersecurity Advisor at ESET.

Measures such as strong, unique passwords combined with multi-factor authentication are key to protecting systems, as is applying patches promptly. Offsite and disconnected backups, together with a restore process that is actually tested, are equally important: a backup that has never been restored is only a hope, and a backup the attacker could reach may already be encrypted.
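The "tested restore process" above is the step most organisations skip. The following is an added example, not code from the article, ICBC or ESET: it backs up a few constructed files, records a SHA-256 manifest that would live on the offline copy, restores the archive into a scratch directory and checks every file against the manifest. A second run simulates a backup target that ransomware has overwritten and shows the rehearsal failing instead of silently "succeeding". File names, contents and the `backup.tgz` archive name are all constructed for the example.

```python
"""Backup restore rehearsal with manifest verification (added example)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a settlement system's files.
SAMPLE_FILES = {
    "trades/2023-11-09.csv": b"trade_id,cusip,qty\n1,912828YK0,1000000\n",
    "config/clearing.ini": b"[clearing]\ncounterparty=BNYM\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return {relative path: sha256}.

    The manifest belongs on the offline/immutable copy: if the archive's
    contents stop matching it, the backup is not something you can restore from.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """Restore into dest and return a list of problems (empty means restore OK)."""
    problems = []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe 'data' extraction filter where this Python has it,
            # so a crafted archive cannot write outside dest.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
    except (tarfile.TarError, OSError) as e:
        return [f"archive unreadable: {e}"]
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_restore_test(simulate_ransomware: bool = False) -> list:
    """Build sample data, back it up, rehearse the restore, return any problems."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, archive = root / "src", root / "restore", root / "backup.tgz"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = create_backup(src, archive)
        if simulate_ransomware:
            # Ransomware with reach into the backup target encrypts a source
            # file and the next backup job overwrites the archive with junk.
            # The manifest on the offline copy still holds the good hash.
            (src / "trades/2023-11-09.csv").write_bytes(os.urandom(64))
            create_backup(src, archive)  # archive rewritten, manifest unchanged
        return restore_and_verify(archive, manifest, dest)


if __name__ == "__main__":
    print("clean backup:", run_restore_test(False) or "restore OK")
    print("tampered backup:", run_restore_test(True))
```

Run it on a schedule against the real backup set and treat a non-empty problem list as an incident, not a warning; the point of the rehearsal is to learn that a backup is unusable before the day you need it.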

Preventing Ransomware Attacks

The ransomware attack on ICBC follows recent attacks on MGM Resorts, Caesars Entertainment, Marina Bay Sands and Clorox earlier this year. It underscores the persistent threat from sophisticated cybercrime groups and the critical need for robust cybersecurity measures.

“The ransomware scourge is increasing according to recently published data showing a big spike in attacks year over year in 2023 as compared to last year. I caution anyone from jumping to rash conclusions as we don’t have many details on whether there were material losses associated with the attack,” said Jim Doggett, CISO of Semperis.

To better prepare for the inevitable attack, organisations should regularly review business risk, including the impact ransomware could have on their business.

Even if a company reviewed its business risks in October, it should do so again: something that was not obvious then might be now.

“I speak to companies regularly that do not believe they are in the crosshairs of ransomware threat actors, but they are,” added Doggett.

Companies should also learn to prioritise. If ransomware is a greater risk than another threat, they should prioritise ransomware.

“This sounds easy, but it requires fortitude to help senior management understand this approach,” said Doggett.

Companies should aim to eliminate single points of failure from critical services and have contingencies in place if their business becomes disrupted.

“If critical services go down, the business stops. Have a plan for ‘what to do if…’. This does not have to be perfect, but think now about what to do if email goes away or a customer portal or CRM tool gets locked,” added Doggett.

Active Directory environments are among the most commonly abused entry points, and attacks on them are among the most damaging. Attackers routinely target them, so organisations need real-time visibility into changes to privileged accounts and groups.
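The following is an added example of what that visibility looks like in practice; it is not code from the article or from Semperis. It runs over a handful of constructed Windows Security events in JSON form (the shape a SIEM or Windows Event Forwarding pipeline typically delivers) and flags membership changes to Tier-0 groups, rates them by whether the actor is a change-controlled provisioning account, and catches the "add, act, remove" pattern in which an attacker drops an account into Domain Admins and pulls it out again a few minutes later. The event IDs and field names (`TargetUserName` for the group, `MemberName` for the account DN, `SubjectUserName` for the actor) are the real Windows ones; the accounts, domain, timestamps and the `svc-iam-provisioning` allow-list are constructed.

```python
"""Detect privileged AD group changes in Security event records (added example)."""
import json
from datetime import datetime, timedelta

# 4728/4732/4756: member added to a security-enabled global/local/universal group
# 4729/4733/4757: member removed from the same group types
ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}

# Groups whose membership changes should page someone, not land in a report.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                "Administrators", "Account Operators", "Backup Operators"}

# Actors allowed to change these groups through change control (constructed).
APPROVED_OPERATORS = {"svc-iam-provisioning"}

# Constructed sample events, one JSON object per line. The sequence shows a
# helpdesk account (bsmith) creating a user, adding it to Domain Admins and
# the DC's local Administrators, touching an unrelated group, then removing
# it from Domain Admins twelve minutes later.
SAMPLE_LOG = """\
{"TimeCreated":"2023-11-08T21:02:11Z","EventID":4728,"SubjectUserName":"svc-iam-provisioning","TargetUserName":"Domain Admins","MemberName":"CN=alice,OU=Admins,DC=corp,DC=example"}
{"TimeCreated":"2023-11-08T23:14:05Z","EventID":4720,"SubjectUserName":"bsmith","TargetUserName":"svc-backup2"}
{"TimeCreated":"2023-11-08T23:15:40Z","EventID":4728,"SubjectUserName":"bsmith","TargetUserName":"Domain Admins","MemberName":"CN=svc-backup2,CN=Users,DC=corp,DC=example"}
{"TimeCreated":"2023-11-08T23:16:02Z","EventID":4732,"SubjectUserName":"bsmith","TargetUserName":"Administrators","MemberName":"CN=svc-backup2,CN=Users,DC=corp,DC=example"}
{"TimeCreated":"2023-11-08T23:20:30Z","EventID":4728,"SubjectUserName":"bsmith","TargetUserName":"Sales Team","MemberName":"CN=carol,CN=Users,DC=corp,DC=example"}
{"TimeCreated":"2023-11-08T23:27:19Z","EventID":4729,"SubjectUserName":"bsmith","TargetUserName":"Domain Admins","MemberName":"CN=svc-backup2,CN=Users,DC=corp,DC=example"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events and attach a datetime for ordering."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events: list, approved=APPROVED_OPERATORS,
           window: timedelta = timedelta(minutes=30)) -> list:
    """Return alerts for Tier-0 group changes, processed in time order."""
    alerts = []
    added_at = {}  # (group, member) -> time the member was added
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["EventID"]
        if eid not in ADD_EVENTS and eid not in REMOVE_EVENTS:
            continue  # user creation, logons etc. are out of scope here
        group, member, actor = ev["TargetUserName"], ev["MemberName"], ev["SubjectUserName"]
        if group not in TIER0_GROUPS:
            continue
        base = {"time": ev["TimeCreated"], "group": group, "member": member, "actor": actor}
        if eid in ADD_EVENTS:
            added_at[(group, member)] = ev["time"]
            alerts.append({**base, "rule": "tier0-member-added",
                           "severity": "info" if actor in approved else "high"})
        else:
            t_add = added_at.pop((group, member), None)
            if t_add is not None and ev["time"] - t_add <= window:
                # Short-lived Tier-0 membership is the classic "use and clean up"
                # pattern; a legitimate change rarely gets reverted this fast.
                alerts.append({**base, "rule": "tier0-add-then-remove",
                               "severity": "critical"})
            else:
                alerts.append({**base, "rule": "tier0-member-removed",
                               "severity": "info" if actor in approved else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In a real deployment the allow-list would come from the change-management system rather than a constant, and the "added" state would have to survive restarts (a key-value store keyed on group and member DN); the rule logic itself does not change.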
