New York (USA), China
Industrial and Commercial Bank of China (ICBC) Financial Services division, LockBit ransomware gang
On 8/11/2023, ICBC's Financial Services (FS) division in New York City was hit by a ransomware attack, leading to disruptions in specific systems within the division. ICBC FS immediately isolated the impacted systems to contain the incident.
The attack was extensive enough to disrupt not only the division's financial systems but also its corporate email, forcing employees to switch to Gmail.
On 9/11/2023, the attack caused disruptions in US Treasury markets. Some traders were unable to place or clear trades through ICBC and received emergency notices about connectivity issues. The outage left ICBC FS temporarily owing BNY Mellon about $9 billion for unsettled trades, far more than the division's net capital.
ICBC's parent company in China provided a cash injection to help repay BNY Mellon and manually processed trades with the custody bank's assistance.
On 10/11/2023, ICBC confirmed details of the attack and made them public. The company stated it was investigating and progressing with recovery. The bank successfully cleared Treasury trades executed on 8/11 and repo financing trades done on 9/11. However, some market participants reported unsettled trades, affecting market liquidity.
On 13/11/2023, a LockBit ransomware gang representative claimed that ICBC paid a ransom. This claim has not been independently verified, and as of 17/11/2023 ICBC had not responded to requests for comment.
On 14/11/2023, ICBC's management team flew to the US to address the fallout.
LockBit is a sophisticated threat actor that operates a Ransomware-as-a-Service (RaaS) model: affiliates carry out intrusions using LockBit's malware and infrastructure in exchange for a share of the ransom proceeds.
Since its emergence in 2019, LockBit has rapidly evolved into one of the world's most prominent ransomware threats, known for its aggressive tactics. The group's activities often target critical infrastructure and major corporate entities, resulting in significant operational and financial impacts.
It is widely speculated in the cybersecurity community that the group operates with a degree of impunity within Russia, as long as its attacks are focused outside Russian territory. This perceived tolerance by the Russian authorities is a common trait among several ransomware groups.
LockBit has targeted businesses in several sectors throughout the European Union, including real estate, manufacturing, and logistics.
In 2021, LockBit targeted Accenture, an Ireland-incorporated company and one of Europe's largest IT consultancy firms, demanding a ransom of 50 million dollars. When the ransom was not paid, large amounts of exfiltrated data were leaked, including proprietary information from an unspecified number of firms.
This incident stands out in that a major Chinese institution was attacked by a group widely believed to operate with the tolerance of the Russian government. Both US and Chinese authorities are likely to respond with some force.
The global cost of cyberattacks continues to rise. Taken together with the recent DP World Australia attack, this is likely the second event in only two weeks with potential impact exceeding one billion dollars.
The attackers reportedly gained entry through Citrix Bleed (CVE-2023-4966), a vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. It lets an unauthenticated attacker read appliance memory that can contain valid session tokens; replaying a stolen token hijacks an already-authenticated session, so password and multi-factor checks are bypassed rather than broken. Installing the patch stops new leakage but does not invalidate sessions that were stolen earlier, which is why Citrix and CISA advised terminating all active sessions after patching. Unless that was done, the attackers could still have held working sessions into ICBC's environment after the appliance was fixed.
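Two checks a defender would run after learning this, written here as an added example (not code from the page, from ICBC or from Citrix): flag any session token that is used from a different client IP than the one it authenticated from, and list sessions opened before the patch that were still in use afterwards, since those are the ones patching alone does not close. The log format, field names, session IDs, addresses and patch time below are constructed for the illustration and are not taken from any real NetScaler log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, not real NetScaler output).
# Session a1b2 is used from a second IP after login; session c3d4 is opened
# before the assumed patch time and is still active afterwards.
SAMPLE_LOG = """\
2023-11-07T09:00:00Z sid=a1b2 ip=203.0.113.10 user=alice event=login
2023-11-07T09:05:00Z sid=a1b2 ip=203.0.113.10 user=alice event=request
2023-11-07T10:12:00Z sid=a1b2 ip=198.51.100.7 user=alice event=request
2023-11-07T11:00:00Z sid=c3d4 ip=203.0.113.22 user=bob event=login
2023-11-07T11:30:00Z sid=c3d4 ip=203.0.113.22 user=bob event=request
2023-11-08T08:00:00Z sid=c3d4 ip=203.0.113.22 user=bob event=request
"""

# Assumed time at which the appliance was patched (hypothetical).
PATCH_TIME = datetime(2023, 11, 8, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    """Parse all matching lines of a log text, skipping malformed ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def find_ip_changes(records):
    """Sessions whose client IP changes mid-session.

    Returns {sid: [(timestamp, previous_ip, new_ip), ...]}. A stolen token
    replayed by an attacker from their own host shows up as such a change.
    """
    last_ip = {}
    changes = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        prev = last_ip.get(r["sid"])
        if prev is not None and prev != r["ip"]:
            changes[r["sid"]].append((r["ts"], prev, r["ip"]))
        last_ip[r["sid"]] = r["ip"]
    return dict(changes)


def find_sessions_surviving_patch(records, patch_time):
    """Sessions that logged in before patch_time and were still used at or after it.

    Patching stops new token leakage but does not end these sessions; they are
    the ones that must be terminated explicitly.
    """
    opened_before = {r["sid"] for r in records if r["event"] == "login" and r["ts"] < patch_time}
    used_after = {r["sid"] for r in records if r["ts"] >= patch_time}
    return sorted(opened_before & used_after)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, events in find_ip_changes(recs).items():
        for ts, old, new in events:
            print(f"{ts:%Y-%m-%dT%H:%M:%SZ} session {sid} moved from {old} to {new}")
    for sid in find_sessions_surviving_patch(recs, PATCH_TIME):
        print(f"session {sid} predates the patch and is still active: terminate it")
```

An IP change on its own is triage input rather than a verdict, since roaming users and VPN egress changes produce the same signal; pairing it with a user-agent change or a geographically implausible jump reduces false positives. The regular expression must be adapted to the actual log format of the appliance and version in use.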
While the financial implications for ICBC's parent company in China are not expected to be crippling, thanks to the swift response, the attack underscores the growing cybersecurity threat to global payment networks and financial institutions. As global payment systems become more interconnected, including between entities in the Chinese, North American and EU markets, the potency of cyberthreats such as ransomware will increase. The incident raises concerns about the resilience of the Treasury market and is likely to attract regulatory scrutiny. It may also open the door to international cooperation in cybersecurity enforcement: while the US and China have a history of competing in the cyber domain, the need to cooperate on this incident may establish some legal precedent for a combined response.