On November 8th, the Industrial and Commercial Bank of China (ICBC) was impacted by a ransomware attack that disrupted a subset of their Financial Services (FS) systems. ICBC is China’s largest bank with the Financial Services unit based in New York City. ICBC FS has many operations but has a significant hand in the U.S. Treasury market.
As the Financial Times first reported, the ransomware attack against ICBC FS came in the form of LockBit 3.0 malware, a product of the notorious LockBit ransomware group.
According to Jake Moore, Global Cybersecurity Advisor at ESET, “LockBit is a ransomware attack which uses extortion tactics once the malware is in place making it more lethal. It is dangerously self-spreading in organisations and targeted at victims or their systems specifically looking for vulnerabilities such as being able to bypass authentication.”
He explained that LockBit will then automatically spread the infection and encrypt all accessible computer systems on the network. “Once data has been stolen, the extortion tactics occur.”
In a statement on the ICBC FS website, the bank announced that following the discovery of the ransomware attack on Wednesday, they immediately “disconnected and isolated systems to contain the incident.”
Significantly, the attack has impacted the U.S. Treasury market, resulting in ICBC FS clients having to reroute trades through different banking services. Some financial experts are concerned the fallout of this incident will impact liquidity of US Treasuries.
“The attack on ICBC, China’s largest bank, shows that no organisation is ever safe from the threat of ransomware,” said Camellia Chan, CEO and Co-Founder of Flexxon. “Both old and new gangs and threat actors are always plotting their next move. In fact, ransomware had a record month in September. And we all know the consequences can be disastrous. Just look at MOVEit from earlier this year – cybercriminals accessed data from a whole host of businesses and governments, including Shell and the United States Department of Energy, and is still being felt today across the supply chain.”
While ICBC FS is a subsidiary of the Industrial and Commercial Bank of China group, its business and email systems operate independently. According to the notice, neither the ICBC Head Office nor the ICBC New York Branch were impacted in the attack.
This is a developing story and ICBC FS may still come out with more news yet. Fortunately, the bank’s notice includes reassurance that they are, “conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts.”
The incident has also been reported to law enforcement.
Roger Grimes, Data-Driven Defence Evangelist at KnowBe4, thinks that this is a surprisingly big and powerful target for LockBit to have gone after.
“Incidents like this, where there’s “real” money involved, often don’t work out long-term for the ransomware gang involved,” Grimes said in a comment to IT Security Guru.
He explained, saying, “The authorities not only get involved, but there’s big pressure for people to be arrested and the gang shutdown. I’m surprised the ransomware gang went ahead with the exploitation. Perhaps they didn’t realize what they had and what they would be interrupting. But the Chinese certainly have their own great hackers they can use as an offensive resource and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases.”
However, Chan offered an additional perspective, pointing out that “The ICBC attack has already disrupted trades in the US Treasury market, who is to say the damage will stop there? The good news is, it appears the bank acted swiftly by isolating affected systems, and investigations are ongoing – but this will no doubt shake organisations across the globe. To meet the fast-evolving threat landscape, organisations need to be proactive in recognising security gaps and must address those with innovative, proven solutions at both the software and the hardware layer.”
