World’s Largest Bank, China’s ICBC, Targeted in Cyberattack Impacting Treasury Markets, 2023.
ICBC Financial Services, the U.S. financial arm of China’s Industrial and Commercial Bank of China (ICBC), was recently hit by a ransomware attack that disrupted certain systems and reportedly impacted Treasury markets.
ICBC, the world’s largest bank by assets, revealed the attack, emphasizing that it promptly isolated affected systems to contain the incident.

Ransomware attacks involve hackers seizing control of systems or data, releasing them only upon ransom payment. Although ICBC did not disclose the attackers’ identity, it affirmed an ongoing investigation supported by information security experts to facilitate recovery. Collaboration with law enforcement is also underway.
Despite successful clearance of U.S. Treasury and repo financing trades following the incident, reports from various outlets indicated disruptions to Treasury trades. The Financial Times noted that the ransomware attack prevented ICBC’s division from settling Treasury trades on behalf of other market participants.
The U.S. Treasury Department acknowledged the cybersecurity issue, stating that it is in ongoing contact with key financial sector players and regulators and is monitoring the situation closely.
ICBC clarified that its U.S. financial services arm operates independently of its China operations, ensuring that the email and business systems of its U.S. division, including the ICBC New York branch, remained unaffected. The cyberattack did not extend to the head office or other domestic and overseas affiliated institutions.
China’s Ministry of Foreign Affairs spokesperson, Wang Wenbin, remarked that ICBC is actively minimizing the impact and losses incurred, emphasizing the bank’s effective emergency response and supervision.
No entity has claimed responsibility for the ransomware attack, and ICBC has not identified the perpetrators. Tracing attackers is often difficult because hackers employ masking techniques to conceal their locations and identities.

The ransomware employed in the attack, identified as LockBit 3.0, is difficult to analyze because each instance requires a unique password. Security experts, including Marcus Murray of Truesec and sources cited by the Financial Times, pointed to LockBit 3.0 as the likely culprit, though independent verification remains pending.
LockBit, a prominent ransomware strain, operates on a “ransomware-as-a-service” model, selling its malicious software to affiliates who execute cyberattacks. The group, led by “LockBitSup” on dark web forums, operates in Russian and English, claiming to be based in the Netherlands and disavowing political motivations.
LockBit primarily targets small and medium-sized businesses and has previously claimed responsibility for attacks on entities like Boeing and the U.K.’s Royal Mail.

Notably, LockBit has faced legal consequences, with the U.S. Department of Justice charging a Russian national for deploying LockBit ransomware in numerous cyberattacks globally. The group’s extensive track record includes over 1,400 attacks, with ransom demands exceeding $100 million and substantial payments received in bitcoin.
As the investigation unfolds, the ICBC cyberattack underscores the evolving threat landscape posed by sophisticated ransomware actors like LockBit, prompting increased vigilance and cooperation within the financial sector to enhance cybersecurity defenses and respond effectively to emerging threats.








