Ransomware attack on major Chinese lender disrupts financial markets

A suspected LockBit ransomware attack on ICBC Financial Services, the US arm of the Industrial and Commercial Bank of China (ICBC), a leading state-owned bank, disrupted activity in the US Treasury market on Thursday 9 November, allegedly forcing the bank to resort to using USB drives carried by messengers to settle trades.

One of the largest lenders in the world, state-owned ICBC books annual revenues exceeding $200bn, and in terms of market capitalisation is third only to Bank of America and JPMorgan Chase.

In a brief statement, ICBC Financial Services said: “On November 8, 2023, US Eastern Time (November 9, 2023, Beijing Time), ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems.

“Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident. ICBC FS has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts.

“ICBC FS has also reported this incident to law enforcement. We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09).”

The organisation said its business and email systems operate independently of the wider ICBC organisation so systems at its parent’s head office and other locations in China and around the world were unaffected.

A spokesperson for the US Treasury said the organisation was aware of the cyber attack and was in touch with stakeholders and regulators.

At the time of writing, the involvement of LockBit has only been confirmed by sources in contact with the Financial Times. However, the Russian-speaking ransomware crew – which famously attacked Royal Mail earlier this year – has in the past targeted financial services organisations, wreaking havoc in the City of London in February 2023 when it hit financial software firm Ion.

More recently, it attacked aviation giant Boeing, stealing data from the organisation’s parts and distribution business, and “Magic Circle” law firm Allen & Overy.

The ransomware-as-a-service (RaaS) operation is one of the world’s most prolific and profitable, and remains an “enduring threat”, according to the UK’s National Cyber Security Centre (NCSC) and its partner agencies.

Steve Stone, head of Rubrik Zero Labs, commented: “LockBit tends to target sensitive data and information for the simple reason that it holds the most value to its customers and business operations.

“Large organisations are high on professional and well-resourced groups’, like LockBit’s, hit lists. LockBit has proven its ability and willingness to purchase and leverage zero-day threats against victims… They’ve used other groups, most notably initial access brokers, on multiple past occasions to achieve this.

“With all breaches and attacks, especially where an organisation houses so many sensitive data records, it is imperative that organisations plan for ransomware encryption events and data theft or leak extortion demand situations in their resiliency efforts as we commonly see both leveraged against victims,” he said.

Precisely how the attackers were able to access ICBC’s systems has not been formally confirmed. However, security researcher and commentator Kevin Beaumont yesterday posted evidence drawn from Shodan that shows ICBC was running a Citrix NetScaler appliance that had not been patched against CVE-2023-4966.

CVE-2023-4966 is one of a pair of recently disclosed vulnerabilities in Citrix NetScaler Application Delivery Controller and NetScaler Gateway, and at the end of October, observers warned that exploitation of these vulnerabilities was ramping up.