On November 8, 2023, the Industrial and Commercial Bank of China (ICBC)’s Financial Services (FS) division in New York City fell victim to a ransomware attack that disrupted specific systems within the division.
In response, ICBC FS promptly isolated the affected systems to contain the incident. The extent of the attack was severe, impacting not only financial service systems but also corporate email services, forcing employees to switch to Google Mail.
The fallout continued on November 9, 2023, as the ransomware attack rippled through the US Treasury markets. Traders faced challenges placing or clearing trades through ICBC, receiving emergency notices about connectivity issues. This blackout resulted in a temporary $9 billion debt to BNY Mellon, significantly exceeding ICBC Financial Services’ net capital. ICBC’s parent company in China injected cash to repay BNY Mellon and facilitated manual processing of trades in collaboration with the custody bank.
On November 10, 2023, ICBC publicly confirmed the details of the attack, revealing ongoing investigations and recovery efforts. The bank successfully cleared Treasury trades executed on November 8 and repo financing trades from November 9. However, unsettled trades were reported by some market participants, impacting market liquidity.
On November 13, 2023, a representative of the LockBit ransomware gang claimed that ICBC paid a ransom. This assertion has not been independently verified, and as of November 17, 2023, ICBC had not responded to requests for comment. Since its emergence in 2019, LockBit has rapidly grown into one of the world’s most prominent ransomware threats, infamous for its aggressive tactics. The group frequently targets critical infrastructure and major corporate entities, resulting in significant operational and financial disruptions.
On November 14, 2023, ICBC’s management team flew to the United States to address the consequences of the attack.
LockBit 3.0’s Growing Profile
LockBit is a formidable threat actor known for its Ransomware-as-a-Service (RaaS) model, allowing affiliates to execute attacks using its malware in exchange for a share of the proceeds.
In the cybersecurity community, there is widespread speculation that LockBit operates with a degree of tolerance from Russian authorities as long as its attacks primarily target entities outside Russian territory. Such perceived leniency is a recurring theme across several ransomware groups.
LockBit has previously targeted various sectors within the European Union, including real estate, manufacturing, and logistics.
In 2021, LockBit targeted Irish corporation Accenture, one of Europe’s largest IT consultancy firms, demanding a $50 million ransom. Failing to pay, the group leaked vast amounts of exfiltrated data, including proprietary information from unspecified firms.
This incident is unique as it involves a major Chinese institution being targeted by an entity with potential ties to the Russian government. Both US and Chinese authorities are likely to respond with force.
Global cyberattack costs are on the rise, and coupled with the recent DP World Australia attack, this marks the second event in just two weeks with a potential impact exceeding one billion dollars.
The attackers exploited a vulnerability known as Citrix Bleed, which leaks session tokens and so lets an attacker hijack already-authenticated sessions, bypassing the login and multi-factor checks that guard them. Because the stolen tokens stay valid until the sessions themselves are terminated, hijacked sessions can persist even after the patch is applied, potentially granting future access to ICBC’s systems unless existing sessions are revoked alongside the patch.
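The post-patch caveat above is the part defenders most often miss: patching stops new token leaks but does nothing about sessions an attacker already holds. The following is an added example (not code from the article, ICBC, or Citrix) that models the two defensive steps a gateway operator would take: revoke every session established before the patch time so users must re-authenticate, and flag any session token that has been presented from more than one client address, a common indicator of session hijacking. The log format, the token and user names, the IP addresses and the patch timestamp are all constructed assumptions for illustration.

```python
"""Post-patch session hygiene check (added example, not from the article).

Models the caveat that a session-token-theft bug is not closed by a patch
alone: sessions created before the fix remain usable until they are revoked.
All session records and log lines below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Session:
    token: str
    user: str
    created: datetime
    client_ips: set = field(default_factory=set)
    valid: bool = True


# Constructed gateway access log, one request per line:
# "<iso-timestamp> <session-token> <user> <client-ip>"
SAMPLE_LOG = """\
2023-11-07T22:10:00Z tok-a1 alice 198.51.100.10
2023-11-08T01:15:00Z tok-b2 bob 198.51.100.20
2023-11-08T03:40:00Z tok-a1 alice 203.0.113.77
2023-11-08T09:00:00Z tok-c3 carol 198.51.100.30
2023-11-08T09:30:00Z tok-b2 bob 198.51.100.20
"""

# Assumed time at which the gateway was patched (hypothetical value).
PATCH_APPLIED_AT = datetime(2023, 11, 8, 8, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Rebuild session state from the access log: first sighting of a token
    is its creation time; every client IP that presents the token is recorded."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, user, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        session = sessions.get(token)
        if session is None:
            session = Session(token=token, user=user, created=when)
            sessions[token] = session
        session.client_ips.add(ip)
    return sessions


def revoke_pre_patch(sessions, patch_time):
    """Invalidate every session that existed before the patch was applied.
    Returns the sorted list of revoked tokens."""
    revoked = []
    for session in sessions.values():
        if session.valid and session.created < patch_time:
            session.valid = False
            revoked.append(session.token)
    return sorted(revoked)


def suspected_hijacks(sessions):
    """Tokens seen from more than one client address: a hijack indicator,
    since a stolen token is typically replayed from the attacker's host."""
    return sorted(t for t, s in sessions.items() if len(s.client_ips) > 1)


def authorize(sessions, token):
    """Gateway-side check a request would pass through after revocation."""
    session = sessions.get(token)
    return session is not None and session.valid


if __name__ == "__main__":
    state = parse_log(SAMPLE_LOG)
    print("suspected hijacks:", suspected_hijacks(state))
    print("revoked at patch time:", revoke_pre_patch(state, PATCH_APPLIED_AT))
    for tok in ("tok-a1", "tok-b2", "tok-c3"):
        print(tok, "allowed" if authorize(state, tok) else "rejected")
```

Run as a script, it reports `tok-a1` as a suspected hijack (the same token arrives from two addresses), revokes `tok-a1` and `tok-b2` because both predate the patch, and afterwards only `tok-c3` is still accepted. The same two steps apply to any session-token disclosure bug, not only this one.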
While ICBC’s parent company in China is not expected to face crippling financial consequences due to its swift response, the incident raises concerns about the Treasury market’s resilience and is likely to attract regulatory scrutiny. It also opens doors for international cooperation in cybersecurity enforcement. Despite historical competition in the cyber domain, the need for collaboration in this incident may establish legal precedents for a unified response between the US and China.