A recent ransomware attack on Industrial & Commercial Bank of China Ltd. (ICBC) demonstrates that cyber criminals are not entirely ignoring major Chinese businesses, and that the largest banks in the world can still fall victim to them.
In this case, it appears that the hackers targeted the US unit of ICBC. Reporting from security researchers indicates that this may have followed on from the discovery of an internet-facing server sporting a known Citrix bug. Trading has been disrupted as the bank quickly pulled systems offline to contain damage and is gradually restoring function.
ICBC attributes ransomware attack to LockBit, negotiations may be underway
ICBC has publicly named LockBit as the source of the ransomware attack, but the group has not yet posted any information about it to the dark web. This suggests that negotiations may be underway, as LockBit is known to dump stolen data if not paid (as it just recently did following its October breach of Boeing).
The hacking group has become both one of the world’s largest and one of the longest-lived, first spotted in action at the beginning of 2020. The highly skilled hackers have racked up thousands of victims around the world to date, including a similar financial industry breach of ION Trading that also disrupted markets.
Some security researchers believe that the Citrix Bleed bug, which has already been responsible for multiple breaches and ransomware attacks since August, is what opened the doors to the world’s largest bank for LockBit. A vulnerable ICBC Citrix server was spotted online just days before the US branch’s ransomware attack.
Couriers called in to keep trades going at world’s largest bank
ICBC’s Manhattan operation temporarily had to revert to using manual couriers to complete all trades toward the end of last week, a throwback for the world’s largest bank to half a century ago when firms would hire hundreds of people just to process all of the in-person paperwork associated with trades.
ICBC has said that it is consulting with China’s Ministry of State Security about protecting other business units in the wake of the ransomware attack, and US authorities have also been notified about the incident. Right now, only the US branch of ICBC has been compromised. The bank operates in numerous countries around the world and collectively holds the largest amount of assets of anyone in the financial industry, but the US operation specifically is not among the biggest banks in the country and has only a relative handful of locations.
ICBC has said in recent months that it has a renewed focus on cybersecurity given the movement of so much customer activity to online banking and digital platforms. Ransomware groups tend to steer clear of large Chinese companies even when they are as flush with cash as the world’s largest bank, simply because they want cryptocurrency payments for a smooth getaway and Chinese companies are forbidden by the government from dealing in crypto. It is unclear if ICBC’s US branch or other foreign branches would have any latitude to consider making such a payment.
While the ransomware attack proved to be a major inconvenience for at least several days, Treasury Secretary Janet Yellen has said that it had only a minimal disruptive impact on the overall market.