US Treasury trades disrupted by ransomware attack on China’s biggest bank

Yesterday, reports confirmed that the US arm of banking giant the Industrial and Commercial Bank of China (ICBC) was hit by ransomware that disrupted trades in the US Treasury markets.
ICBC Financial Services, the US unit of China's largest commercial lender by assets, said some of its systems were disrupted and that it is making progress toward recovering from the incident. The incident has yet to appear on a leak site, and it is unclear whether any data was stolen.

“ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” China's foreign ministry spokesperson Wang Wenbin said today.

While some market participants said trades going through ICBC were not settled, the bank said it had successfully cleared Treasury trades executed on Wednesday and repurchase agreements financing trades done on Thursday.

There's a lot of commentary about this. Let's start with Steve Hahn, Executive VP at BullWall:

“China is the most prolific hacker of the US but it's completely nation-state motivated. Meaning it's the Chinese government behind it, so getting a ransom paid is not appealing to them. Stealing IP and trade secrets is, as is finding ways to hack our infrastructure and defense systems. They don't care about the money, so you just don't hear about it. They steal secrets or plant back doors and then move on silently, never making the news. However, I've seen some mind-blowing hacks from the Chinese that, if the public knew, would shock them to their core. Think: disabling our defense systems with a kill switch. That's more their speed.

   “LockBit is a Russian-speaking group. They do not attack Russian assets and it's often speculated they are run at the top level by ex-KGB, which Putin infamously led before the Soviet Union disbanded. What is very clear is that Putin gives them diplomatic and prosecutory cover. If he doesn't pull the strings on this organization, then at least they are bedfellows in the “enemy of my enemy is my friend” sort of way.

   “LockBit has ransomed close to 2,000 companies in recent years, making them the most prolific operators, and they are one of the main drivers of why successful ransomware attacks have doubled over the last two years. On top of this, they are taking down GIANTS in Aerospace, Infrastructure, Banking and Government – companies who spend tens of millions of dollars on prevention technologies. LockBit slowly and methodically circumvents these prevention technologies, and even uses the good guys' tools against them to extract admin-level credentials. Once they have admin credentials, they have the keys to the kingdom. They can disable security tools, create whitelists for their applications and exfiltrate data to their hearts' content. These large companies may spend $10s, even $100s of millions on security but they are no match for a threat actor who rakes in billions. For even the largest companies, it's not a matter of “if” but “when” they'll be hit, and companies big and small have to be thinking about how to contain these events quickly, how to recover quickly and how they respond. Prevention can never be 100% effective, 100% of the time.

   “LockBit has clearly tried to impact supply chains as well, which at times has exacerbated our already record-breaking inflation. Their targets are primarily for financial gain, but when they can hurt the US economy, they do, as retaliation for our support of Ukraine. This is one of those instances where the impact to the US Treasury market is substantial, so you can see the motivation. However, Russia has fewer allies these days and China is far and away the most important. They may have crossed the line in attacking the world's largest bank, as Xi Jinping will not be pleased with this attack – to say the least. This could have billions of dollars' worth of impact on global financial markets, but this impact includes China, and I would not be surprised if we see another mysterious Russian airplane crash-type event with the threat actors behind this attack (like we saw with Yevgeny Prigozhin when he embarrassed Putin).”

Jason Keirstead, VP of Collective Threat Defense at Cyware, follows with this:

   “Despite a wide volume of available knowledge about the techniques used in the malware, LockBit Black continues to wreak havoc globally. We recommend leveraging CISA’s resources and advice to guard against LockBit (available at The widespread prevalence of this particular strain of ransomware further emphasizes the need for rapid industry adoption of a collective defense posture, so that enterprises do not need to re-invent defenses that have already been developed and deployed by their industry peers.

   “LockBit is a Ransomware-as-a-Service (RaaS) group that uses independent affiliates to deploy their ransomware in exchange for various forms of commission. Affiliates may use classic techniques like spear-phishing or remote vulnerability exploitation, but they are also increasingly simply recruited as employees of the victim companies, paid to purposefully deploy the software either on their personal device or on an internal asset that they have access to.

   “Ransomware is a financially motivated criminal activity that does not know or respect borders. While ransomware groups can sometimes be attributed to geographical regions, it is not always true that a group can operate with impunity from regional law enforcement. One such example is REvil which was a Russian ransomware gang eventually dismantled by the Russian FSS. LockBit in particular claims to be based in the Netherlands. This further emphasizes why industry needs to improve all forms of collaboration in cybersecurity – we are all trying to defend against similar – and in many cases, identical – adversaries. Enterprises should not be going it alone. They should be collaborating with their peers in ISACs and ISAOs, and working toward true collective defense.”

Stephen Gates, Principal Security SME, adds this:

   “The latest string of ransom-based attacks impacting every type and size of organization worldwide is not the opportunistic type of endpoint-targeting, malware-based attacks from the previous decade. These attacks are much different in nature because they have an enterprise-wide focus in mind.

   “In these attacks, extortionists have figured out a way to monetize the persistent footholds they maintain within the bowels of a network. These are 100% human-operated attacks that most often begin with low-level credential theft. Once they're in a network, attackers land and expand, pivot, then move laterally, and eventually find the data, exfiltrate the data, prove they have the data, break into critical systems, and most often take over the entire environment (e.g., full domain compromise). That is why there are new movements beginning to surface whereby commercial and public sector entities are being called upon to continuously assess themselves.

   “This is not being recommended so they can tick a checkbox or find an overabundance of low-level, non-exploitable vulnerabilities in their networks. This is being done so organizations can find their weaknesses that are completely exploitable. Organizations are now looking to autonomous systems to safely peruse their networks just like any attacker would. These systems use the same tactics, techniques, and procedures attackers use, and their sole purpose is to help organizations see their networks through the eyes of an attacker. Autonomous systems tirelessly attack every single endpoint, reach out to cloud instances looking for weaknesses there, and in nearly every case are able to find a previously unknown, yet completely exploitable, weakness that would lead to domain compromise.”

Craig Harber, Security Evangelist at Open Systems, has this to say:

   “Every week, there is another report of a ransomware attack targeting the industrial sector. It raises many questions about these companies’ resiliency and readiness to operate in today’s hostile environment where ransomware gangs seem to have the upper hand. Companies must make the necessary cybersecurity investments to protect their critical systems and sensitive data.

   “The latest victim is ICBC Financial Services. Reports indicate the ransomware attack disrupted trades in the U.S. Treasury market this week. To date, there are no details on the attack, or a data leak site published on the dark web. Often, this lack of attack details or of a ransomware gang taking credit for the attack strongly indicates that the victim, ICBC Financial Services, made a risk decision to pay the ransom.

   “The decision to pay ransomware gangs is always complex. There are many factors to consider, not the least of which is you are negotiating with a cybercriminal. There is no guarantee that even if you pay the ransom, these cybercriminals will restore systems and return stolen company data. It is best to heed law enforcement advice and not pay because doing so only encourages continued criminal activity.”

This example illustrates how devastating a ransomware attack can be. It also illustrates why prevention, together with swift detection and remediation, is so important: that way you are never in the position of having to consider paying the ransom, which, for the record, you should never do, as crime should never pay.

UPDATE: I got additional commentary from Anurag Gurtu, CPO, StrikeReady, on this:

The ransomware attack on the Industrial & Commercial Bank of China (ICBC) stands as a significant event in the landscape of cyber threats, particularly given the scale and impact of the incident.

Ransomware attacks on large financial institutions like major banks have been relatively rare compared to other sectors, such as healthcare or education. This rarity is partly due to the robust cybersecurity measures typically employed by these institutions. However, the ICBC incident marks a concerning escalation, indicating that even the most fortified entities are not immune. While the focus in recent times has been on sectors like hospitality and entertainment, with incidents like the MGM Casino attack, the breach at ICBC underscores a potential shift in target preference by cybercriminals.

The disruption in U.S. Treasury trading due to the ICBC ransomware attack is particularly alarming. The U.S. Treasury market is crucial for global finance, influencing everything from mortgage rates to the cost of government borrowing. An attack that impedes this market’s operations can have far-reaching consequences, including potential fluctuations in bond prices and yields. It also raises serious concerns about the security of critical financial infrastructure and the potential for ripple effects across global financial systems.

This attack serves as a stark reminder of the evolving nature of cyber threats and the need for continuous vigilance and investment in cybersecurity measures, especially for institutions integral to global financial stability. It highlights the need for enhanced cross-border cooperation in cyber defense and more robust contingency planning for such critical sectors.
