In a shocking turn of events, the U.S. financial services division of the Industrial and Commercial Bank of China (ICBC) fell victim to a sophisticated cyberattack, causing disruptions in the trading of Treasurys. The world’s largest lender by assets, ICBC, revealed on Thursday that its financial services arm, ICBC Financial Services, had experienced a ransomware attack that led to disruptions in certain systems.
Immediately responding to the breach, ICBC took swift action by isolating the affected systems to contain the incident. Ransomware attacks involve hackers taking control of systems and demanding a ransom for their release, a menace that has surged in popularity among cybercriminals in recent years.
While the Chinese bank did not disclose the identity of the attackers, it assured the public that a thorough investigation was underway, with recovery efforts being actively pursued by a team of information security experts. ICBC has also engaged with law enforcement agencies to address the issue.
Despite ICBC claiming the successful clearance of U.S. Treasury trades executed on Wednesday and repo financing trades on Thursday, several news outlets reported disruptions to Treasury trades. The Financial Times, citing traders and banks, noted that the ransomware attack prevented ICBC’s division from settling Treasury trades on behalf of other market participants.
The U.S. Treasury Department responded to the situation, stating, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.”
ICBC emphasized that the email and business systems of its U.S. financial services arm operate independently from its China operations. The cyberattack did not affect the systems of its head office, the ICBC New York branch, and other domestic and overseas affiliated institutions.
The Chinese government weighed in on the matter through Wang Wenbin, spokesperson for China’s Ministry of Foreign Affairs. Wenbin stated that ICBC is actively working to minimize the impact and losses caused by the attack, commending the bank’s handling of the emergency response and supervision.
The identity of the attackers remains unknown, a common challenge in the cybersecurity realm where hackers employ techniques to mask their locations and identities. However, cybersecurity experts have identified the ransomware used in the attack as LockBit 3.0. Marcus Murray, founder of Swedish cybersecurity firm Truesec, revealed that sources related to Truesec confirmed the use of LockBit 3.0, a claim also supported by information from The Financial Times.
LockBit 3.0, a highly evasive and modular ransomware, poses a challenge for cybersecurity researchers due to its unique password requirements for each instance. The U.S. government’s Cybersecurity and Infrastructure Security Agency describes LockBit 3.0 as “more modular and evasive,” making detection difficult.
LockBit, the group behind the ransomware, operates on a “ransomware-as-a-service” business model. This means that it sells its malicious software to other hackers, known as affiliates, who then carry out cyberattacks on its behalf. The leader of the group, known as “LockBitSup” on dark web hacking forums, claims the group is located in the Netherlands and is not politically motivated, according to Flashpoint, a cybersecurity firm.
As ICBC works diligently to recover from this cyberattack, the incident highlights the ongoing challenges and threats faced by financial institutions in the increasingly complex and perilous landscape of cybersecurity.
(Source: Arjun Kharpal | CNBC | Costas Mourselas | Kate Duguid | Joshua Franklin | Hannah Murphy | Financial Times)
