On November 10, 2023, news emerged that the Industrial and Commercial Bank of China (ICBC) had suffered a cyber incident. One of the results of the hack was that the bank was on the line for 9 billion USD in unsettled trades.
The immediate ramifications of the attack meant that BNY Mellon was owed 9 billion USD just so that normal business could resume. It was later discovered that the cyber incident was a ransomware attack.
The ransomware gang LockBit claimed the attack; more on this later. Another immediate result of the attack was the ripples sent through the US Treasury Department. ICBC acts as a broker for hedge funds and other market participants, helping them trade Treasury securities.
While ICBC is seen as a medium-sized institution and the impacts are limited to only a few parties, the incident has caused several prominent voices to question how resilient financial institutions are when facing cybercrime.
Returning to the ransomware attack, when the threat actors initiated the final encryption process, they effectively blocked ICBC staff from accessing their IT systems. As mentioned, the bank owes 9 billion USD in unsettled trades.
The Chinese bank had to quickly inject capital into the system to cover the 9 billion USD. During a meeting organized by the Securities Industry and Financial Markets Association (SIFMA), ICBC representatives said that they had hired a cybersecurity firm to assess its systems and ensure that they are safe, three sources familiar with the matter said.
Further, ICBC said it hoped to have the work done as soon as the weekend following the attack, though it was noted that it could take longer, given the complexity of the task. The sources said ICBC also told market participants about the capital injection but did not disclose the amount or the reason for it.
Speaking to Reuters, Jack McIntyre, a fixed-income portfolio manager at Brandywine, said,
These cyberattacks are scary… The good news would be that I guarantee you primary dealers are having (a) discussion to make sure this cannot happen to them. I'm sure everybody's doing a deep dive on their security systems.
As to why attacks on the financial sector are scary, in a separate news article by Reuters, journalists noted,
When ICBC's trades got stuck, it became BNY Mellon's issue, too, since it is the sole settlement agent for Treasury securities. The bank played a crucial role in helping sort through the mess, deploying a manual process to clear trades one by one, the market participants said…ICBC's inability to access its systems meant securities from the Chinese firm's repo trades were getting delivered to BNY for settlement, but no cash was coming in from the broker-dealer, one of the sources said.
In effect, BNY was lending ICBC cash secured by Treasuries; any delay by the bank in providing capital to cover the shortfall could have had dire ramifications for the financial market as a whole. Fortunately, the matter was resolved quickly and without fallout impacting the markets.
LockBit's Crime Spree
The first instances of LockBit attacks were discovered in 2020. Soon, they became one of the major ransomware gangs and a scourge in the corporate world.
The gang primarily targets organizations in North America, with 1,700 organizations experiencing a LockBit attack since the gang's founding. Not only is ICBC a recent victim, but so is Boeing.
On November 10, 2023, news emerged that LockBit had released data stolen from Boeing during a ransomware attack to the public. According to LockBit affiliates, the data stolen would be released should Boeing not pay the ransom by November 2.
Boeing stated the following regarding the matter,
We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems. We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate.
At the time of the information's release, it could not be independently verified, but much of the data dates back to October. Over the last three years, LockBit has developed quite a reputation for targeting large corporations.
Experts have attributed much of LockBit's success to its use of affiliates. These are individuals who use ransomware to infect victims. Affiliates will often handle the initial compromise of a victim, the stealing of data, and the encryption of data.
This is done for the lion's share of the proceeds, while the malware developers and gang admins take a smaller percentage. LockBit has managed to attract highly skilled affiliates, which has contributed to the ransomware's success.