ICBC Hack Raises Questions As To US Treasury Cyber Readiness

On November 10, 2023, news emerged that the Industrial and Commercial Bank of China (ICBC) had suffered a cyber incident. One of the results of the hack was that the bank was on the line for 9 billion USD in unsettled trades.

The immediate ramifications of the attack meant that BNY Mellon was owed 9 billion USD just so that normal business could resume. It was later discovered that the cyber incident was a ransomware attack.

ICBC Hack Raises Questions As To US Treasury Cyber Readiness

The ransomware gang LockBit claimed the attack; more on this later. Another immediate result of the attack was the ripples sent through the US Treasury Department. ICBC acts as a broker for hedge funds and other market participants, helping them trade in the securities.

While ICBC is seen as a medium-sized institution and the impacts are limited to only a few parties, the incident has caused several prominent voices to question how resilient financial institutions are when facing cybercrime.

Returning to the ransomware attack, when the threat actors initiated the final encryption process, they effectively blocked ICBC staff from accessing their IT systems. As mentioned, the bank owes 9 billion USD in unsettled trades.

The Chinese bank had to quickly inject capital into the system to cover the 9 billion USD. During a meeting organized by the Securities Industry and Financial Markets Association (SIFMA), ICBC representatives said that they had hired a cybersecurity firm to assess to ensure that its systems are safe, three sources familiar with the matter said.

Further, ICBC said it hopes to be done as soon as the weekend following the attack. It was noted that it could take longer, given the complexity of the task. The sources said they also told market participants about the capital injection but did not disclose the amount or the reason for it.

Speaking to Reuters, Jack McIntyre, a fixed-income portfolio manager at Brandywine, said,

These cyberattacks are scary…he good news would be that I guarantee you primary dealers are having (a) discussion to make sure this cannot happen to them. I'm sure everybody's doing a deep dive on their security systems.

As to why attacks on the financial sector are scary, in a separate news article by Reuters, journalists noted,

When ICBC's trades got stuck, it became BNY Mellon's issue, too, since it is the sole settlement agent for Treasury securities. The bank played a crucial role in helping sort through the mess, deploying a manual process to clear trades one by one, the market participants said…ICBC's inability to access its systems meant securities from the Chinese firm's repo trades were getting delivered to BNY for settlement, but no cash was coming in from the broker-dealer, one of the sources said.

This meant that the reality was that BNY was loaning ICBC the cash secured by Treasuries; any delay in providing capital by the bank to cover the shortfall could have had dire ramifications for the financial market as a whole. Fortunately, the matter was resolved quickly and without fallout impacting the markets.

LockBit's Crime Spree

The first instances of LockBit attacks were discovered in 2020. Soon, they became one of the major ransomware gangs and a scourge in the corporate world.

The gang primarily targets organizations in North America, with 1,700 organizations experiencing a LockBit attack since the gang's founding. Not only is ICBC a recent victim, but so is Boeing.

On November 10, 2023, news emerged that LockBit had released data stolen from Boeing during a ransomware attack to the public. According to LockBit affiliates, the data stolen would be released should Boeing not pay the ransom by November 2.

Boeing stated the following regarding the matter,

We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems. We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate.

At the time of the information's release, it could not be independently verified, but much of the data dates back to October. Over the last three years, LockBit has developed quite a reputation for targeting large corporations.

Experts have attributed much of LockBit's success to its use of affiliates. These are individuals who use ransomware to infect victims. Affiliates will often handle the initial compromise of a victim, the stealing of data, and the encryption of data.

This is done for the lion's share of the proceeds, while the malware developers and gang admins take a smaller percentage. LockBit has managed to attract highly skilled affiliates that have affected the ransomware's success.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal