Ransomware attack against China's largest bank.
By Tim Nodar, CyberWire senior staff writer
Nov 13, 2023

A ransomware attack against a major bank has effects on the financial services sector as a whole.

A ransomware attack hit the Industrial & Commercial Bank of China (ICBC) last week, disrupting trades in the US Treasury market, Reuters reports.

LockBit is believed to be responsible. 

The LockBit ransomware gang is believed to be behind the attack, although the gang itself hasn’t claimed responsibility. A US Treasury spokesperson told Reuters, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.” ICBC said in a notice on its website that the bank is “progressing its recovery efforts with the support of its professional team of information security experts.”

Reuters says the hack left the bank’s US broker-dealer, ICBC Financial Services, “temporarily owing BNY Mellon (BK.N) $9 billion, an amount many times larger than its net capital.” The brokerage received a cash injection from its Chinese parent to pay back BNY.

When availability is critical, pressure to settle increases.

Craig Harber, Security Evangelist at Open Systems, wrote, in emailed comments, “To date, there are no details on the attack, or a data leak site published on the dark web. Often, this lack of attack details or a ransomware gang’s taking credit for the attack strongly indicates that the victim, ICBC Financial Services, made a risk decision to pay the ransom.”

Harber sees the decision to pay or not pay as a complicated one. “The decision to pay ransomware gangs is always complex. There are many factors to consider, not the least of which is you are negotiating with a cybercriminal. There is no guarantee that even if you pay the ransom, these cybercriminals will restore systems and return stolen company data. It is best to heed law enforcement advice and not pay because doing so only encourages continued criminal activity.”

Recall that financial services count as critical infrastructure. Jon Miller, CEO and Co-founder of Halcyon, wrote that this makes them attractive targets for ransomware operators. “Critical infrastructure providers like the financial, manufacturing, healthcare and energy sectors remain top targets for ransomware operators because the pressure to quickly resolve the attacks and resume operations increases the chances victim organizations will pay the ransom demand.”

“Ransomware is a multi-billion dollar business that rivals and even exceeds many legitimate market segments,” Miller added. “We have witnessed ransomware attacks evolve from nuisance attacks with little impact on business operations and minimal ransom demands to become one of the biggest threats to businesses and our critical infrastructure with ransom demands now well into the tens of millions.”

Treating ransomware as a business risk.

Semperis CISO Jim Doggett observed that many companies still discount the threat of ransomware. “I speak to companies regularly that don’t believe they are in the crosshairs of ransomware threat actors, but they are,” he pointed out. “To better prepare for the inevitable attack, organizations should regularly review business risk, including the impact ransomware could have on their business. Even if a company reviewed business risks in October, do it again because something that wasn't obvious then might be now. And learn to prioritize. If ransomware is a greater risk than another threat, prioritize ransomware. This sounds easy but it requires fortitude to help senior management understand this approach.”

Alastair Williams, Vice President of Worldwide Systems Engineering at Skybox Security, explained some of the distinctive risks the financial sector faces. “The recent ransomware attack on the Industrial and Commercial Bank of China (ICBC) underscores the significant financial risks associated with cyber threats targeting financial services. Organizations in the financial sector are a prime target for threat actors, as they handle substantial amounts of money and sensitive personal information. As ransomware attacks continue to proliferate, financial organizations must prioritize robust security measures to protect their business continuity and customers.”

“To fortify their defenses,” Williams added, “organizations should adopt a proactive security stance against prevalent threats. When evaluating the severity of vulnerabilities, it is crucial to consider factors such as network accessibility, exposure, exploitability, and potential commercial repercussions.”

Anurag Gurtu, CPO at StrikeReady, pointed out that the threat to trading is disturbing, because it’s not easy to contain. “The disruption in U.S. Treasury trading due to the ICBC ransomware attack is particularly alarming. The U.S. Treasury market is crucial for global finance, influencing everything from mortgage rates to the cost of government borrowing. An attack that impedes this market's operations can have far-reaching consequences, including potential fluctuations in bond prices and yields. It also raises serious concerns about the security of critical financial infrastructure and the potential for ripple effects across global financial systems.”

Ransomware operators have their own risk calculus.

Roger Grimes, data-driven defense evangelist at KnowBe4, believes the ransomware gang in this case may have bitten off more than they can chew:

“Incidents like this, where there's ‘real’ money involved, often don't work out long-term for the ransomware gang involved. The authorities not only get involved, but there's big pressure for people to be arrested and the gang shut down. I'm surprised the ransomware gang went ahead with the exploitation. Perhaps they didn't realize what they had and what they would be interrupting. But the Chinese certainly have their own great hackers they can use as an offensive resource and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases.”

Different states have different cyber states of mind.

Steve Hahn, Executive VP at BullWall, notes that, while the Chinese government is itself a major cyber actor, Russia tolerates and even encourages privateering.

“China is the most prolific hacker of the US but it’s completely nation-state motivated,” Hahn wrote. “Meaning it’s the Chinese government behind it, so getting a ransom paid is not appealing to them. Stealing IP and trade secrets is, as is finding ways to hack our infrastructure and defense systems. They don’t care about the money, so you just don’t hear about it. They steal secrets or plant back doors and then move on silently, never making the news. However, I’ve seen some mind-blowing hacks from the Chinese that if the public knew would shock them to their core. Think: disabling our defense systems with a kill switch. That’s more their speed.”

The Russian cybercriminals inhabit a different world. “LockBit is a Russian speaking group. They do not attack Russian assets and it’s often speculated they are run at the top level by ex-KGB, which Putin infamously led before the Soviet Union disbanded. What is very clear is that Putin gives them diplomatic and prosecutorial cover. If he doesn’t pull the strings on this organization, then at least they are bedfellows in the ‘enemy of my enemy is my friend’ sort of way....”

Hahn concluded, “LockBit has clearly tried to impact supply chains...which at times has exacerbated our already record-breaking inflation. Their targets are primarily for financial gain but when they can hurt the US economy, they do as retaliation for our support of Ukraine. This is one of those instances where the impact to the US treasury market is substantial so you can see the motivation. However, Russia has fewer allies these days and China is far and away the most important. They may have crossed the line in attacking the World’s largest bank as Xi Jinping will not be pleased with this attack - to say the least. This could have billions of dollars’ worth of impact on global financial markets, but this impact includes China and I would not be surprised if we see another mysterious Russian airplane crash-type event with the threat actors behind this attack (like we saw with Yevgeny Prigozhin when he embarrassed Putin).”

And retailers would do well to take notice as the holiday season approaches.

(Added, 12:00 noon, September 13th, 2023.) Semperis Director of Security Research Yossi Rachman draws some lessons for the adjacent retail sector:

"The recent cyberattack on DP World will catch the attention of every retailer given the proximity to the start of the holiday shopping season. While specific details of this hack are scant and the investigation is ongoing, DP World took the precautionary step of disconnecting its network to limit potential damage, which left the company unable to import or export thousands of containers over the past several days. Today, they are still not operating at full capacity and that means massive revenue losses.

"Cyberattacks against port authorities aren’t new and cyber criminals are fully aware of the disruptions that attacks cause. In fact, during this time of year, hackers will be attacking retailers and their suppliers with a fury because, according to the National Retail Federation, holiday shopping revenues are expected to top $957 billion in the U.S. alone. Criminals also know that more retailers are likely to pay a ransom during the busy holiday season because they cannot afford any downtime.

"It is essential for retailers to know what their critical systems are (including infrastructure such as Active Directory) before attacks occur. If any retailer hasn’t taken this necessary step, it is too late for the 2023 holiday season, but that doesn’t mean they can’t start preparing now for 2024. Tabletop exercises that simulate critical systems’ recovery before an incident occurs are important. By preparing in advance, defenders can make their organizations so difficult to compromise that hackers will look for softer targets. Companies should also monitor for unauthorized changes occurring in their Active Directory environment, which threat actors use in most attacks, and have real-time visibility into changes to elevated network accounts and groups. In addition, roll out security awareness training to all employees in 2024, as the weakest link in an organization’s ecosystem is employees who unsuspectingly click on malicious links."
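Rachman's advice to watch for changes to elevated Active Directory accounts and groups maps onto a concrete detection: the Windows Security log records every addition to or removal from a security-enabled group (event IDs 4728/4732/4756 for adds and 4729/4733/4757 for removals), and a monitor only has to filter those events down to the groups that confer domain-wide privilege. The following is an added example written for this article, not code from the CyberWire, Semperis or any vendor named above. It assumes the events have already been parsed into dicts carrying the field names Windows uses in the event XML (EventID, SubjectUserName, MemberName, TargetUserName, TargetDomainName, TimeCreated); the privileged-group list, the approved change-management account and the sample events are all constructed for the demonstration.

```python
"""Flag membership changes to privileged Active Directory groups from
Windows Security event records.

Added example (not the article's or any vendor's code). Assumes events
arrive as dicts using the Windows event XML field names. The event IDs
are the documented ones for security-enabled group membership changes;
the group list, approved actors and sample events are constructed.
"""
from dataclasses import dataclass

# Security-enabled group membership events in the Windows Security log.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Groups whose membership must never change without a ticket
# (constructed list; tune to the environment).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}


@dataclass(frozen=True)
class Alert:
    time: str
    actor: str      # account that performed the change (SubjectUserName)
    action: str     # "added" or "removed"
    member: str     # CN of the affected member, or raw value if not a DN
    group: str
    reason: str


def extract_cn(distinguished_name: str) -> str:
    """Return the CN of an LDAP DN such as
    'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'.
    A non-DN value (e.g. a bare SID when the name could not be
    resolved) is returned unchanged so the alert still carries it."""
    for part in distinguished_name.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return distinguished_name


def detect_privileged_changes(events, approved_actors=frozenset()):
    """Return an Alert for every add/remove on a privileged group.
    Changes made by an approved change-management account are still
    reported (so they can be reconciled against a ticket) but labelled
    differently from changes made by anyone else."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS:
            action = "added"
        elif eid in GROUP_REMOVE_EVENTS:
            action = "removed"
        else:
            continue  # not a group membership event
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue  # ordinary group; no alert
        actor = ev.get("SubjectUserName", "<unknown>")
        reason = ("change by approved account; reconcile with ticket"
                  if actor in approved_actors
                  else "unapproved change to privileged group")
        alerts.append(Alert(
            time=ev.get("TimeCreated", ""), actor=actor, action=action,
            member=extract_cn(ev.get("MemberName", "")),
            group=group, reason=reason,
        ))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2023-11-10T08:01:12Z",   # logon, ignored
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4728, "TimeCreated": "2023-11-10T08:05:33Z",   # approved actor
     "SubjectUserName": "svc-iam", "TargetUserName": "Domain Admins",
     "TargetDomainName": "CORP",
     "MemberName": "CN=adm-jsmith,OU=Admins,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2023-11-10T23:47:09Z",   # out-of-hours, unapproved
     "SubjectUserName": "helpdesk3", "TargetUserName": "Administrators",
     "TargetDomainName": "BUILTIN",
     "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2023-11-10T09:10:00Z",   # non-privileged group
     "SubjectUserName": "helpdesk3", "TargetUserName": "Sales",
     "TargetDomainName": "CORP",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example"},
    {"EventID": 4756, "TimeCreated": "2023-11-11T02:13:45Z",   # member shown as unresolved SID
     "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins",
     "TargetDomainName": "CORP",
     "MemberName": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
]


def run_sample():
    """Run the detector over the constructed events with one approved actor."""
    return detect_privileged_changes(SAMPLE_EVENTS, approved_actors={"svc-iam"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.time} {a.actor} {a.action} {a.member} -> {a.group}: {a.reason}")
```

Two design points matter in practice. Approved actors are reported rather than suppressed, because a service account used for change management is exactly the credential an intruder would prefer to operate from, so its changes need reconciling against tickets rather than trusting on sight. And the member field is kept even when Windows logs only a SID, since an unresolvable principal in a privileged-group add is itself worth a look.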