Understanding the Ransomware Attack Fallout on China’s ICBC

On Nov. 9, the Industrial and Commercial Bank of China (ICBC) Financial Services (FS), the lender’s US arm, was hit with a ransomware attack. The attack had a wide-reaching impact, disrupting the US Treasury market. ICBC FS has been investigating and working through recovery efforts, according to a notice on its website.

The attack is being attributed to LockBit, and Reuters reports that cybercrime gang claims ICBC made a ransom payment. What does the fallout of this ransomware attack look like thus far?

A Citrix Vulnerability

The ICBC FS ransomware attack is linked to a Citrix vulnerability referred to as “CitrixBleed.” In October, the cloud computing company released a security bulletin on two vulnerabilities CVE-2023-4966 and CVE-2023-4967, which impacted Citrix NetScaler ADC and NetScaler Gateway. Citrix urges customers to install updated versions of the NetScaler ADC and NetScaler Gateway in the security bulletin.

Exploitation of CitrixBleed has impacted other major organizations, including logistics firm DP World, law firm Allen & Overy, and Boeing, according to TechCrunch. LockBit published Boeing on its site on Oct. 27, according to Bleeping Computer. The cybercrime leaked more than 43GB of stolen data following the aerospace company’s refusal to pay the demanded ransom.

Related:International Operation Dismantles Ragnar Locker Ransomware Group

Thousands of organizations have yet to patch the vulnerability, which suggests threat actors like LockBit could continue to take advantage of the bug.

“The reminder is that even large, what we would assume are completely secure, institutions can fall victims to cybercriminals,” says Craig Jones, vice president of security operations at Ontinue, a managed extended detection and response provider. 

While some victims, like Boeing, refuse to pay, LockBit has successfully extorted ransoms from others. The group was first observed in the US in January 2020, and since then, the group has raked in $91 million in US ransom payments, according to the Cybersecurity and Infrastructure Security Agency (CISA).

ICBC FS reportedly paid LockBit the demanded ransom. The bank did not immediately respond to InformationWeek’s request for comment.

“ICBC been quite quiet about the attack. We heard from the threat actor that ICBC had paid, and one thing I would always implore organizations to do is to be as open as they can about the ransomware attack as it happens,” says Jones.

A Ripple Effect

Ransomware attacks have direct consequences to victims: lost revenue, reputational damage, and regulatory scrutiny among the principal damage. But the increasingly interconnected nature of business operations and financial systems means that ransomware can have a ripple effect. The target organization is not the only one impacted.

Related:LockBit Redux: Ransomware Gang Demands $80M, Leaks CDW Data

The effects of the ICBC FS ransomware attack were felt on an international scale. The attack disrupted the US Treasury market, preventing it from settling trades for other market players. “We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09),” according to the notice on the ICBC FS website.

This kind of ripple effect is not likely to be unique. Threat actors will continue to target financial institutions, and a single successful attack could be felt on a global level.

“Attacks targeting systemically important financial institutions or infrastructure in major economies like the US, EU, China, etc., could have cascading effects worldwide if they disable banking operations, undermining trust and stability,” Nick Edwards, vice president at browser security provider Menlo Security, tells InformationWeek via email. “Attacks that tamper with transaction ledgers or systems that settle trades could cause massive disruption to flows of global finance and commerce.”

Such widespread impact demonstrated by the ICBC ransomware attack and the potential for similar largescale disruption stemming from future attacks could capture the attention of regulators.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

“It’s probably going to lead us to more stringent cybersecurity requirements for financial institutions,” Jones anticipates. “I do think that will probably have a ripple effect to smaller businesses that maybe are suppliers to financial institutions.”

An Expanding Attack Surface

Third-party risk and supply chain vulnerability are significant contributions to the growing attack surface. Banks are typically thought of as some of the most secure organizations, but they rely on third-party tools to conduct business. A vulnerability, like CitrixBleed, or a new zero day could result in another ransomware attack like the one executed against ICBC.

Jim Doggett, CISO of Semperis, an active directory security and recovery platform, stresses the importance of understanding the risk of ransomware and prioritizing resilience.

“Yes, it hurts if someone breaks into our company and they steal data that’s important to us, but the concept that they can break in and shut us down is a whole different level of risk,” he says. “I think that requires us as CISOs to step back and reevaluate: What is our risk model?”

This kind of risk often transcends borders. Cybersecurity incidents that kick off global financial issues require international cooperation. “Threat intelligence sharing and coordinated policy efforts help everyone raise the baseline,” says Edwards.

While international cooperation is vital, rising geopolitical tensions call into question how interconnected systems could be targeted by nation states to cause harm. “I absolutely think that’s another vector that we’ve got to consider in the future: What if China wishes to do harm to us?” says Doggett.

Cyberattacks against financial instructions threaten markets, liquidity, and economic stability, but Edwards points out that there is hope for the future. “The global financial system has proven resilient, and cybersecurity is improving, so I would not assume catastrophic outcomes as inevitable. However, risks are real and should be addressed through continuous security enhancement and cooperation.”