9 billion dollars of overdraft and trading via USB-drives

Lord777

9 billion dollars of overdraft and trading via USB drives: the American division of ICBC, the world's largest bank, was hit by a ransomware attack.

The American division of the Industrial and Commercial Bank of China (ICBC) was hit by a ransomware attack. The attackers disrupted the bank's infrastructure and caused trades to fail on the US Treasury bond market, where ICBC acts as a broker for hedge funds and other market participants.

ICBC is one of the largest financial institutions in China. In 2022, the bank's revenue was $214.7 billion.

Information about the attack appeared on November 8, but the full picture became clear only on the morning of the next day. The Securities Industry and Financial Markets Association (SIFMA), which represents the interests of many banks and investment funds, warned its members about the incident after some transactions on the US government bond market failed to clear.

After detecting the intrusion, ICBC immediately isolated the affected systems to contain the incident. To minimize damage and risk, the bank's employees switched to an alternative channel for transmitting information: transaction data was written to USB drives, which were then sent by courier.

One of the consequences of the incident was also a complete disruption of corporate email. For some time, employees were forced to communicate via Google services.

Unfortunately, despite the actions taken, unpleasant consequences could not be avoided. Because the American division of ICBC was unable to access its systems, the bank temporarily owed $9 billion to BNY Mellon for unsettled transactions. BNY Mellon, as a depository bank, is the sole settlement agent for Treasury bonds. The Industrial and Commercial Bank of China was forced to inject $9 billion into its US division so that it could pay The Bank of New York Mellon (BNY Mellon) for the unsettled transactions. ICBC has also hired a cybersecurity company to investigate the incident and help the division resume operations after the cyberattack.

What are the dangers of ransomware attacks?

Recall that in a ransomware attack, the attackers first plant malicious software in the company's IT network; it locks the systems and encrypts the information stored on them. The hackers then offer the victim the chance to pay a ransom in exchange for restoring access to the data. As a result, the company's IT infrastructure is in most cases partially or completely paralyzed. Often, the criminals first copy confidential data and then use the threat of publishing it as an additional lever of pressure on the victim.

Who hacked ICBC and how?

It should be noted that the results of the official investigation of the incident are not yet known. However, cybersecurity experts suggest that the LockBit group may be behind it. In 2023, this gang carried out several large-scale attacks on government agencies and commercial organizations, and LockBit was far ahead of other ransomware groups in terms of activity.

Cybersecurity expert Kevin Beaumont discovered a vulnerable Citrix NetScaler server in the ICBC infrastructure. This server had a known security issue, CVE-2023-4966 (CitrixBleed), which allows attackers to easily bypass authentication and gain unauthorized access to sensitive data. It is possible that this weakness was the fatal one and gave LockBit its way into the bank's systems. After Beaumont's report, ICBC took the vulnerable server offline, but it is not yet known whether this will help minimize the risk in the future.

Did ICBC pay the ransom?

A few days after the incident, it was reported that ICBC had agreed to the attackers' terms in order to save itself and preserve the stability of the market. A representative of the LockBit group told reporters that the bank had paid the ransom and the case was closed. However, this information has not been officially confirmed.

It should be noted that the authorities usually ask victims not to make contact with the criminals and not to agree to their terms, especially when it comes to paying a ransom. Most hackers demand payment in cryptocurrency, which gives them anonymity and complicates the work of law enforcement agencies.

However, some organizations still make concessions to avoid reputational risk and even greater financial losses. And if a company does not have backups of its most important files, it has no choice at all.

Market implications

Although market participants and officials say that the impact of the ICBC hack on the Treasury market was limited, the extent of that impact is still unclear. There is still some debate about the possible effect of the attack on a major Treasury bond auction on November 9.

However, according to market participants, the attack is likely to draw more attention to cyber threats against financial institutions and become a new aspect of regulatory review.

It is also possible that after the incident the Securities and Exchange Commission will decide to route more Treasury bond transactions through centralized clearing, where a third party acts as the seller for every buyer and the buyer for every seller.

Darrell Duffie, a Stanford professor of finance who studies the Treasury market and advises regulators, believes that other firms in ICBC's situation might not have enough capital to cover large shortfalls and the risk of default.

"Any default that may occur after such an event, if it cannot be centrally regulated, can set off a chain reaction of defaults," Duffie said. "This hack clearly demonstrates the benefits of broader centralized clearing, which are important for financial stability."