A notorious criminal hacking gang said to have ties to Russia is believed to be behind a cyber attack on the US unit of the Industrial and Commercial Bank of China (ICBC) – news that sent a shockwave through banks worldwide.
Ransomware experts and analysts said Lockbit, an aggressive and prolific cyber gang accused of targeting hundreds of US firms, was thought to be responsible for the hack, which disrupted US Treasury trades on Thursday.
ICBC is reportedly the latest in a string of victims of the group’s hackers, who lock up an organisation’s systems in such attacks and demand ransom for unlocking it. They also steal sensitive data for extortion and allegedly struck US aviation giant Boeing just last month.
ICBC Financial Services, the US unit of China’s largest commercial lender by assets, said it was investigating the attack that disrupted some of its systems, and making progress toward recovering from it.
While Lockbit is believed to be behind the hack, the gang’s dark-web-site where it typically posts names of its victims did not mention ICBC as a victim as of Thursday evening. Lockbit did not respond to a request for comment sent via a contact address posted on its site.
“We don’t often see a bank this large get hit with this disruptive of a ransomware attack,” Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future, said.
Liska, who also believes Lockbit was behind the hack, said ransomware gangs may not name and shame their victims when they are negotiating with them on the ransom demand.
“This attack continues a trend of increasing brazenness by ransomware groups,” he said. “With no fear of repercussions, ransomware groups feel no target is off limits.”
Ransomware attacks are said to have shot up this year. Research firm Chainalysis said recently it has recorded nearly $500 million in ransom payments through the end of September, close to 50% more than the same period in 2022.
Hundreds of companies hit in all sectors every year
US authorities have struggled to curb a rash of cybercrime, chiefly ransomware actors, who hit hundreds of companies in nearly every industry annually.
Just last week US officials said they were working on curtailing the funding routes of ransomware gangs by improving information-sharing on such criminals across a 40-country alliance.
The ICBC did not comment on whether Lockbit was behind the hack. It is common for victim organisations to refrain from publicly disclosing the names of cybercrime gangs.
Since Lockbit was discovered in 2020, the group has hit 1,700 US organizations, according to the US Cybersecurity and Infrastructure Security Agency (CISA). Last month it threatened Boeing with a leak of sensitive data it said it had found by breaching the company.
A CISA spokesperson referred questions about the ICBC hack to the US Treasury Department.
Market sources said the impact of the hack appeared limited, but it signalled how vulnerable systems at large organizations such as the bank continue to be to cyber hackers.
Thursday’s incident is likely to raise questions over market participants’ cybersecurity controls and draw regulatory scrutiny.
ICBC said it had successfully cleared Treasury trades executed on Wednesday and repurchase agreements (repo) financing trades done on Thursday.
“In general, the event had a limited impact on the market,” said Scott Skrym, executive vice president for fixed income and repo at broker-dealer Curvature Securities.
Some market participants said trades going through ICBC were not settled due to the attack and affected market liquidity. It was not clear whether this contributed to the weak outcome of a 30-year bond auction on Thursday.
“There could have been maybe some technical issues with some participants not being able to access the market fully on the day,” said Michael Gladchun, associate portfolio manager, core plus fixed income, at Loomis Sayles.
The Financial Times reported earlier on Thursday that the US Securities Industry and Financial Markets Association (SIFMA) told members that ICBC had been hit by ransomware that disrupted the US Treasury market by preventing it from settling trades on behalf of other market players.
“We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation,” a Treasury spokesperson said in a response to a question about the FT report. SIFMA declined to comment.
The Treasury market appeared to be functioning normally on Thursday, according to LSEG data.
- Reuters with additional editing by Jim Pollard
NOTE: There were minor edits to this report on November 10. 2023.