LockBit on a Roll – ICBC Ransomware Attack Strikes at the Heart of the Global Financial Order

The LockBit ransomware attack on the Industrial & Commercial Bank of China demonstrates the vulnerability of the global financial system to cyberattacks.

The ransomware breach that crippled U.S. Treasury trading operations at an American subsidiary of Industrial & Commercial Bank of China Ltd. on November 8 has laid bare the vulnerability of the global financial system to cyberattacks. The LockBit ransomware group claimed responsibility for the attack against ICBC, the largest lender in the world by assets, with $5.7 trillion under management. This ominous cyber-event sent shockwaves through the $26 trillion U.S. Treasury market.

According to the report released by Resecurity, a Los Angeles-based company protecting Fortune 500 companies and governments worldwide, the attack against ICBC may be a precursor to significant malicious cyber activity against the global financial system. The experts called it ‘prepositioning’ intended to analyze the response from financial organizations globally and the reaction of the market.

LockBit specifically targeted ICBC Financial Services (ICBC FS), a wholly owned U.S. subsidiary of the state-owned lender, which plays a critical role in the world of international finance. “ICBC FS primarily engages in providing global clearing, execution and financing services to institutional clients,” according to credit-rating agency Fitch Ratings. The Financial Times reported that this ICBC unit is an “intermediary for governments, hedge funds, and proprietary traders wanting to buy and sell U.S. debt.”

According to the Treasury, the LockBit attack exploited a known vulnerability in the Citrix NetScaler product suite. The ransomware disruption temporarily prevented bank employees from accessing their corporate email accounts and connecting to the Depository Trust and Clearing Corporation to resolve large batches of U.S. Treasury trades. Bundled in this trade backlog were systemically vital repurchase agreement (repo) transactions.


Pierluigi Paganini
