image

World's Largest Bank Discloses Crippling Ransomware Attack

The ransomware attack caused the US arm of the Industrial and Commercial Bank of China (ICBC) to resort to unconventional USB stick transactions.

China’s largest bank, the Industrial and Commercial Bank of China (ICBC), has reportedly become a victim of a ransomware attack. The ICBC is the world’s largest bank in terms of assets. According to Bloomberg, the Russia-linked LockBit ransomware gang is responsible for the attack.

This gang offers ransomware-as-a-service and has been involved in many incidents targeting high-profile organizations, including the IT giant AccentureBoeingBangkok Airways, the UK’s Royal Mail, German firm Continental, etc.

Ironically, the cyberattack on ICBC occurred just a week after the US announced an alliance of 40 countries to combat ransomware threats, emphasizing a stance against paying ransom to threat actors.

It is worth noting that the US trading arm of the ICBC has been targeted in the attack, forcing it to conduct trades within Manhattan through messengers carrying USB flash drives. The incident recalls the events of 2018 when employees at two municipalities in Alaska were forced to resort to using typewriters following a massive ransomware attack.

A message was posted on the ICBC Financial Services website, revealing that its systems were disrupted on 8 November 2023. The bank intends to conduct a thorough investigation to determine the root cause of the security incident. Relevant authorities have been informed as well.

After the attack, the bank could not clear pending US Treasury trades because the concerned entities got disconnected from the impacted systems, forcing the bank to send them settlement details via USB sticks. The company quickly isolated the systems from ICBS’s head office. However, the bank’s overseas units weren’t impacted.

It is suspected that the attackers may have exploited the Citrix Bleed vulnerability (CVE-2023-4966). Security researcher Kevin Beaumont states that the ICBC may not have patched the flaw in its Citrix NetScaler Gateway appliance.

 

A patch for the flaw was released by Citrix last month. It is a serious vulnerability, given that hackers/ransomware gangs can easily exploit it to bypass authentication and break into corporate systems. This vulnerability has been exploited several times recently in attacks against unpatched government and corporate networks.

According to Bloomberg’s report, the incident has disrupted the US Treasury market. A statement from the Securities Industry and Financial Markets Association on Thursday revealed that the bank was targeted by ransomware software, preventing it from settling treasury trades on behalf of other market participants, which can drastically impact US Treasuries’ liquidity.

Regarding this incident, KnowBe4’s Data-Driven Defense Evangelist, Roger Grimes, shared with Hackread.com that such incidents can financially benefit the perpetrators.

“Incidents like this, where there’s “real” money involved, often don’t work out long-term for the ransomware gang involved. The authorities not only get involved but there’s big pressure for people to be arrested and the gang shut down.”

“I’m surprised the ransomware gang went ahead with the exploitation. Perhaps they didn’t realize what they had and what they would be interrupting. But the Chinese certainly have their own great hackers they can use as an offensive resource, and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases,” Grimes noted.

The incident highlights the growing risk of cyberattacks on financial institutions, and the importance of having robust cybersecurity measures in place.