Experts told CNN that a ransomware attack on a US branch of the influential Industrial and Commercial Bank of China, which may have played a role in the short-lived sell-off of the market on Thursday, marked a significant uptick in the activity of cybercriminals and demonstrated how major hacks can cause business disruptions for even the most well-resourced organisations.
Senior US and Chinese officials, as well as regulators, expressed alarm about the occurrence right once. It sparked a rush of behind-the-scenes communication regarding the threat with the impacted bank and the whole financial industry.
Big banks from all over the world make up the industry group FS-ISAC, which is responsible for exchanging cyberthreat intelligence. A representative for the group told CNN on Friday that the group has been providing data on the attack to its members and reminding them “to stay current on all protective measures and patch critical vulnerabilities immediately.”
The official described intelligence sharing on hacks such as these as “critical,” considering the possibility of causing disruptions to system availability.
The financial industry, and its major banks in particular, has long been regarded as one of the more resilient economic sectors in the world against cyberattacks. However, the threat posed by ransomware has affected almost every industry and presented new difficulties for financial institutions’ cyber defences.
According to Jon Miller, CEO of US cybersecurity company Halcyon, “even sectors like financial and banking, which typically have the most mature security programmes, are not going to be able to defend against a determined and well-resourced threat actor because of the combination of advanced [hacking] techniques and security solutions that were not designed to address ransomware specifically.”
The hackers targeted ICBC Financial Services, a Chinese state-owned company with headquarters in New York and a subsidiary of the largest bank in the world by assets. The bank claimed in a statement on Thursday that was still available on its website as of Friday afternoon that the recovery was still in progress.
The statement read, “We successfully cleared [repurchase agreements] financing trades done on Thursday and US Treasury trades executed on Wednesday.”
CNN contacted ICBC Financial Services on Friday, but they did not provide a statement.
The ICBC subsidiary’s restoration to regular business operations may take several days, according to a Friday report from Reuters. The wire agency stated that as a result of the intrusion, at least one bank, BNY Mellon, was manually settling trades of Treasury securities with the ICBC.
A person with knowledge of the situation told CNN that ICBC Financial is not now linked to BNY Mellon’s Treasury settlement platform as a result of the breach. The insider said that BNY Mellon is assisting ICBC Financial in manually processing its Treasury deals.
A top cybersecurity officer at a major US financial institution told CNN, “We’ve been tracking [the ransomware attack on the ICBC subsidiary] for a couple of days now.” Speaking under anonymity due to their lack of authorization to address the media, the executive stated, “We’re looking at the response and the broader impact given ICBC’s size and role in the global financial sector.”
The ransomware assault was attributed to LockBit, a well-known cybercriminal gang, on Friday. Although some of LockBit’s members speak Russian, the group also has “affiliates,” or criminal partners, spread across several nations who rent out the ransomware and utilise it in assaults. According to cybersecurity experts, one of those affiliates is situated in China.
Which LockBit affiliate executed the hack is unknown.
Cybersecurity experts told CNN that the hackers could have overplayed their hand by pursuing such a large target since this might have angered the Chinese authorities.
Allan Liska, a ransomware expert with cybersecurity firm Recorded Future, noted that although the Russian government has frequently rejected US government requests to crack down on ransomware gangs operating from US soil, the hackers may come under increased scrutiny following this incident due to Russia and China’s closer relationship.
Liska told CNN, “If China views this as a black eye, they may demand action from the Russian government.” “The bad relations between the United States and Russia have greatly benefited the team behind LockBit.”
The financial industry was awakened more than ten years ago by a string of disruptive cyberattacks on US banks, which the US initially attributed to Iran. Since then, the industry has invested billions of dollars on defences. According to its website, JPMorgan Chase alone spends $600 million annually on cybersecurity.
However, organisations like as LockBit frequently target large corporations in an attempt to demand millions of money from them. The ransomware known as LockBit was the most often used worldwide in 2022, as per US cybersecurity experts.
Will Thomas, a cybersecurity specialist who frequently monitors ransomware groups, told CNN that “LockBit and its affiliates continue to garner headlines unabated, despite recent trends suggesting that some ransomware groups are shifting to go after medium-size, less well-defended organisations.”
When CNN questioned the FBI on Friday about whether it was looking into the event, the agency declined to comment. The Treasury Department was contacted by the federal Cybersecurity and Infrastructure Security Agency, which also handles significant attacks in the private sector. As of press time, the Treasury Department had not responded to inquiries.