A ransomware attack on a US branch of the Industrial and Commercial Bank of China, a major global bank, caused a brief market sell-off and emphasized the potential disruption that cybercriminals can inflict even on well-prepared companies, according to experts interviewed by CNN. Regulators and officials from both the US and China were alarmed by the incident and engaged in extensive coordination with the impacted bank and the financial sector as a whole to address the threat.
The FS-ISAC, a global consortium of major financial institutions dedicated to sharing cyberthreat intelligence, has been actively distributing information about the attack to its members. In addition, they have emphasized the importance of staying updated on protective measures and promptly addressing critical vulnerabilities. According to a spokesperson from the group, this intelligence sharing is crucial, as it plays a vital role in safeguarding system availability and minimizing potential disruptions.
The financial sector, including its major banks, has traditionally been seen as having strong defenses against cyberattacks. However, the rise of ransomware has brought new challenges to the cybersecurity efforts of financial institutions. This is because traditional security solutions were not originally created to specifically address the threat of ransomware. As a result, even sectors like finance and banking, which typically have highly developed security programs, may struggle to protect themselves against determined and well-equipped cybercriminals. Jon Miller, the CEO of US cybersecurity firm Halcyon, highlighted this issue in a statement to CNN.
The statement issued by the bank on Thursday, which is still available on its website as of Friday afternoon, announced that New York-based ICBC Financial Services, a subsidiary of the largest bank in the world in terms of assets and a Chinese state-owned institution, had been targeted by hackers. However, the bank assured that the recovery process was underway and mentioned the successful clearance of US Treasury trades executed on Wednesday as well as the repurchase agreements financing trades conducted on Thursday.
ICBC Financial Services declined to comment in response to CNN's request on Friday. Reuters reported on Friday that it may take several days for the ICBC subsidiary to resume its regular business operations. According to the wire service, BNY Mellon, one of the banks, resorted to settling trades of Treasury securities with ICBC manually due to the cyberattack.
According to a source familiar with the situation, ICBC Financial is currently not connected to BNY Mellon's Treasury settlement platform as a result of a cyberattack. However, BNY Mellon is assisting ICBC Financial by manually processing its Treasury trades, the source stated.
"We have been monitoring the ransomware attack on the ICBC subsidiary for a few days now," a cybersecurity executive from a major US financial institution told CNN. The executive, who preferred to remain anonymous due to lack of authorization to speak to the press, added, "We are assessing the response and potential broader impact considering ICBC's significance and role in the global financial sector."
On Friday, LockBit, a highly active group of cybercriminals, claimed responsibility for the ransomware attack. While LockBit primarily consists of Russian-speaking members, it has "affiliates" across different nations who lease the ransomware and employ it for their own malicious activities. Some cybersecurity experts strongly suspect that one of these affiliates may have originated from China. The specific identity of the LockBit affiliate responsible for executing this particular hack remains uncertain.
Cybersecurity analysts told CNN that the hackers may have taken a risk by targeting such a significant entity, potentially angering the Chinese government. Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, mentioned that even though the Russian government has previously been reluctant to cooperate with the US in curbing ransomware groups based in the US, the closer alliance between Russia and China could result in increased scrutiny for these hackers.
Liska told CNN that if China perceives this as damaging to its reputation, it may require the Russian government to take action. The LockBit group has greatly profited from the strained relations between the United States and Russia.
The financial sector received a wake-up call when a string of disruptive cyberattacks targeted US banks over a decade ago, with Iran being held responsible by the US. Since then, the sector has invested billions of dollars in strengthening defenses. JPMorgan Chase, for instance, allocates $600 million annually for cybersecurity, as stated on its website.
LockBit ransomware has gained notoriety for specifically targeting influential companies in an effort to extort large sums of money. US cybersecurity officials have identified LockBit as the most prevalent form of ransomware globally in 2022. Despite a shift in some ransomware groups focusing on smaller, less protected organizations, LockBit and its affiliates remain in the spotlight without any signs of slowing down, according to cybersecurity expert Will Thomas, who closely monitors ransomware groups.
The FBI chose not to comment on Friday when CNN inquired about its investigation into the incident. The federal Cybersecurity and Infrastructure Security Agency, which also handles major private-sector hacks, redirected questions to the Treasury Department, which declined to comment before the press deadline.