Industrial and Commercial Bank of China faces LockBit ransomware attack


One of the world’s largest banks is facing a ransomware attack, according to media reports Thursday.

The Financial Times first reported that the Industrial and Commercial Bank of China (ICBC), China’s largest, with revenues of $214.7 billion in 2022, was hit by ransomware this week.

The Securities Industry and Financial Markets Association, a trade group representing securities firms, banks and asset management firms, reportedly sent a message to its members about the incident after some American Treasury market trades could not be compensated.

ICBC, the Securities Industry and Financial Markets Association and the U.S. Treasury Department did not respond to requests for comment.

Sources told the Financial Times that the LockBit ransomware gang was behind the attack. The group has carried out several major attacks on governments, businesses and organizations throughout 2023, far exceeding any other ransomware gang currently active.

Bloomberg reported that the bank informed several customers that a cybersecurity issue would force them to reroute certain transactions. ICBC said the attack began Wednesday evening, the outlet reported.

Several cybersecurity researchers said reports of the attack had been circulating for days. Experts at the malware research platform vx-underground said they were informed of stock traders who were unable to place trades or clear previous trades through ICBC.

The bank reportedly sent an emergency notice stating that the incident “affected all ICBC clearing customers” and that due to the attack, they were temporarily not accepting orders.

Cybersecurity expert Kevin Beaumont shared a Shodan search showing that ICBC had a Citrix Netscaler box that was not patched for CVE-2023-4966, a bug known by experts as “CitrixBleed” which affects NetScaler ADC and NetScaler Gateway appliances. The products are used by businesses to manage network traffic.

Beaumont said the box was now removed from the Internet, but noted that ransomware gangs were exploiting the issue because it “allows all forms of authentication to be completely and easily bypassed.” More than 5,000 organizations have yet to patch the vulnerability, he added.

“It’s as simple as pointing and clicking to find your way inside organizations – it gives attackers a fully interactive remote desktop PC on the other end,” Beaumont explained.

Jon Miller, CEO of Halcyon, told Recorded Future News that the alleged attack on ICBC “has the potential to have a serious impact on global financial markets, as US Treasuries are at the heart of the global banking and financial system.

“Critical infrastructure providers like the financial, manufacturing, healthcare and energy sectors remain prime targets for ransomware operators as the pressure to quickly resolve attacks and recover operations increases the chances that victim organizations will pay the demanded ransom,” he said.

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
