LockBit Takes Credit for Ransomware Attack on Chinese Bank’s US Branch

esteria.white

Security professionals were “very concerned” Friday that this week’s ransomware attack against the U.S. branch of the Industrial and Commercial Bank of China (ICBC) was orchestrated by Russia-linked LockBit, a notorious ransomware-as-a-service (RaaS) gang that took credit for disrupting ICBC’s trading system.

Ira Winkler, chief information security officer at CYE, said what’s important here is that the criminals gained access to a critical system, as opposed to a random user’s device.

“While there have been ransomware attacks against large banks, they have generally been contained,” Winkler said. “Large banks have offices all over the world and have varying capabilities to contain all possible attacks. However, they have good resilience to prevent any successful attack from becoming a major incident, in most cases.”

The November 8 attack on ICBC Financial Services disrupted trading, with Bloomberg reporting that trade details handled by ICBC had to be carried across Manhattan on a USB stick.

In a statement, ICBC Financial Services said it “disconnected and isolated affected systems” to contain the incident and reported the attack to law enforcement. It said it had successfully cleared U.S. Treasury trades executed on November 8 and repo funding trades executed on November 9.

Craig Jones, Vice President of Security Operations at Ontinue, highlighted that this incident not only disrupted ICBC’s operations but also had ripple effects on the U.S. Treasury market, underscoring the far-reaching impact of cyberattacks on critical financial systems.

“This reminds us that even large, supposedly secure institutions can fall victim to cybercriminals,” Jones said. “This attack is part of a worrying trend where groups like LockBit, which has targeted numerous US organizations since 2020, are using RaaS models to amplify their reach.”

LockBit continues to wreak havoc

LockBit has been considered the leading RaaS group for at least a year now, and shows no signs of slowing down.

Dean Webb, cybersecurity solutions engineer at Merlin Cyber, said Russian-backed LockBit has been around since 2019, but started making headlines when LockBit 2.0 was released in 2021. Webb said this tool could encrypt quickly and was behind attacks against Accenture, Thales, La Poste Mobile, Pendragon PLC, the California Department of Finance, the Port of Lisbon and the Hospital for Sick Children in Toronto. In the latter case, the group halted the attack and provided a free decryption key.

When LockBit 3.0 was released in June last year, Webb said, the group had grown as an organization, improving its recruitment and retention, running a beta program for LockBit 3.0 and even introducing a bug bounty program for ransomware development. Webb said LockBit 3.0 was involved in attacks on Royal Mail, a southern French water utility, China Daily, TSMC, the Port of Nagoya and now ICBC.

“The Chinese attacks are interesting because Russian hacker groups have in the past refrained from attacking Russian allies,” Webb said. “It may be that non-governmental entities in China are now seen as fair game targets, or that the group feels bold enough to no longer comply with Russian foreign policy. I guess Putin’s weakened leadership following the Ukraine debacle and the Wagner Group’s attempted coup earlier in the year sent a message to Russian hacker gangs that Putin has his hands pretty full with his own problems; he won’t be able to repress them.”

Steve Hahn, executive vice president of BullWall, said that Russia-linked LockBit has hit nearly 2,000 companies in recent years, making it one of the most prolific operators, and that it is one of the main reasons successful ransomware attacks doubled over the last two years.

On top of that, Hahn said they’re taking out “giants” in aerospace, infrastructure, banking and government — companies that spend tens of millions of dollars on prevention technology.

Here’s how they work: LockBit slowly and methodically circumvents these prevention technologies, and even turns the tools of the “good guys” against them to extract administrator-level credentials. Once they have admin credentials, they have the keys to the kingdom. They can disable security tools, whitelist their own applications and exfiltrate data almost at will, Hahn explained.
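The steps Hahn describes after credential theft (disabling security tools, whitelisting the attacker’s own binaries) leave traces in Windows event logs that a defender can watch for. The following is an added example, not code from the article or any of the vendors quoted; the log lines are constructed, and the Windows Defender event IDs used (5001 real-time protection disabled, 5007 configuration change, 5010 scanning disabled), the System log service-stop event 7036 and the Security log group-membership events 4732/4728 are standard Microsoft event IDs.

```python
"""Flag Defender tampering / exclusion changes, escalating when they follow a
fresh admin-group change on the same host. Added example; sample lines below are
constructed in the form timestamp|host|channel|event_id|message."""
from datetime import datetime, timedelta

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_LOG = r"""
2023-11-08T02:10:11|fs01|Security|4732|A member was added to a security-enabled local group: Administrators, member: svc_backup
2023-11-08T02:14:02|fs01|Microsoft-Windows-Windows Defender/Operational|5007|Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\upd = 0x0
2023-11-08T02:14:30|fs01|Microsoft-Windows-Windows Defender/Operational|5001|Real-time protection is disabled.
2023-11-08T02:15:00|fs01|System|7036|The Sense service entered the stopped state.
2023-11-08T09:00:00|ws17|Microsoft-Windows-Windows Defender/Operational|5007|Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2
"""

SIMPLE_RULES = {(DEFENDER, 5001): "real-time protection disabled",
                (DEFENDER, 5010): "scheduled scanning disabled"}
SECURITY_SERVICES = ("Sense", "WinDefend", "MsMpSvc")   # EDR / Defender services
PRIV_EVENTS = {("Security", 4732), ("Security", 4728)}  # added to local / global group
WINDOW = timedelta(hours=1)  # how long after a privilege change we treat tampering as linked

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, host, channel, eid, msg = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "channel": channel, "id": int(eid), "msg": msg})
    return events

def classify(ev):
    """Return a tamper label for one event, or None if it is benign noise."""
    key = (ev["channel"], ev["id"])
    if key == (DEFENDER, 5007):   # 5007 is noisy; only exclusion changes matter here
        return "defender exclusion added" if "\\Exclusions\\" in ev["msg"] else None
    if key == ("System", 7036):   # only a stop of a security service is interesting
        if "stopped" in ev["msg"] and any(s in ev["msg"] for s in SECURITY_SERVICES):
            return "security service stopped"
        return None
    return SIMPLE_RULES.get(key)

def find_defense_evasion(log_text):
    events = parse(log_text)
    priv = [e for e in events if (e["channel"], e["id"]) in PRIV_EVENTS]
    findings = []
    for ev in events:
        label = classify(ev)
        if not label:
            continue
        # a new admin-group member on the same host shortly before raises severity
        linked = any(p["host"] == ev["host"] and timedelta(0) <= ev["ts"] - p["ts"] <= WINDOW
                     for p in priv)
        findings.append((ev["host"], label, "high" if linked else "medium"))
    return findings
```

On the constructed log, the three fs01 events are reported as high because they follow the admin-group change within the hour, while the ws17 schedule change is ignored.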

“These large companies can spend tens or even hundreds of millions of dollars on security, but they are no match for a threat actor raking in billions,” Hahn said. “Even for the largest companies, the question is not if they will be affected but when they will be affected, and companies large and small need to think about how to quickly contain these events, how to recover quickly and how they respond.”

Amelia Buck, cybersecurity expert at Menlo Security, also pointed out that LockBit reportedly released 40 gigabytes of data stolen from Boeing today, making ICBC only the latest high-profile victim. “The infiltration of a financial giant like ICBC is a reminder that no target is off-limits in the eyes of these groups,” Buck said.
