US Treasuries Trading Affected by Ransomware Hack

The LockBit Ransomware Operation May Have Exploited Citrix Bleed
Industrial and Commercial Bank of China-Financial Services in New York experienced a ransomware attack Nov. 8 disrupting the market for U.S. Treasuries. (Image: Shutterstock)

A ransomware attack affecting the New York financial services subsidiary of the Industrial and Commercial Bank of China resulted in disruptions to the U.S. Treasuries market.

China's largest commercial lender said hackers had penetrated certain trading systems on Wednesday, causing it to disconnect and isolate affected computers. It successfully cleared Treasury trades executed on Wednesday and repo financing on Thursday, a notice on the bank's website states.

Reuters reported Friday that some market participants said trades going through ICBC were not settled due to the attack, affecting market liquidity.

With 2022 revenue amounting to $214.7 billion and profits of $53.5 billion, ICBC is the largest commercial bank in the world by revenue, according to Fortune. The Financial Times reported that its New York financial services division has become a key player on Wall Street in clearing Treasuries for Chinese lenders.

"We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation," a U.S. Department of the Treasury spokesperson told multiple news outlets.

The Biden administration has sought to tamp down ransomware through a growing coalition of global partners. Members of the International Counter Ransomware Initiative met just days ago, as security researchers warned that the volume of known ransomware attacks has surged to record-breaking levels (see: Global Government Coalition Launching New Ransomware Efforts).

Ransomware monitor vx-underground tweeted that it had received confirmation from ransomware group LockBit that it is responsible for the attack. The group has not listed Industrial and Commercial Bank of China on its leak website, but that absence is not authoritative, said Allan Liska, a ransomware analyst at cybersecurity firm Recorded Future. "It is still very early in the attack so it is unlikely that they would appear on the site at this point. That may change because of all the attention the attack has received," he told Information Security Media Group.

The attack, likely from a LockBit affiliate, "shows the increasing sophistication of ransomware groups and their ability to gain access to even the most difficult targets," he added.

A spokesman for the Chinese Ministry of Foreign Affairs told reporters Friday that "ICBC is closely following this and has taken effective emergency response measures and engaged in proper supervision and communication in order to minimize risk," according to an official translation of the ministry's daily press briefing. ICBC Financial Service's business and email systems operate independently of its parent company, so other domestic and overseas affiliated institutions were not affected by this incident, the financial institution said.

British security researcher Kevin Beaumont said in a Mastodon post that through a query on internet of things search engine Shodan he had spotted an unpatched Citrix NetScaler box on the ICBC-FS network. Ransomware hackers are exploiting a recently patched vulnerability in NetScaler devices known as Citrix Bleed (see: Ransomware Groups Exploiting Unpatched NetScaler Devices).

Beaumont on Thursday reiterated that Citrix Bleed allows hackers to bypass "all forms of authentication," since they can steal session tokens. "It is as simple as pointing and clicking your way inside orgs - it gives attackers a fully interactive Remote Desktop PC the other end," he said.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.