LockBit takes credit for ransomware attack on US subsidiary of Chinese bank

Ransomware attack

Security pros on Friday were “very concerned” that this week’s ransomware attack on the U.S. subsidiary of the Industrial & Commercial Bank of China (ICBC) was engineered by Russia-linked LockBit, a notorious ransomware-as-a-service (RaaS) gang that took credit for disrupting ICBC’s trading system.

Ira Winkler, chief information security officer at CYE, said what’s important here is that the criminals accessed a critical system, as opposed to a random user device.

“While there have been ransomware attacks against major banks, they have generally been contained,” said Winkler. “Major banks have offices all over the world and varying ability to contain every possible attack. However, they do have a good resiliency in place to stop any successful attack from becoming a major incident, in most cases.”

The Nov. 8 attack on ICBC Financial Services disrupted trading, with Bloomberg reporting that trades managed by ICBC traversed Manhattan on a USB stick.  

In a statement, ICBC Financial Services said it “disconnected and isolated impacted systems” to contain the incident and has reported the attack to law enforcement. They said they successfully cleared U.S. Treasury trades executed on Nov. 8 and Repo financing trades done on Nov. 9.

Craig Jones, vice president of security operations at Ontinue, pointed out that this incident not only disrupted ICBC's operations, but also had ripple effects in the U.S. Treasury market, underlining the far-reaching impact of cyberattacks on critical financial systems.

“It serves as a reminder that even large, presumably secure institutions can fall victim to cybercriminals,” Jones said. “This attack is part of a worrying trend where groups like LockBit, which has targeted numerous U.S. organizations since 2020, use RaaS models to amplify their reach.”

LockBit continues to wreak havoc

LockBit has been considered the leading RaaS group for at least a year now, and they show no signs of slowing down.

Dean Webb, cybersecurity solutions engineer at Merlin Cyber, said Russia-backed LockBit has been around since 2019, but started making big headlines when their LockBit 2.0 was released in 2021. Webb said that tool could encrypt rapidly and was behind attacks on Accenture, Thales, La Poste Mobile, Pendragon PLC, California Finance Administration, the Port of Lisbon, and Toronto’s Hospital for Sick Children. That last one resulted in the group stopping the attack and providing a free decryption key.

When LockBit 3.0 came out in June of last year, Webb said it grew as an organization, improving its recruiting and retention, running a beta program for LockBit 3.0, and even introducing a bug bounty program to ransomware development. Webb said the 3.0 version of LockBit was involved in attacks on Royal Mail, a water utility in Southern France, China Daily, TSMC, Port of Nagoya, and now ICBC.

“The Chinese attacks are interesting, as Russian hacking groups have in the past refrained from attacking Russian allies,” said Webb. ”It may be that the non-governmental entities in China are now seen as fair game, or the group feels bold enough to no longer toe the line on Russian foreign policy. I’ll speculate that Putin’s weakened leadership in the wake of the Ukraine debacle and the Wagner Group coup attempt from earlier in the year has sent a message to Russian hacker gangs that Putin has his hands full enough with his own problems, he won’t be able to crack down on them.”

Steve Hahn, executive vice president at BullWall, said Russia-linked LockBit has ransomed close to 2,000 companies in recent years, making them one of the most prolific operators, and they are one of the main drivers on why successful ransomware attacks have doubled over the last two years.

On top of this, Hahn said they are taking down “giants” in aerospace, infrastructure, banking and government — companies that spend tens of millions of dollars on prevention technologies.

Here’s how they work: LockBit slowly and methodically circumvents these prevention technologies, and even uses the "good-guy" tools against themselves to extract admin level credentials. Once they have admin credentials, they have the keys to the kingdom. They can disable security tools, create white lists for their applications and exfiltrate data almost at will, said Hahn.

“These large companies may spend tens, even hundreds of millions of dollars on security, but they are no match for a threat actor who rakes in billions,” said Hahn. "For even the largest companies, it’s not a matter of ‘if’ but ‘when’ they’ll be hit, and companies big and small have to thinking about how to contain these events quickly, how to recover quickly and how they respond.”

Amelia Buck, cybersecurity expert at Menlo Security, also pointed out that today, LockBit reportedly released a staggering 40 gigabytes of data stolen from Boeing, which makes ICBC the latest high-profile casualty. "The infiltration of a financial giant like ICBC serves as a reminder that no target is deemed off-limits in the eyes of these groups," said Buck.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.