Ransomware Attack Targeting ICBC Disrupts US Treasury Market


November 9, 2023

World map

A ransomware attack on the Industrial and Commercial Bank of China (ICBC) is reportedly disrupting the US Treasury market.

“The Securities Industry and Financial Markets Association told members on Thursday that ICBC, China’s largest bank, had been hit by ransomware software, which paralyses computer systems unless a payment is made, according to several people familiar with the discussions. The attack prevented ICBC from settling Treasury trades on behalf of other market participants, according to traders and banks.” FT reports.

“This is a large party on [the Fixed Income Clearing Corporation], so certainly of major concern... and potentially impacting liquidity of US Treasuries.”  

Takeaway: The alleged attack on the ICBC has the potential to have a serious impact on worldwide financial markets, as US Treasuries are central to the global banking and finance system.

“The combination of advanced [hacking] techniques and security solutions that were not designed to address ransomware specifically means even sectors like financial and banking, which typically have the most mature security programs, are not going to be able to defend against a determined and well-resourced threat actor,” Jon Miller, CEO of US cybersecurity firm Halcyon, told CNN.

“Critical infrastructure providers like the financial, manufacturing, healthcare and energy sectors remain top targets for ransomware operators because the pressure to quickly resolve the attacks and resume operations increases the chances victim organizations will pay the ransom demand,” Miller told The CyberWire.

"Ransomware is a multi-billion-dollar business that rivals and even exceeds many legitimate market segments. We have witnessed ransomware attacks evolve from nuisance attacks with little impact on business operations and minimal ransom demands to become one of the biggest threats to businesses and our critical infrastructure with ransom demands now well into the tens of millions."

"There is no limit to the disruptive power and financial impact of ransomware attacks. New RaaS groups emerge all the time, introducing new tactics, techniques, and procedures, including automation of aspects of the attacks - like exploiting vulnerable software like MoveIT and GoAnywhere - and custom tooling for more efficient data exfiltration," Miller told CPO Magazine.

They have also expanded their addressable target range by introducing Linux versions, which puts the most critical systems at risk. Linux runs approximately 80% of web servers, most smartphones, supercomputers, and many embedded and IoT devices used in manufacturing.  

Linux is also favored for large network applications, and data centers and drives most of the U.S. government and military networks, our financial systems, and even the backbone of the internet.  

The "always on" nature of Linux systems not only provides a strategic beachhead for moving laterally throughout the network, but attacks on Linux systems would also disrupt the most critical parts of an organization's network.  

Security operations put a great deal of resources into the detection/prevention side of the cyberattack equation, and rightly so.  

But given the fact that a determined attacker with the enough time and resources is all but guaranteed to eventually be successful in their attacks means that orgs also need to take measures to be truly resilient and recover from an attack as quickly as possible.

Critical infrastructure providers need to have the capability to respond quickly and decisively to ensure that any potential disruption to operations is kept to an acceptable minimum. A robust defense is key, but resilience is how we will win the battle and remove the economic incentive for further ransomware attacks.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.