On Wednesday, November 8, 2023, the Industrial and Commercial Bank of China (ICBC), the largest global lender by asset size, experienced a significant ransomware attack by the ransomware gang LockBit. In the two weeks since the attack, more is known:
- ICBC Financial Services was the affected entity
- The ransomware operator, LockBit, reported ICBC paid a ransom, though the amount is undisclosed
- The ransomware attack exploited a Citrix vulnerability referred to as Citrix Bleed
- Cybersecurity firm MoxFive was retained to help ICBC recover from the attack and resume business
- On October 10, 2023, Citrix released a security bulletin regarding the vulnerability
- ICBC is still recovering affected systems
- U.S. Treasury and Repo financing trades were completed on November 9, 2023
- The attack made BNY Mellon collateral damage since it is the sole settlement agent for Treasury securities; BNY Mellon was forced to use manual processes to individually clear trades
- ICBC’s head office made an emergency US$9 billion capital infusion to cover uncleared trades; BNY Mellon was forced to loan ICBC money to clear the trades as they could transfer money to settle
- ICBC head office and other domestic and overseas affiliated institutions were not affected
- ICBC executives from China made an emergency trip to New York to claim the market and reassure clients of its financial services business
- ICBC requested customers clear their trades elsewhere, resulting in direct business loss and financial impacts
ICBC was not the only organization to succumb to the CitrixBleed vulnerability. The aircraft manufacturer Boeing, the Emirati logistics company DP World, and international law firm Allen & Overy also experienced Citrx Bleed exploits. This vulnerability is largely left unpatched by thousands of organizations worldwide.
Over the past three years, LockBit has extorted over US$91 million from organizations. ICBC has not disclosed that it paid the ransom. One can assume, if paid, that it was sizable. LockBit likely took notice of the press this event caused and will use that to its advantage when planning future attacks.
On November 17, 2023, LockBit struck Chicago trading company Alphadyne Asset Management. According to financial information on its website, the company had about US$24.5 billion in assets as of June 30, with US$480.7 million of net capital. It also had credit lines from affiliates of US$450 million and the ability to borrow overnight funds from an affiliate. What if LockBit had hit a larger treasury market participants?
The irony of the largest Chinese bank experiencing a cyberattack is not lost on this analyst, nor is the common refrain that yet another major cyberattack is caused by an unpatched vulnerability. Calls for transparency in cybersecurity practices and resiliency of participants in the US$26 trillion treasury market are heard loud and clear across Wall Street.