TrollEye Security

ICBC, The World's Largest Bank Has Been Hit With a Ransomware Attack

On November 8, 2023, ICBC Financial Services (FS), the U.S. broker-dealer arm of the world’s largest commercial bank by revenue, was hit by a ransomware attack that disrupted specific systems within the FS unit. To contain the damage, ICBC FS disconnected and isolated the affected systems as soon as the intrusion was detected.

The bank has engaged a team of outside cybersecurity professionals to conduct a full investigation and to support recovery, and has reported the incident to law enforcement. Despite the disruption, ICBC FS stated that it successfully cleared U.S. Treasury trades executed on November 8 and repo financing transactions executed on November 9.

ICBC stated that the incident was confined to ICBC FS and did not affect the ICBC New York Branch, the bank’s Head Office, or any other affiliated entity worldwide. According to the bank, the FS systems are segregated from the rest of its network, which is why the wider ICBC environment was not affected; that segregation is the bank’s own assessment and has not been independently verified.

The ransomware attack had a ripple effect in the financial markets, particularly impacting the U.S. Treasury market and complicating the process of equities clearing. This situation was first brought to light by a report in the Financial Times. The Securities Industry and Financial Markets Association, upon learning of the incident, alerted its members.

An emergency notice warned that ICBC was unable to connect to DTCC/NSCC (the Depository Trust & Clearing Corporation and its National Securities Clearing Corporation subsidiary), affecting all of its clearing customers. In response, [censored] temporarily halted all inbound FIX connections and order processing from ICBC until the issue was resolved.

The Chinese banking giant, which holds a significant position in global finance with revenues of $214.7 billion and profits of $53.5 billion in 2022, was unable to settle U.S. Treasury trades for its clients due to the cyberattack. The U.S. Treasury, keeping abreast of the situation, remained in constant communication with key financial sector players and federal regulators.

Although ICBC had not yet officially confirmed the ransomware attack when the first reports emerged, multiple independent sources confirmed the incident to BleepingComputer. Security analyst Kevin Beaumont noted that ICBC was exposing a Citrix NetScaler device that had not been patched against ‘Citrix Bleed’ (CVE-2023-4966), a session-token disclosure flaw in NetScaler ADC and Gateway that lets an attacker hijack authenticated sessions and bypass multi-factor authentication, and that this was the likely initial access vector. That attribution is an inference from an externally visible unpatched host, not a finding ICBC has confirmed.

ICBC, listed on both the Shanghai Stock Exchange and the Hong Kong Stock Exchange since October 27, 2006, operates a vast network: roughly 17,000 domestic branches and additional branches in 41 countries, including both the East and West coasts of the United States, serving over 10.7 million corporate and 720 million individual customers globally. The attack underscores the growing threat to the financial sector and the need for continuous security measures, such as TrollEye Security’s Penetration Testing as a Service, Dark Web Analysis, DevSecOps as a Service, and Managed SIEM (Purple Teaming).