The Industrial and Commercial Bank of China (ICBC), China’s largest bank, has been struck by a ransomware attack that disrupted U.S. Treasury markets.
The attack prevented ICBC from settling Treasury trades on behalf of other market participants, with some equity trades also affected. To overcome the inability of ICBC to settle trades, market participants are said to have rerouted trades. Although the attack did have some effect on Treasury market liquidity, it did not impair the market overall.
The form of ransomware has not been disclosed, with an emergency notice issued to traders only referring to it as an “incident.” The notice said that ICBC could not connect to the Depository Trust & Clearing Corporation and the National Securities Clearing Corporation and, as such, was suspending all inbound FIX connections. FIX connections allow market participants to send and receive messages from the DTCC, such as trade orders, settlement instructions and account statements.
ICBC was starting to restore services as of Thursday afternoon. The bank has yet to comment on the attack.
Although the form of ransomware used in the attack is currently not known, security researcher Kevin Beaumont on Mastodon points to a possible attack path: a Citrix NetScaler box run by ICBC which, at least as of Monday, was unpatched for the Citrix Bleed vulnerability. Notably, the NetScaler box is currently offline.
Citrix Bleed, tracked as CVE-2023-4966, was discovered in October and was highlighted in an alert from the U.S. CISA on Nov. 7. The vulnerability is described as a sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway.
However, other security experts are suggesting that it’s too early to know precisely what has happened. To better prepare for the inevitable attack, organizations should regularly review business risk, including the impact ransomware could have on their business.