ICBC Ransomware Attack Strikes at the Heart of the Global Financial Order - LockBit on a Roll

Cyber Threat Intelligence

Financial sector, Ransomware, LockBit, China, Financial market, CVE-2023-4966, CVE-2023-4967, Trading, Lending, Financial Industry

Executive Summary

The ransomware breach that crippled U.S. Treasury trading operations at an American subsidiary of Industrial & Commercial Bank of China Ltd. on November 8 has laid bare the vulnerability of the global financial system to cyberattacks. LockBit ransomware group claimed responsibility for the attack against ICBC, the largest lender in the world by assets, with $5.7 trillion under management. This ominous cyber-event sent shockwaves through the $26 trillion U.S. Treasury market.

LockBit specifically targeted ICBC Financial Services (ICBC FS), a wholly owned U.S. subsidiary of the state-owned lender, which plays a critical role in the world of international finance. “ICBC FS primarily engages in providing global clearing, execution and financing services to institutional clients,” according to credit-ranking agency Fitch Ratings. The Financial Times reported that this ICBC unit is an “intermediary for governments, hedge funds, and proprietary traders wanting to buy and sell U.S. debt.”

According to the Treasury, the LockBit attack exploited a known vulnerability in the Citrix NetScaler product suite. The ransomware disruption temporarily prevented bank employees from accessing their corporate email accounts and connecting to the Depository Trust and Clearing Corporation to resolve large batches of U.S. Treasury trades. Bundled in this trade backlog were systemically vital repurchase agreement (repo) transactions.

Bloomberg also reported that the attack forced ICBC FS to send the required settlement details to trade counterparties by a “messenger carrying a thumb drive” to complete the transactions. Ultimately, ICBC had to inject $9 billion into its U.S. unit to reimburse Bank of New York Mellon for unsettled trades. In 2017, Bloomberg noted that ICBC FS had rapidly become a “go-to dealer” in the U.S. repo market. Repos are a “crucial source of funding and liquidity for the U.S. financial system,” according to the Office of Financial Research, a U.S. government agency.

Per the OFR, the repo market currently “provides more than $3 trillion in funding” daily. Resecurity will explain repo financing mechanisms later in this white paper. This attack also happened to coincide with a scheduled auction of 30-year Treasury bonds on November 9th. Auctions for 30-year Treasuries occur on a quarterly basis. Notably, this auction was “among the worst in a decade,” according to Bloomberg. Demand for these bonds was so weak that “the U.S. government had to entice investors with a premium over the market to buy their debt,” reported Barron’s.

Barron’s also noted that primary dealers, “who buy up supply not taken by investors, had to accept 24.7% of the debt on offer, more than double the 12% average for the past year.” Bloomberg said there was widespread speculation among market participants that the ICBC cyberattack was the “catalyst” for the poor sales performance. As a result of the LockBit attack, Bloomberg reported that “US Treasury repo fails — the amount of US debt that wasn’t delivered to fulfill trade contracts — rose to $62.2 billion, the highest since March and up from $25.5 billion a day earlier.”

Despite only claiming $24.5 billion in total assets as of its latest filing in June 2023, the bank’s ransomware disruption sent major shockwaves through Treasury and related repo markets. This is even more unsettling considering the firm isn’t even ranked anywhere in the top 20 of U.S. capital markets, according to WSJ sources. Thus, the attack spotlights the important role Treasury and repo markets play in the global financial system.

In fact, the U.S. Treasury market is the “most liquid sovereign debt market in the world,” according to the DTCC’s Fixed Income Clearing Corporation (FICC) website. Meanwhile, repos, a type of short-term secured loan, have become a major source of hedge fund borrowing. With four trillion dollars in total assets under management (AUM), high-frequency trading (HFT) networks that enable investors to buy and sell at nanosecond speeds, and the ability to tap limitless financing from Wall Street, the hedge fund industry may be the center of gravity for modern capital markets.

As such, dislocations in the repo market, as the LockBit attack illustrated, have the potential to crash the financial system. Given the essentiality of Treasuries and related repo financing to the plumbing system of global finance, the LockBit ransomware attack is likely the most significant cyberattack to ever target the industry.

In the following white paper, Resecurity will discuss the Citrix vulnerabilities exploited by LockBit, evaluate LockBit’s claims about ICBC, demystify repo markets and their regulatory access models, and assess systemic risks posed by cyberattacks to the finance industry amidst historic volatility in U.S. Treasury markets.

Key Takeaways

  • LockBit affiliates ransomed ICBC Financial Services (ICBC FS), a wholly owned U.S. subsidiary of ICBC, on November 8th

  • The gang is believed to have exploited two CVEs impacting the Citrix NetScaler product suite: CVE-2023-4966 and CVE-2023-4967

  • ICBC FS employees were temporarily unable to access their corporate emails or connect their systems to the DTCC to clear Treasury and repo trades

  • ICBC required a $9 billion injection to pay back Bank of New York Mellon, which is the sole clearing bank in the U.S. for Treasury repo settlement

  • As a result of the LockBit attack, US Treasury repo fails — the amount of US debt that wasn’t delivered to fulfill trade contracts — rose to $62.2 billion

  • Repos are short-term secured loans, typically issued in line with the overnight, bank-to-bank federal funds rate

  • The repo market currently provides more than $3 trillion in funding daily, and is a major source of hedge fund borrowing

  • Four segments of the repo market span the different combinations of centrally cleared and non-centrally cleared, tri-party and bilateral transactions

  • ICBC FS claims to have manually cleared nearly 90% of the trades in its backlog as of November 21

  • LockBit claims ICBC FS paid the ransom

  • LockBit announced two new victims a week after the ICBC FS attack, Alphadyne Asset Management and Chicago Trading Company. Curiously, these firms operate within the same specialized finance sectors as the ICBC FS’ core customer segments

Citrix Bleed

In an email sent to financial services executives and trade organizations on November 13, the Treasury assessed that the attack on ICBC FS “stemmed from Lockbit 3.0 ransomware and two tactics that target users of services managed by Citrix, a cloud-computing company,” according to the Wall Street Journal.

The two Citrix common vulnerabilities and exposures (CVEs) believed to have been exploited by the LockBit 3.0 variant to compromise ICBC FS include “CVE-2023-4966, an information disclosure vulnerability, and a second bug tracked as CVE-2023-4967, a denial-of-service vulnerability,” per Computer Weekly reports. These attack paths have not been officially confirmed but CW reported that “authorities appear to be confident that this will be confirmed imminently.”

On November 11, the LockBit spokesperson confirmed to a respected cyber-threat researcher that they ransomed ICBC FS. However, the spokesperson did not specify their affiliate’s intrusion vector. The spokesperson also suggested that the ICBC attack was conducted by a Chinese affiliate of the group. In Resecurity’s assessment, the attack scenario floated by LockBit is implausible, given the risk a China-based threat actor would be assuming in targeting the most systemically significant Chinese bank. The threat researcher provided a screenshot of their chat with LockBit on X.

LockBit claims credit for the ICBC FS attack, source: VX-Underground

As for CVE-2023-4966, this vulnerability is more commonly known as “Citrix Bleed.” Researchers first noted exploitation of Citrix Bleed back in August. According to the Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability “provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].”

After obtaining access to valid cookies, noted CISA, LockBit 3.0 affiliates “establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens [T1539].” CISA also said that affiliates manage to establish authenticated sessions by “sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information [T1082].” Information obtained through this exploit “contains a valid NetScaler AAA session cookie,” according to CISA.
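The two observables CISA describes above, a request carrying an abnormally crafted Host header and a legitimate AAA session cookie subsequently reused from somewhere else, are what a defender would look for in NetScaler access logs. The script below is an added example written for this white paper’s readers; it is not code from Resecurity, Citrix, or CISA. It assumes a simplified, constructed log format (timestamp, client IP, request line, the byte length of the Host header, and an opaque session identifier), a constructed set of log lines using RFC 5737 documentation addresses, and an assumed anomaly threshold of 253 bytes for the Host header (the longest valid DNS hostname), since the report does not state the exact length that triggers the memory disclosure.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format (an assumption, not the real NetScaler log layout):
#   <timestamp> <client_ip> "<METHOD> <path>" host_len=<bytes> session=<id|->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host_len=(?P<host_len>\d+) session=(?P<session>\S+)$'
)

# Assumed threshold: a valid DNS hostname is at most 253 characters, so a
# Host header far beyond that is anomalous. This is not the exact trigger
# length for CVE-2023-4966; the report does not give one.
HOST_LEN_THRESHOLD = 253


@dataclass(frozen=True)
class LogEntry:
    ts: str
    client_ip: str
    method: str
    path: str
    host_len: int
    session: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        ts=m["ts"], client_ip=m["ip"], method=m["method"], path=m["path"],
        host_len=int(m["host_len"]), session=m["session"],
    )


def oversized_host_requests(entries: List[LogEntry], threshold: int = HOST_LEN_THRESHOLD):
    """Requests whose Host header exceeds the threshold: the memory-disclosure probe indicator."""
    return [e for e in entries if e.host_len > threshold]


def sessions_shared_across_ips(entries: List[LogEntry]):
    """AAA session identifiers seen from more than one client IP: the session-hijack indicator."""
    seen = defaultdict(set)
    for e in entries:
        if e.session != "-":          # "-" marks an unauthenticated request
            seen[e.session].add(e.client_ip)
    return {s: sorted(ips) for s, ips in seen.items() if len(ips) > 1}


def analyze(lines: List[str]) -> dict:
    """Run both heuristics over raw log lines and return the findings."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return {
        "oversized_host": oversized_host_requests(entries),
        "session_ip_sharing": sessions_shared_across_ips(entries),
    }


# Constructed sample log: a normal user logs in from 203.0.113.7, a second host
# sends an oversized Host header with no session, then reuses the first user's
# session id. Addresses are RFC 5737 documentation ranges; session ids are invented.
SAMPLE_LOG = [
    '2023-11-08T02:55:10Z 203.0.113.7 "POST /cgi/login" host_len=21 session=s-1001',
    '2023-11-08T02:56:02Z 203.0.113.7 "GET /vpn/index.html" host_len=21 session=s-1001',
    '2023-11-08T03:01:44Z 198.51.100.23 "GET /vpn/index.html" host_len=24576 session=-',
    '2023-11-08T03:02:31Z 198.51.100.23 "GET /vpn/index.html" host_len=21 session=s-1001',
    '2023-11-08T03:05:00Z 192.0.2.44 "GET /vpn/index.html" host_len=21 session=s-2002',
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for e in findings["oversized_host"]:
        print(f"oversized Host header ({e.host_len} bytes) from {e.client_ip} at {e.ts}")
    for sid, ips in findings["session_ip_sharing"].items():
        print(f"session {sid} used from multiple IPs: {', '.join(ips)}")
```

On the constructed sample the first heuristic flags the 24,576-byte Host header from 198.51.100.23, and the second flags session s-1001 because it appears from both 203.0.113.7 and 198.51.100.23. In a real deployment the session-sharing check is the more durable of the two, since it does not depend on how the probe request was shaped, and it is also the reason the published remediation guidance pairs patching with terminating existing sessions rather than patching alone.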

CVE-2023-4967 is a more straightforward DoS vulnerability and thus not as sophisticated. Citrix publicly disclosed CVE-2023-4966 and CVE-2023-4967 on Oct. 10, 2023, cataloguing both vulnerabilities on the Citrix Security Bulletin. This disclosure also includes guidance on patching the CVEs, in addition to detailing affected products, indicators of compromise (IOCs), and related recommendations.

Ransom Paid?

Since the LockBit attack, the ICBC FS website launches with a pop-up notice that acknowledges the breach and the unfolding incident response investigation. The notice also says that ICBC FS successfully “cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09).”

The pop-up notice acknowledging the breach

The WSJ reported that ICBC FS hosted a call with finance industry executives on November 21, where a representative for the firm said they “had manually cleared nearly 90% of the trades in its backlog, and encouraged clients to contact the firm directly.” Thus, it is widely believed in the cybersecurity community that ICBC FS paid the ransom.

On November 13, just five days after the initial attack, the same threat researcher who previously confirmed LockBit’s involvement in the ICBC FS hack provided screenshots from a chat conversation, where the group’s spokesperson claimed ICBC FS paid to restore and/or prevent the leakage of their sensitive data.

LockBit claims ICBC FS paid the ransom, source: VX-Underground

When the researcher asked how much, the LockBit spokesperson responded “TLP RED,” which is an abbreviation for Traffic Light Protocol: Red. TLP:RED is a designation from the Traffic Light Protocol standardized by CISA, which the agency uses to mark information that is “not for disclosure, restricted to participants only.”

It is not exactly clear what data LockBit managed to compromise, but it is noteworthy that ICBC FS employees were temporarily unable to access their email accounts and to connect to the DTCC. Also, given how quickly ICBC FS is believed to have paid the ransom and thus restored its network operations, Resecurity assesses with low-to-medium confidence that the compromised data may have included mission-critical firm data and, potentially, client data.

Alternately, Bloomberg recently reported that a “person familiar with the hack and investigation said a reason the bank could get back online quickly was that a key part of its trading system was unaffected by the attack.” The Bloomberg narrative is that ICBC FS was relying on a “server that was more than 20 years old, made by now-defunct IT equipment maker Novell Inc.” This server allegedly contained a significant amount of the bank’s trading data, yet it was “so old that LockBit’s ransomware didn’t work on it,” reported Bloomberg.

Still, the general sentiment in the cybercriminal community is that ICBC FS paid some ransom amount. In the XSS cybercriminal forum post below, community member ‘nylawfirm’ notes the difference in how Boeing, which LockBit recently added to their darknet leak site (DLS), and ICBC FS responded to their ransomware incidents.

Cybercriminal forum discussion about the ICBC FS ransomware attack, source: XSS

Nylawfirm said “few people understand the meaning of paying the ransomware. For example, everyone at Boeing is hired employees - the loss of their company’s data is not their problem; no one will judge them personally. That's why Chinese ICBC paid - that's an interesting topic.”

The forum member is suggesting that ICBC was motivated to pay the ransom quickly because client and counterparty data may have been compromised in the ransomware attack. XSS member ‘barnaul’ responded to Nylawfirm’s comment by saying “there are a ton of factors there, starting from the importance of the locked unit, its entire network or segment, and ending with the locking of infrastructure-important units. That’s why Boeing didn’t pay, but China did.”

Cybercriminal discussion about the ICBC FS ransomware attack, source: XSS

Nevertheless, the important takeaway here is that this breach could have been prevented had ICBC FS been more vigilant about its cyber-risk posture. As previously noted, the Citrix Bleed vulnerability was disclosed by Citrix a month before the attack. Still, the firm left some of their Citrix assets exposed. After the attack, a Shodan search revealed these unpatched assets. Shodan is a search engine for web-connected devices.

While Fitch, the rating agency, does not consider a temporary failure to make a payment due to operational disruptions “outside of the issuer’s control” to represent a default so long as the funds are repaid within 30 calendar days, ICBC FS and its parent company still face regulatory scrutiny on multiple fronts. On Breach Forums, community member ‘blackboar’ suggested that losing connectivity to the DTCC immediately triggers fines from “regulatory bodies.”

Blackboar speculates on regulatory fallout from ICBC attack, source: Breach Forums

Oversight bodies could even probe whether any ransom payment, in the event ICBC FS caved to LockBit’s demands, could have violated sanctions. In the post below, XSS member nylawfirm highlights the sanctions statutes ICBC may have violated if it gave in to LockBit’s extortion demands.

XSS user Nylawfirm cites sanctions statutes, source: XSS

The firm has also suffered extensive reputational damage, and has “been unable to convince some market participants that it’s safe to reconnect their computer networks to the bank’s US unit,” following the cyberattack, according to Bloomberg reports. The attack ultimately spotlighted the important role Treasury and repo markets play in the global financial system, a topic Resecurity will demystify next.

What are Repos?

A 2022 U.S. resolution plan published by ICBC said that ICBC FS is primarily funded by “selling, or ‘Repoing out,’ U.S. Government securities and Agency securities under Repos.” The bank first plunged into this line of business in 2010. An FT report about the LockBit attack noted that this ICBC unit “works closely with US-based Chinese banks, which deal with Treasury holdings on behalf of the offshore units of Chinese state-owned companies.”

“Almost all collateral underlying ICBC FS’s Repos and reverse Repos is composed of U.S. Treasury and Agency securities,” notes ICBC’s resolution plan. In this context, it’s noteworthy that ICBC became a vital link for the Chinese government as it started “hoovering up US Treasuries,” according to the FT. Today, the bank is the second-largest holder of U.S. debt, owning about $805.4bn in Treasuries as of August.

But while researching this topic, Resecurity discovered that general understanding of the repo market is hazy and unclear even at the regulatory level. This market ecosystem is rife with complex terminology that, at the same time, seems contradictory and counterintuitive. As such, it’s important to properly dissect and define the industry lexicon of terms used to describe repo market mechanics on a granular level.

Repos are short-term secured loans, typically issued in line with the overnight, bank-to-bank federal funds rate. In repo trades, financial institutions (FIs) like banks, broker-dealers, and hedge funds borrow cash from money market funds (MMFs) or large pension and insurance funds, on the condition that they buy back the securities they pledged at a slightly higher price. Just like ICBC FS’ financing model, U.S. Treasuries frequently serve as collateral in repo transactions.

In rule comments the DTCC submitted to the Securities and Exchange Commission last year, the clearing agency noted that MMFs are the most “crucial cash providers in repo markets—a role that has only increased over the last 20 years—accounting for nearly 22% of total repo assets.”

According to the Federal Reserve, the U.S. repo market has four distinct segments. “One way of describing these segments is to distinguish between transactions that are settled on the books of a third party and transactions that are settled on a delivery-versus-payment (DVP) basis,” notes the Fed. Another way of conceptualizing these transactions is those that clear centrally through a central clearing counterparty (CCP) and those that clear non-centrally, or bilaterally between two counterparties.

DVP, meanwhile, is a settlement method in which the lender’s cash is disbursed simultaneously with the borrower’s posting of securities collateral. In finance terminology, clearing is the “correct and timely transfer of funds to the seller and securities to the buyer.” The FICC is considered a CCP and has been designated by the U.S. government as a Systemically Important Financial Market Utility (SIFMU).

In fact, the FICC currently serves as the sole CCP “for outright purchases and sales and repo transactions in U.S. Treasury securities,” according to a white paper published by the agency in September. Specifically, the FICC’s Government Securities Division (GSD) is the unit responsible for clearing Treasury trades. As noted by the FICC website, “US Government Securities is the largest sector of the fixed income market.” U.S. Treasury transactions cleared through the FICC exceeded $1.5 quadrillion in 2022, according to the FICC website.

The FICC also notes that Treasuries are a “key tool to implement monetary policy and the federal government relies on the sale of Treasuries to finance essential services.” Thus, the continuous “functioning of these markets is critically important to the strength and stability of the entire U.S. economy,” according to the FICC. Overall, the U.S. Treasury Market is “split between two disparate clearing processes: bilaterally cleared transactions and centrally cleared transactions via FICC,” said the clearing house.

Repo Market Segments

Currently, the “four segments of the repo market span the different combinations of centrally cleared and non-centrally cleared, tri-party and bilateral,” according to a rule change proposed by the OFR in January 2023. For the centrally cleared tri-party repo market and bilateral repo market, the FICC is the CCP that clears those trades.

Background on U.S. repo market segments, source:

As noted by the OFR’s proposed rule change, the “centrally cleared bilateral repo market is provided by FICC's DVP Service and includes a sponsored service, which offers eligible clients the ability to lend cash or eligible collateral via FICC-cleared delivery-versus-payment (DVP) repo transactions in U.S. Treasury and agency securities on an overnight and term basis.”

Meanwhile, the rule change notes that the “centrally cleared tri-party repo market is operated through FICC's GCF Repo Service, which also includes the Centrally Cleared Institutional Tri-Party Service, through which institutional counterparties (other than investment companies registered under the Investment Company Act of 1940) can participate as cash lenders in general collateral finance repo on a specified-counterparty basis.”

GCF stands for general collateral financing, which are repos “executed without the designation of specific securities as collateral,” according to Investopedia. Regarding the U.S. non-centrally cleared tri-party repo market, BNY Mellon (BONY in the chart above) “serves as the tri-party custodian and transaction-level data is collected under the supervisory authority of the Federal Reserve Board of Governors (Federal Reserve Board),” notes the OFR’s proposed rule.

Overall, the roughly $1.5 trillion in overnight Treasury repos, “much of which goes through BNY Mellon,” on a tri-party basis, per the WSJ, set the Secured Overnight Financing Rate. Wall Street uses the SOFR as a key benchmark for corporate loans.

Tri-Party Opacity

The largest segment of the repo market, providing over 70% of its intraday trading volume, is non-centrally cleared bilateral repurchase agreements (NCCBRs) settled by BNY Mellon. NCCBR transactions are a “major source of hedge fund borrowing,” according to a report co-authored by the Federal Reserve Bank of New York and the OFR.

Bilateral clearing versus central clearing, source: Bank of England

As of 2018, BNY Mellon is the sole provider for clearing tri-party, or non-centrally cleared repos. Specifically, BNY Mellon formed a specialized clearing bank unit in 2017, calling their new subsidiary BNY Mellon Government Securities Services Corp. The bank created this unit after J.P. Morgan Chase exited this seemingly esoteric settlement business at the end of 2017. J.P. Morgan closed its tri-party settlement business due to regulatory constraints caused by post-crisis reforms in the financial industry.

According to the Fed, the non-centrally cleared segment is “traditionally referred to as the tri-party repo (because of the involvement of a clearing bank).” “Although tri-party repo transactions are bilaterally negotiated,” noted the Fed, “they are settled through a clearing bank.” Clearing banks like BNY Mellon, meanwhile, are industry utilities that provide “US Treasury settlement clearing and tri-party management services,” according to the International Capital Market Association.

The ICMA also said a tri-party repo is a “transaction for which post-trade processing --- collateral selection, payments and deliveries, custody of collateral securities, collateral management and other operations during the life of the transaction --- is outsourced by the parties to a third-party agent.” But here is where it gets confusing. In 2017, the FICC launched a CCIT repo service.

A fact sheet published by the clearing house the same year states that the CCIT offering expanded their GCF services and FICC’s CCP “guarantee of completion of eligible trades to tri-party repo transactions between GSD dealer members and eligible tri-party money lenders.” So basically, even though the Fed is saying that ‘tri-party’ and ‘non-centrally cleared’ are interchangeable definitions, the FICC has a special service that centrally clears repo transactions on a tri-party basis.

Most FICC Customers Don’t Understand Their Access Models

Despite being a member of the DTCC’s FICC, the primary CCP in the world for processing U.S. Treasuries, the hack revealed that ICBC FS is engaging BNY Mellon as a partner for tri-party repo settlement. The ICBC FS website notes that the firm provides “tri-party financing for cash investors,” but its repo services may be more diverse. The FICC’s GSD offers four different membership tiers for direct and indirect participants: Netting, CCIT, Sponsoring, and Sponsored.

Per the Fed, netting refers to a “method of reducing credit, settlement and other risks of financial contracts by aggregating (combining) two or more obligations to achieve a reduced net obligation.” The above membership tiers are demarcated by varying degrees of capital and operational requirements, with Netting enrollment, the most direct form of FICC participation, requiring the strongest financial base.

The FICC also considers CCIT members to be direct participants, but with less access than Netting members. Meanwhile, the FICC considers Sponsoring and Sponsored members to be indirect participants. The clearing house’s Sponsored Service “offers eligible clients the ability to lend cash or eligible collateral via FICC-cleared DVP repo throughout the day,” according to an FICC explainer.

The FICC explainer also noted that sponsoring members “facilitate their sponsored clients’ GSD trading activity and act as processing agents on their behalf for all operational functions, including trade submission and settlement with the CCP.” Based on comments made by ICBC in response to a Capped Contingency Liquidity Facility (CCLF) reform that was proposed and ultimately approved by the Securities & Exchange Commission in 2017, the firm appears to have been a “smaller netting member” of the FICC at the time.

But it’s unclear how the rule’s approval in November of that year impacted ICBC FS’ membership. Either way, the firm appears to be settling multi-billion-dollar trading volumes via BNY Mellon. This suggests ICBC FS is financing a significant number of repos in an NCCBR capacity. However, Resecurity has not confirmed this.

Ultimately, it’s worth noting that even the FICC admits that their membership tiers and access models are confusing. In the white paper the FICC published in September, the agency disclosed survey responses from its members and highlighted this “key finding”:

“FICC’s various access models and available services are not broadly understood, and a majority of FICC members remain unsure which of FICC’s access models they want to use for the indirect participant activity. Specifically, 52% indicated they were unsure as it relates to Treasury Reverse Repo and Treasury Repo activity and 58% indicated they were unsure as it relates to indirect participant Treasury cash activity.”

Major Source of Hedge Fund Borrowing

Drilling back down into NCCBRs, over 80% of these tri-party trades are overnight agreements, according to the Fed. With four trillion dollars in total AUM, magnified by limitless leverage, the hedge fund industry may have usurped investment banks as Wall Street’s titans.

Percentage of Tri-Party Repo Trades vs GCF Repos, source

In this light, a 2021 Fed report noted that “hedge funds play an increasingly important role in U.S. Treasury (UST) cash and futures markets, a role that has been widely discussed following the March 2020 U.S. Treasury sell-off.” A later Fed report published in August 2023 said “hedge funds borrow in repo almost exclusively through two venues: FICC's sponsored DVP repo service (a centrally cleared bilateral market) and the non-centrally cleared bilateral repo market.”

Tri-Party Repo vs GCF Repo fund flows, source:

“While the non-centrally cleared bilateral market is a larger source of funding for hedge funds than sponsored repo, sponsored repo serves an important role because it allows dealers to net their lending to one entity against borrowing from another for calculating certain regulatory ratios,” noted the Fed.

In fact, sponsored repos are increasingly being used to finance a highly popular hedge fund trade that used to be largely funded by NCCBRs. The so-called “basis trade” is an increasingly controversial investment strategy that exploits “the price difference between Treasury bonds and futures tied to those same bonds,” according to Bloomberg. Occasionally, a “bond future’s price rises above the underlying bond price because of heavy futures purchasing by pension funds, insurance companies and other institutional investors,” Bloomberg said.

Thus, the basis trade is ultimately an arbitrage play where hedge funds sell Treasury futures on one hand, while simultaneously buying the underlying bond assets, on the other. While proponents of the basis trade insist it’s an “essential market lubricant as a source of demand for Treasuries,” Bloomberg also noted that regulators are concerned about the “combination of high leverage — as much as $50 borrowed for every $1 in capital invested — and heavy reliance on short-term borrowing.”

As an example, take a scenario where the banking system is experiencing a deficit in liquidity and there isn’t enough cash to loan out. This would deliver a shock to the repo market, causing funding costs to rise abruptly and ultimately rendering the trade unviable. This precise chain of events unfolded in the early months of the Coronavirus pandemic in 2020. As uncertainty proliferated throughout the market, investors rushed to Treasury futures, as opposed to cash bonds, “driving spreads between the two much wider,” noted Bloomberg.

To resolve this liquidity crisis, the Fed had to inject $5 trillion into the banking system. In 2023, the Fed published a report that said “hedge funds unwinding the cash-futures basis trade likely contributed to the March 2020 Treasury market instability.” The key takeaway from this is that despite being a relatively small player in the overall Treasury market, ICBC FS may have played an outsized role in hedge-fund, basis-trade financing, a risky trade that has previously been linked to Treasury market flash crashes.

FIs’ Growing Exposure to Cyber-Risk

Based on the chaos sowed throughout capital markets, specifically $60+ billion in delayed Treasury deliveries and the suspected sabotage, wittingly or not, of a quarterly 30-year Treasury auction, the ICBC FS attack easily exceeds the severity of the Carbanak gang’s entire, year-long, billion-dollar bank-robbery spree. The latter was previously the greatest cyber-heist campaign in the history of Wall Street. The difference boils down to systemic significance.

Credit-rating agency Fitch warned that the LockBit attack “highlights financial institutions’ growing exposure to payment interruption risk arising from cybersecurity incidents as they become more frequent and severe.” At the 2023 Treasury Market Conference, which took place November 16, the U.S. Treasury Secretary for Domestic Finance Nellie Liang addressed the ICBC FS incident and said the financial system remained resilient amidst the cyber-disruption.

In a prepared statement, Liang said her agency “activated its cyber incident response procedures, which includes a sector-wide executive response group. The firm quickly moved to alternative processing, and the event did not spread to other firms nor have a notable effect on Treasury markets.” “We are staying in regular contact with key financial sector participants and federal regulators, as well as continuing to assess potential effects on Treasury markets,” added Liang.

Nevertheless, the FT reported that some FIs were still “experiencing difficulties in finalising trades for hedge funds in the short-term lending market” a week after the attack. Ultimately, the shock caused by the ICBC FS attack illustrates how systemic shifts precipitated by the 2008 financial crisis and the sweeping regulatory reforms that ensued have introduced new dimensions of interconnected cyber-risks. This operationally transformed cyber-threat model poses unique threats to the stability of the global financial system.

Specifically, the FT spotlighted how increased Treasury market fragmentation in the wake of 2008 financial crisis led to a horde of new and unconventional entrants claiming territory that used to be the exclusive dominion of U.S. investment banks. But as regulatory reform forced investment banks to scale back Treasury trading and other activities, they were increasingly “replaced by brokers, asset managers and foreign firms like ICBC, which can use more leverage and take greater risks,” according to Bloomberg.

In this transformed debt-and-capital market landscape, foreign FIs like ICBC have emerged as vital liquidity nodes in Treasury and repo markets, competing with the likes of Goldman Sachs. Thus, the LockBit ransomware breach was an eyeopener. One anonymous executive in the fixed-income prime brokerage unit of a large U.S. bank told the FT that the market “exposure to ICBC was significantly higher than what we expected.”

The key questions that emerge from this attack are: what other blind spots do critical financial market participants have regarding their counterparty risks, and how does the overlay of cyber-risk compound those counterparty unknowns?

Declining Demand for U.S. Debt

The attack is most concerning because Treasuries, which are supposed to be stable investments, have been particularly volatile this year – even without cyber-shocks. These assets have surpassed swings in equities by the widest margin in 18 years, according to Bloomberg. Shockingly, global investor appetite for U.S. debt, which has, since time immemorial, been backed by the full faith and credit in the U.S. government, has fallen so low that America’s borrowing costs have surged past countries with much poorer credit ratings.

Today, the U.S. is paying more than countries like Vietnam, Morocco, and Bulgaria to borrow money via Treasury issuance, according to Business Insider. At the same time, a November Treasury report said that "bank security portfolio assets have been declining since last year with bank holdings of Treasuries down $154 billion compared to one year ago. The appreciation of the US dollar means some foreign central banks may consider liquidating Treasury securities in the process of defending their currencies.”

Compound this trend with a rising yuan that has been buoyed by Beijing’s increasingly ambitious and subversive bilateral currency swap agreements with countries like Saudi Arabia, Brazil, and others - and the ICBC FS ransomware attack seems particularly ominous. As Beijing jockeys to displace the U.S. as the global hegemon, the yuan surpassed the euro for the first time ever in October to “become the world's second-most used currency in SWIFT trade settlements”.

Thus, counterparties involved in the vital Treasury and repo trading segments need to be extremely vigilant about their cyber-risk postures and pivot to zero-trust network access models immediately, if they haven’t done so already. As for ICBC FS, the firm and its corporate parent may also face legal repercussions over perceived cyber-negligence from their clients and business partners.
Also uncertain is whether the attack on ICBC FS enabled LockBit affiliates to gain footholds or discern intrusion vectors into their customer or partner networks. Curiously, a little over a week after the gang hacked ICBC’s subsidiary, they announced two new finance-industry victims on their DLS: Chicago Trading Company and Alphadyne Asset Management.

Lockbit 3.0 announces new victims Alphadyne Asset Management and Chicago Trading, source: LockBit 3.0 DLS

Alphadyne appears to be a hedge fund that invests money on behalf of “pension funds, insurance companies, asset managers, investment consultants and sovereign wealth funds,” according to the firm’s website. The website also says the firm “pursues macro and fixed income relative value investment strategies in global interest rate, foreign exchange, equity, commodity and credit markets.” Alphadyne is also led by two executives with deep experience in Asia.

CTC, on the other hand, is a proprietary trading firm, meaning they invest their own capital and don’t manage outside money. As the FT noted, prop traders form one of ICBC FS’ key customer segments. Also, Alphadyne’s business model, specifically the fact that they are a hedge fund focused on fixed-income investments, is notable.

Overall, LockBit announcing two firms so closely aligned with ICBC FS’ core customer segments and business lines as victims, and doing so this quickly after the initial attack, is deeply suspicious. Although Bloomberg reported that LockBit actually hacked CTC in October, a spokesperson for the firm told the news outlet “there was never any ransomware.” Either way, the intrusion path may also have run in the opposite direction.

Perhaps the CTC intrusion enabled LockBit to spot an entry path into ICBC FS’ network. The full attack chain remains unknown. Still, none of these institutions have confirmed that the ICBC FS ransomware breach has resulted in downstream breaches. While LockBit gave Alphadyne a November 25 deadline to pay the ransom, CTC was given until November 22 to cough up the loot. It is unknown whether either firm paid.

Per Bloomberg, Alphadyne declined to comment on LockBit’s claims, but a source told the news outlet the firm was “conducting business as usual.” CTC, meanwhile, is “investigating with help from law enforcement, and it’s reviewing and bolstering its security,” according to the news outlet.

The ICBC FS ransomware breach is the most devastating attack to ever strike the financial industry. The attack is a particularly ominous sign when viewed in the backdrop of the intensifying geopolitical tensions globally. Central to this escalating power struggle is hybrid-financial warfare. As Beijing angles to make the yuan more prominent in international trade and as a global reserve currency, there looms the threat of nation-state adversaries leveraging offensive cyber-capabilities to accelerate this trajectory at the dollar's expense. For financial services firms seeking to clarify their cyber-risk exposures and enhance their defensive postures, Resecurity can help.
