Cyber Incident Victim: Industrial and Commercial Bank of China
Date: Nov 2023
Location: United States of America
Summary
The Industrial and Commercial Bank of China's U.S. financial services unit experienced a ransomware attack disrupting systems and impacting equities clearing operations, notably hindering U.S. Treasury trade settlements for market participants. The incident prompted isolation of affected infrastructure and temporary suspension of order processing, though critical trades were later cleared. Recovery efforts proceeded with cybersecurity experts, and the breach was linked to exploitation of an unpatched Citrix server vulnerability. The attack did not compromise the bank's broader international or domestic operations due to segregated systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 8, 2023, U.S. Eastern Time, the Industrial and Commercial Bank of China Financial Services (ICBC FS) experienced a ransomware attack that disrupted certain systems. The attack prevented ICBC from connecting to the Depository Trust & Clearing Corporation (DTCC) and National Securities Clearing Corporation (NSCC), halting all clearing services for its customers. Equity traders received emergency notifications stating inbound FIX connections were suspended and order acceptance paused. The disruption specifically impaired ICBC’s ability to settle U.S. Treasury trades for other market participants, causing operational issues within the U.S. Treasury market. ICBC FS detected the incident promptly, disconnecting and isolating impacted systems to contain the attack. The bank initiated an investigation with its information security team and notified law enforcement. By November 9, ICBC successfully cleared U.S. Treasury trades executed on November 8 and repo financing trades from November 9. The bank clarified that its core business systems, email infrastructure, ICBC New York Branch, Head Office, and other global affiliates operated autonomously and remained unaffected.

Industry sources attributed the attack to exploitation of an unpatched Citrix NetScaler vulnerability (CVE-2023-4966), known as 'Citrix Bleed,' which permits authentication bypass. Security researchers observed that an ICBC Citrix server, last seen online on November 6, had been vulnerable to this flaw before it went offline. The ransomware intrusion caused significant operational disruption, prompting the U.S. Treasury Department to engage with financial sector participants and regulators while monitoring the situation. ICBC FS prioritized system recovery efforts but did not disclose the ransomware group involved or specific details of any data compromise. As the world's largest commercial bank by revenue, ICBC's incident highlighted systemic risks to financial infrastructure, though its segregated architecture limited broader institutional contagion. The bank's public confirmation on November 10 followed earlier reports from financial sector alerts and cybersecurity analysts documenting the attack's impact on trade settlement and clearing mechanisms.
