SHANGHAI, CHINA - OCTOBER 22, 2021 - The Industrial and Commercial Bank of China (ICBC) on the Bund in Shanghai, China, Oct 22, 2021. Huawei and INDUSTRIAL and Commercial Bank of China jointly innovated in E-CNY application scenarios, taking the lead in supporting digital RMB wearable payment, and jointly demonstrated the progress of project cooperation at huawei Developer Conference 2021 (Together) sub-forum "Wallet Payment and Membership Services". Users bound E-CNY wallet to Huawei Watch 3 series. The two sides also envision future cooperation in the multi-dimensional scenario of E-CNY. (Photo credit should read Wang Gang / Costfoto/Future Publishing via Getty Images)
The Industrial and Commercial Bank of China (ICBC) on the Bund in Shanghai, China.
Wang Gang/Costfoto/Future Publishing/Getty Images
CNN  — 

A ransomware attack on a US unit of the powerful Industrial and Commercial Bank of China that may have contributed to a brief market sell-off on Thursday was a significant escalation for cybercriminals that underscored how big hacks can disrupt business for even the best-resourced companies, experts told CNN.

The incident immediately sparked concern among regulators and senior US and Chinese officials. It led to a flurry of behind-the-scenes coordination with the affected bank and across the financial sector about the threat.

FS-ISAC, an industry group for sharing cyberthreat intelligence composed of big banks around the world, has been sharing data on the attack with its members and reminding them “to stay current on all protective measures and patch critical vulnerabilities immediately,” a spokesperson for the group told CNN on Friday.

Intelligence sharing around cyberattacks like this is “critical,” the spokesperson said, “given the potential for disrupting system availability.”

The financial sector, and particularly its big banks, has long been considered one of the better defended sectors of the global economy from hacks. But the threat of ransomware, which has touched virtually every sector of the economy, has posed new challenges to financial institutions’ cyber defenses.

“The combination of advanced [hacking] techniques and security solutions that were not designed to address ransomware specifically means even sectors like financial and banking, which typically have the most mature security programs, are not going to be able to defend against a determined and well-resourced threat actor,” Jon Miller, CEO of US cybersecurity firm Halcyon, told CNN.

The hackers hit New York-based ICBC Financial Services, a subsidiary of the world’s largest bank by assets and a Chinese state-owned institution. The recovery was ongoing, the bank said in a statement on Thursday that remained on its website as of Friday afternoon.

“We successfully cleared US Treasury trades executed Wednesday … and [repurchase agreements] financing trades done on Thursday,” the statement said.

ICBC Financial Services did not respond to CNN’s request for comment on Friday.

It could take days for the ICBC subsidiary to return to normal business operations, Reuters reported Friday. At least one bank, BNY Mellon, was manually settling trades of Treasury securities with the ICBC because of the hack, the wire service reported.

ICBC Financial is not currently connected to BNY Mellon’s Treasury settlement platform due to the cyberattack, a person familiar with the matter told CNN. However, BNY Mellon is helping ICBC Financial manually process its Treasury trades, the source said.

“We’ve been tracking [the ransomware attack on the ICBC subsidiary] for a couple days now,” a senior cybersecurity executive at a big US financial institution told CNN. “We’re taking a look at the response and the broader impact given ICBC’s size and role in the global financial sector,” said the executive, who spoke on the condition of anonymity because they were not authorized to speak to the press.

A prolific cybercriminal group known as LockBit claimed responsibility for the ransomware attack on Friday. LockBit has Russian-speaking members, but it also has “affiliates,” or criminal partners, in multiple countries, that rent the ransomware and use it in attacks. Cybersecurity researchers believe one of those affiliates is based in China.

It is unclear which LockBit affiliate carried out the hack.

By going after such a big target, the hackers may have overplayed their hand by potentially drawing the ire of the Chinese government, cybersecurity analysts told CNN.

The Russian government has often resisted US government appeals to crack down on ransomware gangs operating from US soil, but Russia and China’s closer relationship means the hackers may draw more scrutiny after this incident, said Allan Liska, a ransomware expert with cybersecurity firm Recorded Future.

“If China sees this as a black eye, they may demand action from the Russian government,” Liska told CNN. “The team behind LockBit has benefited greatly from the poor relations between the United States and Russia.”

A series of disruptive cyberattacks on US banks more than a decade ago, which the US blamed on Iran, was a wakeup call for the financial sector. The sector has since poured billions of dollars into defenses. JPMorgan Chase alone spends $600 million a year on cybersecurity, according to its website.

But groups like LockBit tend to single out powerful companies to try to extort them for millions of dollars. LockBit ransomware was the most deployed ransomware around the world in 2022, according to US cybersecurity officials.

“While recent trends have suggested that some ransomware groups are shifting to go after medium-size, less well-defended organizations, LockBit and its affiliates continue to garner headlines unabated,” Will Thomas, a cybersecurity expert who closely tracks ransomware groups, told CNN.

The FBI declined to comment on Friday when CNN asked if the bureau was investigating the incident. The federal Cybersecurity and Infrastructure Security Agency, which also responds to big private-sector hacks, referred questions to the Treasury Department, which did not comment by press time.

- CNN’s Matt Egan contributed to this report