Lessons from ICBC’s Cyberattack on Protecting World’s Largest Financial Institutions

Reading Time: 8 min Read
8 min


Kim Kyung-Hoon / REUTERS


The Industrial and Commercial Bank of China, commonly known as ICBC, stands as a testament to the colossal scale and influence of modern banking. With a staggering $5.7 trillion in assets by the end of last year, ICBC is not just a financial institution but a global powerhouse, the largest bank in the world by assets. Its reach extends far beyond China’s borders, impacting global financial markets.


This prominence is particularly evident in the realm of U.S. Treasury trading, where ICBC plays a critical role. As a financial intermediary, ICBC facilitates a significant volume of transactions, influencing the ebb and flow of one of the most critical segments of the global financial market. The bank’s operations are not just limited to traditional banking services; they extend to complex financial operations involving clearing houses and a range of sophisticated financial instruments.


However, this size and significance also make ICBC a notable target for cyber threats, as was starkly highlighted in a recent cyberattack early in November 2023 that disrupted its operations and sent ripples through the U.S. Treasury market. This incident underscores the vulnerability of even the most formidable financial institutions and the far-reaching consequences of such attacks on global financial stability.


Let’s delve into the specifics of this cyberattack on ICBC, exploring its nature, impact, key takeaways, and preventative measures we can learn from this incident to better protect your company.



What Do We Know About the Attack?


The incident was first reported in early November 2023, targeting ICBC’s U.S. financial services division. The attack was sophisticated, leveraging a type of ransomware known as LockBit 3.0. This particular strain of ransomware is notorious for its evasiveness and complexity, making it a formidable tool for cybercriminals.


The attack had a significant impact on the operations of ICBC, particularly affecting its capacity to trade U.S. Treasurys. This disruption was not limited to ICBC’s internal operations but extended to the broader market. In one day, more than $62 billion of U.S. Treasurys failed to deliver, indicating the scale of disruption in market operations. Additionally, the attack coincided with a poorly received sale of 30-year U.S. Treasurys, further complicating the market situation.


“Because banks have invested so heavily in cybersecurity, most of them felt like something like this couldn’t happen,” said Allan Liska, a ransomware researcher at cybersecurity firm Recorded Future. “This is the first time we’ve seen an attack like this that is disruptive of the Treasury market.”


Upon detection of the attack, ICBC swiftly isolated the impacted systems to contain the breach. This rapid response was crucial in preventing further damage. However, the attack forced ICBC to disconnect and isolate some of its systems, and it was unplugged from the Treasury market in the U.S. by Bank of New York Mellon. The bank resorted to manually clearing trades, a testament to the severity of the situation.



How Did This Attack Happen?


The cyberattack on ICBC was not just a random act of digital vandalism but a calculated and sophisticated operation that exploited specific vulnerabilities. Understanding how this attack happened is crucial for comprehending the cybersecurity challenges faced by financial institutions.



Infiltration and Ransomware Deployment

The core of the attack was the deployment of LockBit 3.0 ransomware. This type of ransomware is known for its modularity and evasiveness, making it particularly challenging to detect and counter. The exact infiltration method remains unclear, but such attacks typically begin with a phishing campaign or exploitation of a network vulnerability. Once inside the system, the ransomware encrypts critical files and data, rendering them inaccessible to the bank’s personnel.


LockBit 3.0 is a sophisticated piece of malware. It is designed to bypass standard security measures and can be customized for each target, complicating efforts to create a universal defense against it. This ransomware is part of a larger trend known as “ransomware-as-a-service,” where cybercriminals develop and sell ransomware tools to other hackers, democratizing access to powerful cyber-attack tools.



System Vulnerabilities Exploited

The successful deployment of LockBit 3.0 against ICBC suggests that there were vulnerabilities in the bank’s cybersecurity armor. These could range from unpatched software to insufficient network segmentation or even a lack of employee training on cybersecurity threats. The complexity of financial institutions’ IT environments can often create blind spots in security.






The cyberattack on ICBC transcended mere disruption of internal systems; it had tangible and significant financial and operational impacts.



Impact on U.S. Treasury Markets

One of the attack’s most immediate and visible effects was its impact on the U.S. Treasury markets. ICBC’s role as a clearing house in these markets means its incapacitation had ripple effects. The failure of more than $62 billion in U.S. Treasurys to be delivered on a crucial trading day is a stark indicator of the attack’s severity. This failure not only reflects the direct impact on ICBC but also underscores the interconnectedness of modern financial systems.


The attack significantly affected the repo market, where ICBC facilitates transactions. The inability to electronically process these transactions led to operational bottlenecks, with a reported $70 billion in U.S. Treasurys failing to be delivered. This disruption showcases the vulnerability of financial markets to cyber incidents, given their reliance on digital infrastructure.


While ICBC managed to manually clear trades, this workaround was far from efficient. The need for such manual intervention highlights the cost in terms of time and resources, not to mention the potential for human error in a process typically dominated by precision automation.



ICBC’s Operational Disruption

The attack on ICBC disrupted key business processes crucial for the smooth operation of financial markets. The bank’s ability to process transactions was severely impacted, especially in the U.S. Treasury and repo markets. This led to a significant delay in trade settlements and posed challenges in maintaining the continuity of critical financial services.


In our recent white paper, “It’s Not If, But When: How Leadership Can Build Resilience In A Hack-Inevitable Era?” we dive deep into several high-profile cyberattacks, including those on MGM Resorts, Clorox, and Caesars Entertainment, which offer valuable lessons. Similar to what happened with ICBC, these incidents underline a shift in cybercriminal tactics from mere data breaches to targeting and disrupting key business operations.



Broader Market Reactions

The market’s reaction to the attack went beyond the immediate operational hurdles. There was a notable concern among investors and market participants about the systems’ reliability and security underpinning critical financial operations. This concern could have longer-term implications for market confidence and the perception of cybersecurity risks in financial transactions.



ICBC’s Response to the Cyberattack


The response of the ICBC to the cyberattack was critical in managing the immediate crisis and shaping the perception of their resilience and reliability.



Immediate Action Taken

As soon as the cyberattack was identified, ICBC acted swiftly to mitigate its impact. The primary step was isolating the impacted systems to contain the breach. This rapid isolation was crucial in preventing the ransomware from spreading further within their network and potentially impacting more critical systems.


ICBC maintained communication with key stakeholders throughout the incident. This included working closely with law enforcement agencies and cybersecurity experts to assess the situation and coordinate an effective response. The bank’s openness in acknowledging the attack and its commitment to resolving the issues helped in maintaining a level of trust with its clients and the broader financial community.



Manual Clearing of Trades

One of the more significant responses was ICBC’s decision to manually clear trades following the disconnection from automated systems. This decision, while resource-intensive and less efficient than digital processes, ensured that essential market operations could continue. It highlighted ICBC’s dedication to maintaining operational continuity even under challenging circumstances.


ICBC actively engaged with regulatory authorities, including the Securities and Exchange Commission (SEC) and other financial oversight bodies, to ensure compliance and transparency in their response efforts. This cooperation was vital in aligning ICBC’s recovery efforts with broader market stability and regulatory standards.



Key Takeaways and Preventive Measures


The cyberattack on ICBC, alongside similar incidents in other major corporations, brings to light crucial lessons and preventive measures that can be adopted to safeguard against such threats in the future.


It’s clear that a deeper understanding of ICBC’s critical business processes and associated risks could have potentially mitigated the impact of the cyberattack. By focusing on protecting these key areas and aligning cybersecurity strategies with business objectives, ICBC could enhance its resilience against future cyber threats.



Importance of Understanding and Protecting Critical Business Processes

A fundamental lesson from ICBC and other recent high-profile attacks is the importance of understanding an organization’s critical business processes and the associated risks. This knowledge is the first line of defense in building a robust cybersecurity strategy.


As Thomas Parenty, author of HBR’s A Leader’s Guide to Cybersecurity, says, “You cannot protect if you don’t know how it works.” It’s essential for organizations to inventory their key business processes and assets to understand the material risks they face. This involves:


  • Identifying critical business processes and supporting assets that are vital for the firm.
  • Understanding the business’ risk threshold in terms of acceptable financial and operational losses.
  • Implementing strategic mitigation measures aligned with the identified critical risks.
  • Ensuring that cybersecurity initiatives are directly tied to reducing material risks to the business.



Developing Cyber Resilience for Mission-Critical Operations

Effective cybersecurity is no longer just an IT issue; it’s a business-critical strategy. Organizations should develop a cyber risk management framework that aligns with their business objectives. This means prioritizing investments in cybersecurity measures that reduce the most significant risks to business operations.


Implementing strategic mitigation measures involves more than just deploying the latest technology. It requires a comprehensive understanding of the business’s risk threshold and a targeted approach to reducing those risks. This may include enhancing employee training, improving incident response protocols, and investing in advanced threat detection and response systems.


Traditionally, cybersecurity efforts have often been focused on protecting individual technologies. However, recent attacks demonstrate the need for a shift in this approach. The focus should now be on understanding the entire ecosystem of business operations and protecting the processes that are critical to the organization’s functioning.


If you want to learn more about how you can implement this approach, check out our solution, Cyber Resilience for Mission-Critical Operations.







The cyberattack on the Industrial and Commercial Bank of China (ICBC) is a powerful reminder of the ever-present and rapidly changing cyber threats facing organizations today. As the largest bank in the world, ICBC’s experience is a wake-up call for all businesses about the importance of cybersecurity in safeguarding critical operations.


This incident reinforces the need for a paradigm shift in approaching cybersecurity. Protecting individual technologies is no longer sufficient. Instead, a comprehensive understanding of an organization’s critical business processes and a business-driven approach to risk management are essential.


The lessons learned from ICBC and similar high-profile cyberattacks must guide future strategies. Building resilience, understanding critical assets, and aligning cybersecurity initiatives with business goals are key to navigating the hack-inevitable era. As businesses continue to evolve and digitize, the role of cybersecurity as a catalyst for sustainable growth and a protector of high-value assets and reputation becomes increasingly vital.


As we move forward, the insights gleaned from ICBC’s experience will be instrumental in shaping a more secure and resilient digital future for businesses worldwide.





Note: This blog post is based on information available as of Nov 15th, 2023, from various news sources. The situation might evolve, and readers are advised to stay updated through official channels.


Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Insights

Join Thousands of weekly reader

Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.

This field is for validation purposes and should be left unchanged.