Anatomy of a Breach: ICBC — LockBit Ransomware Hits the World's Largest Bank and Disrupts US Treasury Trading

> series: anatomy_of_a_breach —— part: 179 —— target: icbc_us —— assets: $5,700,000,000,000 —— impact: us_treasury_trading_disrupted

Hedgehog Security 30 November 2023 13 min read

The world's largest bank. LockBit ransomware. US Treasury trades settled via USB stick.

On 8 November 2023, LockBit ransomware struck the US subsidiary of the Industrial and Commercial Bank of China (ICBC) — the world's largest bank by total assets, with over $5.7 trillion on its balance sheet. The attack disrupted ICBC Financial Services' ability to settle US Treasury trades — the most liquid and systemically important financial market in the world. ICBC was reportedly forced to physically deliver a USB stick containing settlement data to BNY Mellon to complete trades manually.

The attack exploited an unpatched Citrix NetScaler vulnerability (CVE-2023-4966, known as 'Citrix Bleed') — the same class of VPN/gateway vulnerability that had been exploited at Travelex (Pulse Secure, 2019) and Düsseldorf Hospital (Citrix, 2020). The patch for Citrix Bleed had been available since October 2023 — approximately three weeks before the ICBC attack. For the world's largest bank, running critical US Treasury market infrastructure, three weeks was not fast enough.

When ransomware hits the plumbing of the global financial system.

US Treasury Market Disrupted

The US Treasury market — the benchmark for global interest rates and the foundation of the world's financial system — was disrupted by a ransomware attack on a single institution. For UK <a href="/blog/sector-under-the-microscope-financial-services">financial services firms</a>, the ICBC attack demonstrated that ransomware against financial market infrastructure creates systemic risk. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses financial system resilience.

USB Stick Settlement

The image of the world's largest bank physically couriering a USB stick to settle Treasury trades encapsulated the absurdity and reality of ransomware's impact: when digital systems fail, organisations revert to the most basic physical alternatives. <a href="/penetration-testing/infrastructure">Our testing</a> validates that backup operational procedures — however basic — actually work.

Citrix Bleed — Three Weeks After the Patch

The Citrix Bleed patch had been available for approximately three weeks. <a href="/cyber-essentials">Cyber Essentials Danzell's</a> 14-day patching mandate would have required the patch to be applied before the attack. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched Citrix and other gateway appliances.

No Institution Is Too Big to Be Ransomwared

If the world's largest bank — with $5.7 trillion in assets — can be ransomwared through an unpatched Citrix appliance, no financial institution is immune. The LockBit affiliate that attacked ICBC demonstrated that ransomware operators will target any institution, regardless of size or systemic importance. <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box for Financial Services</a> provides 24/7 monitoring.

Patch your gateways. The world's financial stability may depend on it.

The ICBC attack proved that unpatched internet-facing appliances — VPNs, firewalls, load balancers, gateway devices — remain the most exploited initial access vector for ransomware, and that even the world's largest financial institutions are vulnerable. Cyber Essentials Danzell mandates 14-day patching. Vulnerability scanning identifies unpatched appliances. Infrastructure testing validates gateway security. SOC in a Box for Financial Services monitors for exploitation. And UK Cyber Defence provides the incident response capability for financial infrastructure incidents.
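As an added example (not code from the article, from ICBC or from Citrix), the check below models the two conditions the article turns on: whether a gateway runs a build below the fixed one, and whether that fix has been available longer than the 14-day Cyber Essentials window. The fixed builds, hostnames, versions and the patch-publication date are placeholders and assumptions, not vendor data.

```python
"""Gateway patch-window audit (added example, not code from the original article).
Version strings use the NetScaler "major.minor-build.patch" layout, e.g. "13.1-49.15".
FIXED_BUILDS are PLACEHOLDERS, not the real fixed builds for CVE-2023-4966."""
from datetime import date
import re

PATCH_WINDOW_DAYS = 14  # the Cyber Essentials window the article cites
FIXED_BUILDS = {"13.0": "13.0-99.99", "13.1": "13.1-99.99"}  # placeholder values (assumption)
_VER = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(ver: str) -> tuple:
    """Split into ints so 13.1-49.15 > 13.1-9.15; a plain string compare gets that backwards."""
    m = _VER.match(ver)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(g) for g in m.groups())

def is_unpatched(version: str) -> bool:
    """True when the build is below the branch's fixed build, or the branch is unknown."""
    major, minor, *_ = parse_version(version)
    fixed = FIXED_BUILDS.get(f"{major}.{minor}")
    if fixed is None:
        return True  # unknown or end-of-life branch: never assume it is safe
    return parse_version(version) < parse_version(fixed)

def audit(inventory: dict, patch_published: date, today: date) -> dict:
    """Map host -> 'patched', 'in_window' (fix less than 14 days old) or 'overdue'."""
    overdue = (today - patch_published).days > PATCH_WINDOW_DAYS
    report = {}
    for host, version in inventory.items():
        if not is_unpatched(version):
            report[host] = "patched"
        else:
            report[host] = "overdue" if overdue else "in_window"
    return report

# Constructed inventory; hostnames and versions are made up for the demonstration.
CONSTRUCTED_INVENTORY = {
    "ns-gw-01": "13.1-49.15",  # below the placeholder fixed build
    "ns-gw-02": "13.1-99.99",  # exactly at the placeholder fixed build
    "ns-gw-03": "12.1-55.24",  # branch with no fixed build on record
}

def example_audit(today: date = date(2023, 11, 8)) -> dict:
    """Assumes the fix was published 10 Oct 2023 (constructed date); default today = attack date."""
    return audit(CONSTRUCTED_INVENTORY, date(2023, 10, 10), today)

if __name__ == "__main__":
    print(example_audit())  # {'ns-gw-01': 'overdue', 'ns-gw-02': 'patched', 'ns-gw-03': 'overdue'}
```

Feed it your real appliance inventory and the vendor's published fixed builds, and anything reported as "overdue" is a gateway that has already missed the 14-day window the article describes.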


The world's largest bank. Unpatched Citrix. LockBit. US Treasury trades disrupted. Are your gateways patched?

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds unpatched gateways. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box</a> monitors financial infrastructure.