Ransomware criminals continue to make hay despite increased government efforts worldwide to clamp down on the ecosystem. What’s next?
Last week, the U.S. financial services division of China’s biggest bank, the state-owned Industrial and Commercial Bank of China (ICBC), was hit by ransomware that reportedly affected trading in U.S. treasuries. According to the Financial Times, “the attack prevented ICBC from settling Treasury trades on behalf of other market participants,” and “with its systems compromised, ICBC Financial Services proposed sending a USB stick with trading data to BNY Mellon to help it settle trades.” I mean, this is very serious, but lol.
This left ICBC’s U.S. unit owing BNY Mellon US$9 billion for unsettled trades, with the subsidiary requiring a capital injection from its parent company to pay the debt. Yikes.
This hack was discussed in the diplomatic stratosphere, and U.S. Treasury Secretary Janet Yellen raised it with Chinese Vice Premier He Lifeng.
Ransomware gang LockBit claimed the attack and told Reuters over the Tox encrypted messenger that ICBC had paid a ransom. Reuters was not able to independently verify this particular claim, but LockBit’s involvement was confirmed in reporting from the Wall Street Journal.
This is a very brazen attack, but we also think it’s a risky one, at least for the people directly involved, as it is the kind of thing that motivates government officials to take action. And we’re not talking about U.S. officials here, but Chinese ones.
Assuming LockBit has some Russian nexus (they advertise on Russian-language dark web forums), Chinese officials could have some influence over Russian law enforcement efforts. The leverage the People’s Republic of China (PRC) has over Russia has increased since the Russian invasion of Ukraine, and, as Risky Business News reported last week, Russian officials can arrest cybercriminals when they are motivated to do so.
If the PRC does ask Russian officials to take action, however, we think this will likely just result in the arrest of a few ransomware affiliates. It will not significantly change the ransomware game.
ICBC isn’t LockBit’s only recent high-profile victim. Security researcher Kevin Beaumont reports that a LockBit “strike team” has been using a recent Citrix NetScaler vulnerability (known as Citrix Bleed) to get initial access to organizations and then passing that on to another team that ultimately deploys ransomware. (LockBit’s use of Citrix Bleed to gain access to ICBC was reported in the Wall Street Journal).
Other organizations that Beaumont has found running vulnerable versions of NetScaler include British multinational law firm Allen and Overy, Boeing, and DP World Australia. LockBit has claimed credit for the ransomware attack on Allen and Overy and has leaked data purportedly from Boeing as well.
And DP World Australia was crippled by an attack last Friday. Per the Australian Financial Review:
The Middle Eastern-owned stevedore, which operates terminals in Sydney, Melbourne, Brisbane and Perth and handles about 40 per cent of the goods coming in and out of Australia, was forced to shut down technology systems at 10am on Friday.
The shutdown prevented some 30,000 containers of goods from moving in or out of its terminals, including refrigerated containers that can hold anything from lobsters and wagyu beef to blood plasma.
While ships could still offload and pick up containers, the technology systems that allow trucks to share data with the stevedore were turned off, meaning trucks could not get into DP World’s terminals to collect or drop off containers.
There hasn’t been an official confirmation of who breached DP World Australia or how they did it, but Beaumont’s Citrix NetScaler compromise theory seems plausible or even likely. A patch for that vulnerability was released on Oct. 10.
The Australian government has a playbook for these kinds of serious cyber incidents: it rolls out a whole-of-government response coordinated by a “cyber disaster tsar” (aka the national cyber security coordinator). This approach uses an emergency response framework that was developed during the coronavirus pandemic and was first applied to a cyber incident in the response to the Medibank Private breach in late 2022.
From the point of view of a critical infrastructure company, part of this is great. If you are the victim of a significant cybersecurity incident, you’ll get all kinds of government assistance! On the other hand, the government will learn if your cybersecurity posture was subpar.
This essentially puts all critical infrastructure companies on notice to up their game.
That’s a good thing, but what else can governments do? Back in November 2022, Australian Cyber Security Minister Clare O’Neil announced “an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups.”
In January, we covered how LockBit’s porous OPSEC made it “ripe for disruption,” and in June, cyber security authorities in the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States), France, and Germany issued a cybersecurity advisory warning about LockBit ransomware. We’d be stunned if these recent incidents don’t make LockBit a priority target for state action.
Although we love writing about flashy government disruption operations involving website takedowns and press releases, we think operations that covertly degrade ransomware groups are more sensible. Flashy operations push ransomware affiliates to greener pastures, whereas discreet operations leave them toiling joylessly in the ransomware salt mines.
We think these kinds of offensive cyber disruption operations will make a difference, but they won’t eliminate ransomware. Ultimately, the crime needs to be starved of funds, so efforts to prevent ransomware payments should be accelerated.
– Tom Uren, Published Courtesy of Lawfare