“WTF? we not Russia”: LockBit Takes Credit for ICBC Cyberattack


On Thursday, traders of the US treasury market were unable to place trades due to the Industrial and Commercial Bank of China’s US arm being hacked. ICBC is one of the world’s largest and most prominent financial institutions. The assailant? None other than LockBit, a notorious ransomware group that just ransomed the aerospace giant Boeing.

Reported by vx-underground on Twitter, a LockBit admin staff member confirmed they were responsible for the ICBC ransom. Interestingly, the group explicitly stated that they are not Russian, claiming “WTF? we not Russia, we multinational… I have chines affiliate lol”. While there is nothing humorous about ransomware attacks, this exchange was pretty funny.

Not every day, a Chinese firm becomes the target of a ransomware attack. If ransomware groups are not stopped, everyone will eventually become a victim. LockBit is both a ransomware-as-a-service and a ransomware group. They actively recruit affiliates to conduct ransomware attacks using LockBit ransomware tools. They are a large group that uses different attack methods, so each attack varies significantly. LockBit is amongst the most prolific and aggressive ransomware groups active right now. Since 2020, they have been responsible for over 1700 ransomware attacks, resulting in over $100 million in damages. They account for approximately 10-20% of all ransomware incidents reported in major markets.

On Thursday, not only did LockBit disable ICBC, but they also began leaking over 40 GB of data belonging to Boeing. LockBit initially added Boeing to its victim list on October 27 and removed them on the 30th. Today, LockBit released over 40GB of Boeing’s data. The ICBC and Boeing hacks occurred weeks apart but may have been exploited using the same bug.

Citrix NetScaler is a networking device that helps optimize the performance of applications by managing traffic efficiently, balancing loads across servers, and enhancing security measures. It’s commonly used in networking to ensure fast and secure delivery of web applications in enterprise environments. A zero-day vulnerability with the identifier CVE-2023-4966 was discovered in Citrix NetScaler last month. Unfortunately, hackers had already used the exploit for months before its discovery. Mandiant, a threat intelligence leader, stated, “These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.”

Mandiant has traced attacks exploiting the bug back to late summer, carried out by an unknown threat actor. The CVE-2023-4966, named “CitrixBleed,” affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms. The vulnerability has a severity score of 9.4 out of a maximum possible 10 on the CVSS 3.1 scale. This particular exploit allows attackers to hijack user sessions. Citrix has described the flaw as remotely exploitable and involving low attack complexity, no special privileges, and no user interaction.

Threat actors have been actively exploiting the flaw since August. Security researcher Kevin Beaumont found an unpatched Citrix NetScaler server used by ICBC on November 6, 3 days before the attack. He adds, “As of writing this tweet, over 5000 organizations still haven’t patched #CitrixBleed. It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs – it gives attackers a fully interactive Remote Desktop PC on the other end.”

Security researcher Dominic Alvieri points out that Boeing was also potentially exploited by the same vulnerability, CitrixBleed. It is likely that CitrixBleed was the attack vector for both the Boeing and ICBC breaches. Only time will tell the extent of the damage CitrixBleed will cause, but the fact is that the damage is far from over.