(Bloomberg) -- A crippling cyberattack targeting the US division of Industrial & Commercial Bank of China Ltd., the world’s biggest bank, shows that cunning extortionists are paying little mind to the unofficial peace between Russia-linked hackers and China. 

Cyber sleuths believe a group called LockBit, the world’s most prolific cyber extortion group, carried out the attack. Purporting to be based out of the Netherlands and consisting largely of Russian speakers, LockBit, which is not an extension of the Russian government, has combined its trademark ruthless efficiency with a strategy of farming out the actual work of hacking to affiliated partners, quickly asserting itself as the alpha dog of cyber extortion.

What makes this breach unique to security experts? There’s long been an unspoken agreement between Moscow and Beijing, whereby Russia-linked cybergangs agreed to leave Chinese institutions alone. Now, that agreement appears to have been broken, putting Russian leader Vladimir Putin in a potentially awkward position as he tries to maintain China’s crucial support for his invasion of Ukraine.

Jon DiMaggio, chief security strategist with cybersecurity firm Analyst1 and a LockBit expert, said the group has, in public statements, sought to depict itself as politically disengaged. When Russia invaded Ukraine in February 2022, LockBit posted what DiMaggio characterized as a strategically shrewd statement that it had no political agenda or official position on the war.

“For us, it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work,” LockBit wrote.

LockBit, meanwhile, appears to be trying to distance itself from the hack.

DiMaggio said on Friday that he had communicated with the group’s leaders. They blamed the hack on one of LockBit’s more than 100 affiliate partners, who are essentially unmonitored and allowed to pick their own targets. Their victims’ identities often remain unknown to LockBit leadership, DiMaggio said. 

“That is not smart because targeting the wrong organization may result in consequences that LockBit had not anticipated,” he said, adding that “it does not seem as though LockBit seems very worried about how China will react.”

ICBC confirmed that it had experienced a ransomware attack Wednesday against some of its US-based systems and that by the next day it could not clear swathes of US Treasury trades. Some market participants told Bloomberg News the disruption had forced ICBC to send the settlement details via thumb drive. The bank said it has isolated the affected systems and that the breach has not spread to its overseas units or head office. 

In the past year, the US Department of Justice arrested a Russian national and a dual Russian and Canadian national and indicted a third in absentia for their alleged involvement with LockBit. Prosecutors said the group had executed more than 1,400 attacks against victims around the world and extracted tens of millions of dollars in bitcoin-based extortion payments. 

Charl van der Walt, head of cybersecurity at French telecom Orange SA’s Orange Cyberdefense division, said the company has identified just over 1,100 victims of the latest version of LockBit’s ransomware, which first appeared in June 2022. Ten of those victims are in China, suggesting cyber extortionists are testing new, non-Western markets like India as well as more targets in the finance and insurance sectors, van der Walt said.

The ICBC attack aligns “with changing patterns we are seeing generally, rather than an extraordinary indicator that a particular actor or group of actors have adopted a dramatic change in tactics,” he added.

In the past, the LockBit leadership has shown some sensitivity to criticism. It has apologized when one of its affiliated partners violated the group’s code of conduct by targeting a children’s hospital. Last year it provided a free decryptor to Toronto’s Hospital for Sick Children after an unsanctioned cyberattack. 

©2023 Bloomberg L.P.