Pete Schroeder and Zeba Siddiqui (Reuters)
Friday, November 10, 2023
The US arm of the Industrial and Commercial Bank of China (ICBC) was hit by a ransomware attack that disrupted trading in the US Treasury market on Thursday, the latest in a string of victims claimed by hackers demanding ransom this year.
ICBC Financial Services, the U.S. unit of China’s largest commercial lender by assets, said it is investigating the attack that disrupted some of its systems and is making progress in recovering from it.
China’s foreign ministry said on Friday that the lender was trying to minimize the impact of risks and losses following the attack.
“ICBC is closely monitoring the matter and has done its best in emergency response and supervisory communication,” ministry spokesman Wang Wenbin said at a regular press conference.
Wang added that business at ICBC’s head office and other subsidiaries and affiliates around the world remained normal.
Hackers lock down the victim organization’s systems in such attacks and demand a ransom to unlock them, often also stealing sensitive data for extortion.
Several ransomware experts and analysts said an aggressive cybercrime group called Lockbit was believed to be behind the hack, although the gang’s dark website, where it usually posts the names of its victims, did not mention ICBC as a victim until Thursday night. Lockbit did not respond to a request for comment sent through a contact address posted on its site.
“It’s not often we see a bank this large hit by a ransomware attack this devastating,” said Allan Liska, ransomware expert at cybersecurity firm Recorded Future.
Liska, who also believes Lockbit is behind the hack, said ransomware gangs must not name and shame their victims when negotiating with them.
“This attack continues a trend of increasing brazenness by ransomware groups,” he said. “Without fear of repercussions, ransomware groups see no target off limits.”
US authorities have struggled to contain the onslaught of cybercrime, mainly ransomware attacks, that affect hundreds of companies in nearly every industry every year. Just last week, US officials said they were working to limit the financing routes of ransomware gangs by improving the sharing of information about such criminals across a 40-nation alliance.
ICBC did not comment on whether Lockbit was behind the hack. It is common for targets to refrain from publicly disclosing the names of cybercrime groups.
Since Lockbit was discovered in 2020, the group has hit 1,700 US organizations, according to the US Cybersecurity and Infrastructure Security Agency (CISA). Last month, it threatened Boeing with a leak of sensitive data.
A CISA spokesperson referred questions about the ICBC hack to the US Treasury Department.
While market sources said the impact of the hack appeared to be limited, it signals how vulnerable systems at large organizations such as the bank remain. Thursday’s incident is likely to raise questions about market participants’ cybersecurity controls and spark regulatory scrutiny.
ICBC said it successfully cleared the Treasury trades executed on Wednesday and the repurchase agreement (repo) financing trades executed on Thursday.
“Overall, the event had a limited impact on the market,” said Scott Skrym, executive vice president of fixed income and repo at broker-dealer Curvature Securities.
Some market participants said trades going through ICBC were not settled because of the attack and that market liquidity was affected. It’s not clear whether that contributed to the weak outcome of the 30-year bond auction on Thursday.
“There may have been some technical issues as some participants were unable to fully access the market that day,” said Michael Gladchun, associate portfolio manager, core plus fixed income, at Loomis Sayles.
The Financial Times reported earlier Thursday that the Securities Industry and Financial Markets Association of America (SIFMA) told members that ICBC had been hit by ransomware that disrupted the U.S. government bond market by preventing it from settling trades on behalf of other market players.
“We are aware of cyber security issues and are in regular contact with key players in the financial sector, along with federal regulators. We continue to monitor the situation,” said a spokesman for the Ministry of Finance in response to a question about FT reports. SIFMA declined to comment.
The government bond market appeared to function normally on Thursday, according to LSEG data.