
A ransomware attack on the financial services arm of China’s largest bank has disrupted the US Treasury market by forcing clients of the Industrial and Commercial Bank of China to reroute trades, market participants said on Thursday.

The Securities Industry and Financial Markets Association first told members on Wednesday that ICBC Financial Services had been hit by ransomware, software that paralyses computer systems unless a payment is made, several people familiar with the discussions said.

The attack prevented ICBC FS from settling Treasury trades on behalf of other market participants, according to traders and banks, with some equity trades also affected. Market participants including hedge funds and asset managers rerouted trades because of the disruption and the attack had some effect on Treasury market liquidity, according to trading sources, but it was not impairing the market’s overall functioning.

A notice on ICBC FS’s website on Thursday evening confirmed that it had “experienced a ransomware attack that resulted in disruption to certain [financial services] systems” starting on Wednesday.

ICBC FS said it had contained the incident by disconnecting and isolating affected systems, adding that it was “conducting a thorough investigation and . . . progressing its recovery efforts” with the help of information security experts.

It had successfully cleared US Treasury trades executed on Wednesday and repo financing trades done on Thursday, the notice said. ICBC FS operates independently from ICBC in China, it added, and neither the head office nor the New York branch of ICBC itself was affected.

A Treasury department spokesperson said: “We are aware of the cyber security issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.”

“This is a large party on [the Fixed Income Clearing Corporation], so [it is] certainly of major concern, and potentially impacting liquidity of US Treasuries,” said an executive at a large bank that clears US Treasuries. The Fixed Income Clearing Corporation handles the settlement and clearing of US Treasury trades.

Still, other Treasury market experts noted that traders often have relationships with several banks, so trades were successfully rerouted elsewhere and executed. “Everybody has a back-up for clearing in these situations,” said Kevin McPartland, head of market structure and technology research at Coalition Greenwich.

Yields on Treasury bonds rose sharply on Thursday afternoon, after a particularly poor auction for 30-year bonds. The 30-year yield rose by 0.12 percentage points to 4.78 per cent. It was unclear whether the auction was affected by the attack on ICBC FS.

Shares in ICBC fell 0.5 per cent in Hong Kong on Friday.

The company’s notice said it had reported the incident to law enforcement. Ransomware attacks have proliferated since the coronavirus pandemic, in part as remote working has left businesses more vulnerable and as cyber criminal groups have become more organised.

It was, however, “extremely unusual for a bank of [ICBC FS’s] size to be impacted like this”, said Allan Liska, threat intelligence analyst at cyber security company Recorded Future, noting that the financial sector invests more in guarding against cyber attacks than any other industry.

The attack was carried out using LockBit 3.0 software, according to two sources. The software was developed by LockBit, which has become one of the most high-profile criminal cyber groups, conducting debilitating attacks on targets such as ION, the City of London and the Royal Mail.

The group, believed to operate out of Russia and eastern Europe, also rents out its software to affiliates, a model known as RaaS, or ransomware as a service. It was unclear if Thursday’s hack was carried out by the criminal group or one of its customers.

Earlier on Thursday, Allen & Overy confirmed it was hit by a ransomware attack on its servers. The “magic circle” law firm said it was investigating the impact of the attack and informing affected clients.

Additional reporting by Stephen Gandel in New York

Copyright The Financial Times Limited 2024. All rights reserved.