BEIJING: The US branch of the Industrial and Commercial Bank of China (ICBC) was hit by a ransomware attack on Thursday, disrupting trading in the US treasury market, the latest in a series of victims claimed by hackers demanding ransom this year. . ICBC Financial Services, the U.S. unit of China’s largest commercial lender by assets, said it was investigating the attack that disrupted some of its systems, and was making progress toward recovery.
China’s Foreign Ministry said on Friday the lender was making efforts to minimize the risk impact and losses following the attack. “The ICBC is closely monitoring this case and has done its best in emergency response and supervisory communication,” ministry spokesman Wang Wenbin said at a regular news conference.
Wang said business remained normal at ICBC’s head office and other branches and subsidiaries around the world. In such attacks, hackers lock the victim organization’s systems and demand ransom to unlock it, often even stealing sensitive data for extortion.
An aggressive cybercrime gang named Lockbit is believed to be behind the hack, several ransomware experts and analysts said, although the gang’s dark web site where it normally posts the names of its victims remained unlisted as of Thursday evening. ICBC was not mentioned in. Lockbit did not respond to a request for comment sent through the contact address posted on its site. “It’s not often we see a major bank hit with a ransomware attack this devastating,” said Alan Liska, a ransomware expert at cybersecurity firm Recorded Future.
Liska, who also believes Lockbit was behind the hack, said ransomware gangs cannot name and embarrass their victims when interacting with them.
“This attack continues a trend of increasing brazenness by ransomware groups,” he said. “With no fear of consequences, ransomware groups feel no target is off limits.”
U.S. authorities have struggled to prevent cybercrime, primarily ransomware attacks, which affect hundreds of companies in nearly every industry each year. Just last week, US officials said they were working to reduce the funding routes of ransomware gangs by improving information sharing on such criminals across the 40-nation alliance. ICBC did not comment on whether Lockbit was behind the hack. It is common for targets to avoid publicly disclosing the names of cybercrime gangs.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the group has affected 1,700 US organizations since Lockbit’s discovery in 2020.
Last month it threatened Boeing for leaking sensitive data. A CISA spokesperson referred questions about the ICBC hack to the US Treasury Department.
While market sources said the impact of the hack appeared to be limited, it indicated how vulnerable the systems of large organizations like banks remain.
Thursday’s incident is likely to raise questions about market participants’ cybersecurity controls and face regulatory scrutiny.
ICBC said it has successfully cleared the treasury trades executed on Wednesday and the repurchase agreements (repo) financing trades executed on Thursday. “In general, this event had a limited impact on the market,” said Scott Scream, executive vice president of fixed income and repo at broker-dealer Curvature Securities.
Some market participants said that transactions through ICBC could not be settled due to the attack and market liquidity was affected. It’s unclear whether that contributed to the weak result at Thursday’s 30-year bond auction. “There may have been some technical issues, as some participants were not able to fully access the market that day,” said Michael Gladchun, associate portfolio manager, core plus fixed income at Loomis Sales.
The Financial Times reported earlier on Thursday that the US Securities Industry and Financial Markets Association (SIFMA) told members that ICBC had been hit by ransomware, which disrupted the US Treasury market by preventing it from settling trades on behalf of other market players. Is done. Responding to a question about the FT report, a Treasury spokesperson said, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants in addition to federal regulators. We continue to monitor the situation. ” SIFMA declined to comment.
The Treasury market appeared to be functioning normally on Thursday, according to LSEG data.
