Ransomware attack on ICBC disrupts the US Treasury market

Market participants reported on Thursday that a ransomware attack against the financial services arm of China’s largest bank, the Industrial and Commercial Bank of China (ICBC), disrupted the US Treasury market by forcing ICBC customers to reroute their trades.

The Securities Industry and Financial Markets Association first told its members on Wednesday that ICBC Financial Services had been affected by ransomware, a type of software that can paralyze computer systems unless a payment is made.

Traders and banks report that the attack prevented ICBC FS from settling Treasury trades for other market participants. Some equity trades were also affected. According to traders and banks, market participants, including hedge funds, rerouted their trades because of the disruption. The attack also had an effect on Treasury market liquidity, but did not affect the overall functioning of the market.

On Thursday evening, an announcement on the ICBC FS website confirmed that a ransomware attack had disrupted certain financial services systems since Wednesday.

ICBC FS said that the incident had been contained by isolating and disconnecting affected systems. It added that it was “conducting a comprehensive investigation” and that, with the help of experts in information security, it was progressing with its recovery efforts.

The notice stated that ICBC FS had cleared US Treasury transactions executed on Wednesday as well as repo financing trades done on Thursday. ICBC FS is independent of ICBC in China. The notice added that neither the New York branch nor the head office was affected.

The Treasury Department spokesperson stated: “We are aware that cyber security is a problem and we are in regular communication with key financial sector players, as well as federal regulators. We are continuing to monitor the situation.”

A senior executive of a major bank that clears US Treasuries said, “This is an important party at [the Fixed Income Clearing Corporation] so [it’s] of great concern and could impact the liquidity of US Treasuries.” The Fixed Income Clearing Corporation is responsible for the settlement and clearance of US Treasury trades.

Other Treasury market experts also noted that traders have many relationships with banks and were able to successfully reroute trades elsewhere. Kevin McPartland, head of market structure and technological research at Coalition Greenwich, said that everyone has a clearing backup for these situations.

Yields on Treasury bonds rose sharply on Thursday afternoon after a particularly bad auction of 30-year bonds. The 30-year yield increased by 0.12 percentage points to 4.78 percent. It is unclear whether the auction was affected by the ICBC FS attack.

ICBC shares fell by 0.5 percent in Hong Kong on Friday.

In its notification, the company said that it had reported the incident. Ransomware attacks have been on the rise since the coronavirus outbreak. This is partly because remote working makes businesses more vulnerable. Cyber criminals have also become more organised.

Allan Liska is a threat intelligence analyst with Recorded Future. He said that it was “extremely rare” for a bank the size of ICBC FS to be impacted in this way. The financial sector, he added, invests more than any other industry in protecting itself against cyber-attacks.

According to two sources, the attack was conducted using LockBit 3.0 software. The software was developed by LockBit, which has been one of the highest-profile criminal cyber groups. The group has conducted crippling attacks against targets like ION, the City of London, and Royal Mail.

The group rents its software out to affiliates. This model is known as RaaS, or ransomware-as-a-service. It was not clear on Thursday whether the hack was the work of the criminal group itself or of one of its customers.

Allen & Overy suffered a ransomware infection on its servers earlier on Thursday. The “magic-circle” law firm announced that it was investigating and notifying affected clients about the attack.