A ransomware attack on China’s largest bank has disrupted the US Treasury market by forcing clients of the Industrial and Commercial Bank of China to reroute trades, market participants said on Thursday.

The Securities Industry and Financial Markets Association first told members on Wednesday that ICBC had been hit by ransomware software, which paralyses computer systems unless a payment is made, according to several people familiar with the discussions.

The attack prevented ICBC from settling Treasury trades on behalf of other market participants, according to traders and banks, with some equity trades also affected. Market participants including hedge funds rerouted trades because of the disruption and the attack had some effect on Treasury market liquidity, according to trading sources, but it was not impairing the market’s overall functioning.

ICBC was starting to restore services as of Thursday afternoon, according to some of the people briefed on the incident. One person familiar with the situation said, “The firm has told people that they’re working to resolve US Treasuries transactions as soon as possible.”

A Treasury department spokesperson said: “We are aware of the cyber security issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.”

ICBC did not immediately respond to a request for comment.

“This is a large party on [the Fixed Income Clearing Corporation], so [it is] certainly of major concern, and potentially impacting liquidity of US Treasuries,” said an executive at a large bank that clears US Treasuries. The Fixed Income Clearing Corporation is a subsidiary of the Depository Trust and Clearing Corporation that handles the settlement and clearing of US Treasury trades.

Still, other Treasury market experts noted that traders often have relationships with multiple banks, so trades were successfully rerouted elsewhere and executed. “Everybody has a back-up for clearing in these situations,” said Kevin McPartland, head of market structure and technology research at Coalition Greenwich.

Yields on Treasury bonds rose sharply on Thursday afternoon, after a particularly poor auction for 30-year bonds. The 30-year yield rose by 0.12 percentage points to 4.78 per cent. It was unclear whether the auction was affected by the attack on ICBC.

Ransomware attacks have proliferated since the coronavirus pandemic, in part as remote working has left businesses more vulnerable and as cyber criminal groups have become more organised.

It was, however, “extremely unusual for a bank of [ICBC’s] size to be impacted like this”, said Allan Liska, threat intelligence analyst at cyber security company Recorded Future, noting that the financial sector invests more in guarding against cyber attacks than any other industry.

The attack was carried out using LockBit 3.0 software, according to two sources. The software was developed by LockBit, which has become one of the most high-profile criminal cyber groups, conducting debilitating attacks on targets such as ION, the City of London and the Royal Mail.

The group, believed to operate out of Russia and eastern Europe, also rents out its software to affiliates, a model known as RaaS, or ransomware as a service. It is unclear if Thursday’s hack was carried out by the criminal group or one of its customers.

Earlier on Thursday, Allen & Overy was hit by a ransomware attack on its servers. The “magic circle” law firm said it was investigating the impact of the attack and informing affected clients.

Additional reporting by Stephen Gandel in New York
