The logo of Industrial and Commercial Bank of China Ltd (ICBC) is seen at its branch in Beijing, China, 30 March 2016. Portal/Kim Kyung-Hoon/File Photo Acquire License Rights
Nov 9 (Portal) – The U.S. arm of the Industrial and Commercial Bank of China (ICBC) was hit on Thursday by a ransomware attack that disrupted trading at the U.S. Treasury, the latest in a string of victims seeking ransom demanding hackers demanded this year.
ICBC Financial Services, the U.S. division of China’s largest commercial lender by assets, said it was investigating the attack that crippled some of its systems and was making progress toward recovery.
In such attacks, hackers lock the systems of a victim organization and demand a ransom to unlock them. They often steal sensitive data to blackmail them.
Several ransomware experts and analysts said an aggressive cybercrime gang called Lockbit was behind the hack, although the gang’s dark website, where it typically posts the names of its victims, did not mention ICBC as a victim as of Thursday evening. Lockbit did not respond to a request for comment sent through a contact address posted on its website.
“We don’t often see such a large bank hit by such a devastating ransomware attack,” said Allan Liska, a ransomware expert at cybersecurity firm Recorded Future.
Liska, who also believes Lockbit was behind the hack, said ransomware gangs should not name and shame their victims when negotiating with them over the ransom demand.
“This attack continues the trend of increasing boldness by ransomware groups,” he said. “Ransomware groups are not afraid of consequences and believe that no target is off limits.”
U.S. authorities are struggling to stem a tide of cybercrime, particularly ransomware actors, that hit hundreds of companies in nearly every industry every year. Just last week, U.S. officials said they would work to limit the funding avenues of ransomware gangs by improving information sharing about such criminals across a 40-country alliance.
ICBC did not comment on whether Lockbit was behind the hack. Victim organizations often refrain from publicly disclosing the names of cybercriminal gangs.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the group has attacked 1,700 US organizations since Lockbit was discovered in 2020. Last month, the company threatened Boeing with disclosing sensitive data it said it discovered in a breach against the company.
A CISA spokesperson referred questions about the ICBC hack to the U.S. Treasury Department.
While market sources said the impact of the hack appeared to be limited, it showed how vulnerable the systems of large organizations like the bank remain to cybercriminals. Thursday’s incident is likely to raise questions about market participants’ cybersecurity controls and prompt regulatory scrutiny.
TRADE CANCELED
ICBC said it successfully completed treasury operations conducted on Wednesday and repurchase financing (repo) operations conducted on Thursday.
“In general, the event had limited impact on the market,” said Scott Skrym, executive vice president of fixed income and repo at broker-dealer Curvature Securities.
Some market participants said trades cleared through ICBC were not settled due to the attack, affecting market liquidity. It was unclear whether that contributed to the weak result of a 30-year bond auction on Thursday.
“There may have been some technical issues as some participants did not have full market access on the day,” said Michael Gladchun, associate portfolio manager, core plus fixed income, at Loomis Sayles.
The Financial Times reported earlier on Thursday that the US Securities Industry and Financial Markets Association (SIFMA) told its members that ICBC (601398.SS) was affected by ransomware that disrupted the US Treasury bond market by affecting them prevented players from transacting on behalf of other markets.
“We are aware of the cybersecurity issue and are in regular contact with key players in the financial sector, in addition to the federal regulators. We continue to monitor the situation,” a Treasury spokesperson said in response to a question about the FT report. SIFMA declined to comment.
The Treasury market appeared to be functioning normally on Thursday, according to LSEG data.
Reporting by Urvi Dugar in Bengaluru and Pete Schroder in Washington; Additional reporting by Gertrude Chavez, Davide Barbuscia, Carolina Mandl, Paritosh Bansal; Edited by Stephen Coates
Our standards: The Trust Principles.
Acquire license rights, opens new tab