Ransomware attack on ICBC disrupts trading in US Treasury market – Financial Times


A ransomware attack on China’s largest bank has disrupted the U.S. Treasury bond market by forcing customers of the Industrial and Commercial Bank of China to redirect trades, market participants said Thursday.

The Securities Industry and Financial Markets Association told its members for the first time Wednesday that ICBC was hit by ransomware, software that shuts down computer systems unless payment is made, according to several people familiar with the discussions.

According to traders and banks, the attack prevented ICBC from executing Treasury trades on behalf of other market participants, with some stock trades also affected. Market participants, including hedge funds, redirected their trades due to the disruption. The attack had some impact on the liquidity of the Treasury market but did not affect the overall functioning of the market, according to trading sources.

ICBC began restoring services Thursday afternoon, according to some people briefed on the incident. A person familiar with the situation said: “The company has told people that they are working to settle U.S. Treasury transactions as quickly as possible.”

A Treasury spokesman said: “We are aware of the cybersecurity issue and are in regular contact with key financial sector players, in addition to federal regulators. We continue to monitor the situation.”

ICBC did not immediately respond to a request for comment.

“This is a big party [the Fixed Income Clearing Corporation], so [it is] certainly of great importance and can potentially impact the liquidity of US Treasuries,” said an executive at a major bank that clears US Treasuries. Fixed Income Clearing Corporation is a subsidiary of the Depository Trust and Clearing Corporation that handles the clearing and settlement of U.S. Treasury securities transactions.

Still, other financial market experts noted that traders often have relationships with multiple banks, allowing trades to be successfully redirected and executed elsewhere. “Everyone has support in dealing with these situations,” said Kevin McPartland, head of market structure and technology research at Coalition Greenwich.

Treasury yields rose sharply on Thursday afternoon after a particularly poor 30-year bond auction. The 30-year yield rose by 0.12 percentage points to 4.78 percent. It was unclear whether the auction was affected by the attack on ICBC.

Ransomware attacks have increased since the coronavirus pandemic, in part because remote work has made businesses more vulnerable and because cybercriminals are more organized.

However, it is “extremely unusual for a bank of [ICBC’s] size to be so affected,” said Allan Liska, threat intelligence analyst at cybersecurity firm Recorded Future, noting that the financial sector invests more in protecting against cyberattacks than any other industry.


According to two sources, the attack was carried out using LockBit 3.0 software. The software was developed by LockBit, which has become one of the most prominent cyber criminal groups, carrying out debilitating attacks on targets such as ION, the City of London and the Royal Mail.

The group, which is believed to operate out of Russia and Eastern Europe, also leases its software to affiliates, a model called ransomware as a service (RaaS). It is unclear whether Thursday’s hack was carried out by the criminal group or one of its customers.

Earlier on Thursday, Allen & Overy was hit by a ransomware attack on its servers. The Magic Circle law firm said it was investigating the impact of the attack and informing affected clients.

Additional reporting by Stephen Gandel in New York