The US arm of the Industrial and Commercial Bank of China (ICBC) has fallen victim to a ransomware attack which disrupted trades in the US Treasury market on Thursday 9th November, joining the string of victims targeted by cybercriminals in recent months.
The attack was confirmed by ICBC Financial Services, the US unit of China’s largest commercial lender, with the unit adding that investigations were currently underway to discover the attack’s origin.
The disruption, which experts say was caused by the cybercrime gang Lockbit, marks a concerning trend of increasing boldness by ransomware groups, which are now targeting even major financial institutions. Lockbit, known for locking up victims’ systems and demanding ransom, admitted to attacking ICBC after being contacted through the messaging platform Tox.
Despite the attack, China’s foreign ministry has given assurances that ICBC is actively minimising the risk impact and losses. ICBC’s response to the attack was swift, with the firm switching to supervisory communication and maintaining normal business operations at its head office and subsidiaries globally, according to ministry spokesperson Wang Wenbin.
While the impact on the Treasury market seemed limited, the incident has raised concerns about the vulnerability of systems at major organisations. It may prompt regulatory scrutiny and questions about cybersecurity controls within financial institutions.
Scott Skyrm, Executive Vice President for Fixed Income and Repo at broker-dealer Curvature Securities, stated that ICBC successfully cleared Treasury trades executed on Wednesday and repurchase agreement (repo) financing trades done on Thursday. However, some market participants reported unsettled trades and reduced market liquidity due to the attack.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted that Lockbit has targeted 1,700 U.S. organisations since its discovery in 2020, illustrating the severity and persistence of the ransomware threat.
As U.S. authorities grapple with the increasing frequency of cybercrime, including ransomware attacks, questions surrounding the adequacy of cybersecurity controls in financial institutions are likely to gain prominence. The incident may prompt further discussions on improving information-sharing mechanisms and cooperation to curb cyber threats across the financial sector.
The U.S. Treasury Department and the U.S. Securities Industry and Financial Markets Association (SIFMA) are closely monitoring the situation. Despite the disruption, the Treasury market appeared to be functioning normally on Thursday, according to LSEG data.