Industrial & Commercial Bank of China Ltd. was hit by a cyberattack that prevented it from clearing swathes of trades, forcing US clients of the world’s largest lender by assets to reroute transactions and leaving brokers and traders scrambling to assess the extent of the impact.
The state-owned bank alerted market makers, banks and brokerages that trading of Treasuries is being impacted by the issue which started last night, according to people familiar with the matter who asked not to be identified discussing private information.
ICBC has told market participants that its US subsidiary appears to be experiencing the issue and is working to resolve US Treasury transactions as soon as possible, one of the people familiar said. The bank has hired cybersecurity firm Mandiant and has been offered assistance from the FBI and CISA, the person said.
ICBC confirmed in a statement that a ransomware attack at its ICBC Financial Services unit disrupted some of its systems. The bank said it’s conducting a thorough investigation and progressing its recovery efforts. Its head office and other domestic and overseas units weren’t affected, it added.
“We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation,” a spokesman for the US Treasury Department said in an emailed statement.
A spokeswoman for the SEC declined to comment.
The extent of the disruption caused wasn’t immediately clear, though Treasury market participants reported liquidity was being affected. The Securities Industry and Financial Markets Association, or Sifma, held a call with members about the matter on Thursday, some of the people familiar said. A representative for the trade organization declined to comment.
The attack on ICBC is suspected of being orchestrated by the prolific gang known as Lockbit, according to people familiar with the situation, who asked not to be identified because the information isn’t public. That’s the same group that has — just in the past year — also hit Boeing Co., ION Trading UK and the UK’s Royal Mail.
Lockbit, a criminal gang with ties to Russia, specializes in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files. Earlier this year, it took credit for an attack against ION that paralyzed derivatives trading across markets for everything from commodities to bonds and forced several banks and brokers to process trades manually.
Market Impact
There was speculation among market participants that the issues with ICBC were part of the catalyst behind a very poor auction result for Treasury’s sale Thursday of 30-year bonds. Still, others said one firm’s issues would likely only affect a small portion of the market.
One US brokerage received an email from a broker who clears trades through the ICBC saying that the bank couldn’t connect to the Depository Trust and Clearing Corporation amid an issue clearing trades and that customers should expect delays.
Representatives for the DTCC didn’t immediately respond to requests for comment.
Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.
The SEC has made a raft of proposals aimed at curbing leveraged trading by hedge funds and investment firms in the US Treasuries market, which include mandating central clearing of all US Treasuries. Stanford University finance professor Darrell Duffie said that the incident underscores the benefits of central clearing in the $26 trillion market.
“It’s being handled very effectively, and people are working very hard sorting it out,” Duffie said in an interview. “Having central clearing allows the market to handle this in a way that both protects counterparties but also manages the systemic risk in a much more transparent and organized way.”
Other financial institutions have been the target of similar assaults in recent years.
The website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down. It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks at that time.
Boosted Security
ICBC, which is also a big player in the US repo market, has been improving its cyber-security in recent months as it highlighted increased challenges from potential attacks amid the expansion of online transactions, the adoption of new technologies and open banking.
“The bank actively responded to new challenges of financial cyber-security, adhered to the bottom line for production safety, and deepened the intelligent transformation of operation and maintenance,” it said in its interim report in September.
In 2016, an examination of the malware used in an attack on Vietnam’s Tien Phong Commercial Joint Stock Bank showed that unique Swift codes identifying at least seven additional financial institutions were embedded in the hackers’ work. They included the New York and Hanoi branches of ICBC.
The malware wasn’t used to attack those banks — rather, it deleted money-transfer confirmations sent between the Vietnamese bank and its partners that could have alerted bank officials of improper transactions.
--With assistance from Isis Almeida, Katanga Johnson and Lydia Beyoud.
(Updates with ICBC statement in fourth paragraph, suspected culprit in eighth)
Author: Yiqin Shen, Katherine Doherty, Elena Popina and Liz Capo McCormick