China's largest lender ICBC faces ransomware attack
- 01:56 PM, Nov 10, 2023
- Myind Staff
China's Industrial and Commercial Bank (ICBC) faced a ransomware attack in its U.S. division, leading to disruptions in U.S. Treasury trades. This incident marks another instance in a series of ransom-demanding hacker attacks reported this year. ICBC Financial Services, the U.S. branch of China's largest commercial lender in terms of assets, is currently investigating the cyber attack that caused disruptions in some of its systems. The institution is actively working towards recovering from the incident.
In these attacks, hackers seize control of an organization's systems, locking them up and demanding a ransom for their release. They also often steal sensitive data for the purpose of extortion. Numerous ransomware experts and analysts have suggested that the cybercrime group Lockbit is likely responsible for the hack. However, as of Thursday evening, the gang's dark web site, where it typically discloses the names of its victims, did not mention ICBC as a target. Lockbit did not respond to a request for comment sent to the contact address listed on its site.
“We don’t often see a bank this large get hit with this disruptive of a ransomware attack,” said Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future. Liska, who shares the belief that Lockbit orchestrated the hack, mentioned that ransomware groups might refrain from publicly naming their victims during negotiations regarding the ransom demand. “This attack continues a trend of increasing brazenness by ransomware groups,” he said. “With no fear of repercussions, ransomware groups feel no target is off limits.”
U.S. authorities are grappling with the challenge of controlling a surge in cybercrime, particularly ransomware attacks that target hundreds of companies across various industries each year. In a recent development, U.S. officials announced efforts to disrupt the funding channels of ransomware groups by enhancing information-sharing within a 40-country alliance.
ICBC has not confirmed whether Lockbit was responsible for the cyber attack. It is a common practice for victim organizations to avoid publicly disclosing the identities of cybercrime groups. Since its discovery in 2020, Lockbit has targeted 1,700 U.S. organizations, as reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a recent incident, the group threatened Boeing with a potential data leak after claiming to have breached the company's security.
A spokesperson from CISA redirected inquiries regarding the ICBC hack to the U.S. Treasury Department. Although market sources suggested that the hack's impact seemed confined, it underscores the susceptibility of systems within major organizations like the bank to cybercriminals. Thursday's incident is expected to prompt inquiries into the cybersecurity controls of market participants and attract regulatory scrutiny.
ICBC reported successful clearance of the Treasury trades conducted, including repurchase agreement (repo) financing trades. “In general, the event had a limited impact on the market,” said Scott Skrym, executive vice president overseeing fixed income and repo operations at the broker-dealer Curvature Securities.
Certain market participants reported unsettled trades via ICBC due to the attack, impacting market liquidity. It remains unclear if this played a role in the subpar results of a 30-year bond auction.
Michael Gladchun, associate portfolio manager, core plus fixed income, at Loomis Sayles said, “There could have been maybe some technical issues with some participants not being able to access the market fully on the day.”
The U.S. Securities Industry and Financial Markets Association (SIFMA) informed members that ICBC had reportedly been hit by ransomware, which disrupted the U.S. Treasury market by hindering trade settlements for other market participants, according to the Financial Times. “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation,” a spokesperson from the Treasury stated in response to an inquiry about the FT report, while SIFMA chose not to provide a comment.