
The US unit of the Industrial and Commercial Bank of China (ICBC), the world's largest bank, was the target of a ransomware attack on Thursday, causing problems in the US Treasury market.

ICBC Financial Services acknowledged the incident and stated that certain systems were disrupted, while market sources said the overall market impact appeared to be modest.

Ransomware attacks, a growing threat across various sectors in recent years, encrypt an organisation's systems, demanding ransom payments for their release. ICBC Financial Services reassured stakeholders that it was actively investigating the incident and making progress in its recovery efforts. Notably, the bank reported successfully clearing Treasury trades executed on the previous day and repurchase agreements (repo) financing trades conducted on the day of the attack.

Scott Skrym, Executive Vice President for Fixed Income and Repo at broker-dealer Curvature Securities, provided a reassuring perspective, noting that "in general, the event had a limited impact on the market".

However, concerns were raised by some market participants who reported that trades going through ICBC were not settled due to the attack, leading to potential disruptions in market liquidity.

The alleged orchestrator of the attack, a criminal gang known as Lockbit with reported ties to Russia, was the subject of a later Bloomberg report. While it is common for ransomware attacks to target various sectors, such an incident disrupting a major financial market raises questions about the cybersecurity controls of market participants and may attract regulatory scrutiny.

Market participants voiced concerns about technical issues and the potential inability of some participants to fully access the market on the day of the attack. Michael Gladchun, Associate Portfolio Manager at Loomis Sayles, suggested that these issues might have contributed to the weak outcome of a 30-year bond auction held on the same day.

The US Securities Industry and Financial Markets Association (SIFMA) reportedly informed its members about the ransomware attack on ICBC, stating that it disrupted the US Treasury market by preventing the settlement of trades on behalf of other market players. A Treasury spokesperson, responding to the Financial Times report, acknowledged the cybersecurity issue and said it was monitoring the situation.

SIFMA declined to comment, and market data from LSEG indicated that the Treasury market functioned normally on the day of the attack.

Globally, ransomware attacks have been on the rise, with Statista reporting over 493 million attack attempts last year alone. Lockbit, according to the Financial Services Information Sharing and Analysis Center, emerged as the most prolific ransomware operator in 2022.

Its disruptive activities have continued into 2023, prompting a joint advisory from the United Kingdom and international partners, expressing concerns about the ongoing threat posed by the Lockbit ransomware operation.

The advisory highlighted Lockbit's prevalence as a ransomware variant globally and its persistent attacks across critical infrastructure sectors. Affiliates of Lockbit have targeted organisations of all sizes, including those in financial services, food and agriculture, education and healthcare. The adaptability and persistence demonstrated by Lockbit underscore the challenges faced by cybersecurity professionals in mitigating its impact.

In response to the alarming trend, the National Cyber Security Centre (NCSC) collaborated with agencies from the United States, Australia, Canada, France, Germany and New Zealand to provide guidance aimed at reducing the likelihood and severity of future Lockbit attacks. The advisory serves as a call to action for enhanced cybersecurity measures to safeguard organisations against the evolving tactics of this notorious cybercriminal group.

As the investigation into the ICBC ransomware attack unfolds, the incident is expected to prompt a broader discussion about cybersecurity controls within financial markets and the need for enhanced measures to protect against such sophisticated cyber threats.