Ransomware attack on Chinese bank interrupts U.S. Treasury trading

A ransomware attack on the U.S. arm of a large Chinese bank caused trade failures in the U.S. Treasury market on Thursday, forcing the market to stay open late so participants could reroute trades.

The attack against the U.S. arm of the Industrial and Commercial Bank of China prevented some U.S. debt brokers from conveying trade contracts. U.S. Treasury repo failures rose to the highest rate since March, according to Bloomberg.

Nonetheless, the attack had limited impact on the market, one executive at a repo broker-dealer told Reuters, after the market stayed open four extra hours.

Cybercrime gang Lockbit told Reuters it conducted the attack. Prior to the gang claiming responsibility on Friday, multiple security experts said Lockbit was involved.

ICBC Financial Services confirmed on its website it had experienced a ransomware attack, saying the disruption began on Wednesday.

"Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident," the company's statement reads. "ICBC FS has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts."

ICBC FS operates independently from ICBC in China, the company said, and neither the head office nor the New York branch of ICBC itself was affected by this week's attack.

China's Ministry of Foreign Affairs affirmed the lender's efforts to minimize impacts after the attack, according to Wang Wenbin, a ministry spokesman.

"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," Wenbin said at a regular news conference on Friday.

Lockbit first appeared in January 2020, and as of June, Lockbit had executed more than 1,700 attacks and received approximately $91 million in ransom payments, according to the Cybersecurity and Infrastructure Security Agency.

The Russian-linked Lockbit group has caused relatively minor interruptions in markets and other financial systems before, once in January when it interrupted some financial derivatives trading and again in April when it disabled back-office payment tools for some restaurants.

The January incursion drew comments from the Futures Industry Association, a trade organization for derivatives markets, and the U.S. Commodity Futures Trading Commission. So far, Treasury spokespeople have only said the department is monitoring the ICBC FS situation.

Some ransomware actors have recently relied more on data exfiltration as their primary mode of exploiting companies, often skipping the encryption step to avoid detection while still demanding ransom in return for not posting customer data publicly. But ransomware interruptions still take place, with the attacks against MGM Resorts and Caesars Entertainment being recent high-profile examples.

While authorities including the FBI advise against paying these criminal groups to get systems decrypted or stolen data deleted, many organizations still do so, often in an attempt to protect the data of customers or constituents.

Authorities say these ransom payments only incentivize further victimization, and regulators are increasingly scrutinizing payments. Banks and other financial companies regulated by the New York State Department of Financial Services will soon have to report when they make ransom payments and provide an explanation.

In the coming years, the requirement to report ransom payments will apply to all companies in critical infrastructure sectors when CISA implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
