Gang Behind Cyberattack On World’s Biggest Bank Has Hacked 1,000 Victims

Cyberattacks may hit record levels this year. (Representational)

On Thursday, trades handled by the world’s largest bank in the globe’s biggest market traversed Manhattan on a USB stick.

Industrial & Commercial Bank of China Ltd.’s US unit had been hit by a cyberattack, rendering it unable to clear swathes of US Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems. That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.

The workaround – described by market participants – followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing Co., ION Trading UK and the UK’s Royal Mail. The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume.

The incident spotlights a danger that bank leaders concede keeps them up at night – the prospect of a cyberattack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.

“This is a true shock to large banks around the world,” said Marcus Murray, the founder of Swedish cybersecurity firm Truesec. “The ICBC hack will make large banks around the globe race to improve their defenses, starting today.”

As details of the attack emerged, employees at the bank’s Beijing headquarters held urgent meetings with the lender’s US division and notified regulators as they discussed next steps and assessed the impact, according to a person familiar with the matter. ICBC is considering seeking help from China’s Ministry of State Security in light of the risks of potential attack on other units, the person said.

Late Thursday, the bank confirmed it had experienced a ransomware attack a day earlier that disrupted some systems at its ICBC Financial Services unit. The company said it isolated the affected systems and that those at the bank’s head office and other overseas units weren’t impacted, nor was ICBC’s New York branch.

The extent of the disruption wasn’t immediately clear, though Treasury market participants reported liquidity was affected. The Securities Industry and Financial Markets Association, or Sifma, held calls with members about the matter Thursday.

ICBC FS offers fixed-income clearing, Treasuries repo lending and some equities securities lending. The unit had $23.5 billion of assets at the end of 2022, according to its most recent annual filing with US regulators.

The attack is only the latest to snarl parts of the global financial system. Eight months ago, ION Trading UK – a little-known company that serves derivatives traders worldwide – was hit by a ransomware attack that paralyzed markets and forced trading shops that clear hundreds of billions of dollars of transactions a day to process deals manually. That has put financial institutions on high alert.

ICBC, the world’s largest lender by assets, has said it’s been improving its cybersecurity in recent months, highlighting increased challenges from potential attacks amid the expansion of online transactions, adoption of new technologies and open banking.

“The bank actively responded to new challenges of financial cybersecurity, adhered to the bottom line for production safety and deepened the intelligent transformation of operation and maintenance,” ICBC said in its interim report in September.

Ransomware attacks against Chinese firms appear rare in part because China has banned crypto-related transactions, according to Mattias Wahlen, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity.

But the latest attack likely exposes weaknesses in ICBC’s defenses, Wahlen said.

“It appears ICBC has had a less effective security,” he said, “possibly because Chinese banks have not been tested as much as their Western counterparts in the past.”

Record Levels

Ransomware hackers have become so prolific that attacks may hit record levels this year.

Blockchain analytics firm Chainalysis had recorded roughly $500 million of ransomware payments through the end of September, an increase of almost 50% from the same period a year earlier. Ransomware attacks surged 95% in the first three quarters of this year, compared with the same period in 2022, according to Corvus Insurance.

In 2020, the website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down. It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks simultaneously.

Caesars Entertainment Inc., MGM Resorts International and Clorox Co. are among companies that have been hit by ransomware hackers in recent months.

ICBC was struck as the Securities and Exchange Commission works to reduce risks in the financial system with a raft of proposals that include mandating central clearing of all US Treasuries. Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.

The incident underscores the benefits of central clearing in the $26 trillion market, said Stanford University finance professor Darrell Duffie.

“I view it as one example of why central clearing in the US Treasuries market is a very good idea,” he said, “because had a similar problem occurred in a not-clearing firm, it’s not clear how the default risk that might result would propagate through the market.”

Leave a Reply

Your email address will not be published. Required fields are marked *