How a cyberattack crippled the world's largest bank for hours

File photo of ICBC
File photo of ICBC Copyright VINCENT YU/AP2006
By Doloresz Katanich with Reuters
Share this articleComments
Share this articleClose Button

The US unit of Industrial & Commercial Bank of China had been hit by a cyberattack, forcing it to trade via a UBS stick.


The world's largest bank by assets, the Industrial and Commercial Bank of China (ICBC), was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday. 

ICBC Financial Services, the lender's US unit, which handles trades and other services for financial institutions, said in a statement on its website that the ransomware attack disrupted some of its systems but that it had disconnected parts of the affected systems to limit the impact from the attack.

According to Bloomberg, at one point during trade on Thursday, the bank had to employ an unconventional workaround: It transmitted essential data to entities overseeing US Treasury transactions through a messenger carrying a UBS stick.

In general, the event had a limited impact on the market.
Scott Skyrm
Executive Vice President, Curvature Securities

Eventually, all Treasury trades executed on Wednesday and repo financing trades on Thursday were cleared, ICBC said adding that the lender's banking, email and other systems were not affected.

"In general, the event had a limited impact on the market," said Executive Vice President at Curvature Securities Scott Skyrm.

Some market participants said trades going through ICBC were not settled due to the attack and affected market liquidity. It was not clear whether this contributed to the weak outcome of a 30-year bond auction on Thursday.

ICBC Financial Services says it is investigating the attack and has reported the problem to law enforcement.

Prime suspect: A Russian-speaking cyber gang

Several ransomware experts and analysts said that LockBit, an aggressive, Russian-speaking cybercrime gang that does not target former Soviet countries, was believed to be behind the hack.

"We don’t often see a bank this large get hit with this disruptive of a ransomware attack," said Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future.

"This attack continues a trend of increasing brazenness by ransomware groups," he said. "With no fear of repercussions, ransomware groups feel no target is off limits."

Since LockBit was discovered in 2020, the group has hit 1,700 US organisations, according to the US Cybersecurity and Infrastructure Security Agency (CISA). Last month it threatened Boeing with a leak of sensitive data it said it had found by breaching the company.

The ICBC did not comment on whether Lockbit was behind the hack.

While market sources said the impact of the hack appeared limited, it signalled how vulnerable systems at large organisations such as ICBC (with more than $6 trillion [€5.6 trillion] in assets, according to Forbes) continue to be to cybercriminals. 

Thursday's incident is likely to raise questions over market participants' cybersecurity controls and draw regulatory scrutiny.

The Treasury market appeared to be functioning normally on Thursday, according to London Stock Exchange data.

Share this articleComments

You might also like