World’s Biggest Bank Has To Trade Via USB Stick After Hack #BitcoinFixesThis #GotBitcoin
On Thursday, trades handled by the world’s largest bank in the globe’s biggest market traversed Manhattan on a USB stick.
* Incident Caused ICBC’s Clients To Reroute Some Treasury Trades
* ‘A True Shock To Banks Around The World,’ Truesec Founder Says
Industrial & Commercial Bank of China Ltd.’s US unit had been hit by a cyberattack, rendering it unable to clear swathes of US Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems.
That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.
The workaround — described by market participants — followed the attack by suspected perpetrator LockBit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing Co., ION Trading UK and the UK’s Royal Mail.
The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume.
The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyberattack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.
“This is a true shock to large banks around the world,” said Marcus Murray, the founder of Swedish cybersecurity firm Truesec. “The ICBC hack will make large banks around the globe race to improve their defenses, starting today.”
As details of the attack emerged, employees at the bank’s Beijing headquarters held urgent meetings with the lender’s US division and notified regulators as they discussed next steps and assessed the impact, according to a person familiar with the matter.
ICBC is considering seeking help from China’s Ministry of State Security in light of the risks of potential attack on other units, the person said.
Late Thursday, the bank confirmed it had experienced a ransomware attack a day earlier that disrupted some systems at its ICBC Financial Services unit. The company said it isolated the affected systems and that those at the bank’s head office and other overseas units weren’t impacted, nor was ICBC’s New York branch.
ICBC is closely following the cyberattack and will take “effective” emergency response measures, Wang Wenbin, a spokesman for the Chinese Foreign Ministry, said at a regular briefing Friday in Beijing. The bank will engage in proper supervision and communication to minimize the risks, impact and losses, Wang said.
The extent of the disruption wasn’t immediately clear, though Treasury market participants reported liquidity was affected. The Securities Industry and Financial Markets Association, or Sifma, held calls with members about the matter Thursday.
ICBC FS offers fixed-income clearing, Treasuries repo lending and some equities securities lending. The unit had $23.5 billion of assets at the end of 2022, according to its most recent annual filing with US regulators.
The attack is only the latest to snarl parts of the global financial system. Eight months ago, ION Trading UK — a little-known company that serves derivatives traders worldwide — was hit by a ransomware attack that paralyzed markets and forced trading shops that clear hundreds of billions of dollars of transactions a day to process deals manually. That has put financial institutions on high alert.
ICBC, the world’s largest lender by assets, has said it’s been improving its cybersecurity in recent months, highlighting increased challenges from potential attacks amid the expansion of online transactions, adoption of new technologies and open banking.
“The bank actively responded to new challenges of financial cybersecurity, adhered to the bottom line for production safety and deepened the intelligent transformation of operation and maintenance,” ICBC said in its interim report in September.
Ransomware attacks against Chinese firms appear rare in part because China has banned crypto-related transactions, according to Mattias Wåhlén, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity.
But the latest attack likely exposes weaknesses in ICBC’s defenses, Wåhlén said.
“It appears ICBC has had less effective security,” he said, “possibly because Chinese banks have not been tested as much as their Western counterparts in the past.”
Ransomware hackers have become so prolific that attacks may hit record levels this year.
Blockchain analytics firm Chainalysis had recorded roughly $500 million of ransomware payments through the end of September, an increase of almost 50% from the same period a year earlier.
Ransomware attacks surged 95% in the first three quarters of this year, compared with the same period in 2022, according to Corvus Insurance.
In 2020, the website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down.
It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks simultaneously.
Caesars Entertainment Inc., MGM Resorts International and Clorox Co. are among companies that have been hit by ransomware hackers in recent months.
ICBC was struck as the Securities and Exchange Commission works to reduce risks in the financial system with a raft of proposals that include mandating central clearing of all US Treasuries.
Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.
The incident underscores the benefits of central clearing in the $26 trillion market, said Stanford University finance professor Darrell Duffie.
“I view it as one example of why central clearing in the US Treasuries market is a very good idea,” he said, “because had a similar problem occurred in a not-clearing firm, it’s not clear how the default risk that might result would propagate through the market.”
ICBC Hack Kept Repo Market Open, Fueled Bond Delivery Failures
* Non-Delivery Of Treasuries Rose To Near An Eight-Month High
* Repo Market Got Four-Hour Extension To Minimize Pain: Traders
Non-delivery of US debt pledged as collateral surged on Thursday as the repercussions of a cyberattack on Industrial & Commercial Bank of China Ltd. rippled through the market.
US Treasury repo fails — the amount of US debt that wasn’t delivered to fulfill trade contracts — rose to $62.2 billion, the highest since March and up from $25.5 billion a day earlier, Depository Trust & Clearing Corporation data show.
Such failures-to-deliver occur when either sellers do not deliver, or buyers do not receive, securities in time to settle a trade.
The repo market — which usually closes at 3 p.m. in New York — stayed open until 7 p.m. in order to facilitate trades, according to Subadra Rajappa, head of US interest-rates strategy at Societe Generale. And the Federal Reserve kept its Fedwire settlement system open to minimize the damage, said Curvature Securities executive vice president Scott Skyrm.
The DTCC and Fed could not immediately be reached for comment on the extensions.
“We saw our fails increase by maybe 50% or doubled,” said Skyrm. “We would’ve had a lot more fails if they hadn’t stayed open. That cleaned up some of the fails and helped the congestion,” he said.
Rumors around the attack on ICBC swirled through markets on Thursday as entities responsible for settling transactions swiftly disconnected their systems to contain the damage, forcing ICBC to send settlement details via a USB drive.
The drama complicated the US’s auction of 30-year debt, which was among the worst in a decade, with some market participants citing ICBC’s troubles as adding to the lackluster result.
Behind ICBC Hack Is a Gang for Hire That Holds Systems Hostage
* LockBit Is What’s Known As A ‘Ransomware As A Service’ Group
* It Is One Of The Most Prolific Ransomware Attackers In World
In January, it hacked the UK’s Royal Mail and halted international mail shipments. Less than a month later, it struck a British fintech firm, paralyzing global derivatives trading. It has crippled Japan’s biggest maritime port and struck Boeing Co.’s parts and distribution business.
But arguably none of the recent cyberattacks orchestrated by LockBit — one of the most prolific ransomware gangs of all time — has shaken the financial world more than its hack of Industrial & Commercial Bank of China Ltd.
The breach disclosed Thursday by the largest global lender by total assets blocked some Treasury market trades from clearing, forcing brokers and traders to reroute transactions.
“This is a true shock,” said Marcus Murray, founder of the Swedish cybersecurity firm Truesec. It’s the kind of large-scale, high-profile attack that “will make large banks around the globe race to improve their defenses, starting today.”
LockBit’s devastation has been roughly four years in the making. The group has been active since at least the start of 2020 and has hacked as many as 1,000 victims globally, issuing more than $100 million in ransom demands, according to the US Justice Department.
The group’s members have been tied to Russia and are active on Russian-language cybercriminal forums, according to industry experts.
The gang is what’s known as a “ransomware as a service” enterprise. Core LockBit hackers develop the malware, the leak site and other tools. Freelance cybercriminals, known as affiliates, then sign up with LockBit to gain access to its tools and infrastructure and do the intrusions themselves. When attacks are successful, LockBit gets a commission — typically around 20% of any ransom paid, according to cybersecurity firms.
“They run it like a business, and that’s the best way to explain it,” Jon DiMaggio, chief security strategist at Analyst1, said in an interview earlier this year. “The founder of LockBit runs it as if he were Steve Jobs, which is successful for them but very bad news for the rest of us.”
LockBit affiliates first break into a victim’s network, then deploy ransomware that encrypts files and holds systems hostage. They demand payment for the decryption keys and often threaten to leak data stolen before encryption to pressure victims to pay, a tactic known as double extortion.
The gang’s victims span Europe and the US, as well as China, India, Indonesia and Ukraine, according to cybersecurity firm Kaspersky.
Researchers have long studied LockBit’s hacking tools, determining that the group regularly updates its malicious software in order to avoid detection from cybersecurity products.
One strain of malware, dubbed LockBit Black, showed that the gang had experimented with self-spreading, worm-like capabilities that would let it move across a victim’s network without the technical expertise an affiliate would typically need to do so by hand, Sophos Group Ltd. researchers wrote in a blog post.
Exactly how many people are involved in LockBit and where they are based is unknown, but the gang has said on its website that it doesn’t attack post-Soviet Union countries because most of its developers and partners were born and grew up there.
As of late Thursday, ICBC hadn’t been listed on LockBit’s website as a victim. That’s not unusual, said Mattias Wåhlén, a threat intelligence expert with Truesec.
“Many initial ransom notes contain the offer that, if victims pay swiftly, the ransomware group will not publish the victim’s name at all, to save public embarrassment.”
Eric Noonan, chief executive officer of the security services firm CyberSheath, described LockBit as “the most deployed ransomware in the world in 2022,” noting that it has also been “pretty active” this year. Still, Noonan said: “It really is surprising that a Chinese bank was targeted.”
Because the Chinese government banned trading in cryptocurrency — hackers’ preferred method of payment — gangs don’t often target the region, according to Wåhlén. China has also traditionally been considered an ally to Russia, he said, making it a lesser target of those with Russian ties.
“If that targeting turns out to be an error,” Noonan said, “we could see LockBit aid in the recovery by providing free decryption as they have in the past when the wrong victims have been targeted.”
Then again, LockBit hackers have in the past made it clear that they’re equal opportunists. In a statement issued early last year, they described themselves as “apolitical.”
“For us, it is just business,” the gang said. “We are only interested in money for our harmless and useful work.”
ICBC Flies Top Executives To US In Race To Contain Hack Fallout
* Bank Officials Arrive In US Over Weekend After Cyberattack
* Hard To Predict When Systems Will Resume Service, People Say
Within days of a cyberattack at its US unit, members of Industrial & Commercial Bank of China Ltd.’s management were on a plane.
Officials from the world’s largest lender arrived in the US over the weekend in a hastily arranged trip to limit fallout from the incident last week, people with knowledge of the situation said.
As they sought to calm markets through a steady stream of discussions and calls, one question remained unanswered: When will the stricken systems start functioning again?
The bank is racing to reassure market participants it has a handle on the situation following the attack by prolific ransomware gang LockBit, which rendered it unable to clear swathes of US Treasury trades and forced many to reroute their orders. The firm has yet to restore normal operations.
On Friday, senior ICBC executives spoke with hundreds of member firms of the Securities Industry and Financial Markets Association in a bid to allay concerns, according to people familiar with the matter who asked not to be identified discussing private information.
Some participants left without a clear outline of ICBC’s response, one of the people said.
And while the bank has been working to restore access to its systems, a subsequent investigation and ongoing discussions with regulators have made any resumption of normal service hard to predict, one of the people said.
The incident also prompted China’s National Administration of Financial Regulation to issue guidance last week pressing large banks with offshore units to bolster their defenses against potential cyber attacks, another person familiar with the matter said.
Representatives for ICBC didn’t immediately respond to requests for comment. A representative for Sifma declined to comment. The NAFR didn’t immediately respond to a request for comment.
ICBC confirmed in a statement on Thursday that a ransomware attack at its ICBC Financial Services unit had disrupted some of its systems and that it was conducting a thorough investigation.
Its head office and other domestic and overseas units weren’t affected, it said. On Monday, LockBit said that it had received a ransom payment from ICBC, without giving further details.
The extent of the disruption caused by the attack wasn’t immediately clear, though participants in the $26 trillion Treasury market reported liquidity was being affected. Traders were still finding it hard to settle transactions more than a day after the attack.
ICBC is working with its US banking partners to help clear transactions as it seeks to resolve the cyber issues, one of the people said.
Still, some participants were concerned about connecting with the bank digitally until they had resolved the security issues, said the person.
In the immediate aftermath, ICBC held discussions about hiring Google-owned cybersecurity firm Mandiant for incident response, though no agreement to work together was reached.
If recent ransomware attacks are any indication, it could take weeks for ICBC to restore its operations to normal.
LockBit, a criminal gang with ties to Russia, specializes in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files.
Earlier this year, it took credit for an attack against ION Trading UK that paralyzed derivatives trading across markets for everything from commodities to bonds and forced several banks and brokers to process trades manually.
ICBC Hackers Used Methods Previously Flagged by U.S. Authorities
Attack stemmed from LockBit 3.0 ransomware and two vulnerabilities affecting users of Citrix NetScaler products, Treasury says.
The hackers who infiltrated the New York arm of the Industrial and Commercial Bank of China and disrupted trading in the U.S. Treasury market appeared to rely on a ransomware strain and two vulnerabilities that had all been flagged by U.S. officials earlier this year.
In an email sent to financial-services executives and trade groups Monday that was viewed by The Wall Street Journal, Treasury officials said that the ICBC attack stemmed from LockBit 3.0 ransomware and two tactics that target users of services managed by Citrix, a cloud-computing company.
In March, the FBI and the Department of Homeland Security had highlighted the risks posed by the LockBit ransomware. And the Cybersecurity and Infrastructure Security Agency had warned companies about the Citrix vulnerabilities in recent weeks.
The report suggests that ICBC could have anticipated the cyberattacks. ICBC officials in New York couldn’t immediately be reached for comment Monday evening.
ICBC is the world’s largest bank. Its ICBC Financial Services unit forms part of the plumbing of the U.S. Treasury market as a member of the government-securities division of the Fixed Income Clearing Corporation, which clears all trades in government bonds among members including Goldman Sachs and JPMorgan Chase, as well as smaller interdealer brokers.
The unit largely focuses on clearing, ensuring that transactions previously agreed by traders go through, and on lending and borrowing through repurchase agreements—a form of collateralized funding that forms a vital part of the financial system.
While ICBC Financial Services is a smaller player in the overall Treasury market, the business has punched above its weight in clearing repo trades for hedge funds, Wall Street executives said.
ICBC Financial Services was forced to isolate some of its systems last week after the attack, and it disconnected from the Treasury market and the Bank of New York Mellon platform that settles its trades. The ICBC unit then began to clear those trades manually.
On a Monday call with market participants, an ICBC executive said the bank hadn’t yet reconnected to the market, according to people who listened to the call. The executive didn’t address whether the bank had made a ransom payment to the hackers.
The Treasury’s Office of Cybersecurity and Critical Infrastructure Protection wrote in its note that the two Citrix threats — the “Citrix Bleed” vulnerability in NetScaler ADC and NetScaler Gateway, and a denial-of-service vulnerability in NetScaler ADC and NetScaler Gateway — were still under review and would take several days to confirm. Citrix Bleed, tracked as CVE-2023-4966, is a memory-disclosure flaw that can leak valid session tokens from an unpatched appliance, which is why Citrix and CISA advised administrators to terminate active sessions after upgrading rather than rely on the patch alone to evict an intruder who already holds a hijacked session.