On ICBC’s behalf, BNY on Thursday requested multiple extensions of the operating hours of Fedwire, a real-time payments platform operated by the US Federal Reserve, to buy more time to settle Treasury trades, said people familiar with the matter.
Because of the hack, ICBC’s US unit required a US$9b capital injection from its parent company to cover unsettled trades with BNY, according to two people familiar with the matter.
BNY declined to comment. ICBC did not respond to a request for comment. ICBC had previously confirmed it had “experienced a ransomware attack that resulted in disruption to certain [financial services] systems”.
BNY, the world’s largest custodian bank, has electronically disconnected ICBC from its platform and does not plan to reconnect it until a third party attests that it is safe to do so, said people briefed on the matter. BNY is instead using manual workaround solutions to process the trades.
“No IT team is going to trust anything out of ICBC US without it being rigorously scanned or scrutinised,” said one cyber expert close to the industry response.
Another person involved said: “Until BNY reconnects it’s going to be slow and painful.”
US Treasury secretary Janet Yellen on Friday said she had been in touch with China’s vice-premier He Lifeng about the hack but had not seen an impact on the Treasury market.
“We have been working very closely with the Chinese, with the firm and with regulators in the United States,” Yellen said, adding that Treasury had given “as much assistance as we possibly can” to ICBC on the issue.
The Securities and Exchange Commission on Friday said it “continues to monitor with a focus on maintaining fair and orderly markets”. The Securities Industry and Financial Markets Association, which represents banks and asset managers, held calls with members to discuss their response to the incident.
At a briefing on Friday, the Chinese foreign ministry said ICBC had done a good job in handling the attack on its US financial services arm.
“ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” said ministry spokesperson Wang Wenbin.
ICBC is the only Chinese broker with a securities clearing licence in the US. It created the business after buying the prime dealer services unit of Fortis Securities in 2010.
“ICBC is a large Chinese bank and the flows it handles matter,” said Charlie McElligott, a cross-asset strategist at Nomura. “Anything that blocked the ability to participate in the auction, it’s fair to say, would have contributed to the yield spike that followed.”
After news of the ransomware attack emerged, employees at ICBC’s Beijing headquarters held urgent meetings with their US unit, according to a staff member who participated in these meetings.
Ransomware attacks have proliferated since the coronavirus pandemic, in part as remote working has left businesses more vulnerable and as cyber criminal groups have become more organised.
“With the rising severity, sophistication and frequency of cyber attacks, often involving human error, companies urgently need to rethink their approach to ransomware defence,” said Oz Alashe, founder of CybSafe, a British cyber security and data analytics firm.
Written by: Joshua Franklin and Kate Duguid in New York, Costas Mourselas and George Steer in London, Colby Smith in Washington, Cheng Leng in Hong Kong and Ryan McMorrow in San Francisco
© Financial Times