A U.S. subsidiary of China’s biggest bank was hacked this week, threatening a temporary logjam for some trades in the Treasury bond market.
ICBC Financial Services, a New York-based entity owned by the Industrial and Commercial Bank of China IDCBY, was the victim of a ransomware attack on Wednesday. The unit largely focuses on clearing, which means ensuring that transactions previously agreed by traders go through, and on lending and borrowing through repurchase agreements—a form of collateralized funding that forms a vital part of the financial system.
The company was forced to disconnect and isolate some of its I.T. systems after the attack. But it said it was able to clear all trades involving U.S. Treasurys that were executed on Wednesday, and repo financing that took place on Thursday.
The incident shines a spotlight on the financial connections between China and the U.S., which persist despite political tensions and economic rivalry between the two countries. Chinese institutions hold more than $800 billion of Treasury bonds, even after a years-long reduction in their holdings, and the country’s biggest banks are active in the U.S. government-bond market.
ICBC Financial Services forms part of the plumbing of the U.S. Treasury market as a member of the government-securities division of the Fixed Income Clearing Corporation. The FICC clears all trades in government bonds among members, which include household names such as Goldman Sachs and JPMorgan Chase, as well as smaller interdealer brokers.
Routing trades through the FICC reduces the risk that a default by one broker-dealer could cascade through the market—though its importance has waned in recent years with the rise of nonbank market makers in Treasurys. ICBC is the only Chinese member.
The attack came just ahead of a Thursday meeting between U.S. Treasury Secretary Janet Yellen and Chinese Vice Premier He Lifeng in San Francisco. That was itself a precursor to a meeting next week between President Biden and Chinese President Xi Jinping, the first time the two leaders will have met in a year.
The attack used ransomware developed by Russian hacking group LockBit, according to Marcus Murray, the founder of Truesec, a cybersecurity company. He said it was likely the attack was launched by an affiliate of LockBit.
Ransomware is a type of software that can paralyze computers or entire networks, with the promise that the attack will end if the victim makes a payment. The payments often take place in the form of cryptocurrency, which is harder for authorities to trace.
“A boundary has been broken. We haven’t seen something like this involving a large bank before,” said Murray. “We’ve seen previous cyberattacks against big banks, but the hackers haven’t used ransomware. It’s not clear how this is going to impact banks, or the wider financial system.”
“Banks are in many ways perfect targets. It’s generally very difficult to hack a bank, but because they are so complex they have so many vulnerabilities. They process a massive amount of transactions, and it’s hard to secure all of that,” he said.
LockBit’s program was the most widely used ransomware in the world last year and remains popular in 2023, according to the U.S. government’s Cybersecurity and Infrastructure Security Agency.
LockBit has previously claimed attacks on companies including Boeing and the U.K.’s Royal Mail.
One of its strikes exploited a chink in the finance industry’s armor outside highly regulated banks: The technology firms that process trades and keep markets humming.
Some financial institutions resorted to confirming derivative trades manually after a ransomware strike on Dublin-based ION Trading Technologies in late January this year. ION’s software automates the matching and clearing process in trades. LockBit claimed responsibility for that attack.
This week’s attack on ICBC took place a day before an auction for long-dated U.S. Treasurys got weaker demand than the government is used to.
ICBC had $5.7 trillion of assets at the end of last year, making it the largest bank in the world, according to S&P Global Ratings. That dwarfed the $3.7 trillion assets of JPMorgan, the largest U.S. bank.
ICBC Financial Services said the computer systems in the Chinese bank’s head office in Beijing, as well as those of its New York branch, weren’t affected.
By August, China held $805 billion of U.S. Treasurys, the lowest level in more than 14 years, according to data from the Treasury Department. China’s U.S. government debt holding has been declining for five months since April. Japan is now the largest foreign holder of U.S. government bonds.
ICBC Financial Services is one of the main subsidiaries ICBC has in the U.S. The others include ICBC’s New York branch, which serves as the U.S. dollar clearing center for the bank, and ICBC USA, which provides retail and commercial banking services.
ICBC Financial Services held $23.5 billion in assets at the end of 2022, according to its most recent annual report. Illustrating its role in repo financing: $16.5 billion of those assets were securities held as part of agreements to resell them, a form of lending.
That is dwarfed by the $631 billion in assets held at the end of 2022 by J.P. Morgan Securities, a subsidiary of the Wall Street giant that is also a member of the FICC.
ICBC Financial Services’ clients include hedge funds, broker-dealers and global banks, according to the bank’s website.
The Justice Department has charged three people with alleged activities related to the LockBit ransomware campaign over the past year. Two of those people have been arrested, the DOJ said in June.
LockBit ransomware first appeared at the start of 2020, and LockBit actors have launched more than 1,400 attacks, according to the DOJ. It said they had issued more than $100 million in ransom demands and received tens of millions of dollars in ransom payments, made in the form of bitcoin.