A pedestrian walks past a branch of the Industrial & Commercial Bank of China (ICBC) in Fuzhou, Fujian Province, China.
VCG | Getty Images
The US financial services division of Chinese bank ICBC was hit by a cyber attack that reportedly disrupted trading in government bonds.
Industrial and Commercial Bank of China, the world’s largest lender by assets, said Thursday that its financial services arm, called ICBC Financial Services, suffered a ransomware attack “that resulted in disruption of certain” systems.
Immediately after discovering the hack, ICBC “isolated affected systems to manage the incident,” the state bank said.
Ransomware is a form of cyber attack. It involves hackers taking control of systems or information and only releasing it after the victim has paid a ransom. It’s a type of attack that has seen a surge in popularity among bad actors in recent years.
ICBC did not reveal who was behind the attack, but said it “conducted a thorough investigation and continues its recovery efforts with the support of its professional team of information security experts.”
The Chinese bank also said it is cooperating with law enforcement.
ICBC said it “successfully cleared” the U.S. Treasury transactions executed on Wednesday and the repo financing transactions executed on Thursday. A repo is a repurchase agreement, a type of short-term loan for government bond traders.
However, multiple news sources reported that there was a disruption in trading in US government bonds. The Financial Times said on Friday, citing traders and banks, that the ransomware attack prevented the ICBC division from settling government bond trades on behalf of other market participants.
The US Treasury Department told CNBC: “We are aware of the cybersecurity issue and are in regular contact with key financial industry participants, in addition to federal regulators. We will continue to monitor the situation.”
ICBC said the U.S. financial services arm’s email and business systems operate independently of ICBC’s China operations. The systems at the head office, ICBC’s New York branch and other domestic and foreign affiliated institutions were not affected by the cyber attack, ICBC said.
What did the Chinese government say?
Chinese Foreign Ministry spokesman Wang Wenbin said on Friday that ICBC aims to minimize the impact and losses after the attack, according to a Reuters report.
Wang said at a regular news conference that ICBC has paid close attention to the case and handled emergency response and supervision well, according to the Reuters report.
What do we know about the ransomware attack?
No one has claimed responsibility for the attack and ICBC has not yet said who may be behind it.
In the world of cybersecurity, it is often very difficult to find out who is behind a cyber attack due to the techniques hackers use to mask their locations and identities.
But there are clues as to what type of software was used to carry out the attack.
Marcus Murray, founder of Swedish cybersecurity company Truesec, said the ransomware used is called LockBit 3.0. Murray said this information comes from sources with relationships with Truesec, but could not reveal who those sources are for confidentiality reasons. The Financial Times, citing two sources, also reported that LockBit 3.0 was the software behind the attack. CNBC could not independently verify the information.
This type of ransomware can enter an organization in many ways, for example, when someone clicks on a malicious link in an email. Once inside, the aim is to obtain sensitive information about a company.
VMware’s cybersecurity team said in a blog last year that LockBit 3.0 is a “challenge for security researchers because each instance of the malware requires a unique password to operate, without which the password is extremely difficult or impossible.” The researchers added that the ransomware is “heavily protected” from analysis.
The US government’s Cybersecurity and Infrastructure Security Agency calls LockBit 3.0 “more modular and evasive,” making it harder to detect.
LockBit is the most popular form of ransomware, responsible for about 28% of all known ransomware attacks between July 2022 and June 2023, according to data from cybersecurity firm Flashpoint.
What is LockBit?
LockBit is the group behind the software. The business model is known as ‘ransomware-as-a-service’. It effectively sells its malicious software to other hackers, known as affiliates, who then carry out the cyber attacks.
The group’s leader goes by the online name “LockBitSup” on hacking forums on the dark web.
“The group posts mainly in Russian and English, but according to its website the group claims to be based in the Netherlands and not politically motivated,” Flashpoint said in a blog post.
The group’s malware is known to target small and medium-sized businesses.
LockBit has previously claimed responsibility for ransomware attacks on Boeing and on Great Britain's Royal Mail.
In June, the US Department of Justice indicted a Russian for his involvement in “deploying numerous LockBit ransomware and other cyberattacks” on computers in the US, Asia, Europe and Africa.
“LockBit actors have carried out more than 1,400 attacks on victims in the United States and around the world, demanding more than $100 million in ransoms and receiving at least tens of millions of dollars in actual ransom payments in the form of bitcoin,” said the DOJ in a press release in June.
— CNBC’s Steve Kopack contributed to this article.