A cyberattack on a subsidiary of a Dublin-based financial technology and trading firm ION Group has disrupted transactions for dozens of major clients in both Europe and the United States, impacting the market for exchange-traded derivatives, the firm and other sources stated this week.
The attack, reportedly carried out by the Russia-linked LockBit ransomware group, has resulted in the trading company isolating servers and taking them offline. The company's subsidiary ION Cleared Derivatives, which provides order management and execution services, acknowledged the "cybersecurity event" in a statement on Jan. 31.
"The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," ION Cleared Derivatives said in a statement, adding that it would provide further updates as more information becomes available.
Derivatives are financial instruments whose value is tied to an underlying asset or a benchmark, such as the price of oil, portfolios of debt, or stocks. The four broad categories of derivatives are options, futures, swaps, and forwards, with massive sums traded every day. The value of assets traded as options and futures in North America, for example, totaled $30.1 trillion and $23.5 trillion, respectively, in the third quarter last year, according to the Bank for International Settlements.
The cyberattack on ION Cleared Derivatives has affected at least 42 of the company's clients, disrupting their processing of derivative trades, according to a Bloomberg News report. Several members of two large industry groups in the United States — the CME Group and Intercontinental Exchange — have also been impacted by the attack on the ION Group, an article in the Financial Times stated.
The Futures Industry Associations (FIA) — which represents one area of derivatives, futures contracts — is investigating the attack's effects on its members, the group said in a statement.
"FIA is aware of network issues caused by a cyber incident on certain ION Group systems which are impacting the trading and clearing of exchange traded derivatives by ION customers across global markets," the group stated. "We are working with impacted members, including clearing firms and exchanges, as well as market regulators and others, to assess the extent of the impact on trading, processing, and clearing."
LockBit Claims Credit for Carnage
The infamous LockBit group — responsible for recent attacks on the Hospital for Sick Children in Toronto and a host of chemical and industrial targets — posted a breach notice to its extortion site on Feb. 2 naming the ION Group as a victim. In addition, a ransom note, purportedly from the group, is currently circulating on private forums and names the ION Group as a compromised business, says Allan Liska, a senior analyst with threat intelligence firm Recorded Future.
How the LockBit group gained access to the ION Group's subsidiary and the extent of the damage are questions that will likely take a while to answer, Liska says.
"Unfortunately, not a lot is known yet about the tools used in the attack," he says. "The ION Group is likely still assessing the damage and conducting incident response and disaster recovery, so they may not know the full scope yet."
The LockBit cybercrime group uses a ransomware-as-a-service (RaaS) model, creating the tools to compromise and infect victims and then relying on affiliates to infect companies, healthcare organizations, and government agencies. While ransomware groups relied in the past on encrypting data and holding the keys for ransom, the modern variant of the scheme typically also steals sensitive data and threatens its release.
How Widespread Is the ION Attack's Impact?
The immediate impact to clients of ION Cleared Derivatives' services is that the post-trade processes — such as "trade matching and keeping track of risk and margin requirements" activities normally automated by the company's services — have to be completed manually, according to the Financial Times.
Yet the service outage is also affecting markets in the United States and parts of Asia, underscoring the interconnectedness of today's financial and technological infrastructure.
"ION Group is used by financial institutions all over the world, so this attack is likely having wide-ranging impact on those institutions," Record Future's Liska says. "This is, unfortunately, an increasingly common problem with ransomware attacks: The attack doesn't just impact the affected organization but every organization that organization works with."
While the attack has had widespread — and in some cases, surprising — effects, a senior US Treasury official stated that the disruption to the ION Cleared Derivative's platform does not pose a "systemic risk to the financial sector," according to Bloomberg News.