Geopolitical and Cybersecurity Risk Weekly Brief 14 December 2020

14 December 2020

Executive Summary

Cybersecurity continues to be a priority amid the COVID-19 pandemic. US-based pharmaceutical firm Pfizer and its German partner BioNTech said documents relating to their COVID-19 vaccine had been ‘unlawfully accessed’ after a cyberattack targeted the European Medicines Agency (EMA). Major US cybersecurity firm FireEye revealed that it recently suffered a cyberattack from a ‘highly sophisticated threat actor’ resulting in the theft of its Red Team tools, used to simulate attacks. These could be used for successful intrusions.

An unnamed Russian APT is reported to have compromised multiple US government departments via a supply-chain attack on SolarWinds, one of the biggest network management systems (NMS) in the United States. Multiple sources have alleged that the attack on the Treasury and the breach at FireEye were carried out by APT29 (also known as CozyBear or TheDukes), which also breached the White House and the State Department, and attempted to steal COVID-19 vaccine research earlier in 2020.

This constitutes a potentially catastrophic attack against the global IT supply chain. There is a high likelihood that US authorities will seek to identify and retaliate against the suspected perpetrators, potentially leading to an escalation of cyber hostilities between Washington and its adversaries, particularly in the final weeks of the administration of President Donald Trump. Organisations with interests in US cybersecurity should monitor developments and regularly install cybersecurity patches to minimise exposure to potential attacks.

Meanwhile, technology companies continue to come under scrutiny. The US Federal Trade Commission (FTC) and 46 state prosecutors filed lawsuits against Facebook, accusing the social media giant of illegal actions to ‘crush’ smaller rivals and stifle competition. France’s privacy watchdog said it had fined US-based technology firms Google (EUR100 million) and Amazon (EUR35 million) for breaching the French Data Protection Act.

There have been a number of geopolitically significant developments this week. Morocco agreed to normalise ties with Israel, marking the fourth agreement of this kind in 2020 after the UAE, Bahrain, and Sudan. Ongoing hostilities between Ethiopia and Eritrea continue to lead to increased risks.

Tensions with China continue. US Secretary of State Mike Pompeo announced sanctions against senior leaders of China’s National People’s Congress in connection with the imposition and implementation of Hong Kong’s national security law (NSL). Beijing announced sanctions on unspecified US officials and the withdrawal of visa-free travel into Hong Kong and Macau for US diplomatic passport holders. China’s customs service also suspended meat imports from an Australian abattoir, the sixth to be targeted so far this year.


Attacks and cybersecurity news

An unnamed Russian APT has reportedly compromised multiple US government departments via a supply-chain attack on SolarWinds. According to an exclusive Reuters report, the threat actors were observed monitoring internal email traffic within the US Treasury and Commerce departments. SolarWinds, which works with several areas of the US government, called it a "highly-sophisticated, targeted and manual supply chain attack by a nation-state." While the US government has not yet identified the threat actors responsible, three unidentified sources "close to the investigation" alleged that Russian state-sponsored actors are responsible. Two of the unnamed sources also believe that the attack is connected to the recent FireEye breach (see below). Multiple sources have alleged that the attack on the Treasury and the breach at FireEye were carried out by APT29, which also breached the White House and the State Department, and attempted to steal COVID-19 vaccine research earlier in 2020. This constitutes a catastrophic attack on the global IT supply chain.

Cybersecurity firm FireEye announced this week that it had fallen victim to a “state-sponsored attack” resulting in the theft of its Red Team tools, used to simulate attacks. None of the tools is believed to contain 0day vulnerabilities, but they are still powerful enough to be used for successful intrusion campaigns. One anonymous source connected to the investigation alleged that early signs point to APT29. This remains unconfirmed at the time of publication. This appears to be the most significant theft of cybersecurity tools since the NSA was breached by TheShadowBrokers in 2016. Russian and North Korean cyber operators subsequently weaponised the NSA tools and leveraged them in attacks to distribute ransomware worms such as NotPetya and WannaCry. The NSA’s tools, however, were much more powerful than FireEye’s, as they were purpose-built cyber-weapons: FireEye’s tools were essentially built from known malware and vulnerabilities.

The European Medicines Agency (EMA) has confirmed it has been the subject of an unspecified cyberattack. The EMA authorises the use of medicines across the European Union. It is in the process of assessing whether the Pfizer/BioNTech and Moderna COVID-19 vaccines are safe for EU countries. Details about when the attack took place, who was responsible, and the exact information that has been compromised have not been disclosed. Organisations involved in COVID-19 vaccine research and distribution have been the target of numerous APTs in recent months. These have included APT29 (CozyBear), Zinc, Strontium, Cerium and Kimsuky, among others. Data such as formulas, distribution plans, and trial results is especially valuable given the global race to rapidly develop vaccines that can help end the pandemic.

A new DNS hijacking campaign is attempting to exploit D-Link and ZTE routers. According to researchers at Bad Packets, the main targets of these attacks appear to be Brazilian banks. The security advisory highlights the importance of changing default login credentials, using strong passwords, updating router firmware, and having procedures in place to check for phishing sites. Using phishing sites designed to look like the website the victim is trying to visit, attackers can remain undetected for long periods of time.

Reuters reports that since the establishment of formal ties with Israel, the United Arab Emirates (UAE) has been the target of an increasing number of cyberattacks. Chairman of the UAE Cyber Security Agency, Mohamed Hamad al-Kuwaiti, stated that the country’s financial sector is currently being heavily targeted. Specifics have not been provided and the success or otherwise of these attacks is not known. The initial spike in cyberattacks targeting the UAE began after the start of the coronavirus pandemic. Al-Kuwaiti added that, traditionally, many attacks in the region originate from Iran, without specifying their nature.

CISA, the FBI, and MS-ISAC have issued a joint advisory regarding cyber threat actors launching attacks against K-12 educational institutions, causing widespread disruption. Organisations in the education sector, particularly K-12 schools, are recommended to raise awareness of cyber threats, including social engineering, patch vulnerabilities, close unused services exposed to the internet (such as RDP or SMB), and replace end-of-life systems. The FBI Cyber Division has issued several alerts regarding cyberattacks targeting K-12 schools. Its most recent advisory on this topic revealed that K-12 schools were attacked 1,233 times, with another 422 schools hit in the first quarter of 2020: a huge increase compared to previous years.

 

Data security, fraud, and darknet

Data Security

Norway's biggest independent ISP, Webhuset, has exposed two identical ElasticSearch monitoring instances online. These logs included customer details, such as IP addresses, emails, SMTP/IMAP details, and communication with support agents. Researchers estimate that all of Webhuset's clients were impacted in this incident. The company has said that its security team immediately investigated and resolved the issue, claiming that it only impacted "a very small number of customers." There is currently no indication that this data was accessed by any malicious third parties or used for malicious purposes.

A non-password protected database belonging to photo editing application Fotor has exposed the details of 13 million users. It contained more than 123 million records, with a combination of both test and production data. It was also obvious to whom the data belonged because each folder contained the name "Fotor". Exposed information in this dataset could be used to gain deeper access to a company network. In October 2020, a Fotor database was found exposing the data of 13 million app users. It is unclear if this latest incident concerns the same data, or if Fotor exposed the same or a similar database for a second time in the space of two months.

American healthcare provider Dental Care Alliance has notified 1,004,304 patients that their data may have been exposed in a cyberattack. The attack began 18 September 2020 and was only discovered on 13 October. Patient data that may have been accessed includes account numbers, billing information, and bank account numbers. The company claims that it has not seen any evidence that this information was used for malicious purposes, so it is not offering any free credit monitoring services to customers because of the attack. This does not mitigate, however, the chances of this data being abused by threat actors in the future.

Fraud

New research has identified a phishing campaign which uses COVID-19 vaccine-themed lures to deliver Zebrocy, malware known to be used by APT28 (also known as FancyBear). The lure consists of multiple files labelled as having a connection to the Sinopharm International Corporation, a Chinese company currently developing a COVID-19 vaccine. These files are delivered as part of a Virtual Hard Drive (VHD) file.

A cybercrime group known for targeting e-commerce sites has launched a multi-stage campaign to distribute information-stealers and JavaScript-based payment skimmers. This campaign has been attributed to the same Magecart group responsible for a separate set of attacks that used FakeSecurity JavaScript-sniffers (JS-sniffers) to distribute password-stealing malware to online merchants. The attacks delivered the Vidar password stealer to target passwords from browsers and various applications, with subsequent iterations using the Raccoon stealer and AveMaria RAT. The malware distribution infrastructure was also used to store the sniffer code and collect stolen bank card data, linking the two malicious attacks.

A new Magecart campaign targeted e-commerce stores running end-of-life (EoL) versions of Magento around Black Friday and Cyber Monday. The attacks began in April and targeted versions 2.2.3 up to 2.2.7 of Magento. Multiple vulnerabilities were leveraged in this long-running campaign. According to the researchers, over 50 large online stores were compromised, only to be exploited right before Black Friday. The presence of multiple flaws in Magento ensured future access for the attackers, even if one option was closed.

Darknet

Thousands of stolen databases are currently being sold on the darknet via a specially created site. This site is believed to be linked to an ongoing campaign involving the accessing and downloading of unsecure databases. Once a database has been purchased, the original is deleted and replaced with a ransom note, directing victims to the darknet site. Victims who do not pay within a set period have their databases auctioned off. The theft and subsequent ransom of unsecured databases is not new. However, this evolution towards threatening to auction off stolen data has clear parallels with techniques used by ransomware groups.

Darknet vendors have begun selling alleged doses of the Pfizer/BioNTech COVID-19 vaccine. Prices for the vaccine have been over USD1,300, though none of these vendors has provided any proof of the vaccines’ legitimacy or efficacy. Furthermore, most of the listings for the alleged Pfizer/BioNTech COVID-19 vaccine have been on markets which are generally considered unreliable. While these listings are almost certainly fraudulent, they are similar to what was observed at the start of the COVID-19 pandemic, when multiple darknet vendors claimed to be selling high quantities of PPE. It is possible there will be a surge in COVID-19 vaccine related scams in the coming months.

 

APT activity, malware campaigns, and vulnerabilities

APT activity

A Molerats cyber-espionage campaign is targeting high-ranking political figures and government officials, primarily across Palestinian Territories, the UAE, Egypt and Turkey. The attacks deploy previously unseen malware variants that use Facebook, Dropbox, and Google Docs for C&C infrastructure. Two backdoors, SharpStage and DropBook, were discovered alongside a downloader dubbed MoleNet. These were designed to be stealthy and help the threat actors evade detection. Social engineering techniques were leveraged to deliver phishing documents, with themes related to regional current affairs. 

JPCERT/CC has disclosed a new attack campaign linked to APT10’s use of the Quasar malware. There are many variants of this open-source remote access Trojan (RAT), some of which have been used in targeted attacks against Japanese organisations. Multiple versions of Quasar have been pushed over the years; some are clones, others are customised. APT10 is believed to be a Chinese state-sponsored APT that has been active since 2009. It specialises in intelligence gathering campaigns and intellectual property theft. It is one of China’s most skilled groups and is best known for ‘Operation Cloud Hopper’.

Malware

New research has revealed the exploitation of a 0day vulnerability in LILIN digital video recorders (DVR). The remote command execution 0day bug is currently being exploited by a variant of the Mirai botnet. There are currently 6,748 vulnerable LILIN DVRs exposed to the internet. The vast majority are in China and Taiwan. Mirai malware variants typically target Unix-based systems and facilitate DDoS attacks that are designed to disrupt a network, website, or service. Mirai has been used in some of the largest distributed denial of service (DDoS) attacks, including an attack on security journalist Brian Krebs' blog, an attack on French host OVH, and the 2016 Dyn cyberattack. Mirai Trojans have since infected thousands of Linux-based systems in China via SSH brute-forcing attacks.

Vulnerabilities

Patch Tuesday and December updates were released this week by Google, Microsoft, Adobe, IBM, Siemens, SAP, and others. These should be applied in line with your company’s update schedule.

A new report has revealed a set of 33 critical vulnerabilities affecting millions of smart devices around the world. These bugs have collectively been dubbed Amnesia:33 and impact four open-source TCP/IP stacks: uIP, FNET, picoTCP, and Nut/Net. The vulnerabilities have an extended impact on enterprise devices, including embedded components, operational technology, network and office devices, and consumer smart products. Successful exploitation of these bugs can lead to information interception, denial of service, and total takeover. According to the researchers' best estimates, devices from over 150 vendors contain these vulnerabilities. As it is not clear how or when these systems will be patched, the researchers have not disclosed which devices are affected.

 

Geopolitical Threats and Impacts

Americas

US, HONG KONG & CHINA – US SANCTIONS CHINESE OFFICIALS OVER HONG KONG SECURITY LAW

On Monday (7 December), US Secretary of State Mike Pompeo announced sanctions against senior leaders of China’s National People’s Congress in connection with the imposition and implementation of Hong Kong’s national security law (NSL). The sanctions target the 14 vice-chairpersons of the National People’s Congress Standing Committee (NPCSC), the legislature’s senior decision-making body. The targeted individuals and their immediate family members are banned from travelling to the US. Furthermore, US persons are generally prohibited from doing business with them, while any US assets they hold are frozen. Responding to the announcement, Chinese foreign ministry spokeswoman Hua Chunying said that Beijing would take ‘firm counter-measures’ against the US’s ‘malicious’ actions. The sanctions mark the latest deterioration in bilateral ties between Washington and Beijing linked to Hong Kong’s evolving political status. While the latest sanctions have prompted Beijing to pledge retaliation, they are limited in scope and do not affect the broader commercial relationship between the world’s two largest economies. Given precedent, China is highly likely to retaliate through almost-reciprocal measures, potentially targeting senior US lawmakers assessed as hostile to China’s interests. Despite next month’s change of US administration, the prospects for an immediate improvement in relations are low, given bilateral consensus in Washington over disputes with Beijing. Beyond Hong Kong’s political status, these include longstanding opposition to Chinese trade policies, as well as concern over Beijing’s treatment of ethnic Uyghurs and military developments in the South China Sea.

UNITED STATES – MAJOR LAWSUITS RAISE PROSPECT OF FACEBOOK BREAKUP

On Wednesday (9 December), the US Federal Trade Commission (FTC) and 46 state prosecutors filed lawsuits against Facebook, accusing the social media giant of illegal actions to ‘crush’ smaller rivals and stifle competition. The complainants called for an unwinding of Facebook’s acquisitions of photo-sharing app Instagram and messaging service WhatsApp, which Facebook bought in 2012 and 2014, respectively. Responding to the lawsuits, Facebook’s general counsel Jennifer Newstead described the actions as ‘revisionist history’ and said the company would defend itself ‘vigorously’. The lawsuits are set to be fiercely litigated, meaning a swift outcome or resolution to the legal cases is highly improbable. More broadly, however, the lawsuits highlight growing bipartisan consensus and concern over US tech giants’ market dominance. In October, federal and Republican state authorities filed a similar lawsuit against Google, accusing the company of violating competition law to preserve its monopoly over internet searches and online advertising. This trend mirrors developments in the European Union, a jurisdiction which has long been less favourable to the interests of US tech companies than their home market, a reflection of diverging commercial interests and ideological positions. European authorities have launched several probes into and lawsuits against US tech giants over their perceived unfair market position. In the short-to-medium terms, further political and regulatory scrutiny of US tech giants is highly likely globally, potentially leading to hefty fines and potentially divestment orders.

Asia-Pacific

CHINA, HONG KONG & US – BEIJING IMPOSES TRAVEL CURBS, SANCTIONS ON US OFFICIALS

Beijing on Thursday (10 December) announced sanctions on unspecified US officials and the withdrawal of visa-free travel into Hong Kong and Macau for US diplomatic passport holders as a reprisal for US sanctions on Chinese officials announced on Monday (7 December). The US officials include those in executive and legislative branches and their immediate family members, as well as NGOs. In the immediate term, Beijing’s measures are set to complicate US diplomatic travel and mark a worsening of already tense bilateral relations between China and the US. Past sanctions by China have had little apparent effect, as the punitive force of the country’s sanctions is undermined by the dominance of the US Dollar in international transactions. Hong Kong is likely to remain a significant hurdle towards the stabilisation of US-China relations under the US’ upcoming Biden administration. Jake Sullivan, Biden’s designated national security adviser, on Tuesday (8 December) tweeted his ‘deep [concern]’ about the stifling of pro-democracy activists in the territory. Further measures against China over Hong Kong and reciprocal actions are likely against the backdrop of continuing arrests of activists and apprehension about the territory’s evolving legal and financial system under the national security law (NSL).

AUSTRALIA & CHINA – CUSTOMS BARS FURTHER AUSTRALIAN PRODUCTS AMID ECONOMIC CAMPAIGN

China’s customs service on Tuesday (8 December) suspended meat imports from an Australian abattoir, the sixth to be targeted so far this year. The ban has been linked to unfounded accusations in China’s state-controlled media that the coronavirus (COVID-19) pandemic may have originated in Australia and arrived in China in frozen meat imports. The successive bans have already undermined exports of Australian beef and lamb meat to China, valued at AUD2.6 billion (USD1.94 billion) in 2019. There are concerns Australian pharmaceuticals, fruit and honey are also set to be barred. However, China continues to increase iron ore imports from Australia, its nearest and cheapest source of the key industrial mineral. Beijing’s overt political efforts to use economic pressure against the Australian government over Canberra’s stance on a number of issues that have angered the ruling communist party, notably human rights in Hong Kong and the origins of COVID-19, appear to be increasingly targeted at what China assesses as non-essential imports. As no Australian government could concede to Beijing’s demands that it ‘correct its attitude’ towards China, further economic pressure is certain to be applied to the country’s exports. There is also the threat that Australian commercial concerns and individuals within China and Hong Kong may be targeted for increased scrutiny in terms of business practices, taxation and access.

Europe and Russia

REGIONAL – EU LEADERS APPROVE 2021-2027 BUDGET AND LANDMARK ECONOMIC RECOVERY PACKAGE

On Thursday (10 December), EU leaders granted approval to the 2021-2027 EUR1.1 trillion budget and the EUR750 billion coronavirus (COVID-19) recovery fund. Hungary and Poland had blocked the plans over stipulations linking the distribution of funds to rule of law provisions. Details of the agreement have not yet been made available but indications suggest the rule of law mechanism will only apply after a ruling from the European Court of Justice. German Chancellor Angela Merkel has been a key figure in bridging the differences and ultimately reaching an agreement. Both Hungary and Poland face accusations of democratic backsliding and implementing measures undermining the rule of law. The agreement can be interpreted as a concession to Budapest and Warsaw as it means the implementation of the mechanism will be delayed. For EU leaders strongly supportive of the rule of law mechanism, the deal is also favourable as the text remains the same. One key implication of the agreement is that it will unblock funds needed by national governments to finance recovery plans and avoid payment cuts to countries since the seven-year budget will be in effect from January.

FRANCE – PRIVACY REGULATOR FINES GOOGLE, AMAZON FOR BREACHING RULES

On Thursday (10 December), CNIL – the country’s privacy watchdog – said it had fined US-based technology firms Google (EUR100 million) and Amazon (EUR35 million) for breaching the French Data Protection Act. According to a statement from the agency, cookies – minor pieces of data stored on user computers when they are browsing a website – are tracking user devices without their consent. In particular, CNIL said that when a user visited the google.fr website several advertising cookies were automatically placed on a person’s computer, without any prompts requiring actions. A similar issue was reported with the amazon.fr website. Both companies have three months to make changes to information provided to users or face additional fines of EUR100,000 per day. Why it matters: Google has faced fines of over EUR8.2 billion in three antitrust cases amid increasing scrutiny from the European Commission. EU regulatory agencies have gained significant powers since the General Data Protection Regulation (GDPR) was adopted in May 2018. Technology firms should ensure they fully comply with domestic competition and consumer protection rules. This will help mitigate the risk of potentially heavy fines and mandatory requirements to conduct operational changes.

MENA and Central Asia

SAUDI ARABIA – ELEVATED SECURITY & CORRUPTION RISK AMID HIGH LEVELS OF CYBERCRIME, FRAUD

On Wednesday (2 December) the governor of the Saudi central bank and chair of the Anti-Money Laundering Permanent Committee, Ahmed Abdulkarim Al-Kholifey, said that levels of corruption and cybercrime had risen over recent months amid the COVID-19 pandemic. In a notable threat, he specifically referenced an increase in the number of financial fraud cases, whereby a growing number of individuals have fraudulently claimed investments in digital currencies. Al-Kholifey also outlined a number of corruption cases emerging in recent months where officials affiliated to the government have exploited the current health crisis by conducting side deals on the additional resources coming into the country, such as medical supplies. Finally, according to Al-Kholifey’s statement cybercrime cases have also risen, particularly via mobile phone hacking and fake financial donation campaigns established through the pandemic. The details, which were revealed at the 12th Annual Forum for Compliance and Combating Money Laundering, underscore the elevated security and corruption risk to staff in the country and across the wider region amid the ongoing pandemic. Companies in Saudi Arabia and MENA have ramped up digitalisation processes in answer to lockdown and social distancing restrictions. However, this has resulted in a significant increase in the number of identity related fraud cases due to larger quantities of personal data available online and greater means of accessing this as employees utilise personal tech equipment more frequently.

MOROCCO & ISRAEL – AGREEMENT TO NORMALISE TIES WILL LIKELY FUEL TENSIONS IN W. SAHARA

On Thursday (10 December) US President Donald Trump announced that Morocco had agreed to normalise ties with Israel, marking the fourth agreement of this kind in 2020 after the UAE, Bahrain, and Sudan. Morocco’s Royal court released a statement from King Mohammed VI confirming the news and notably indicated that direct flights between the two states would be facilitated in the near future. While the King also said that Morocco remained committed to the Palestinian cause and a two state solution, Palestinian figures have condemned the deal. One aspect of the deal that will likely fuel tensions in the region is a US commitment to recognise Morocco’s sovereignty over the disputed Western Sahara region. The pledge is in line with a transactional foreign policy demonstrated in previous agreements engineered by the US between Israel and Arab states. Notably, it is likely that a US arms deal with the UAE worth USD23bn in advanced fighter jets and drones was central to securing the Emirate’s commitment to the Abraham Accords. In reaction to the announcement, the Polisario Front (PF), a Sahrawi rebel national liberation movement aiming to end Moroccan presence, reiterated their autonomy over Western Sahara and stated that Trump’s recognition would ‘not change the legal nature of the Sahara issue’. Tensions in the disputed region have ramped up in recent weeks following the deployment of Moroccan troops into Guerguerat, a buffer zone on the southwest coast, and the subsequent termination of a ceasefire by PF on 14 November. The latest development will likely work to further aggravate the heightened hostilities and elevates the risk of open conflict between PF supporters and Moroccan forces. Staff in the regions should anticipate protests against the agreement over the coming days, particularly around Laâyoune city in Western Sahara and across urban centres around the MENA region. 
It is possible that rogue actors working in support of the PF could carry out attacks against Moroccan interests over the coming weeks.

ISRAEL – PFIZER COVID VACCINATIONS TO COMMENCE ON 27 DECEMBER AMID RISE IN INFECTIONS

Prime Minister Benjamin Netanyahu announced on Wednesday (9 December) that COVID-19 vaccinations will commence across Israel on 27 December. The news comes after the country received its first batch from Brussels - 8 million doses - of the Pfizer and BioNTech coronavirus vaccine. Further batches carrying hundreds of thousands of doses are set to arrive in the coming days. It makes Israel one of the first countries in the world to vaccinate its citizens and will come as a huge boost to investor confidence in the country, which has faced economic stagnation over the past nine months due to strict lockdown measures. Netanyahu has indicated that around 60,000 people per day from 27 December will be inoculated under current plans. Those treated will be given cards or applications that allow them to prove their immunity and enable freer movement around the country - something that will further enable the economy to open up. Despite this significant sign of progress, it is worth also noting that there will likely be some pushback from a number of Israelis who will not wish to take the vaccine given concerns over its safety. This could be seen across some Ultra-Orthodox Jewish communities where noncompliance with lockdown restrictions has been high. Elsewhere, it is important to underline that Israel is currently likely in the midst of a third wave with infection rates beginning to rise once again. On Sunday (6 December) the health ministry announced that Tel Aviv and Eilat had been downgraded from ‘green’ to ‘yellow’ (green being the lowest infection rating) due to an increase of COVID cases. If infection rates in these cities continue to rise, it is likely they will be designated a ‘red’ rating and face harsher restrictions. In Israel, there are currently 25 ‘red’ cities and towns.

Sub-Saharan Africa

ETHIOPIA & ERITREA – CONTINUING AND LIKELY EXPANDING HOSTILITIES INCREASE SERIES OF RISKS

The government on Tuesday (8 December) admitted that the Ethiopian National Defence Force (ENDF) had over the weekend fired upon a UN convoy that was assessing road quality for aid deliveries in an area near the Shimelba refugee camp, about 45km south of the Eritrea border. Government spokesman Redwan Hussein said the ENDF fired on the convoy after it failed to stop at a third checkpoint. Relatedly, unnamed diplomatic and US government sources quoted by Reuters news agency on Tuesday allege there is growing evidence of involvement of the Eritrean military in the conflict in Ethiopia’s northern Tigray Regional State. The Ethiopian and Eritrean governments have repeatedly denied such claims by the Tigray People’s Liberation Front (TPLF) since hostilities erupted on 4 November. The firing on UN staff likely underscores the Ethiopian authorities’ unease with giving unfettered access to humanitarian aid deliveries, as previously promised to the UN. And the claims from a series of diplomatic and US sources of Eritrean involvement are indications of potentially internationalising conflict in Ethiopia. This has implications not just on Ethiopia’s security risk outlook, but also signals growing political risks for companies and organisations operating in the country. For instance, Eritrea is under a UN arms embargo, and its involvement in the Ethiopian conflict could threaten operations in Ethiopia, for instance through sanctions targeting high-ranking military officials over the coming six months. But there may also be third-party risks related to weapons transfers to the United Arab Emirates, which has a military base in Eritrea’s Assab and is alleged to have supplied some of the weapons systems to the Eritrean military.

ETHIOPIA & UGANDA – COMPLIANCE RISKS LIKELY TO GROW AS US LAWMAKERS CALL FOR SANCTIONS

US lawmakers on Wednesday (9 December) called for expanding sanctions targeting senior security officials in Ethiopia and Uganda. Eliot Engel, the Chairman of the House of Representatives Committee on Foreign Affairs, called for targeted sanctions against Ugandan officials under the Global Magnitsky Human Rights Accountability Act and a review of non-humanitarian US assistance to the country. The call comes ahead of presidential elections in Uganda due on 21 January 2021. In addition, two senators – Republican Party member Jim Risch and Democratic Party lawmaker Ben Cardin – tabled a bill calling for targeted sanctions against officials found to be involved in serious human rights violations in northern Ethiopia’s Tigray Regional State. While the ultimate decision-making power for issuing the sanctions lies with the executive, the calls for expanded sanctions indicate growing compliance risks to organisations with a presence in or trading with entities in Ethiopia and Uganda over the coming months. While we deem it a remote possibility that the administration of President Donald Trump will target either country’s security apparatus with sanctions before leaving office, the risk of such sanctions is likely to grow under President Joe Biden, who has called for greater focus on democracy and human rights in the US’ Africa policy. However, revelations of major incidents of human rights abuses, in addition to existing credible evidence of such practices, may shift the outcome over the coming month. Targeting either country with sanctions is likely to complicate the US’ relationship in East Africa and the Horn of Africa, with both Ethiopia and Uganda being key partners in the so-called war on terror. Nevertheless, the calls signal mounting political pressure and sanctions risks, in line with our warnings, particularly with regards to Ethiopia.
Western organisations with interests in Uganda should increase their monitoring of further related announcements and assess their impact on operations.

MALI – NOMINATION OF LEGISLATURE PRESIDENT CEMENTS MILITARY’S GRIP ON POWER

The Conseil national de transition (CNT) – the 121-member transitional legislature – on Saturday (5 December) elected Colonel Malick Diaw as its president. As the sole candidate, Diaw obtained 111 votes. The nomination of a CNT president was an important step in the country’s political transition, following the August coup d’etat, and it means the transitional government may now begin legislating bills proposed by the interim government. Diaw’s nomination as CNT president also cements the military’s hold on power. In turn, this is likely to fuel growing grievances with the transitional authorities, including from the broad-based civil society and political coalition Mouvement du 5 juin-Rassemblement des forces patriotiques (M5-RFP) which led mass protests between June and August that preceded the coup. The M5-RFP accuses the armed forces of taking the transition hostage, given that key ministerial posts and 13 out of 20 governorships are held by military officials. Furthermore, 22 out of 121 CNT members are army men, according to a government decree. The coalition said on Friday (4 December) that it would boycott the CNT, a move that is likely to precede other forms of protests, including street demonstrations, over the coming months.