Geopolitical and Cybersecurity Risk Weekly Brief 2 November 2020

2 November 2020

Executive Summary

In the US, tensions are elevated ahead of the elections on 3 November. Retail giant Walmart announced on 29 October that it has removed guns and ammunition from its stores across the country amid mounting concerns over ‘civil unrest’. In the cyber sphere, researchers have registered a significant increase in election-related phishing attacks since August, and the Trump campaign website was briefly defaced – no data is thought to have been compromised. Wisconsin Republican Party had USD2.3 million stolen from it in an apparent phishing attack.

Tensions with China continue. Senior officials from the US Department of Justice (DOJ) announced charges against eight people for their suspected attempts to coerce Chinese dissidents in the US to return to China to face punishment as part of a programme known as Operation Fox Hunt. In Sweden, regulators banned the use of telecommunications equipment from China-based firms Huawei and ZTE for the development of 5G networks.

Organisations involved in the search for a COVID-19 vaccine have been warned that a Russian state-sponsored group, APT29, is distributing WellMess malware in the US, UK, and Canada. The target of the campaign appears to be data related to vaccine development. A joint security advisory from the FBI and other governmental bodies stated that there has been a significant uptick in ransomware attacks targeting the healthcare and public health sector. Multiple hospitals have been affected.

The technology sector remains in flux. On 28 October, Italy’s antitrust authority launched an investigation into Google for allegedly abusing its dominant market positions in the Italian online display advertising market. Beijing tightened the rules for patent infringement, including new protections for pharmaceutical patents, in a move suggesting continued efforts to address concerns around forced technology transfers and IP theft. However, foreign pharmaceutical businesses’ IP remains threatened by continued alleged China-linked cyberattacks.

Crypto-fraud has seen a resurgence. A threat actor has stolen USD24 million in cryptocurrency assets from decentralised finance (DeFi) service Harvest Finance. The company claimed that the attacker invested a large amount of cryptocurrency in its service, and then sent a cryptographic exploit to siphon the platform's funds to their own wallets.

Majority Muslim countries have experienced a growth in anti-French sentiment fuelled by the French government’s response to the recent murder of a schoolteacher by an Islamic militant. Protests and calls to boycott French products have taken place in mainly Muslim countries in South and Southeast Asia as well as well as the Middle East and North Africa.

The anti-French sentiment has the potential to involve cyberattacks; tens of websites across France, many of them government-affiliated, were hijacked and displayed anti-France and Islamist propaganda messages. Others were the victims of DDoS attacks and SQL injection. The group responsible for this is believed to be based in Bangladesh and encouraged visitors to its Facebook page to follow other pages to get insight into hijacking pages and training for other cyber-related malicious activity.

 

Attacks and cybersecurity news

The CISA, FBI, DHS, and HHS have issued a joint security advisory regarding ransomware activity targeting the healthcare and public health (HPH) sector. The advisory details the TTPs of the Ryuk ransomware that has recently been deployed against targets in the HPH Sector. Malicious actors are currently targeting the HPH Sector with the Trickbot malware, often leading to ransomware attacks (by Ryuk), data theft, and the disruption of essential services during the COVID-19 pandemic. Multiple hospitals have already been affected by this campaign.

Importantly, the Ryuk ransomware operators’ C&C infrastructure and Windows Executables are always unique in each attack. This means that sharing indicators of compromise (IOCs) offers little protection against ransomware attacks. Organisations are recommended instead to prioritise keeping systems patched and replacing end-of-life (EoL) devices. Monitoring the groups’ TTPs and applying the appropriate mitigation for each is also advised.

The FBI has issued a security advisory about the WellMess malware which has been used against various organisations involved in Covid-19 research in the USA, the UK, and Canada. WellMess is Golang malware that has been used by APT29 since at least 2018. In July, the UK NCSC and US NSA released a joint public security advisory stating that a Russian state-sponsored group, tracked as APT29, had been infiltrating organisations involved in coronavirus vaccine development. WellMess was deployed in those attacks. APT29 (also known as CozyBear) is likely to continue to target organisations involved in COVID-19 vaccine research and development. The group has vast resources and skills: a resurgence from it would be a major security concern, particularly for the US and its allies, and especially with the 2020 US presidential election looming (3 November).

Reuters reports that the Louisiana National Guard was called in to stop a series of cyberattacks targeting small government offices across the state. The attacks involved several systems becoming infected with KimJongRAT, a malware that is linked to the North Korean government. Emotet was also deployed on computers in Louisiana. When staff were hacked, their email accounts would be co-opted by the hackers to send malware to colleagues. Ransomware poses a serious security risk to the US election. An attack against certain state government offices around the election could disrupt systems needed to administer aspects of the vote. As the 2020 presidential election draws closers, more cyberattacks are expected.

USD2.3 million was stolen from the Wisconsin Republican Party two weeks before the US Election Day (3 November). The Republican Party Chairman, Andrew Hitt, stated that the attack is believed to have begun as a phishing attempt in which the threat actor gained access to an account and generated a fraudulent invoice. The party has stated it remains operationally at full capacity. Researchers at Symantec have observed a significant increase in election-themed SMS phishing attempts ahead of the upcoming US presidential election. Since August, the number of election-themed SMS phishing messages has increased by nearly 30 per cent.

Threat actors compromised Donald Trump's campaign website (donaldjtrump.com), defacing it with a message stating "this site was seized" and that "the world has had enough of the fake-news spread daily by president donald j trump." The attackers claimed to have obtained confidential information on Trump and his relatives, as well as the origins of the coronavirus. Trump campaign spokesman Tim Murtaugh disputed this, however, saying the site was quickly fixed and no sensitive data was compromised. This was corroborated by researchers who believe the attack was simply a scam intended to collect hard-to-trace Monero cryptocurrency and was not state-sponsored.

 

Data security, fraud, and vulnerabilities

Data Security

Immigration law firm Fragomen, Del Rey, Bernsen & Loewy, has disclosed a data breach in which the personal information of both current and former Google employees was exposed. The company is responsible for providing I-9 employment verification services to Google, giving it access to highly sensitive data that. This is highly sensitive information that can be abused for identity theft purposes, as well as phishing attempts and other fraudulent activity. It is currently unclear how many people were affected.

Amazon has sent out an email to customers telling them that it has recently fired employees responsible for leaking customer data to an unaffiliated third-party, in violation of company policies. Only those believed to have been affected have been contacted. The company claims that only user email addresses and phone numbers were exposed in this incident. A similar incident to this occurred in January 2020, when Amazon-owned Ring fired multiple employees for improperly accessing customer video data. Corporate espionage is a common threat that can be difficult to mitigate, as it can be caused by several factors: scorned employees, monetary gain, or even simple human error.

Singapore online grocery platform RedMart has been the victim of a data breach resulting in the compromise of 1.1 million accounts containing personal data. RedMart customers were all logged out of their accounts and asked to reset their passwords before logging in. Subsequently, threat actors were then found access to the data set with details including first and last names, hashed passwords, billing addresses and partial credit card numbers.

Fraud

A threat actor has stolen USD24 million in cryptocurrency assets from decentralised finance (DeFi) service Harvest Finance. The attack took place on 26 October. Messages on the company's Twitter and Discord channels claim that the attacker invested a large amount of cryptocurrency in its service, and then sent a cryptographic exploit to siphon the platform's funds to their own wallets. The attacker is "well-known in the crypto community," according to reports. Harvest Finance acknowledged that this attack was possible because of an engineering mistake on its part. It also left the door open for the attacker to return the funds without any consequences, and said it has no interest in doxxing the threat actor.

Threat actors are hijacking Nando's online accounts to place large orders. Due to coronavirus restrictions, customers of the chain must now scan a QR code in-store and order online to get their food. This has given attackers the opportunity to use credentials from previous breaches to compromise Nando's accounts. One report claims a group of young people used the account details of one user to place two large orders in-store and leave with the food before the fraud was detected. In this incident, two separate orders were placed totalling GBP114.50. This is a prime example of the dangers of reusing the same credentials across multiple sites: it gives attackers the opportunity to compromise multiple accounts belonging to the same person.

An emerging threat group dubbed PlanetaryReef, offers web hosting services and the ability for customers to conduct their own phishing attacks. The group, which is based in Indonesia, set up fraudulent hosting companies with leased IP space from legitimate resellers to create criminal-friendly hosting service providers. PlanetaryReef and similar groups allow threat actors considerable freedom to upload and host a range of illegal content with minimal risk of it being removed.

Vulnerabilities

An arbitrary file read vulnerability (CVE-2020-8255) has been found in Pulse Connect Secure. This flaw is only rated a medium, however, because it requires authenticated administrative user access to be exploited. Pulse Connect Secure is the most widely deployed SSL VPN for organisations of any size, across every major industry sector. Therefore, this gives attackers a larger attack surface. Threat actors have exploited various Pulse Secure vulnerabilities in the past to gain access to company systems: for example, CVE-2019-11510 has been used by ransomware group REvil for attacks on large organisations such as Travelex.

Microsoft has released a security update to address vulnerabilities in Edge (Chromium-based). Successful exploitation could enable unauthorised control over an affected system. CISA has released a security advisory encouraging users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary update.

Google has disclosed a 0day elevation of privileges (EoP) vulnerability in the Windows kernel that has been actively exploited in targeted attacks. The vulnerability, tracked as CVE-2020-17087, is a pool-based buffer overflow that exists in the Windows Kernel Cryptography Driver. Analyst comment: The technical team at Google's Project Zero claims that attacks exploiting CVE-2020-17087 in the wild are not focused on targets associated with the US election. The company expects a patch for this vulnerability to be available on 10 November.

Multiple security vendors have issued an alert regarding the active exploitation of Oracle Weblogic servers. The vulnerability in question, tracked as CVE-2020-14882, is being scanned for by IPs from multiple countries for targeting. The SANS Internet Storm Center believes that: “If you find a vulnerable server in your network: Assume it has been compromised.”

Microsoft patched the SMBGhost remote code-execution (RCE) vulnerability, tracked as CVE-2020-0796, in March 2020, but more than 100,000 Windows systems have not yet been updated to protect against the critical and wormable flaw. SMBGhost affects Windows 10 and Windows Server 2019. Organisations must exercise caution around SMBGhost as threat actors are continually developing their exploits for the vulnerability. It is strongly recommended that patches are implemented for the flaw as soon as possible to avoid potential compromise. The longer a system remains unpatched, the higher its chances are of being attacked.

 

APT Activity and Malware Campaigns

APT activity

US Cyber Command shared information on malware used by Russian threat groups in attacks on multiple ministries of foreign affairs, national parliaments, and embassies. CISA also published two advisories with the FBI and CNMF detailing additional information about the ComRAT and Zebrocy malware used by Russian threat groups. Turla is named specifically in the report, but APT28 is strongly associated with the Zebrocy malware, and Cyjax believes it is the group in question. Both APT28 and Turla are dangerous Russian state-sponsored espionage groups that aim to collect intelligence that would be useful to the Kremlin. Users possessing sensitive material that would be of interest to these attackers should use the IOCs provided to help protect their systems from potential compromise by these threat groups.

Researchers have disclosed an ongoing cyber-espionage campaign targeting organisations around South Asia and China, linked to the BITTER APT group (which it calls ManlingFlower). BITTER APT was first disclosed by Forcepoint in 2016. The group has orchestrated multiple long-term espionage campaigns across the APAC region. It mainly targets the government, military industry, electric power, nuclear industry to steal sensitive data.

Malware

A new wave of phishing emails, distributed by the Cutwail botnet, is pushing the Dridex banking Trojan. Notably, the cybercriminals running the campaign are also leveraging the same images in the documents containing Dridex that the Emotet spam botnet uses. CSIRT Italy has also warned that the malspam campaign is targeting Italian organisations and individuals. This campaign was first detected on 23 October and has continued over the following week. While there is nothing about this campaign that would make it stand out in particular, the large amounts of spam are likely to make it relatively successful and profitable for the cybercriminals running it, simply through the weight of numbers.

Darknet

The source code for the KPot stealer has been auctioned off, with a representative of the REvil ransomware group being the sole public bidder. KPot first appeared in the darknet in mid-2018 as a Malware-as-a-Service (MaaS). While it is impossible to state definitively that REvil is now in control of the stealer, they were the sole public bidder, and the auction was closed soon after their bid was made. If REvil has purchased the source code for KPot stealer, then this malware can be expected to be incorporated into future ransomware attacks.

An interview with an alleged representative of the REvil ransomware group was also made public this week. This interview contained interesting revelations concerning the group’s TTPs. It was indicated that the group makes significant sums from organisations who pay immediately to avoid their data being leaked. This suggests that the victims who are named on the REvil leaks site represent only a fraction of their total victims. The representative also indicated that the group may begin launching distributed denial of service (DDoS) attacks against organisations that refuse to pay.

Maze ransomware has shut down its operations and the threat actors behind have cashed out. According to forum posts and other sources, many affiliates of the ransomware are moving to Egregor, after its success against high-profile targets such as Ubisoft and Crytek.

The popular software producer Nitro PDF with over 1.8 million licensed users and used by big technology companies, such as Google, Microsoft, Apple, etc. has suffered a breach which subsequently saw its data leaked on the Raid Forums. Cyjax has observed several initial access brokers this week. Capgemini, a French IT consultancy, an unnamed telecommunications company in the US, and multiple web shell level accesses against US based firms have all been offered across different hacking forums. 

Moderators of the darknet market Hyper have announced the market is shutting down. Hyper market was relatively new and had struggled to grow, failing to attract many users. This shut down, therefore, is unlikely to have a significant impact on the broader darknet market community.

 

Geopolitical Threats and Impacts

Americas

UNITED STATES – WALMART REMOVES GUNS, AMMUNITION FROM STORES OVER POTENTIAL UNREST

On 29 October, retail giant Walmart announced that it has removed guns and ammunition from its stores across the country amid mounting concerns over ‘civil unrest’. Customers will still be able to purchase firearms and ammunition on request, however they will no longer be displayed in store. No information was provided regarding the duration of the policy. Walmart’s move to halt arms sales comes amid growing concern over the potential for election-related unrest, particularly in the run-up to, during, and after the 3 November presidential poll. The potential for unrest encompasses multiple scenarios and threat actors, including far-right white nationalist groups. The most likely scenario for unrest is likely to be a delayed or disputed election result, which could lead to rival protests from supporters of each major candidate and potentially result in violent confrontations, most likely occurring in major cities.

US & CHINA – US DOJ ANNOUNCES CHARGES OVER ALLEGED CHINESE COERCION OF DISSIDENTS

At a press conference on 28 October, senior officials from the Department of Justice (DOJ) announced charges against eight people for their suspected attempts to coerce Chinese dissidents in the US to return to China to face punishment as part of a programme known as Operation Fox Hunt. As part of the charges, participants are accused of surveilling, threatening, and intimidating a Chinese resident of New Jersey to return to China to face charges between at least 2017 and 2019. Under Operation Fox Hunt, launched in 2015, Chinese authorities have sought to repatriate Chinese nationals accused of crimes in China. As the US and China do not have an extradition treaty, Chinese authorities have few likely legal avenues to pursue wanted persons resident in the US. The case, which marks a further deterioration in already-hostile ties between Beijing and Washington, is likely to prompt heightened scrutiny of Chinese nationals in the US, particularly those operating in the private investigations and security industry.

CHILE – VOTERS BACK CITIZENS’ REWRITING OF CONSTITUTION IN LONG-PLANNED REFERENDUM

In a long-scheduled referendum held on 25 October, voters overwhelmingly backed the rewriting of Chile’s dictatorship-era constitution. The referendum, which was first proposed amid mass anti-inequality protests beginning in late 2019, had originally been scheduled for April but was postponed due to the coronavirus (COVID-19) pandemic. A large majority voted for the constitution to be re-written by a popularly elected convention of citizens, shunning a proposal for lawmakers to participate in the process. Many supporters of a new constitution hope that the document will increase citizens’ rights to healthcare, pensions, and education, in contrast to the current charter introduced in 1980 under former dictator Augusto Pinochet. While Chile has experienced sustained economic growth in recent decades and is South America’s richest country per head, its economy remains characterised by profound income and wealth inequality. For corporates, the rewriting of the constitution is set to adjust the operating environment and labour relations, potentially increasing the power of trade unions and other labour bodies vis-à-vis companies.

Asia-Pacific

CHINA – TIGHTENED INTELLECTUAL PROPERTY RULES SIGNAL CONTINUED EFFORTS TO CURB VIOLATIONS

Beijing has tightened the rules for patent infringement, including new protections for pharmaceutical patents, to better intellectual property (IP) rights and boost innovation. If a patent is deliberately infringed or with serious damage inflicted on the patent holders, the guilty party will need to pay compensation of up to five times the loss incurred, the benefit obtained by the infringer, or the patent licence fee. Otherwise, the courts can also order compensation of RMB30,000-5 million (USD4,476-756,025). The new regulations, which also create an early resolution mechanism for pharma disputes, are effective from June 2021. The harsher penalties, which are the first change to China’s patent laws since Washington and Beijing agreed to a partial trade deal in January 2020, demonstrate the Chinese government’s continued efforts to address concerns around forced technology transfers and IP theft. However, foreign pharmaceutical businesses’ IP remains threatened by continued allegedly China-linked cyberattacks. Washington in July 2020 accused China-linked threat actors of conducting cyberattacks on US firms researching COVID-19 treatments and vaccines, among other targets. China’s amendment in recent months to its criminal code presents another avenue for reprisals against US interests.

REGIONAL – ANTI-FRENCH RALLY IN BANGLADESH OVER PERCEIVED INSULT TO MUSLIM PROPHET

An estimated 40,000 people joined a rally in the Bangladesh capital Dhaka on 27 October to protest against the French government’s response to the recent murder of a schoolteacher by an Islamic militant. Police prevented the demonstrators from reaching the French embassy in the Baridhara Diplomatic Enclave as protesters burned an effigy of French President Emmanuel Macron, reflecting widespread anger among the global Muslim community over his defence of cartoons depicting the Prophet Muhammad and the introduction of measures intended to counter Islamic extremism in France. The largely peaceful rally follows similar demonstrations and calls to boycott French products in other Muslim-majority countries. The Pakistan and Malaysian government have condemned the French response to the murder, and other countries, notably Indonesia, can be expected to join the anti-French unrest.

THAILAND – PROTESTERS MOCK ROYALTY IN FURTHER ESCALATION OF ANTI-MONARCHY CAMPAIGN

Thousands of people joined a rally in the capital Bangkok on 29 October that included a mock ‘fashion show’ targeting the monarchy, coupled with open criticism of King Maha Vajiralongkorn's expenditure and personal control over billions of dollars in assets and a number of key military units. On 30 October, several students at the country’s prestigious Thammasat University boycotted graduation ceremonies in which the king conferred degrees as part of the widening protests against him and the military-led government. Protesters demanding reforms to the monarchy are becoming increasingly assertive in their campaign against what many view as the Thai king’s conduct, not least the amount of time he spends in Germany, and his lifestyle. To date the government and military have not taken direct action against the protesters other than seeking to confine rather than disperse the generally peaceful demonstrations. However, the longer the protests continue the greater the potential for a confrontation between the mainly young activists and the country’s royalist, military, and commercial elites.

Europe and Russia

ITALY – ANTITRUST AUTHORITY LAUNCHES PROBE INTO GOOGLE FOR ALLEGED MARKET ABUSE

On 28 October, the country’s antitrust authority launched an investigation into Google for allegedly abusing its dominant market positions in the Italian online display advertising market. The probe, which is expected to be completed by November 2021, was triggered after IAB, a digital advertising trade group, filed a complaint last year. Inspections of Google premises in Italy were also carried out. Regulatory officials will examine claims that Google used vast amounts of data collected through its own apps to prevent rival firms from competing effectively. The Italian advertising market is very lucrative, generating a revenue of EUR3.3 billion in 2019. US-based technology firms have been subject to growing political and regulatory scrutiny across Europe. For some countries, this approach serves a dual-purpose: harmonising market conditions to improve competition and raising funds through imposing significant fines on companies over violations. Indeed, the political climate is currently unfavourable for major technology firms, which will likely face new taxation regimes in several EU countries over the coming months.

HUNGARY & UKRAINE – LOCAL ELECTION INTERFERENCE ALLEGATIONS WORSEN RELATIONS

On 27 October, Hungary’s foreign minister Peter Szijjártó said Kiev’s decision to ban two Hungarian government officials from entering Ukraine was ‘pathetic and nonsense’. Ukraine handed a letter of protest to the Hungarian ambassador on 26 October, where it expressed dismay after Hungarian officials had ostensibly interfered in local elections that were held two days prior. In particular, two high-ranking Hungarian government officials were accused of calling on ethnic Hungarians to vote for the Party of Hungarians of Ukraine (KMKSZ) in the poll. Bilateral tensions continue to exist over the rights of 150,000 ethnic Hungarians who are mostly concentrated in Zakarpattia Oblast, a province in south-eastern Ukraine. In March, Szijjártó said Hungary would continue to block Ukraine-NATO meetings until concrete commitments were made to strengthen minority rights for Hungarian speakers. Tensions over the issue carry significant geopolitical consequences; blocking Ukraine’s engagement efforts with NATO undermines the country’s strategic orientation towards Western political and collective defence organisations.

FRANCE – JUDICIAL PROBE LAUNCHED FOLLOWING PRO-ISLAMIST CYBER ATTACKS

On 27 October, judicial authorities in Paris launched an investigation after tens of websites across France were hijacked by hackers, who displayed anti-France and Islamist propaganda messages on welcome pages. This included an unflattering picture of President Emmanuel Macron distributed on several of the targeted sites. Administrators of a Bangladesh-based Facebook group claimed responsibility for targeting the websites of various organisations, including pensioners’ associations, small-sized firms, and some town halls. A tense debate has intensified in France since the killing of a history teacher by a Russian-born Islamist of Chechen origin on 16 October and the French government’s response. While the attacks are technically unsophisticated, focusing on websites and servers with strong vulnerabilities, they illustrate an additional layer of the ongoing tensions. There is a possibility for the attacks to enhance in sophistication and possibly target higher-profile organisations.

MENA and Central Asia

REGIONAL & FRANCE – BOYCOTT ACTION AGAINST FRENCH GOODS LIKELY TO GROW AMID RISING TENSIONS

Calls to boycott French products have gathered pace in recent days across the MENA region. The action has been fuelled by the recent beheading of a French teacher who was targeted after including cartoons of the Prophet Muhammad in a lesson. In response, French president Emmanuel Macron has publicly defended the right to show cartoons of the Prophet Muhammad, while also announcing plans for stricter controls on religious and cultural establishments in France, a stance that boycotters have condemned. In reaction to the boycotts, France has effectively doubled down on its position with Macron tweeting on Sunday ‘We will not give in, ever’. The response will likely further exacerbate tensions. Condemnation against the French state will be further compounded by Macron’s initiation of a process to implement tougher laws as a means of addressing what he has called ‘Islamist Separatism’.

UAE & MOROCCO – CONSULATE WILL OPEN IN DISPUTED WESTERN SAHARA REGION; PROTESTS LIKELY

On 27 October, officials in Rabat and Abu Dhabi confirmed that the UAE will open a consulate in the city of Laayoune, situated in the Morocco-controlled Western Sahara region. The move comes after the UAE voiced support for Morocco's sovereignty over the disputed Western Saharan region in statements issued to the UN General Assembly’s Fourth Committee on 23 October. The establishment of a UAE consulate in Laayoune, which has been under Moroccan control since 1974, marks the first instance of an Arab state doing so. It presents a significant sign of progress for Morocco which has sought international recognition for its territorial claim over Western Sahara for decades. The potential for building further alliances with Arab countries will now be a more realistic goal for Rabat.

LEBANON & ISRAEL – TECHNICAL NEGOTIATIONS OVER MARITIME BORDER COMMENCE

The second round of indirect negotiations took place on 29 October over a contested oil and gas rich zone of 860sqkm in the Mediterranean, commonly known as Block 9. The talks, aimed at ending a long running dispute over the two countries’ maritime border, which each claim is their exclusive economic zone, are being hosted at the UN Interim Force headquarters in Naqoura, a city in southern Lebanon. It marks the first time in 30 years that a non-security issue is being addressed; however, the talks are strictly technical with both sides underlining that normalisation will not be tabled. A key issue has been the Lebanese delegation’s proposal for 1,430sq km to be added to their maritime territory. The maximalist approach likely reflects an urgency in Lebanon to secure new means of bolstering their crippled economy via oil and gas revenue. The country signed its first contract in February 2018 for drilling across two blocks in the Mediterranean with the energy companies Total, Eni and Novatek. However, one of the blocks overlaps with the 860sqkm also claimed by Israel, meaning the exploration remains controversial and effectively impossible to conduct without flaring tensions. Progress towards an agreement that permits Lebanon to drill in this area would signal a notable economic stabiliser for the country. Despite this, opposition towards the negotiations has the potential to undermine broad acceptance of any accords that negotiators may reach in the coming months. This will likely come from Hezbollah and Amal, Lebanon’s two major Shiite parties, who are strongly anti-Israel and invested in the fact both countries technically remain in a state of war.

Sub-Saharan Africa

DEMOCRATIC REPUBLIC OF THE CONGO – NATIONAL DIALOGUE UNDERSCORES FRAGILITY OF RULING ALLIANCE

President Félix Tshisekedi this week is beginning consultations with leading political and civil society actors to establish what he on 23 October referred to as a ‘holy union’. The consultations come after relations between the presidential camp and the ruling legislative coalition, led by the Front Commun pour le Congo (FCC) – loyal to former president Joseph Kabila – hit a nadir last week. Tshisekedi on 21 October opted to swear in three judges of the Constitutional Court – the country’s apex court – a move which the FCC and Prime Minister Sylvestre Ilunga opposed. It is unclear exactly what Tshisekedi intends with the national consultations. Previous talks between his and Kabila’s camp since August have been at an impasse. Tshisekedi has several options, neither of which are certain to de-escalate the tensions. One is to garner a large enough majority to counter the FCC’s influence, and by doing that gain legitimacy to appoint a new prime minister. Given the FCC’s overwhelming majority in the lower house this appears unlikely, despite some lawmakers having been ousted from the coalition over the past 18 months. In light of this, another option is for Tshiesekdi to replace Ilunga with the vice-prime minister and minister of interior, Gilbert Kankonde, who is from Tshisekedi’s UDPS party, as interim head of government. The coming weeks will provide more clarity, while continued and potential intensified political tensions are highly likely over the coming two months.

THE SEYCHELLES – LANDSLIDE WIN FOR OPPOSITION CANDIDATE SIGNALS GROWING POLITICAL RISKS

Opposition party Linyon Democratik Seselwa (LDS) won the general elections by a landslide, with its leader Wavel Ramkalawan garnering 54.9 per cent of the ballots in the presidential polls and the party obtaining a two-thirds majority (25 seats) in the legislative elections. The results were confirmed on 25 October. Outgoing president Danny Faure conceded defeat. Ramkalawan inherits a tourism-dependent economy which the International Monetary Fund projects will contract by 10.2 per cent in 2020 due to the COVID-19 pandemic. Debt to GDP stood at just over 53 per cent in 2019, a figure that is likely to increase in the coming year due to reduced revenue from tourism and increased spending on stimulus packages for businesses to help them cope with the impact of the COVID-19 pandemic. However, default risks are likely to remain subdued due to a solid debt-sustainability policy over the past few years. While tourist arrivals from emerging markets such as China and India have cushioned the drop in demand from European countries, the sector is likely to continue to struggle over the coming months. Although authorities have said that most airlines will resume operations in December, new surges in infections in Europe as well as China in September and October suggests that further restrictions may be imposed over the three-month outlook, slowing economic recovery.

SUDAN – NORMALISATION OF ISRAEL TIES LIKELY TO INCREASE ACCESS TO FINANCE AND CIVIL UNREST

A joint statement on 23 October by the US, Israel, and Sudan announced that the latter two states had agreed to normalise relations. However, Sudan’s foreign minister, Omar Gamareldin, cautioned that ratification of the deal would be completed after the formation of the transitional legislative assembly, which has yet to be formed, one year after the beginning of the country’s political transition. Major political parties in Sudan, including the National Umma Party, which is led by influential leader Sadiq El Mahdi, have rejected the deal. The formalisation of ties with Israel would make Sudan the third Muslim-majority country to formalise ties with the Jewish state over the past two months. The deal is likely to improve Sudan’s access to foreign financial flows and goods. This is likely to stabilise inflation which reached 212 per cent year on year in September. However, the deal is fuelling anti-government sentiment, which is likely to incite protests against the deal in the coming weeks.