Geopolitical and Cybersecurity Risk Weekly Brief 21 December 2020

21 December 2020

Executive Summary

The nexus between geopolitics and cybersecurity manifested in the announcement of a ‘highly sophisticated’ supply-chain attack against one of the biggest network management systems in the USA, SolarWinds. The attack, announced on 14 December, is now known to have affected the majority of Fortune 500 companies, US military and government, Intel, Microsoft, and many others around the world. In response, the US government has formed a new cyber coordination group, the first of its kind, to oversee the investigation into the incident, and SolarWinds is warning customers to treat all hosts monitored by the Orion platform as compromised and to rebuild their systems from scratch. The fallout from this attack will continue to reverberate into 2021.

This ‘real world’ crossover was further demonstrated by another state-sponsored attack, this time on the systems of Austin, Texas. Another US city, Independence, Missouri, was also affected in the latest ransomware attack on a US metropolitan area. These are unlikely to be connected; Cyjax assesses that ransomware groups with access to paid-for ransomware are the most likely culprits, rather than these attacks being indicative of a broader, coordinated attempt to undermine the day-to-day activities of US administrations.

The administration of US President Donald Trump tightened sanctions on Iran’s energy sector by banning companies in China, UAE and Vietnam from providing support in exporting Iranian oil and gas. Tighter regulations on money-laundering are on the horizon for US-registered companies and limited liability companies as Congress passed the Corporate Transparency Act. Labour unrest impacted operations at a Taiwanese-run facility that manufactures Apple iPhones in the southern Indian city of Bengaluru. Workers and trade unions protested against unfair wages and poor working conditions. Relations between the EU and Australia on one side and China on the other are worsening. Australia has referred China to the WTO on allegations of unfair trade practices, while the EU has called on Beijing to release journalists who have been detained for their work.

In Europe, the EU unveiled the Digital Services Act (DSA) and Digital Markets Act (DMA), which mark a significant shift in competition policy aimed at the tech sector: Amazon, Apple, Facebook, and Google, among others, will be subject to stricter competition requirements. The UK is set to formally leave the EU trading bloc at the end of December, but key issues over trade remain unresolved. Competition over energy security in the Mediterranean is set to reignite between Greece and Turkey.

Maritime security risks in the Red Sea were brought to the fore after Iran-backed Houthi militants allegedly attacked a Singapore-flagged oil tanker in Jeddah port. The attack is assessed as a marked increase in Houthi capabilities, particularly its ability to successfully execute such operations in a heavily securitised zone. Shipping and maritime insurance companies should prepare for more attacks in 2021.

In Sub-Saharan Africa, Nigeria’s telecommunications regulator ordered all mobile network operators to deactivate all SIM cards not registered with a valid national ID number. This could impact millions of mobile phone users in the New Year. Washington removed Sudan from its ‘state sponsor of terrorism’ list, a critical step for the war-torn country to receive debt relief and private investment to boost its ailing economy and provide more stability.


Attacks and cybersecurity news

One of the biggest network management systems in the USA, SolarWinds, announced on 14 December that it was breached in a ‘highly sophisticated’ supply chain attack. SolarWinds’ Orion platform, used to monitor network devices and critical servers, had its update server compromised to push Trojanised DLL files dubbed SUNBURST or Solorigate. These malicious DLLs were reportedly pushed to over 18,000 SolarWinds customers. The affected organisations include 425 of the US Fortune 500 companies; the ten largest US telecommunications companies; all five branches of the US military; multiple federal agencies, Intel, Cisco, and Microsoft, as well as many other critical and strategic targets worldwide for an adversarial intelligence gathering operation.

The FBI, CISA, and ODNI have disclosed that networks at multiple federal government agencies have been compromised. The FBI stated it is “investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.” The US authorities have formed a Cyber Unified Coordination Group (UCG) - the first of its kind - to assist in the intra-governmental response to this significant cyber incident.

A limited amount of evidence is currently available about the SolarWinds incursion, and the use of techniques that are unfamiliar to most researchers has prevented the attribution of this campaign conclusively to the Russian SVR. However, the choice of targets, breadth of the attack, and TTPs are similar to Russia's many previous intelligence-gathering campaigns. CISA has urged SolarWinds customers to treat all hosts monitored by the Orion platform as compromised by the threat actors and to assume further persistence mechanisms have been deployed. All hosts should be rebuilt, and all credentials used by or stored in SolarWinds software can be considered compromised and should be reset.

Elsewhere in the United States, government officials in Austin, Texas, disclosed a state-sponsored intrusion campaign into the city’s networks attributed to EnergeticBear. The attack reportedly began in October. By compromising the network of America’s eleventh most populous city, the Russian APT group may have accessed sensitive information on policing, city governance, and elections, as well as inside water, energy, and airport networks. Microsoft has warned that the group targeted the telecommunications, aerospace, and defence sectors, hitting entities in the UK and Turkey, as well as the USA. While this Russian group is not known for sabotage, disruptive attacks could be initiated.

And in a continuation of the ransomware attacks against US localities, Independence, Missouri, was hit and the city's services are still being disrupted after it was forced to shut down its IT system. The ransomware was discovered and stopped before it could infect the city's entire network, however. These attacks have persisted throughout 2020 and disrupted local government operations around the US. There is no suggestion that they are connected, however, in the same way that the EnergeticBear attacks are. These are more likely to be isolated attacks carried out by opportunist cybercriminals with access to paid-for ransomware.

 

Data security, fraud, and darknet

Data Security

Sensitive details of coronavirus patients in Russia have allegedly been exposed on the darknet. These documents were shared for free on a Russian-speaking forum. Medical data is highly attractive to cybercriminals, as it is detailed enough to be used for successful fraud and identity theft. There has been a rise in the amount of coronavirus-related data being exposed online, potentially because the infrastructure was set up quickly in response to the sudden outbreak of COVID-19 cases worldwide. This resulted in less care being taken with protecting user data, putting it at high risk of exposure.

This is exemplified by several recent exposures. Most recently, the personal and health information of over 16 million Brazilian coronavirus patients was leaked online after a hospital employee uploaded a private database to GitHub. Earlier this year, around eight million patients' data was leaked in India due to multiple vulnerabilities in a government-run COVID-19 monitoring system known as Surveillance Platform Uttar Pradesh Covid-19. In Slovakia, 390,000 patients that had tested positive for COVID-19 had their information exposed due to critical vulnerabilities in the contact tracing mobile app known as Moje eZdravie.

On 15 December, the Cyjax team discovered an Azure storage bucket (Azure Blob Storage) containing at least 1 million images sent via the flyzoo.co chat platform. From the samples we took of the data, many of the images appear to be explicit or otherwise compromising selfies sent privately. FlyZoo.co, controlled by Chinese e-commerce giant Alibaba, provides a plugin for websites to allow users to chat with each other in real-time, much like a live chat used on many company websites. In the case of the FlyZoo plugin, however, it is focused on the website users talking to each other rather than to a support agent. The data is still online at the time of publication. Cyjax representatives are attempting to contact FlyZoo to resolve the issue and further updates will be provided when they are available.

A six-month investigation into unsecured patient data has revealed medical records being potentially exposed by hospitals and medical centres around the world. 45 million unique images were stored on more than 2,140 unprotected servers located across 67 countries including the US, the UK, and Germany, among others. Some images included lines of metadata revealing PII such as names, birth dates, addresses, a patient’s height, weight, and even diagnosis. Because some of the medical institutions are located in the European Union (EU), they are subject to the EU's General Data Protection Regulation (GDPR). This means that due to the failure to secure their patients’ sensitive data there may be serious ramifications such as financial penalties and legal actions.

Fraud

IBM has disclosed a major mobile banking fraud operation in which millions of dollars were stolen from financial institutions in the US and Europe. The attacks reportedly took place over several days before fraud teams were able to disrupt them. The scale of this operation is said to be unprecedented. The sophistication of the threat actors' automation environment is highly unusual, demonstrating that those behind this campaign are experienced threat actors with a deep understanding of mobile malware, anti-fraud protection systems, and money laundering. Each time a change was made by financial fraud teams, the attackers were able to adapt and continue to bypass protection. This is indicative of an ongoing operation that is perfecting the process of mobile banking fraud. The scale of the attacks puts this group in the same league as the Trickbot or Dridex banking Trojan operations run by WizardSpider and EvilCorp, respectively.

A new MoqHao SMiShing campaign is targeting Android mobile users in South Korea. This malware and credential harvesting campaign is associated with the RoamingMantis botnet operators and aims to collect and exfiltrate system data from the infected device, such as passwords, contact list, and message log. This is then used to compromise accounts, while the rest is added to the spamming list of mobile numbers for further attacks. The Roaming Mantis attack campaign was thought to have been predominantly a threat for users in Asia, but this year it began targeting other regions. Through infected mobile devices, the threat actors can potentially infiltrate deep into an organisation. These attacks also highlight the importance of verifying the source of a notification before following its instructions. This can thwart most phishing and SMiShing attacks.

The most recent SilentLibrarian campaign against educational institutions was first detected in early October. Since then, there have been a number of updates, including new phishing pages added by the threat actors. This week, new SilentLibrarian domains were discovered, some with credential-harvesting fake login pages. Targeted universities include Boston University, Western Washington University, University of Newcastle Australia, Western Sydney University, and Macquarie University Sydney.

Darknet

The FBI and Interpol have successfully seized a server used by the popular darknet carding market Joker’s Stash. This law enforcement operation resulted in seizure notices being displayed on multiple Joker’s Stash domains. The operators of Joker’s Stash have claimed the affected server did not contain any market data, although this claim has not been independently verified. In previous law enforcement operations, evidence extracted from seized darknet market servers was used months later to identify and arrest various market users. Joker’s Stash is one of the largest and most popular carding markets, so it is highly likely that law enforcement entities will continue to target this market.

Yellow Brick Market, a private darknet market, this week experienced unexpected downtime over several days. Community moderators on Dread made posts announcing that the admin was uncontactable from 14 December to 18 December and that they were extremely worried that they were not coming back. The downtime ended uneventfully, however, with the admin returning on 19 December. The market’s reputation has suffered potentially irreparable damage.

A new ransomware variant called Hades has been identified operating on the darknet. The operators of the Hades ransomware use a five-letter alphanumeric code for its file extension and have already released two Tor websites for leaks and data recovery. The group uses TOX, a peer-to-peer video calling and messaging service, to talk to victims.

 

APT activity, malware campaigns, and vulnerabilities

APT activity

The Lazarus threat group has been observed targeting multiple European entities in the manufacturing and electrical sectors. Most of these attacks started with social engineering attempts, with many targets initially being contacted on LinkedIn, WhatsApp, or their company email, which is used to deliver malicious documents and compromise user devices. These attacks were precise, with few mistakes observed by the researchers, confirming that Lazarus is a sophisticated group that has a clear objective and fastidiously cleans traces of its attacks. The toolset used in the attacks was flexible, and the group regularly changed its C&C infrastructure to remain obfuscated.

Elsewhere, researchers disclosed a new Manuscrypt distribution campaign connected to the Lazarus group. The North Korean state-sponsored APT continues to deploy the malware in targeted attacks on behalf of the regime. These new samples of Manuscrypt target macOS computers. When first discovered, Manuscrypt samples were not detected by any antivirus engines on VirusTotal. Manuscrypt is a fully featured remote access Trojan (RAT), exclusively used by Lazarus. The malware is actively updated and deployed and has been used in many attacks, dating back several years, on financial institutions in Turkey and Asia, and an online casino in Latin America.

A supply-chain attack hit Vietnam between July and August. The website of the Vietnam Government Certification Authority (VGCA) was compromised and used to distribute two modified software installers with an added backdoor to target users of the legitimate application. The backdoored software installers were a digital signature toolkit used by the Vietnamese government and private companies to sign digital documents. Supply-chain attacks are a common attack vector for espionage groups. This is demonstrated by the recent compromise of Able Desktop, the attack on WIZVERA VeraPort by the Lazarus group, and the widespread campaign affecting users of SolarWinds Orion. In addition to Vietnam, victims in the Philippines were also discovered, although the delivery mechanism has not yet been found.

Malware

Tencent has disclosed a new wave of attacks targeting cloud servers originating from an IoT botnet called Prometei. The botnet first appeared in July 2020, spreading via exposed services on Windows systems and those affected by the EternalBlue exploit. Since the beginning of December, however, Prometei has been targeting Linux systems via SSH brute-forcing (via Port 22). Successful compromises result in the installation of a cryptocurrency mining Trojan. This shift in TTPs demonstrates that this operation has expanded its targeting. Financially motivated cybercriminals are often opportunistic. Organisations can reduce the likelihood of a successful attack by patching vulnerable software, replacing end-of-life (EoL) systems, and - considering the recent SolarWinds incident - reviewing software and hardware supply chains.

A new malicious campaign has been targeting users in the governmental and financial sectors in Asia. The attackers pose as members of a central bank from an Asian country, in an attempt to trick victims into opening a compressed attachment containing a malicious HTA file. In May 2020, this malware, JsOutProx, was found being used in a campaign to target the Indian government and financial sector. It is possible that this is part of the same series of attacks, but this has not been confirmed. JsOutProx was first discovered in late 2019. There have not been many detections of it in the wild since then, which is likely to be down to its advanced obfuscation capabilities.

Vulnerabilities

Apple has released a major point-upgrade for its iOS and iPadOS mobile operating systems to patch various vulnerabilities. Some of these are serious enough to expose Apple mobile devices to code execution attacks, some of which could allow attackers to launch harmful code via malicious font files. Updating to iOS 14.3 and iPadOS 14.3 reduces the chances of being compromised through these flaws.

 

Geopolitical Threats and Impacts

Americas

UNITED STATES – MAJOR DATA BREACH OF IT INFRASTRUCTURE USED BY GOVERNMENT AND BUSINESSES

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security on Sunday (13 December) issued an Emergency Directive to all ‘federal civilian agencies’ to review their internal networks to assess whether they have been compromised and urged organisations to ‘power down’ all applications related to US IT infrastructure firm SolarWinds’ Orion network monitoring software. CISA’s Acting Director Brandon Wales urged all its partners ‘in the public and private sectors’ to assess their exposure to the potential data breach. In addition, all agencies operating SolarWinds products were directed to complete a report and deliver it to CISA by 1200 Eastern Standard time on Monday (14 December). The directive followed reports by Reuters on Sunday that hackers, backed by a ‘foreign government’, have for months been monitoring internal email correspondence at the treasury and the National Telecommunications and Information Administration (NTIA) – an agency of the commerce department. The sources also indicated there is concern that other US state agencies may have been compromised, and that the hackers were backed by Russia. Cyber-security firm FireEye, which itself on 8 December confirmed a sophisticated data breach of its networks and is investigating the incident along with SolarWinds and the FBI, said the modus operandi in the latest attack was consistent with those used by state-backed actors. FireEye also said that the compromises were not ‘self-propagating’, and that ‘each of the attacks require meticulous planning and manual interaction.’ The incident signals a significant security threat to organisations working with named state agencies or using Orion for their integrated operations. In the longer term, the incident underscores the growing number of cyberthreats facing Western organisations, which have increased during the COVID-19 pandemic.
Relatedly, there is a realistic possibility that the incident will fuel suspicions about the validity of the 2020 presidential election results.

UNITED STATES – CORPORATE TRANSPARENCY ACT SET TO BE IMPLEMENTED, LOWERING AML RISKS

The Corporate Transparency Act on Friday (11 December) passed both the House and Senate. The bill requires corporations and limited liability companies established in the US to disclose their real owners to the Treasury Department, effectively banning anonymous shell companies. The bill, which applies to both existing and future entities, will make it more difficult for criminals to anonymously launder money or evade taxes. The likely implementation of the bill marks a significant breakthrough in anti-money laundering (AML) legislation. UK-based Tax Justice Network has ranked the US as the world’s second most financially secretive jurisdiction after the Cayman Islands. The bill will probably reduce the likelihood that US-based corporate entities are concealing their true owners, who may be subject to criminal charges, in order to facilitate transactions.

UNITED STATES & IRAN - TRUMP ADMINISTRATION BROADENS SANCTIONS AGAINST IRANIAN ENERGY EXPORTS

On Wednesday (16 December), the US Department of Treasury (DoT) imposed sanctions on energy companies based in China and the United Arab Emirates (UAE) for allegedly providing support in the exports of Iranian oil and gas. Donghai International Ship Management, Petrochem South East Limited, Alpha Tech Trading and Petroliance Trading were placed on the sanctions list along with Vietnam Gas and Chemicals Transportation Corporation. The latter was added in connection to ‘significant transactions’ for Iranian petrochemicals. The sanctions regime against Iran continues to tighten with this latest round of targeted embargoes. With the incoming administration of president-elect Biden, the Iranian government is cautiously optimistic that Trump-era sanctions that are not compliant under the terms and conditions of the 2015 Joint Comprehensive Plan of Action (JCPOA, or ‘nuclear deal’) will be relatively easy to repeal. Despite the Iranian government leaving the JCPOA, Biden has already pledged to rejoin it but has not given any substantive indications on reversing any sanctions. In the immediate term, these new embargoes will have more significant political impacts rather than substantive operational ramifications on the targeted entities. They certainly do not help with US-Iran relations. More sanctions are likely in the coming weeks.

Asia-Pacific

INDIA – LABOUR UNREST AT IPHONE ASSEMBLY PLANT IN INDIA’S BENGALURU TECHNOLOGY HUB

Thousands of employees staged a protest on Saturday (12 December) at a facility assembling Apple Corp. iPhones near southern India’s Bengaluru (Bangalore), Karnataka state, a high technology hub. The workers employed by Wistron, a Taiwan-based company operating a plant assembling iPhones at Narsapura around 60km from Bengaluru, claimed they had not been fully paid for the previous four months and complained about harsh working conditions. Further protests are possible, not least because of the already febrile atmosphere in India due to the huge rallies and transport blockades by farmers, if the state authorities seek to intimidate employees. Such incidents at foreign-owned companies are unusual in India and the scale of employees’ action indicates a high degree of support based on the accuracy of the claims regarding unpaid wages and an oppressive work environment. The impact on iPhone output is so far assessed as limited, but the incident will cause Apple some reputational harm. More broadly the incident highlights the need for foreign companies relying on contractors to provide branded goods or services to ensure they are compliant with their own corporate rules and standards regarding employee pay and working conditions.

AUSTRALIA & CHINA – CANBERRA REFERS BARLEY TARIFFS TO WTO, ADDING TO BILATERAL TENSIONS

The Australian government on Wednesday (16 December) announced that it had referred Beijing’s decision to impose 80 per cent tariffs on its barley exports to China, effectively ending the trade, to the World Trade Organization (WTO) for adjudication. China had accused Australia of selling barley to China at a lower price than to domestic consumers, a charge Canberra denies. Australia’s decision to bring China’s barley tariff to the WTO will also challenge that organisation’s ability to balance the two countries’ demands in a case certain to increase pressure from a powerful bloc of mainly Western nations to curtail what many view as China’s failure to adhere to the long-established rule-based trading system. While this may be a long-term consequence of Canberra's decision to bring the case before the WTO, Beijing’s response in the short term is certain to include further measures to restrict Australian imports and, in all probability, sanction that country’s companies where possible, actions that are likely to impact their staff and assets.

CHINA & EU – EU URGES RELEASE OF REPORTERS AFTER BLOOMBERG STAFFER ARRESTED

The European Union (EU) on Saturday (12 December) urged China to release all reporters and citizens detained in connection with their journalism. The statement came after it was on Friday (11 December) confirmed that Chinese authorities on Monday (7 December) detained Haze Fan, a Bloomberg News staffer, on suspicion of endangering national security. The statement comes against the backdrop of a potentially imperilled Comprehensive Agreement on Investment between the two parties, intended to be concluded by the end of 2020. BusinessEurope, a lobby group representing European businesses, in November withdrew from a meeting with Beijing-based think tank the China Centre for International Economic Exchanges (CCIEE) over the CCIEE’s opposition towards the participation of two individuals deemed to be China critics. Businesses with interests in China should assess the impact of geopolitical tensions on the security of staff, assets, and operations. Anticipate heightened scrutiny and detention risks.

Europe and Russia

REGIONAL – EU UNVEILS LANDMARK LEGISLATION, MARKING SIGNIFICANT SHIFT IN COMPETITION POLICY

On Tuesday (15 December), the EU revealed new legislation that outlines strict rules for major technology firms operating in the bloc. The legislation, called the Digital Services Act (DSA) and the Digital Markets Act (DMA), will apply to global internet companies such as Amazon, Apple, Facebook, and Google. Under the draft law, companies with over 45 million users based in the EU would be designated as digital ‘gatekeepers’, subjecting them to stricter requirements. Failure to meet the proposed regulations will lead to fines of up to 10 per cent of annual turnover and potential service suspension, while regulators can impose orders requiring firms to sell parts of their business. Companies will also need to inform EU officials of any planned mergers or acquisitions, and ensure data sharing on some content. The landmark legislation aims to strengthen competition policy and increase the regulatory burden for non-compliance. By elevating the penalties associated with potential infringements, EU regulators aim to encourage best practices among leading technology firms and create a more level playing field in the market. Critics accuse US-based technology companies of using their dominant market power to edge out smaller competitors. The draft will undergo a prolonged ratification process – including input from member states and the European Parliament – which is expected to take several months.

GREECE & TURKEY – TENSIONS LIKELY TO RE-ESCALATE AS TURKEY ISSUES PROVOCATIVE MARITIME MESSAGES

On Sunday (13 December), the Turkish navy issued three navigational (Navtex) warnings calling for the demilitarization of the Greek islands of Chios, Halki, Lemnos, Samos, Samothraki and Tilos. In a related development, the Oruc Reis research vessel left the port of Antalya on Monday (14 December) heading south-west in an area within Turkey’s territorial waters. Meanwhile, on Saturday Greek police said that two nationals were arrested on espionage charges for allegedly supplying naval information to Turkey from the island of Rhodes. The Navtex will be seen by Greek officials as yet another dangerous Turkish provocation, prolonging an already tense situation in the Aegean Sea. News of spies providing sensitive information to Turkey will further add to a climate of intense suspicion. Lack of diplomatic dialogue and bilateral engagement to defuse tensions means that a heightened deployment of military assets in the region is highly likely. On Friday (11 December), EU leaders agreed to impose sanctions on an unspecified number of Turkish officials and entities involved in the offshore drilling off the coast of Cyprus. Greece and Cyprus had called for tougher action, including trade tariffs or an arms embargo, but a collective decision will be elusive until the new Joe Biden administration begins its term in January.

EU & UK – BOTH SIDES AGREE TO ‘GO THE EXTRA MILE’ AS BREXIT TRANSITION DEADLINE LOOMS

On Sunday (13 December), the two sides issued a joint statement agreeing to ‘go the extra mile’ over the next few days in a bid to reach a last-minute trade agreement after the latest deadline for talks expired. UK Prime Minister Boris Johnson said the two sides would try to be as creative as possible but emphasized that London would not compromise on ‘red lines’, alluding to the position that a no-deal was the most likely outcome. Meanwhile, the UK Ministry of Defence said four Royal Navy patrol ships would be deployed on 1 January to safeguard fishing waters from foreign fleets in the event of a no-deal. Despite public statements tempering expectations that a deal is forthcoming, the fact that talks are continuing after the expired deadline, which had already been extended, indicates a strong level of political commitment to bridge outstanding differences. Fishing rights in UK waters and the prospect of the British government facing enforceable penalties if it diverges from EU fair competition rules remain the key issues of contention. With the 31 December deadline fast approaching, the coming days will be of paramount importance in defining the future UK-EU trading relationship.

MENA and Central Asia

SAUDI ARABIA – TANKER LIKELY ATTACKED BY HOUTHI MILITIA IN JEDDAH PORT; ELEVATED MARITIME RISK

On Monday (14 December), the shipping company Hafnia confirmed that a vessel from its fleet, the Singapore-flagged BW Rhine oil tanker, was hit by an ‘external source’ at around 0040 local time in the southwestern city of Jeddah. The statement reveals that the incident was likely an attack and, if so, will raise speculation that Houthi militia were responsible given their previous links to recent mine attacks in the region. Saudi authorities did not immediately comment on the blast, likely in part because this attack will come as another blow to the country’s efforts to maintain the energy market’s confidence, which has fluctuated in recent months due to a scaling up of attacks linked to the Yemeni Houthi rebel movement. Monday’s attack signals a development in the capabilities of the Houthis given their success in conducting an operation in a heavily policed port area. Businesses moving supplies in and out of Jeddah port are advised that delays should be anticipated over the coming days as investigations are carried out. Further attacks on Saudi facilities, or affiliates, such as commercial oil tankers exporting from the region, are highly likely in the months ahead. Shipping companies transiting through the region should ensure security measures are updated to reflect the increased maritime risk.

Sub-Saharan Africa

NIGERIA – MOBILE FIRMS ORDERED TO DEACTIVATE UNREGISTERED SIM CARDS AFTER 30 DECEMBER

The Nigerian Communications Commission (NCC) on Tuesday (15 December) ordered all mobile network operators to deactivate all SIM cards that are not registered with a valid National Identification Number (NIN) once a submission deadline of 30 December has elapsed. The measure could cause millions of mobile lines to be blocked. Out of 198 million activated mobile lines, only 41.5 million Nigerians had registered for national identity cards as of May 2020. It is widely viewed as part of a clampdown on growing security threats including terrorism, as registered SIM cards can easily be traced by security operatives.

SUDAN – US FORMALLY REMOVES SUDAN FROM STATE SPONSOR OF TERRORISM LIST

The United States on Monday (14 December) formally removed Sudan’s designation as a ‘state sponsor of terrorism’. The move is intended to help the country access debt relief, multilateral lending and western investment. The removal from the list was a top priority for Sudan’s transitional government, which came to power in August 2019 following months-long protests sparked by a rise in fuel and food prices. The removal is likely to be beneficial to the Sudanese economy; the government has struggled with a huge budget deficit, widespread shortage of essential goods, and soaring inflation, which reached 212 per cent year-on-year in September. The US has committed to providing support for wheat and other commodities over four years as well as for debt relief. Meanwhile, the World Bank and International Monetary Fund (IMF) have stated they were ready to provide financial aid to Sudan should the country clear its arrears to the two institutions. The decision accompanies Sudan’s recent normalisation of relations with Israel in a deal brokered by Washington. Sudan is one of four Arab countries – together with the United Arab Emirates, Bahrain, and, most recently, Morocco – to do so in the past three months. Khartoum in October revealed that it had agreed to the deal in order to be removed from the US terror blacklist. The US Congress still has to approve a bill that would give Khartoum immunity from future lawsuits in the US by victims of terrorism; Sudan has suggested it could pull out of the normalisation deal with Israel if the bill does not go through.