Geopolitical and Cybersecurity Risk Weekly Brief 21 September 2020

21 September 2020

Executive Summary

Education remains a significant focus for threat actors as students receive exam results and return to schools and universities. Both the FBI and NCSC released warnings concerning ransomware targeting educational institutions, and student and faculty data is seriously at risk.

In Germany, the ‘real world’ effects of a ransomware attack were felt when a patient en route to University Hospital Düsseldorf, which had been hit by a cyberattack, was sent to another hospital further away. The patient received care an hour later than she otherwise would have and is believed to have died as a result.

Cyjax analysts discovered an unsecured database containing logs of roughly 16 million outgoing SMS messages. The logs were mostly One Time Password (OTP) messages for popular services and apps including Microsoft, Google, and Twitter. After Cyjax contacted the company responsible, the database was secured.

The FBI and CISA issued a security advisory after vulnerable VPN products were targeted by Iran-based threat actors. US federal agencies and other US-based networks have been attacked in this campaign. Several publicly known vulnerabilities in VPN products supplied by Pulse Secure, Citrix NetScaler, and F5 BIG-IP have been targeted.

Governments have passed laws further regulating the technology sector. In Poland, the government published a draft bill on 8 September amending the existing law on the ‘national system of cybersecurity’ and requiring suppliers of hardware and software to be scrutinised for potential influence from foreign states. In Uganda, a new law on the use of social media will come into effect on 5 October, requiring all users of online media that are engaged in communications and broadcasting services to obtain a licence and to agree to not engage in the ‘distortion of facts’.

Several COVID-19-linked developments have been recorded. The World Health Organization (WHO) warned of a sharp rise in infection rates across the western hemisphere as normal public and social activities have resumed. Meanwhile, the economic impact of the pandemic continues to take a toll. A recent report by the Asian Development Bank (ADB) warns that up to 160 million people across Asia could be forced into absolute poverty due to COVID-19’s impact on regional economies. The ADB also forecast Sri Lanka's economic growth will contract by 5.5 per cent and that of the Maldives by 20.5 per cent, as both countries’ tourism sectors have been badly affected.

Washington has stated its intention to prevent foreign arms trade with Iran by imposing sanctions on entities who violate a UN arms embargo against Tehran, in addition to denying them access to the US market. Tensions with China have continued and increasingly manifest in the business sphere. The ruling Chinese Communist Party (CCP) on 15 September issued a directive signalling a private sector clampdown, marking a further convergence of the private sector and the state. Meanwhile, the recent acquisition of a UK semiconductor firm will reshape the industry in a way that hands significant control to US commercial interests and disadvantages China.

Attacks and cybersecurity news

An attack on Blackbaud in May 2020 continues to affect organisations around the world. The company is a third-party cloud services provider to the nonprofit, education, healthcare, and religious sectors. Since the attack, tens of businesses have fallen victim to data breaches including high-profile universities in the UK and US, the National Trust, and four healthcare organisations in the US.

The UK National Cyber Security Centre (NCSC) issued an alert warning of a recent spike in ransomware attacks on educational institutions, such as Northumbria and Newcastle University, as well as those schools impacted in the Blackbaud breach. Over the past several weeks, ransomware operators have continuously targeted the education sector across the US. On 16 September, 10 schools in the US had to stop online classes because of a ransomware attack. Due to the coronavirus pandemic, thousands of schools have been relying on technology for distance learning, making them an attractive target for threat actors.

The FBI also recently issued a Private Industry Notification (PIN) warning schools to expect a surge in ransomware attacks. There are now over a dozen ransomware variants that steal victims' data before encrypting their systems, so sensitive educational data is seriously at risk.

The US Department of Justice has indicted five Chinese nationals who it believes were responsible for intrusions at hundreds of organisations. The individuals are thought to have been members of APT41. Although no victims are named directly, the type of targeted organisations cited within the indictment is broadly consistent with the Chinese government’s intelligence priorities. These include software development companies, computer hardware manufacturers, telecommunications providers, think tanks, foreign governments, and Hong Kong activists.

CERT-FR has issued a security advisory concerning a Ransom Denial of Service (RDoS) campaign that has been ongoing since 12 August. French authorities have observed emails masquerading as APT groups such as Lazarus, APT28, Carbanak, Anonymous, and Silence.

The aim of this campaign is financial, although there appears to be a secondary objective of destabilisation of critical infrastructure. The FBI released a flash warning that thousands of organisations around the world, and across multiple industries, have been threatened with DDoS attacks unless they pay a Bitcoin ransom.

A ransomware attack on the University Hospital Düsseldorf (UKD) in Germany has forced a patient in a life-threatening condition to travel to a more distant hospital, which may have resulted in their death. The attackers used a vulnerability in the Citrix ADC, tracked as CVE-2019-19781, to compromise the hospital systems. Planned and outpatient treatment and emergency care at the hospital were suspended. The attack may now be treated as negligent manslaughter by German investigators.

Data breaches, fraud and vulnerabilities

Data Breaches

Cyjax analysts discovered an unsecured database containing logs of roughly 16 million outgoing SMS messages. The logs were mostly One Time Password (OTP) messages for popular services and apps including: Microsoft, Google, Twitter, TikTok, Snapchat, Sony, Samsung, and WeChat. The logs contain the message content, recipient number, status and a timestamp. A brief analysis of the data showed that the service is only routing to European country codes. After Cyjax contacted the company that owns the data, the database was taken offline.

Public Health Wales (PHW) announced a data breach involving the personal information of 18,105 people who had previously tested positive for coronavirus. The information was mistakenly uploaded to a public server and exposed for around 20 hours until PHW removed it on 31 August. By the time the data was removed it had been viewed 56 times; the NHS Trust, however, noted that there was no evidence of malicious actors misusing the information.

The operators behind the LockBit ransomware have now launched their own data leaks blog. Currently, only two victims are named on the blog: Croatian shipping company Overseas Express, and Yaskawa Electric, a leading Japanese manufacturer of industrial robots.

A database containing 2.4 million records belonging to Zhenhua Data, a Shenzhen-based private Chinese surveillance firm, has been leaked. The records contain the detailed personal information of more than 250,000 users from the US, UK, Canada, Australia, and Indonesia, among others. Zhenhua Data reportedly uses its data to conduct espionage; it works closely with the Chinese Ministry of State Security (MSS), the Chinese Communist Party (CCP), and the Chinese People’s Liberation Army (PLA). Researchers found that much of the data had been scraped from open sources and formatted into profiles for each user. Some of the records, however, also contain sensitive data such as bank details, job applications, and psychological profiles.

Fraud

A new phishing campaign is using an email template that claims to be a reminder to complete security awareness training from KnowBe4, a well-known phishing awareness company. The email reminds the user to log in and take their phishing training, adding a sense of urgency by saying the link will expire within 24 hours. The campaign operators have anticipated their recipient's suspicion by warning that the link provided will not lead to a standard training platform but to an external site. This is likely to be an attempt to put the target at ease with the fact that the landing page may be unfamiliar, meaning they may overlook a malicious URL.

Vulnerabilities

Vulnerabilities in the multi-factor authentication (MFA) system used by Microsoft’s Office 365 platform have resulted in attackers accessing cloud applications by bypassing the security system. These can only be used against environments in which WS-Trust is enabled. An attacker could use these flaws to gain full access to a target's accounts, including mail, files, contacts, and data. They can also be used to gain access to various Microsoft-provided cloud services, including production and development environments such as Azure and Visual Studio.

Hundreds of security vulnerabilities have been revealed in the websites of major airlines, tour operators, and hotel chains. Marriott, British Airways, and EasyJet were among the five companies with the most risks identified: all three of the firms have previously experienced breaches affecting a total of 350 million customers. Details about the vulnerabilities have not yet been released to give the companies time to patch.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Drupal has released patches for several vulnerabilities in its content management system.
  • CISA then issued an advisory for the latest Drupal security updates.
  • Multiple high-risk vulnerabilities disclosed in plugins for the Jenkins automation software.
  • Multiple vulnerabilities disclosed in Nitro Pro PDF reader.
  • Vulnerability in Google Chrome’s PDFium.
  • Local privilege escalation (LPE) vulnerability in Rapid7’s Nexpose Installer (used by Fortune 500 organisations and government entities).
  • IBM issued patches for two vulnerabilities in its Spectrum Protect Plus data-storage protection solution.
  • Vulnerabilities in MobileIron's mobile device management (MDM) solutions: MobileIron Core, MobileIron Sentry, MobileIron Cloud, Enterprise Connector, and Reporting Database. There are approximately 10,000 potentially exposed servers online – 30 per cent of all active servers – even though a patch has been available since June.
  • Citrix has published a security advisory for its Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
  • Multiple vulnerabilities disclosed in ICS and medical solutions manufactured by Philips, Advantech, and Wibu-Systems.
  • CISA issued a security advisory concerning Apple’s new updates.

APT ACTIVITY AND MALWARE CAMPAIGNS

APT ACTIVITY

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on an Iranian threat group known as APT39. It reportedly comprises 45 individuals and one front company. The government of Iran is said to have used the front company, Rana Intelligence Computing Company, to orchestrate a year-long malware campaign. Iranian dissidents, journalists, and international travel companies were all targeted. Three additional Iranian nationals were then indicted on charges of hacking US aerospace and satellite companies. The accused are said to have orchestrated a years-long hacking campaign on behalf of the Iranian government and to be linked to the Elfin threat group (also known as APT33). Symantec has noted that the targets and tactics described in the indictment closely resemble Elfin's activity, and that there is commonality in the tools used.

The FBI and CISA have issued a security advisory after vulnerable VPN products were targeted by Iran-based threat actors. US federal agencies and other US-based networks have been attacked in this campaign. The tactics, techniques, and procedures (TTPs) reportedly correlate with those of PioneerKitten (also known as UNC757) which has targeted several publicly known vulnerabilities in VPN products supplied by Pulse Secure, Citrix NetScaler, and F5 BIG-IP. In July 2020, threat actors believed to be associated with PioneerKitten were found selling access to compromised networks on an underground forum. This behaviour suggests that the APT is attempting to diversify its revenue stream, away from a reliance on the Iranian government.

MALWARE

New research has shown that the operators of the Maze ransomware appear to be leveraging a technique pioneered by the Ragnar Locker threat group: distributing their ransomware payload inside a virtual machine (VM). To ensure that the device on which the file was dropped could run the ransomware in a VM, a stripped-down version of the VirtualBox hypervisor was also downloaded. The use of a VM was not a technique that had previously been associated with the operators of Maze. As such, this new research from Sophos reveals that this group of threat actors is particularly adept at adopting techniques that have been tested and proven successful by other ransomware groups. Other tactics adopted in this way include the use of extortion as a means of making it more likely that a victim will pay. All these evolutions in the TTPs of ransomware threat actors have come about in direct response to the developments in defence mechanisms against ransomware by endpoint protection products.

Threat researchers shared samples of an Android remote access Trojan (RAT), detected as Trojan.AndroidOS/Ahmyth, which is disguised as a French COVID-19 test and trace app. It is pushed by a website called 'maladiecoronavirus'. Earlier in 2020, Android banking Trojans and spyware masqueraded as contact tracing apps, exploiting the coronavirus pandemic. Multiple Android Trojans with similar code bases exploited the pandemic to spread COVID-19 themed malicious Android packages (APKs). Countries around the world are increasingly concerned about the chances of a second wave of coronavirus infections and this will be leveraged in phishing lures and fake applications being distributed by threat actors.

DARKNET

It has been a quiet week on the darknet. Icarus, one of the preeminent markets since Empire’s demise, had been striving for top spot in the marketplace ecosystem but has now been down for around ten days, as of 21 September. There has been no communication from the market admins, and many are assuming that Icarus has fallen foul of yet another exit scam. It is unclear whether this is the case, however, as various rumours are circulating that suggest the FBI may have located Icarus’s servers. These rumours, however, have little evidence to back them up.

Geopolitical threats and impacts

Americas

VENEZUELA – UN Human Rights Report Detailing Abuses Highlights Reputational Risks

On 16 September, a fact-finding mission for the United Nations Human Rights Council (UNHRC) published the findings of its investigation into human rights violations in Venezuela since 2014. Its highly critical report accused the government of ‘egregious violations’ of human rights, some of which amount to crimes against humanity. The report found evidence of unlawful executions, enforced disappearances, arbitrary detentions, and torture. Investigators said that President Nicolás Maduro and other senior government officials oversaw and sometimes directed the oppression.

The report’s findings are credible, despite Venezuelan authorities labelling the mission as a ‘hostile initiative’. Under Maduro, the government has strengthened its grip on state institutions and eroded the powers of democratic bodies, such as the national assembly. This has also coincided with an uptick in political repression, as well as the detention of prominent opposition leaders. The Venezuelan opposition and much of the international community had coalesced their support around opposition leader Juan Guaidó; however, in the past year his movement has become increasingly side-lined. Foreign companies doing business in the country, particularly those with public contracts, are likely to come under scrutiny from civil society organisations and potentially their home governments for their operations and links to the Venezuelan authorities. Corporates with interests in Venezuela should carefully assess the reputational implications of operations and adjust planning accordingly.

BOLIVIA – Interim President Quits Presidential Race as Leftist Candidate Ahead in Polls

On 17 September, interim President Jeanine Áñez withdrew her candidacy for the presidential election scheduled to take place on 18 October. Áñez said that she was exiting the race in order not to split the vote and potentially lead to the return to power of exiled former president Evo Morales’ MAS party.

Áñez replaced Morales as president in November 2019, when Morales fled the country amid widespread violent protests over disputed election results. Recent polling had put the conservative Áñez in fourth position with approximately 11 per cent of the vote, well behind the 40 per cent supporting Luis Arce of Morales’ MAS. The return of the leftist MAS party to power remains the most likely outcome, particularly as Morales remains popular with many Bolivians for his government’s economic and social record. Corporates with interests in Bolivia and next month’s general election should monitor updates on polling and leading candidates, and scenario plan for plausible outcomes, including victories for each leading candidate.

REGIONAL – WHO Warns of Health Risks from Latin America’s Re-Opening

On 16 September, the Regional Director for the Americas of the World Health Organization (WHO) warned that many countries in the western hemisphere have begun to resume normal public and social activities, despite the COVID-19 pandemic still requiring major control interventions. Speaking at a virtual briefing, Carissa Etienne warned that infection rates have sharply risen along the border between Colombia and Venezuela in recent weeks, and that death rates continue to rise in areas of countries including Mexico and Bolivia, with areas of Argentina showing similar trends.

The western hemisphere has been the world’s worst-affected region by COVID-19, with the US, Brazil, and Mexico among the four countries with the highest number of deaths linked to the virus. Etienne’s remarks come as countries across the Americas seek to resume economic and social activities, largely to minimise the economic impact of the pandemic. While such an approach provides an economic boost, it risks prompting a spike in COVID-19 cases as people resume their regular activities and increasingly come into contact with one another. This elevates the likelihood of a reversal of re-openings, as has occurred in European countries including Spain and the UK, or a second lockdown. Corporates with staff and assets in Latin America should carefully monitor COVID-19 trends and government policies in their locations of interest, and scenario plan for partial and complete reversals of economic re-openings.

Asia-Pacific

SRI LANKA & MALDIVES – Economies to Contract by 5.5 Per Cent, 20.5 Per Cent Respectively

The Asian Development Bank (ADB) has forecast Sri Lanka's economic growth will contract by 5.5 per cent and that of the Maldives by 20.5 per cent due to the impact of the coronavirus (COVID-19). Tourism in 2019 contributed around 12.5 per cent of Sri Lanka’s GDP, earning around USD5 billion from three million visitors. Tourism in the Maldives prior to COVID-19 contributed almost two-thirds of GDP and was the largest single source of waged employment.

With no clear end to restrictive travel measures intended to control the virus – both Sri Lanka and the Maldives effectively closed their borders to foreign visitors in late March – the economic impact of COVID-19 will continue to deteriorate. Predictions of a resurgence of the disease during the northern hemisphere’s winter months are certain to extend the bar on overseas arrivals well into 2021. Companies involved in the industry should assess their six-month to one-year outlook regarding any resumption of tourism in both countries because of these dual threats to the sector.

REGIONAL – Coronavirus to Force up to 160M People Across Asia into Absolute Poverty

A recent report by the Asian Development Bank (ADB) warns that up to 160 million people across Asia could be forced into absolute poverty due to the impact of the coronavirus (COVID-19) on regional economies. The ADB also forecasts that overall GDP for what it terms developing Asia will contract by 0.7 per cent in 2020, the first negative economic growth in the region since 1962. The international poverty threshold is currently USD3.2 per person per day. The ADB’s assessment is supported by the Bill and Melinda Gates Foundation’s 2020 Goalkeepers report published on Monday (14 September) that notes efforts to improve the incomes and health of millions of the world’s poorest communities have ‘been set back about 25 years in about 25 weeks.’

In addition to the evident economic impact of COVID-19, both the ADB and Gates reports highlight the reversal of efforts to improve the life chances of millions of families. Experience indicates that while those who remain in absolute poverty are generally too intent on daily survival to mobilise in order to seek a change to their circumstances, those who have been reduced to such a condition are far less likely to accept the outcome. The result of a huge increase in poverty is certain to increase the likelihood of social and political unrest, notably across South Asia, Indonesia, and the Philippines. However, even autocratic regimes and wealthy countries will struggle to maintain social order if the pandemic continues to severely impact economic activity. Companies throughout the region should assess how their staff, operations and assets will be affected over the six-month outlook if the pandemic serves as a catalyst for increased volatility and instability.

CHINA – Party Directive Signals Private Sector Clampdown, Heightened Political Risks

The ruling Chinese Communist Party (CCP) on 15 September issued a directive instructing the United Front Work Department (UFWD) – a CCP agency that carries out influence operations both domestically and abroad – to increase its engagement with private businesses. The directive said that the UFWD should target all private firms and personnel, including those owned by individuals in Hong Kong and Macau, exercising CCP influence on firing, hiring, and training decisions via a new database of staff and possible new hires. Party committees will be created or bolstered in certain firms, while those that do not have them will be provided with direct training from local party committees instead, according to the document. The CCP will also reportedly enroll more private sector members.

The document affects all China-based non-state businesses except for non-government groups providing social services, Taiwanese- and foreign-invested firms, as well as individual entrepreneurs. It marks a further convergence of the private sector and the state, which has ramped up significantly throughout President Xi Jinping’s tenure. Private businesses, which have suffered from the strain of COVID-19-linked economic fallout, as well as diplomatic and commercial rows, employ 80 per cent of the urban workforce and comprise 60 per cent of the country’s economic output. Businesses should anticipate heightened political risks in at least the medium-to-long term as instability risks persist.


Europe and Russia

POLAND – Draft Bill Seeks to Enhance Political Oversight on Foreign Technology Suppliers

The government published a draft bill on 8 September, which amends the existing law on the ‘national system of cybersecurity’ and requires suppliers of hardware and software to be scrutinised for potential influence from foreign states. Factors such as whether a company’s home country adequately protects human rights and the processing of personal data would form part of the vetting process. A ‘high risk’ provider would face a ban and see products being used in the market withdrawn.

While the draft does not specifically mention China-based technology provider Huawei, it is clearly part of a broader effort to address national cyber security concerns. Washington, which claims Huawei has strong ties to the Chinese state, has pressured allies across Europe to limit or implement an outright ban on the company. Huawei has repeatedly denied the claims. Polish government scrutiny on Huawei has steadily increased since 2019, when a company employee and a former Polish security official were detained on espionage charges. Beyond Huawei, the bill could be used to ban other non-EU technology and software providers. Technology firms supplying Poland-based telecommunications firms with equipment should monitor the bill’s passage through parliament and factor its likely adoption into strategic planning.

UK, US, & CHINA – Acquisition of UK Semiconductor Firm Attracts Political, Regulatory Risks

On 14 September, Japanese conglomerate SoftBank Group said it had agreed to sell Arm Holdings, a prominent UK semiconductor design firm, to Nvidia for nearly USD40 billion. The planned acquisition by the US technology firm carries wide ranging implications for the global semiconductor market. In a related development, the UK government is under pressure to intervene against the foreign takeover or impose conditions on the sale. In an op-ed published on 16 September, Chinese state-backed media source Global Times said that the acquisition was ‘disturbing’, calling on global regulators to exercise caution as they scrutinise the deal. The deal requires approval from regulators in multiple countries, including China, before it can go ahead.

If it receives the necessary regulatory approval, the deal will reshape the semiconductor industry in a way that hands significant control of the market to US commercial interests, disadvantaging China. Regulators in the UK are unlikely to block the deal as it will likely receive strong political backing from the ruling Conservative Party; a takeover of a British firm via a US investment forms part of a broader effort to foster closer bilateral trade ties after the Brexit transition period ends in December. As a result of the transaction, Chinese firms included on the ‘Entity List’ – which restricts companies’ access to items produced domestically and abroad from US technology firms – may be prevented from using chips manufactured by Arm. Chinese purchasing of Arm-designed products from other European companies could also be limited.


MENA and Central Asia

LEBANON – More Time for Talks on New Government as Deadline to Form Cabinet Passes

Prime Minister-designate Mustapha Adib and President Michel Aoun on Thursday 17 September agreed to allow more time for consultations regarding the formation of a new government. Talks are currently deadlocked as Lebanese politicians missed a 15-day deadline on 16 September set by French President Emmanuel Macron to form a crisis cabinet.

Meanwhile, the US Treasury on Thursday imposed sanctions on two Lebanon-based companies, Arch Consulting and Meamar Construction, for links to Hezbollah. Sanctions were also imposed on an individual, identified as Sultan Khalifah Asaad, alleged to be a Hezbollah official closely associated with both companies.

Negotiations over the new cabinet have been at an impasse since Parliament Speaker Nabih Berri, backed by Hezbollah, has insisted that the Shiite sect retain the finance ministry. Adib is in favour of rotating the leadership of the finance ministry, along with the defence, interior and foreign ministries, among the country’s main sects.

The new US sanctions highlight the ramped-up pressure Washington is putting on Hezbollah. On 8 September, the US Treasury sanctioned two former Lebanese Cabinet ministers allied with Hezbollah. With this latest pressure, it is almost certain that Hezbollah will work hard to expand its political influence and will therefore be unlikely to concede the finance ministry. Operations managers should monitor the situation for updates and expect negotiations over the government formation to be delayed. There is a realistic possibility that Adib will step down should an agreement not be reached, which would increase the risk of political instability.

IRAN & US – Plans to Impose Sanctions Against Violators of UN Arms Embargo

Secretary of State Mike Pompeo said on 16 September that the US intends to prevent foreign arms trade with Iran by imposing sanctions on entities who violate a UN arms embargo against Tehran, in addition to denying them access to the US market. The embargo was first imposed in 2015 and is scheduled to expire in October. On 12 August, the US pursued a resolution that would extend the embargo at the UN Security Council; while this was overwhelmingly voted against on 14 August, the US responded on 20 August by initiating a process at the Security Council to trigger a ‘snapback mechanism’, which would effectively re-impose all sanctions imposed against Iran prior to the 2015 JCPOA nuclear agreement deal. A resolution to block the snapback has not yet been introduced by other Security Council members, the deadline for which was 19 September.

Despite the US intentions to uphold the arms embargo, the proposal has been met with widespread opposition from Security Council members. The lack of international support would likely make it difficult for US authorities to enforce the sanctions, but not impossible.

Washington is unlikely to back down in its efforts to continue pursuing a maximum pressure campaign against Iran; US Special Representative for Venezuela and Iran Elliott Abrams indicated on Wednesday that announcements will follow in the coming days involving secondary sanctions that will be used as a means of enforcing the arms embargo. Businesses with interests in Iran should monitor all government updates regarding the potential reimposition of a wide range of US sanctions in the coming months. Companies are also advised to carry out due diligence on business and operations practices to ensure they are in compliance with any existing sanctions.

Sub-Saharan Africa

MALI – Regional Leaders Accept 18-Month Transition Indicating Progress in Talks with Junta

The Economic Community of West African States (ECOWAS) issued a statement on 15 September, announcing that it was accepting an 18-month transition, following the coup d’etat in Mali on 14 August. The transition period will begin on 22 September. ECOWAS also agreed to lift sanctions once a president and a prime minister have been nominated; both roles need to be held by civilians, ECOWAS said. Furthermore, it stressed that the vice president could not ‘in any case’ replace the president during the transition, and that the Comité national pour le salut du peuple (CNSP) military junta would be dissolved as soon as the civilian transition begins. The announcement followed a special summit held by ECOWAS and leaders of the CNSP in Aburi, about 35km north of the Ghanaian capital Accra.

The announcement suggests that ECOWAS is making some concessions towards the CNSP, which initially had called for a three-year transition, signalling progress in the negotiations. However, it is unclear if the CNSP will accept ECOWAS’ demands for a civilian president, given its previous allusions to nominating its own candidate and a transitional council. The response of civil society and the political sphere is also unclear at this point. The broad-based coalition Mouvement du 5 juin-Rassemblement des forces patriotiques (M5-RFP) over the weekend rejected the CNSP transition plan, saying the CNSP was ‘monopolising’ power. Further talks are therefore likely in the one to two-week outlook. In the meantime, ECOWAS sanctions will be maintained, in line with our forecast.

UGANDA – New Social Media Law Likely to Elevate Security and Political Risks from 5 October

There are now three weeks until a new law on the use of social media becomes effective. By 5 October, when the law is due to come into effect, all users of social media and other online media that are engaged in communications and broadcasting services need to obtain a licence with the Uganda Communications Commission (UCC). The licences will cost UGX100,000 (USD26.97) per year, and licence holders need to agree to not engage in the ‘distortion of facts’. According to the UCC notice that was sent out on 7 September, the new regulation targets the activities of radios, television channels, newspapers, video on demand services, internet protocol TV, bloggers, and similar online services.

Critics, such as UK-based advocacy group Amnesty International, claim the new law will muzzle opposition activists and restrict freedom of expression. Some argue it is intended to limit anti-government criticism ahead of presidential elections in January and February 2021. It is unclear if the new law will impact individuals, although this is probable particularly if they have a large number of followers online. Managers of companies and organisations that are likely to be affected by the new law, including private businesses and non-governmental organisations that publish content on social media platforms, should assess the likely risks to their organisation and staff and consider developing new codes of conduct for online commentary on behalf of their organisation to limit the risk of legal retributions in the coming four to five months.

SOMALIA – Report on Money Transfer Firms Underscores Heightened Compliance Risks

Somali money transfer firms moved over USD3.7 million in cash between suspected weapons traffickers in recent years, including to a Yemeni sanctioned by the US for alleged militant ties, according to news agency Reuters on 18 September. The Central Bank of Somalia said it would probe the discovery by Switzerland-based research group Global Initiative Against Transnational Organized Crime.

Almost two-thirds of the 176 transactions in the report, which seemed to be tied to suspected arms dealers in Somalia and Yemen, were over the USD10,000 threshold that should have activated an automatic report to regulators. The four money transfer businesses said they complied with international ‘know your customer’ rules and used third-party databases of internationally sanctioned individuals, although some admitted it was difficult since Somalia has no national identity card. Two of the money transfer firms alleged that certain transfer slips in the report were forged, while one said it reported transactions above the threshold to Somali authorities.

Few banks conduct business with Somali money transfer firms because of heightened risks of breaching international anti-money laundering and transparency rules. The report is likely to further raise scrutiny over such businesses in the immediate term. Businesses, particularly those in the financial sector, with interests in Somalia should ensure that all transactions are above board and factor the development into their risk assessments in order to mitigate potential reputational and compliance risks.