Geopolitical and Cybersecurity Risk Weekly Brief 4 January 2021

4 January 2021

EXECUTIVE SUMMARY

Cyberattacks within the political sphere remain a concern. Finnish police announced on 28 December that the email accounts of several Finnish MPs had been breached in a cyberattack on the country’s parliament in autumn. The Scottish Environment Protection Agency (SEPA) was hit by a cyberattack on 24 December, and internal networks at various Lithuanian municipal governments and the country’s National Centre for Public Health (NVSC) were infected with Emotet in the last fortnight. Coupled with the fallout from the SolarWinds attack (for which CISA has issued updated guidance for companies looking to mitigate the effects), these attacks demonstrate a continued focus by malicious actors on centres of governance and weaknesses in the networks used by them. 

Several developments have been reported in the technology sector. Microsoft revealed that additional malicious activity was discovered in its environment after the SolarWinds attacks. The company claims to have detected "unusual activity with a small number of internal accounts," with one of them being used to view source code in various repositories. The attackers did not, however, have the required permissions to change any source code or systems. 

Elsewhere in the sector, the US Federal Aviation Administration (FAA) published new rules stating that small drones will be permitted to fly over people and at night, while drones may also fly over moving vehicles in certain circumstances. US prosecutors charged a China-based executive at video conferencing firm Zoom with involvement in a scheme to disrupt video calls commemorating the 31st anniversary of the Tiananmen Square Incident in China, highlighting the potential for politically linked disruptions. 

Google Project Zero researchers have warned that a 0day vulnerability, discovered in May and affecting Internet Explorer and the Windows operating system, has not yet been successfully patched. It is likely that the bug, tracked as CVE-2020-0986, is being exploited in the wild. It was patched in June by Microsoft but was not fixed entirely. The bug was being exploited by an unnamed APT group (thought to be DarkHotel). The company planned a patch for November 2020, but problems identified during the testing stage pushed the release to the following Patch Tuesday, on 12 January 2021. 

Tensions with China continue. A court in southern China on Wednesday (30 December) sentenced 10 Hong Kong residents to prison terms for illegally attempting to reach Taiwan by sea in August 2020. China’s National People’s Congress ratified a 2017 treaty with Turkey on Sunday (28 December) allowing for the forcible deportation of ethnic Uighur Muslims who have fled the crackdown in northwest China and sought refuge in Turkey. Opposition lawmakers in Turkey, including those from the pro-Kurdish Peoples’ Democratic Party (HDP), have vowed to block ratification in their own parliament.

ATTACKS AND CYBERSECURITY NEWS

The SolarWinds fallout continues to worsen. Most recently, Microsoft revealed that additional malicious activity was discovered in its environment after the SolarWinds attacks. The company claims to have detected "unusual activity with a small number of internal accounts," with one of them being used to view source code in various repositories. The attackers did not, however, have the required permissions to change any source code or systems. Last week, Microsoft had reported that the end goal of the SolarWinds supply chain attack was to compromise victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local network. Once the attackers have an initial foothold in the system, they can choose which organisations to continue operating within. The second stages of the attack involved "on-premises activity with the goal of off-premises access to cloud resources." 

CISA has updated its official guidance for mitigating the effects of the SolarWinds attack. All US government agencies running SolarWinds Orion platforms must update to version 2020.2.1HF2 by the end of the year. Those that cannot update should take all Orion systems offline. 

Researchers from Citizen Lab have accused the Israeli company NSO Group of violating the privacy of thousands of people to sell its contact-tracing technology. NSO is a well-known vendor of spyware and surveillance products: its Fleming system is designed to help governments monitor and trace the spread of COVID-19 by providing and visualising location data provided by telecoms companies. In May 2020, a security researcher uncovered an unsecured database containing thousands of location data points. This database was the same one used by NSO to demonstrate its contact tracing system. An investigation by researchers at Goldsmiths, University of London claims that the exposed data was likely based on real phone location data and that the NSO could have violated the privacy of some 32,000 individuals around the world. NSO has rejected the investigation’s findings and reiterated that "the demo material was not based on real and genuine data related to infected COVID19 individuals." 

The Scottish Environment Protection Agency (SEPA) was hit by a cyberattack on 24 December. It had a significant impact on the organisation's contact centre, internal systems, processes and internal communications. However, core regulatory, monitoring, flood forecasting and warning services remained unaffected by the attack. The organisation's Emergency Management Team continues to work with the Scottish Government, Police Scotland, and the National Cyber Security Centre in investigating the attack and to identify the threat actors responsible. 

Emotet recently infected the internal networks of Lithuania's National Centre for Public Health (NVSC) and several municipal governments. Malicious emails were sent to numerous recipients that had previously received correspondence from the NVSC. This included government officials, ministry representatives and epidemiologists. The NVSC's email systems were suspended on 29 December to stop the spread. Efforts are ongoing to recover infected systems. This is the second substantial Emotet campaign to target Lithuania this year. The previous campaign was detected in October. Emotet recently returned after a brief hiatus, distributing hundreds of thousands of malicious emails since 21 December. 

DATA SECURITY, FRAUD, AND DARKNET

DATA SECURITY

T-Mobile USA has announced a "security incident" that impacted customer account information. A threat actor gained unauthorised access to Customer Proprietary Network Information (CPNI). This may have included "phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless device". No other information was compromised, and the relatively limited range of compromised information reduces the risk of its misuse. Affected customers are being notified; an investigation into the incident remains ongoing.

FRAUD

Security researchers have identified a recent large-scale phishing campaign that exploits Facebook ads to redirect victims to fake login pages. Sophisticated phishing pages were hosted on GitHub to target Facebook users in multiple countries, including Egypt, the Philippines, Pakistan, and Nepal. The attackers behind the campaign used 500+ GitHub repositories to host the pages. The researchers were able to gain access to the list of phished credentials, which is reported to contain 615,000 records and is growing. Leveraging Facebook ads in malicious campaigns has become increasingly common. In October 2020, Ragnar Locker ransomware operators used Facebook ads to pressure Italian beverage vendor Campari into paying for a decryption key. Other advertising media and platforms could be targeted in future.

Livecoin, a Russian cryptocurrency exchange, has reportedly been compromised and had its exchange rates modified to 10 or 15 times higher than the usual price. Livecoin left a message on its website on Christmas Eve claiming it was hacked and had lost control of its servers. Customers were warned to stop using the service. According to ZDNet, before the Livecoin administrators regained access, the Bitcoin exchange rate had risen from USD23,000/BTC to over USD450,000/BTC, alongside similar growth in the value of other cryptocurrencies. Once the exchange rates had been tampered with, the attackers began cashing out, generating vast profits. Livecoin stated in its notification that the attack was “carefully planned” and had been prepared “over the last few months”. The company added: “We lost control of all of our servers, backend and nodes. Thus, we were not able to stop our service in time. Our news channels were compromised as well.” As happens with most cryptocurrency exchange attacks, several users believe there to have been foul play and are now claiming the entire hack was an inside job.

DARKNET

The last fortnight has seen various developments in the darknet ecosystem. A reply from Joker, the operator of the Joker’s Stash credit card market, was published after the seizure by the FBI of servers belonging to the market. Joker claims that the FBI was unable to capture anything of interest or value, and that the market will be back up as soon as possible. The market resumed full operations on 23 December 2020. 

We have detected multiple listings for access to companies, as well as their data for sale. Telefonica and Orange Telecom have both had credentials stolen and leaked to hacking forums for a price tag of USD450. An unnamed UK-based financial company has also had access offered for USD50 on a Russian hacking forum. The threat actor offering the access provided screenshots of an internal platform; unfortunately, it was not possible to identify the company from these pictures. The UAE Zakat Fund also had admin access offered for sale on a Russian-speaking hacking forum.

Koei Tecmo has also fallen victim to a cyberattack after a threat actor claimed to have penetrated the company using a spear phishing attack. The customer database of Koei Tecmo has been offered for USD1,300 (now, however, being offered free), and a web shell has been offered for USD6,500.

Data from “various financial companies” has been offered on a Russian hacking forum. According to the threat actor who posted the advertisement, the private dump would contain over one billion unique emails that have been collected since 2017. The asking price for this data is USD30,000. Finally, a general ransomware update. In the week leading up to Christmas, we saw approximately 20 new victims across the ransomware groups monitored by Cyjax. However, it seems that these operators took a break over the New Year period, as new victims have yet to start appearing on the leak sites.

APT ACTIVITY, MALWARE CAMPAIGNS, AND VULNERABILITIES

APT ACTIVITY

The StrongPity threat group has extended its global reach with new attack infrastructure. StrongPity runs several malicious domains that offer trojanised versions of legitimate software. Primarily these drop Truvasys, a first-stage malware that receives regular updates. This latest campaign uses a malicious version of Partition Find and Mount alongside the updated C&C infrastructure. StrongPity is believed to be a state-sponsored group that has been active since at least 2012. The group is sophisticated, utilising 0day vulnerabilities and advanced attack tools. It has not been successfully linked to any particular nation or other known threat groups. 

Cyjax analysts have uncovered two malicious documents referencing the COVID-19 pandemic in North Korea. The two documents are titled “Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc”. The malware used in this attack is detected as the Amadey Trojan, a commodity tool used for credential harvesting and remote control by threat actors of all skill levels. The theme of the malicious Word documents is noteworthy as North Korean cyber-operators often use similar weaponised lures to infiltrate their targets. Only a limited number of sources have observed DPRK threat actors using Amadey in the past.

MALWARE

Researchers have analysed IceRat, a modular backdoor that can provide remote access and deliver subsequent malware, including coinminers. Most IceRat components are written in JPHP, a PHP implementation that runs on the Java VM. This uses .phb files, which are less well supported by antivirus products, resulting in low detection rates on VirusTotal. Splitting IceRat into multiple components aids obfuscation. A downloader would be flagged as malicious if accompanied by malware but may be mistaken for benign in isolation. IceRat remains a relatively uncommon malware, which could gain popularity if it maintains its stealthy attributes.

VULNERABILITIES 

The FBI has released a public service announcement warning of the risk of swatting for devices with video and voice capabilities. Pranksters are hijacking smart devices with weak security and using them to generate a response from the police or the S.W.A.T. (Special Weapons and Tactics) team against a target. The perpetrators use the compromised devices to live-stream the incidents and engage with responding officers. To increase their credibility, offenders in some cases spoof the victim's phone number, which makes spotting a fake emergency call a difficult task. The FBI has urged the owners of smart devices to strengthen their login credentials by using strong, unique passwords and activating two-factor authentication. 

Google Project Zero researchers have warned that a 0day vulnerability, discovered in May and affecting Internet Explorer and the Windows operating system, has not yet been successfully patched. It is likely that the bug, tracked as CVE-2020-0986, is being exploited in the wild. It was patched in June by Microsoft but was not fixed entirely. The bug was being exploited by an unnamed APT group (thought to be DarkHotel). Publicly available proof-of-concept (PoC) code has been disclosed by security researchers. If exploited successfully it can be used for privilege escalation and remote code execution on an unprotected device. Microsoft received the report on 24 September and confirmed the issue a day later, assigning it the tracking number CVE-2020-17008. The company planned a patch for November 2020, but problems identified during the testing stage pushed the release to the following Patch Tuesday, on 12 January 2021.

GEOPOLITICAL THREATS AND IMPACTS

AMERICAS

UNITED STATES & CHINA – CHARGE AGAINST ZOOM STAFFER UNDERSCORES INSIDER THREATS 

US prosecutors on Friday (18 December) charged a China-based executive at video conferencing firm Zoom with involvement in a scheme to disrupt video calls commemorating the 31st anniversary of the Tiananmen Square Incident in China. The US Department of Justice (DOJ) said that the executive could face a jail sentence of up to 10 years if convicted of conspiring since January 2019 to use his firm’s systems to censor speech. The software engineer, Zoom’s primary liaison with Chinese law enforcement and intelligence, allegedly concocted breaches of the company’s terms of service to justify his actions to superiors. The engineer’s accomplices allegedly made bogus email and Zoom accounts, including in Tiananmen-linked dissidents’ names, to suggest that hosts and participants supported criminal and terrorist activity. The company has reportedly dismissed the executive for breaching policy, placed other personnel on leave, and is cooperating with US law enforcement authorities. The development highlights difficulties in ensuring adherence to company policy across different jurisdictions and the potential harm caused by insider threats. Zoom in August halted direct sales to China after the US-based firm came under increasing scrutiny over its China-linked policies, including the temporary suspension in June of an account tied to a US-based group of Chinese prodemocracy activists. Increasingly sophisticated insider threats pose significant legal, reputational, and financial risks to businesses. Businesses are advised to periodically conduct detection operations for insider threats, including behavioural analysis, to identify any patterns of suspicious activity. Remind personnel to practice good operational security at all times. 

COLOMBIA & RUSSIA – RUSSIAN SPIES EXPELLED, HIGHLIGHTING ENERGY INDUSTRY THREATS

The Colombian foreign ministry confirmed that it had expelled two diplomats at the Russian embassy in Bogota for violating the Vienna Convention on Diplomatic Relations, according to an announcement made on Wednesday (22 December). While the ministry provided no further details, local television outlet NTN24 reported that the Russian citizens were expelled on 8 December over espionage allegations related to military and economic intelligence gathering operations. The two had been identified as Alexander Paristov, an alleged member of Russia’s Foreign Intelligence Service (SVR) and Alexandre Belousov, who is believed to be a member of the military’s GRU intelligence service. Moscow responded by expelling two Colombian diplomats from Russia. El Tiempo newspaper reported that the Russian operatives were actively recruiting sources in Cali who worked in the energy and minerals sectors. There is uncertainty over the extent of sensitive data extracted or the number of recruits achieved from their operations. Nonetheless, the incident represents a serious escalation in diplomatic tensions between Moscow and Colombia, which may merit further actions. 

UNITED STATES – FAA UNVEILS NEW DRONE RULES, PAVING THE WAY FOR MORE COMMERCIAL USES

 On Monday (28 December), the US Federal Aviation Administration (FAA) published new rules for the manufacture and usage of unmanned aerial vehicles (UAVs), also referred to as drones. Under the new rules, small drones will be permitted to fly over people and at night, while drones may also fly over moving vehicles in certain circumstances. Drones weighing over 0.25kg must be equipped with remote identification (ID) technology, while lighter drones must also have remote IDs to operate in certain environments, such as over an open-air assembly. The new regulations will be published in the federal register in January and come into effect after 60 days of their publication, with manufacturers given 18 months to begin producing drones with remote IDs. The new rules pave the way for the expansion of drone usage in commercial environments. Specifically, the new rules may eventually facilitate the widespread use of drones for some commercial deliveries, such as groceries. Several major US companies have expressed interest in or begun testing drones for commercial delivery purposes, including Amazon, Walmart, and United Parcel Service. The mass usage of drones for commercial delivery purposes, however, is unlikely in the immediate term, particularly amid safety concerns. Moreover, eventual services are set to face burdensome restrictions on where and how they can operate, such as restrictions on operations near airports and other sensitive critical infrastructure. 

APAC 

HONG KONG – HONGKONGERS IMPRISONED IN CHINA AFTER ILLEGAL ATTEMPT TO REACH TAIWAN 

A court in southern China on Wednesday (30 December) sentenced 10 Hong Kong residents to prison terms for illegally attempting to reach Taiwan by sea in August 2020. The court in Yantian, Guangdong province, sentenced the two men found guilty of organising the attempt by the so-called ‘Hong Kong 12’ to travel to Taiwan in a bid to avoid charges related to protests in 2019 to between two and three years’ imprisonment. Eight others were sentenced to seven months’ imprisonment and fined for illegally crossing the border between the territory and China; two minors were returned to Hong Kong. The case attracted worldwide attention, notably in the US where it was linked to the imposition of additional sanctions against the territory’s administration. However, the relatively lenient sentences, far less severe than many in Hong Kong had anticipated, indicate a possible effort by the Chinese government to signal a willingness to reduce opposition to its policies in the territory from local and foreign critics. Attention will now return to the ability of Hong Kong’s judiciary to retain its independence and credibility in how local cases are processed under China’s imposed national security law (NSL).

PAKISTAN – AT LEAST SEVEN PARAMILITARY PERSONNEL KILLED IN BALOCHISTAN PROVINCE ATTACK 

At least seven members of Pakistan’s paramilitary Frontier Corps (FC) were killed in an attack on a checkpoint in the Shahrag region of Balochistan province’s Harnai district on Saturday (26 December). The well-armed attackers, described by the military as ‘terrorists,’ were almost certainly from one of the Balochistan separatist groups who have been in conflict with the Pakistan government for decades. Shahrag, about 70km east of the provincial capital Quetta, is the location of one of Pakistan’s five major coalfields. The attack does not appear to be linked to any specific target other than the FC personnel, suggesting it may have been a response to recent local operations by the paramilitary unit. An increasing number of attacks in the province in recent years have targeted infrastructure projects linked to Beijing’s huge investment programme in Balochistan intended to create an economic and transport corridor between southwestern China and the Arabian Sea. Following the latest incident Pakistan’s Imran Khan commented on social media that ‘our nation stands with our courageous soldiers who face attacks from Indian-backed terrorists.’ Pakistan has long accused India of supporting Baloch insurgent groups in a bid to deny China access to its western flank and generally undermine foreign investment in the country. 

INDONESIA – COUNTRY BANS POLITICALLY POWERFUL ISLAMIC DEFENDERS FRONT GROUP 

The Indonesian government on Wednesday (30 December) announced that it had banned the politically powerful hard-line Islamic Defenders Front (FPI) with immediate effect. The FPI is led by an Islamic cleric Rizieq Shihab who was arrested earlier this month shortly after returning from three years of self-exile in Saudi Arabia. Rizieq’s arrest was followed by protests by his supporters, and an incident in which six FPI activists were shot dead in a confrontation with the police near the capital Jakarta, which many Indonesians consider to be an extrajudicial killing. The FPI has shown that it has extensive support among many conservative and radical Muslims disenchanted by the economic and social policies of the present administration. In banning the FPI the government is likely to intensify such sentiments without possessing the means, and in all probability the will, to marginalise the group through legal measures. It is now highly likely that more radical FPI supporters will employ other measures to challenge the state, including illegal protests and potentially more violent and targeted actions. While the FPI’s specific political focus may be on the government, foreign companies and individuals are now assessed to be at higher risk in at least the 12-month outlook as radical factions seek targets intended to undermine the state’s credibility and ability to govern. 

EUROPE AND RUSSIA

FINLAND – PARLIAMENT HACK UNDERSCORES ELEVATED CYBERSECURITY THREATS AMID PANDEMIC 

Finnish police on Monday (28 December) announced that email accounts of a number of Finland’s MPs were breached in a cyberattack on the country’s parliament in autumn, and that a probe has been launched in response. Exact details on the compromised data were not specified. Threat actors may have acquired data through the attack to damage Finland or for the profit of a foreign government, according to crime commissioner Tero Muurman. The hack is especially concerning because of ‘the quality of the target’ according to Muurman. The breach illustrates increased cyberattacks on both public and private sector entities during the COVID-19 pandemic in this rapidly evolving threat landscape. The European Union (EU) on 16 December introduced a bloc-wide Cyber Shield and Joint Cyber Unit among other measures in an effort to strengthen European cybersecurity by allowing earlier cyber threat detection and bolstering defences against cross-border cyberattacks. The development reflects a growing focus on cybersecurity, spurred on by cyberattacks on medical systems during the pandemic. The European Medicines Agency on 9 December said that documents linked to a COVID-19 vaccine were accessed in a cyberattack on its IT infrastructure the same day.

MONTENEGRO – LARGE PROTESTS IN CAPITAL AS GOV’T APPROVES AMENDMENTS TO RELIGIOUS LAW 

Montenegro’s parliament on Tuesday (29 December) approved amendments to a religious property law following protests by several thousand people on Monday (28 December) against the amendments outside the country’s parliament in the capital Podgorica. Demonstrators accused the new government of being pro-Serb because the law to be amended has been objected to by the Serbian Orthodox Church, who claim that the law aims to remove the church’s property. The Montenegrin President Milo Đukanović has seven days to sign the amendments into law or return them to parliament. If the amendments are voted for again, then Đukanović is required to enact them. The rallies are the first larger-scale protests since the new government came into power after winning a slim majority in August’s parliamentary election. The government has denied the church’s accusations against the law, though months of demonstrations before the election bolstered the opposition. Protests against the amendments are likely to intensify in the coming weeks. 

NORTH MACEDONIA – POLICE ARREST EIGHT OVER ALLEGED ISLAMIC STATE-LINKED TERROR PLOT

The Interior Ministry on Monday (28 December) said that police on Sunday (27 December), after a months-long probe, arrested eight people in the city of Kumanovo and the capital Skopje on suspicion of forming an Islamic State (IS)-like terrorist group and plotting terrorist attacks in the country. No exact targets were specified. Authorities said the suspects belonged to the same group as three others arrested in September on suspicion of storing large weapons caches close to Kumanovo. The latest arrests come after Austria requested closer cooperation in future probes following an incident on 2 November in which an Austrian-born man of Macedonian-Albanian descent went on a shooting spree in Vienna, killing four people and injuring over 20 before being shot dead by police. Overall, the developments point to a heightened terrorism risk profile for North Macedonia. Ethnic Albanian demonstrators in 2014 protesting over terrorism convictions of alleged Albanian Islamists for the killing of five ethnic Macedonians hurled projectiles at government buildings and police, who responded with the deployment of tear gas, water cannon, and stun grenades.

MENA AND CENTRAL ASIA

CHINA & TURKEY – CHINA RATIFIES EXTRADITION TREATY, PRESSURE ON TURKEY TO FOLLOW SUIT 

China’s National People’s Congress ratified a 2017 treaty with Turkey on Sunday (28 December) allowing for the forcible deportation of ethnic Uighur Muslims who have fled the crackdown in northwest China and sought refuge in Turkey. Opposition lawmakers in Turkey, including those from the pro-Kurdish Peoples’ Democratic Party (HDP), have vowed to block ratification in their own parliament. Critics warn that the agreement will be used as a bargaining chip to exert pressure to deport Uighur refugees, of whom some 50,000 are thought to reside in Turkey. Opposition lawmakers have cited the delayed shipment of Chinese-made coronavirus vaccines, which had been due to arrive on 11 December but were postponed by Beijing due to a re-tightening of coronavirus measures. According to state-run Anadolu News Agency, the first three million doses of CoronaVac, developed by Chinese biopharmaceutical company Sinovac Biotech, were eventually delivered on Wednesday (30 December). Turkey signed contracts to purchase 50 million doses of CoronaVac. It is uncertain whether Turkey’s parliament will ratify the deal: President Recep Tayyip Erdoğan’s Justice and Development Party (AKP) does not hold a parliamentary majority, but relies on support from the Nationalist Movement Party (MHP). Meanwhile, there has been growing popular opposition, including protests against the AKP’s perceived inaction toward the crackdown on Uighurs in China’s Xinjiang, and ratification would likely spark widespread unrest. However, there is a realistic possibility that Beijing could withhold investment and vaccine shipments should ratification not occur.

SAUDI ARABIA – PROMINENT WOMEN'S RIGHTS ACTIVIST SENTENCED TO NEARLY SIX YEARS IN PRISON 

A prominent women’s rights activist, 31-year-old Loujain al-Hathloul, was sentenced on Monday (28 December) to five years and eight months in prison on terrorism-related charges. Two years and ten months of the sentence are said to have been suspended, meaning she could be released in March 2021. The prosecutor had called for the maximum sentence of 20 years. Al-Hathloul was also banned from leaving the country for five years. The sentencing has sparked a torrent of international criticism. She and her family have denied all charges and said she has been tortured in prison. Her family, who have called the trial a ‘sham’ and ‘politically motivated’, will appeal her prison sentence but expressed little hope in the Saudi judicial system. Al-Hathloul was arrested in May 2018 with about a dozen other women’s rights activists, just weeks before women were allowed to drive in the country. It was a reform she had been campaigning for. Her case has highlighted the apparent strategy of Crown Prince Mohamed bin Salman (MbS) to usher in sweeping reforms while simultaneously cracking down on activists who had pushed for change. This is likely an attempt to project the image of reforms as being ‘top-down’ and discouraging activism and a more ‘bottom-up’ approach. Al-Hathloul’s case has also come to symbolise the Kingdom’s persistent human rights abuses despite its push for economic and social reform. Joe Biden, who will be inaugurated as US president in January, is expected to take a tougher stance on human rights violations. He has said he would reverse President Donald Trump’s policy of giving Saudi Arabia ‘a blank check’ for its policies, including the targeting of female activists. Company managers should monitor the situation in the months following Biden’s inauguration and factor the potential worsening of bilateral relations due to Biden’s more assertive stance on human rights into business plans.

SUB-SAHARAN AFRICA

ETHIOPIA – CONFLICT ESCALATION BETWEEN AFAR AND SOMALI REGIONAL STATES AFTER REPORTS OF SKIRMISH 

Fighting erupted between the Afar and Somali regional forces on Sunday (27 December), resulting in numerous casualties. Details of the attack are unclear as both sides have been issuing different accounts of the incident through official channels and on social media. One account claimed that Afar Regional Special Forces (SF) attacked elements from the Somali Regional State Special Forces in Danlahelay in Afdem Woreda, Sitti Zone, leading to 39 Somali SF casualties. However, an official statement from the Somali regional government discredited this report, claiming that non-combatant civilians were killed in Helei Kebele in Afdem Woreda. The Afar regional government denied the allegations. The conflicting reports underscore the opaqueness of the information environment in a country where the government strongly filters such reporting and propagandising such events is critical for strategic leveraging. Nonetheless, this does not detract from the fact that hostilities and conflict in this region present a significant threat.

MOZAMBIQUE – ISLAMIST INSURGENT ATTACK HIGHLIGHTS THREAT TO LNG FACILITY IN CABO DELGADO

On Tuesday (29 December), Islamist insurgents reportedly attacked Mozambican security forces in the town of Monjane in the northern province of Cabo Delgado. There were no further details on the incident, including casualty counts. There have also been no claims of responsibility; however, there is strong speculation that the attack was carried out by members of the Islamic State, or, as the group is more commonly known, Ansar al-Sunnah wal-Jammah. This latest attack has garnered a significant amount of attention, given that it occurred almost 5km south of a liquefied natural gas (LNG) plant operated by Total SE. There are mounting concerns that these insurgents will inevitably be able to execute a relatively successful attack on the facility. The Islamist insurgents have expressed their intention to target the LNG operations in Cabo Delgado on multiple occasions. The Mozambican security forces have struggled to contain the threat in a protracted conflict now in its third year, which has resulted in around 2,500 fatalities and the exodus of around 570,000 local inhabitants.