Geopolitical and Cybersecurity Risk Weekly Brief 5 October 2020

5 October 2020

Executive Summary

A key development in the cybersecurity sphere this week came in the shape of a warning from the US Treasury Department's Office of Foreign Assets Control (OFAC) that organisations assisting victims of ransomware to make ransom payments to threat actors are at risk of having sanctions imposed upon them. Furthermore, these payments are only likely to encourage future ransom payment demands, according to OFAC.

As if to confirm the use to which ransomware’s ill-gotten gains are put, the REvil (Sodinokibi) ransomware operators this week deposited USD1 million in Bitcoin to a Russian-speaking darknet forum along with an announcement that they are once again recruiting new affiliates for ransomware distribution. This raises the potential for the hiring of skilled affiliates, further elevating the threat from this malware. The group claims that it generates more than USD1 million per week in profit, indicating that many victims of REvil attacks ultimately pay up.

The annual report of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, published by the UK Cabinet Office, details a flaw of ‘national significance’ in Huawei equipment. The specific flaw has not been described because of its potential impact on UK services, and HCSEC is also withholding full details of the vulnerability from Huawei for now, to allow the UK to assess and mitigate its impact. The BBC reports that the flaw relates to broadband equipment but that it was not exploited in the wild.

APT groups continue to present a serious threat to both public and private sector organisations. Notably, a credential harvesting operation attributed to North Korean APT Kimsuky has targeted journalists, media firms, and civil society organisations around the globe and a UN report from August disclosed that the same group had launched multiple spear-phishing attacks against Security Council officials. The reporting country claimed that it observed a similar campaign targeting members of its government, which took place via WhatsApp as well as email.

In the geopolitical sphere, US President Donald Trump announced that he and First Lady Melania Trump have both tested positive for the novel coronavirus (COVID-19). In Lebanon, Prime Minister-designate Mustapha Adib resigned amid growing discord with Shia parties seeking to control the finance ministry. In India, a special court acquitted all 32 defendants accused of conspiring or otherwise planning to destroy a mosque in Ayodhya in 1992.

Geopolitical and national tensions continue to have the potential to manifest in cyberattacks. In Egypt, a surveillance campaign carried out by an unknown hacking group with alleged links to the state was revealed, highlighting the risk of domestic surveillance and censorship amid renewed anti-government protest activity. Iran announced it had received gold shipments from Venezuela in return for gasoline shipments, in a likely show of resilience amid escalating US sanctions.

Financial institutions and the organisations that transact through them continue to be primary targets for cyberattacks. In South Africa, the Department of Justice and Constitutional Development (DoJCD) said it was targeted in a cyberattack involving the so-called DoppelPaymer ransomware, whose operators commonly take advantage of major news events such as the pandemic to lure victims with phishing emails and gain access to networks. In Hungary, a number of banks and telecommunications providers were targeted by a distributed denial-of-service (DDoS) attack, in which attackers attempt to disrupt systems by flooding a network with high volumes of traffic. The attack was launched from servers based in China, Russia, and Vietnam.

Tensions with China continue. On 30 September, the US Department of Labor (DOL) published its biennial list of goods thought to be produced by child or forced labour. China was the largest source of listed products. In Germany, Berlin will introduce strict new conditions on telecommunications firms that will effectively exclude China-based technology firm Huawei from contributing towards installing 5G networks.

Attacks and cybersecurity news

The US Treasury Department's Office of Foreign Assets Control (OFAC) has warned that organisations assisting victims of ransomware to make ransom payments to threat actors are at risk of having sanctions imposed upon them, as their actions could violate OFAC regulations.

OFAC explains that companies which facilitate ransomware payments on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, only encourage future ransomware payment demands. Such a company could be held civilly liable even if it did not know it was engaging in a transaction with a party prohibited under the sanctions laws and regulations administered by OFAC.

Companies that have been the victim of a ransomware attack are also encouraged to disclose this to law enforcement to reduce the potential risks of sanctions violations. Under the guidelines, ‘OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus,’ according to the agency.

Universal Health Services (UHS), a US hospital chain, has reported that 250 of its US facilities were affected by an attack on its systems; efforts to restore hospital networks are still ongoing. Employees at UHS hospitals told the media that ‘all computers are completely shut down’ and that ‘we are using paper for everything’. Doctors told 6abc News that they no longer have access to any patient files, that wait times have gone from 45 minutes to 6 hours, and that medical workers cannot access X-ray or CT scans. It appears that UHS was infected with the Ryuk ransomware following a likely phishing attack: both Emotet and TrickBot, which are well-established precursors of Ryuk deployments, were detected on UHS systems as recently as September 2020. The chain has still not commented on reports that it was hit by ransomware.

The REvil (Sodinokibi) ransomware operators deposited USD1 million in Bitcoin to a Russian-speaking darknet forum along with an announcement that they are once again recruiting new affiliates for ransomware distribution. This large deposit indicates that ransomware operators are well-funded. It also raises the potential for hiring additional skilled affiliates, further elevating the threat. The group claims that it generates more than USD1 million per week in profit, indicating that many victims of REvil attacks ultimately pay up.

CMA CGM, the French maritime transport and logistics firm, has disclosed that a ransomware attack is affecting some of its servers. The attack forced the firm to shut down internet access to some of its IT infrastructure to prevent further spread of the ransomware. Issues mainly affect the firm’s two Asia-Pacific subsidiaries. Some of its offices in China, including Shanghai and Guangzhou, have been affected and staff were asked not to use computers. The ransomware responsible belongs to the RagnarLocker family.

Swiss watchmaker Swatch Group shut down its IT systems over the weekend to contain a cyberattack. The company has reportedly assessed and mitigated the attack, and normal operations will resume ‘as soon as possible’. Further information was not provided.

Multiple flight tracking services, including Plane Finder and Flightradar24, experienced service disruptions due to distributed denial of service (DDoS) attacks. There was some speculation that the attacks were potentially linked to the ongoing conflict between Armenia and Azerbaijan. Turkey has allegedly been providing Azerbaijan with air support via drones and fighter jets, so these DDoS attacks may have been conducted to conceal their movements.

The SunCrypt ransomware operators are using distributed denial of service (DDoS) attacks as an extortion tactic. One victim reported a DDoS attack on its website after ransom negotiations with one of the SunCrypt affiliates stalled. When the victim logged into the ransomware's Tor payment site, a message told them that SunCrypt was responsible for the DDoS attack and that the attacks would continue if negotiations did not resume. Once the company continued negotiations, the ransomware operators agreed to stop the DDoS attack.

Data breaches, fraud, and vulnerabilities

Data Breaches

Security researcher Bob Diachenko has found an exposed database containing 15 million Angolan voter records. The database is thought to be part of SINFIC (www.sinfic.com) infrastructure. Exposed data includes voter IDs, groups, voter numbers, names, birthplace, gender, mother's name, father's name, date of birth, height, country, province, proof of identity, and parent records.

Documents relating to the UK government’s activities in Syria from the UK Foreign Commonwealth and Development Office (FCDO) have been leaked online. Unknown threat actors allegedly penetrated the network of the FCDO and exfiltrated hundreds of potentially sensitive documents concerning Syria. Some of these documents were then leaked by individuals claiming to be part of Anonymous, with more expected to be leaked in the coming weeks. The leaks allegedly show the UK government working closely with contractors to develop a communications strategy targeting Syrian citizens. The documents further alleged that the UK helped fund Syrian citizen journalists who were critical of the Assad regime.

Kylie Jenner's make-up company has warned customers that it was among those affected in the recent Shopify breach. The notification states that some customers' personal data may have been among the information stolen by two rogue members of Shopify's support team. Shopify has given assurances that it has implemented additional controls to prevent this type of incident from recurring.

Fraud

Japan Post Bank has issued an apology to customers after cybercriminals stole 60 million yen (USD570,000) from 380 accounts. The attackers ‘exploited security weaknesses’ in its partner companies' electronic payment services to complete the theft. The attacks reportedly occurred between July 2017 and September 2019. The bank noted that suspicious transactions were made from over 600 customer accounts. Consequently, the total sum stolen could still rise.

A new phishing campaign has been observed targeting businesses with fake General Data Protection Regulation (GDPR) compliance emails. The phish warns the recipient that their email security is not GDPR compliant and requires immediate action. The emails appear legitimate, with the sender address spoofed so that they seem to have been sent from the company's own security department. Users are asked to click on a link and sign in with their employee credentials, which are then stolen and exfiltrated to the attacker.

A newly detected business email compromise (BEC) campaign has stolen more than USD15 million from at least 150 organisations worldwide. The cybercriminals responsible are impersonating senior executives via Office 365 email services to intercept sensitive communications and change wire transfer details.

Vulnerabilities

The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board's annual report, published by the UK Cabinet Office, analyses technology from Chinese networking company Huawei; its researchers discovered a flaw of ‘national significance.’ HCSEC was founded in 2010 to mitigate any potential risk from the use of Huawei technologies in the UK's critical national infrastructure. The specific flaw has not been described because of its potential impact on UK services, and HCSEC is also withholding full details of the vulnerability from Huawei for now, to allow the UK to assess and mitigate the impact. The BBC reports that the flaw relates to broadband equipment but that it was not exploited in the wild.

An internet-wide scan has found that 61.10 per cent (247,986 out of a total of 405,873) of internet-facing Microsoft Exchange servers remain unpatched against CVE-2020-0688, a remote code execution vulnerability in the Exchange Control Panel (ECP) that Microsoft patched in February 2020. Exploitation requires valid credentials for any mailbox, so accounts that were compromised and then used against an Exchange server can be discovered by checking the Windows Application event log and the IIS logs for the anomalous requests the exploit generates. There are no mitigating measures for CVE-2020-0688 other than the update, so the only choice is to patch the server before an attacker finds it.
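The IIS log check described above, written out as an added example (this is not code from the brief or from any vendor). An exploit for CVE-2020-0688 is an authenticated GET to /ecp/default.aspx with __VIEWSTATEGENERATOR and a crafted __VIEWSTATE in the query string; legitimate ECP traffic carries ViewState in a POST body, so a query string containing these parameters is a strong signal. The log lines, host names and account names below are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in IIS W3C format (not a real capture). The third
# request has the shape of a CVE-2020-0688 exploit attempt: a valid account,
# /ecp/default.aspx, and ViewState parameters in the query string with the
# fixed generator value B97B4E27 that ECP uses for that page.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-10-01 08:02:11 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 200 31
2020-10-01 08:02:40 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 200 44
2020-10-01 08:03:02 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEypAUAAQAAAP%2F%2F 443 CORP\\alice 203.0.113.7 python-requests/2.24.0 500 120
2020-10-01 08:05:17 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\bob 10.0.0.43 Mozilla/5.0 200 25
"""

VIEWSTATE_GEN_RE = re.compile(r"__VIEWSTATEGENERATOR=([0-9A-Fa-f]{8})")


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or rotated-mid-line entry; skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def find_cve_2020_0688_attempts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag ECP requests that carry ViewState in the query string."""
    hits = []
    for r in rows:
        if not r.get("cs-uri-stem", "").lower().endswith("/ecp/default.aspx"):
            continue
        query = r.get("cs-uri-query", "")
        m = VIEWSTATE_GEN_RE.search(query)
        if "__VIEWSTATE=" in query and m:
            hits.append({
                "time": f"{r['date']} {r['time']}",
                "user": r["cs-username"],   # the account whose credentials were used
                "src": r["c-ip"],           # where the exploit request came from
                "status": r["sc-status"],   # 500 is typical: payload ran, page errored
                "generator": m.group(1),
            })
    return hits


def compromised_accounts(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged requests by account so each one can be reset and reviewed."""
    acc = defaultdict(set)
    for h in hits:
        acc[h["user"]].add(h["src"])
    return {user: sorted(ips) for user, ips in acc.items()}


if __name__ == "__main__":
    for user, ips in compromised_accounts(
        find_cve_2020_0688_attempts(parse_iis_log(SAMPLE_IIS_LOG))
    ).items():
        print(f"{user}: exploit requests from {', '.join(ips)}")
```

The same attempts also surface in the Windows Application event log as Event ID 4 from source ‘MSExchange Control Panel’ with an ‘Invalid viewstate’ error; correlating both sources gives the account, the source IP and the time window for the credential reset and follow-up investigation. A flagged account is a compromised credential regardless of whether the server was patched.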

CISA has issued security alerts for multiple vulnerabilities in industrial control system (ICS) products. Successful exploitation could lead to a remote attacker gaining unauthorised access, abnormal program termination, and information disclosure. The products are as follows: MB Connect line mbCONNECT24, mymbCONNECT24; Yokogawa WideField3; B&R Automation SiteManager and GateManager.

Authentication bypass vulnerabilities have been uncovered in multiple wireless router chipsets. The flaws, tracked as CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991, affect a variety of MediaTek, Qualcomm, and Realtek chipsets used in routers.

APT Activity and Malware Campaigns

APT activity

A newly discovered APT group, dubbed XDSpy, evaded detection for nine years while running intelligence-gathering operations that compromised many government agencies – including militaries and Ministries of Foreign Affairs – as well as private companies. XDSpy’s only known infection vector is carefully crafted spear-phishing emails, some leveraging COVID-19 lures, to compromise its targets. In June, the group began using CVE-2020-0968, a remote code execution (RCE) vulnerability in Internet Explorer that was patched in April.

A new attack campaign, dubbed HpReact, has been attributed to APT-C-34 (also known as Machete). The campaign aimed to steal Venezuelan military secrets to support the recent attempted military coup. The malware used in this campaign is called Pyark, a new fileless backdoor written in Python that is delivered via spear-phishing documents. The researchers claim they found the Pyark backdoor present in various military institutions in Venezuela. The C&C infrastructure used by the Pyark backdoor was located primarily in Colombia.

An active credential harvesting operation has been attributed to North Korean APT Kimsuky. The targets of this campaign include journalists, media firms, and civil society organisations. Kimsuky has targeted the Korean Studies Institute at George Washington University, The American Enterprise Institute (AEI), Radio Free Asia and the Office of the United Nations High Commissioner for Human Rights.

Elsewhere, a UN report from August disclosed that North Korean threat group Kimsuky has launched multiple spear-phishing attacks against United Nations Security Council (UNSC) officials. The emails were designed to look like UN security alerts or interview requests to trick targets into accessing a phishing page or running malware. The reporting country claimed that it observed a similar campaign targeting members of its government, which took place via WhatsApp as well as email.

BlackTech, a cyberespionage group, is using a new suite of custom malware to target media, construction, engineering, electronics, and finance organisations in Japan, Taiwan, China, and the US. The attacks began in 2019 and have continued into 2020 using dual-use tools and custom malware.

A new campaign distributing Android spyware has been attributed to APT-C-23 (also tracked as Two-tailed Scorpion), a threat group that mainly targets users in the Middle East. APT-C-23 is known to use both Android and Windows malware for its operations. Its Android spyware first appeared in 2017 and has since been updated with expanded spying functionality.

Malware

The Exorcist 2.0 ransomware operators are using the PopCash malvertising network to redirect victims to fake software cracking sites that distribute their malware. One of the sites purports to offer a free 'Windows 10 Activator'. The downloaded archive contains a password-protected zip file and a text file containing the password. Because the payload is encrypted inside the inner zip, Google Safe Browsing, Microsoft SmartScreen, and installed security software cannot inspect it, so the download evades their checks. If the user runs the program, the ransomware is deployed.
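A gateway-side check for the packaging trick described above, as an added example that is not part of the original brief. The sample archive is constructed in memory: Python's zipfile cannot write encrypted members, so the example writes a plain member and then sets bit 0 of the general-purpose flag in both the local header and the central directory record, which is exactly the bit a scanner reads to decide it cannot look inside. The inspector then walks nested archives and flags an encrypted member sitting next to a plaintext file that contains a password. The file names (activator.zip, Windows10Activator.exe, Password.txt) are made up for the example.

```python
import io
import struct
import zipfile
from typing import List

ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose bit flag


def _build_encrypted_entry_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: a one-member zip whose member is marked encrypted.

    The member data is left in the clear; only the flag is set. That is enough
    to reproduce what a scanner sees, because it decides on the flag before
    it ever tries to read the data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if raw[:4] != b"PK\x03\x04":
        raise ValueError("unexpected archive layout")
    # local file header: flag field sits at offset 6
    raw[6:8] = struct.pack("<H", struct.unpack("<H", raw[6:8])[0] | ENCRYPTED_FLAG)
    # central directory record: flag field sits at offset 8 from its signature
    cd = raw.find(b"PK\x01\x02")
    raw[cd + 8:cd + 10] = struct.pack(
        "<H", struct.unpack("<H", raw[cd + 8:cd + 10])[0] | ENCRYPTED_FLAG
    )
    return bytes(raw)


def build_sample_download() -> bytes:
    """Outer archive shaped like the lure: encrypted inner zip plus password note."""
    inner = _build_encrypted_entry_zip("Windows10Activator.exe", b"MZ" + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("activator.zip", inner)
        zf.writestr("Password.txt", "password: 1234\n")
    return buf.getvalue()


def build_benign_download() -> bytes:
    """Control case: a plain archive with nothing encrypted and no password note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Thanks for downloading.\n")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def inspect_archive(blob: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Walk an archive (and archives inside it) and report what a scanner cannot see."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"encrypted member at depth {depth}: {path}")
                continue  # cannot be read without the password; do not try
            data = zf.read(info)
            if path.lower().endswith(".txt") and b"password" in data.lower():
                findings.append(f"plaintext password hint at depth {depth}: {path}")
            if data[:4] == b"PK\x03\x04" and depth < max_depth:
                findings.extend(inspect_archive(data, depth + 1, max_depth))
    return findings


def is_suspicious(blob: bytes) -> bool:
    """Encrypted content shipped together with its own password is the lure pattern."""
    found = inspect_archive(blob)
    return any("encrypted member" in f for f in found) and any(
        "password hint" in f for f in found
    )


if __name__ == "__main__":
    for line in inspect_archive(build_sample_download()):
        print(line)
    print("suspicious:", is_suspicious(build_sample_download()))
```

An encrypted member on its own is common in legitimate traffic, and a password note on its own is harmless; it is the combination in one download that should trigger a block or a sandbox detonation with the supplied password, since the archive is carrying everything needed to defeat the scan.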

Several attacks have deployed the LodaRAT, which has reportedly received multiple updates by the malware authors. One of the latest versions uses a hex-encoded PowerShell keylogger, along with a new VB script that was later removed. LodaRAT is typically distributed via malicious Microsoft Word documents.

Zscaler has disclosed a new attack campaign targeting the oil and gas supply chain industries in the Middle East. The phishing campaign leveraged the fact that the Abu Dhabi National Oil Company (ADNOC) had terminated several engineering, procurement, and construction (EPC) contracts. The targeted attacks aimed to deploy malware such as AZORult, which specialises in silently harvesting sensitive data.

The Linkury (SafeFinder) adware family, known primarily for distributing browser hijackers, has been distributing fully functioning malware. Its main method of distribution is the 'SafeFinder' widget, a browser extension advertised as a way of performing safe searches on the internet. SafeFinder is often bundled with other free applications as a secondary installer or distributed via online ads. Installing SafeFinder changes the user's default settings and installs additional binaries selected by the user's country. Malware delivered by SafeFinder includes the Socelars, Glupteba, and Kpot infostealer Trojans. SearchNewTab adware, which uses PowerShell to disable Windows Defender, has also been dropped. Even if the user declines the installation of SafeFinder, it is still downloaded.

A new IoT RAT, dubbed Ttint, is compromising fully patched devices via two zero-day vulnerabilities. The attacks target routers manufactured by Tenda to spread the RAT, which is based on Mirai code. Mirai variants typically focus on DDoS attacks, but this version is different. In addition to DDoS capabilities, Ttint encrypts its command-and-control traffic and implements a SOCKS5 proxy on the compromised routers; its 12 remote-control functions let the operators tamper with DNS settings, modify iptables rules, execute system commands, and route traffic through the device.

US Cyber Command has issued a security alert regarding a new remote access Trojan (RAT), dubbed SlothfulMedia, used by a sophisticated threat actor. It can log keystrokes and steal files, and is used for intelligence-gathering operations. It has reportedly been deployed against victims in several countries, including India, Kazakhstan, Kyrgyzstan, Malaysia, Russia, and Ukraine.

Darknet

The darknet has seemingly settled into a new status quo: White House market has taken top spot and Monopoly remains firmly behind it. Icarus has vanished with no communication from its admins for several weeks, suggesting that the market has exit scammed. Elsewhere, we have seen multiple new ransomware groups emerge and start adding victims to their leaks sites.

Egregor is the latest group included in our monitoring. Since 23 September, Cyjax observed 14 new victims added to the Egregor leaks site. The data is less substantial compared with other groups, but victims are being added at a greater frequency.

Cyjax also observed an uptick in ransomware groups adopting the Ransomware-as-a-Service (RaaS) model. Zeoticus, Smaug, and Darkside all switched to the model last month and are making good use of their affiliates. REvil deposited USD1 million in the Russian hacking forum xss.is to bolster their ransomware recruitment program. The move underscores ransomware's evolution from a private criminal affair to a global business.

Access to the internal network of an undisclosed market research company is currently for sale on the darknet. Although the name of the market research company is not disclosed, based on the revenue figures, it could be Ipsos. In subsequent posts, the threat actor also mentions the company is based in France, which again points towards Ipsos. This should not be treated as confirmation.

Geopolitical Threats and Impacts

Americas

UNITED STATES – Implications for governance, election as Trump tests positive for COVID-19

On 2 October, President Donald Trump announced via Twitter that he and First Lady Melania Trump have both tested positive for the novel coronavirus (COVID-19). With this diagnosis, Trump should remain in isolation until at least 12 October. Trump’s diagnosis halts his election campaigning and casts doubt over whether the scheduled presidential debates on 15 and 22 October will take place. Furthermore, it raises questions over Trump’s personal attitude towards COVID-19, given his initial unwillingness to wear a face covering, his holding of large outdoor election rallies, and his mocking comments during the debate about rival Joe Biden frequently wearing a mask. These factors are, however, unlikely to significantly affect polling or the eventual outcome of the race, as Trump’s diagnosis is unlikely to change the existing views of many of his supporters.

US & CHINA – Washington places China at top of forced labour list

On 30 September, the US Department of Labor (DOL) published its biennial list of goods thought to be produced by child or forced labour. The list included 155 products from 77 countries, of which the largest source was China, with 17 products. Chinese products listed ranged from footwear and gloves to toys, electronics, and coal. The list states that various Chinese products were produced by forced labour from Muslim minorities, particularly ethnic Uyghurs in the western Xinjiang region. The list likely influences decisions by the US Customs and Border Protection (CBP) agency to block products thought to be produced by child or forced labour. The list is highly likely to irritate Beijing, where authorities deny mistreatment of ethnic Uyghurs. More broadly, the list adds to openly hostile Sino-US relations.

VENEZUELA – Protests erupt across country over shortages, disruption to services

More than 100 protests have taken place across the country since the weekend of 26 September amid widespread anger over fuel shortages and disruption to utilities such as water and electricity. The protests do not appear to be organised by opposition political parties and have instead erupted amid much of the population’s difficulty accessing basic public services such as electricity and running water. The coronavirus (COVID-19) pandemic and the attendant restrictions on travel and assembly have exacerbated Venezuela’s existing economic crisis, worsening gasoline shortages and hampering economic activity. While national authorities are seeking to alleviate fuel shortages through the import of Iranian oil, these imports appear insufficient to fulfil demand nationwide and also face US opposition.

Asia-Pacific

INDIA – Court acquits Hindu party leaders for alleged role in 1992 demolition of mosque

A special court in Lucknow, Uttar Pradesh state, on 30 September acquitted all 32 defendants accused of conspiring or otherwise planning to destroy a mosque in nearby Ayodhya in 1992. The destruction of the Babri mosque, located on the site of a previous Hindu temple, by crowds closely associated with the now ruling Bharatiya Janata Party (BJP) triggered a wave of intercommunal violence across northern India that led to the deaths of at least 2,000 people, most of them Muslims. Controversy over the Babri mosque and the subsequent violence remains a key source of friction between India’s Hindu majority and the country’s estimated 195 million Muslims. While Muslim organisations have said they will appeal the court’s ruling, there are concerns that the response at street level will increase tension between members of both faiths. Any widespread displays of Hindu ‘triumphalism’ over the decision could lead to counter-protests by Muslims, greatly increasing the potential for confrontation between activists and drawing in the police and paramilitary units.

INDONESIA – Country’s investment reform legislation expected to be ratified on 8 October

The Indonesian government and legislature on 3 October ended the debate on the Jobs Creation Bill (popularly known as the ‘Omnibus Bill’), allowing it to be ratified on 8 October, when it will become law. The bill is intended to improve the country’s investment climate by reducing bureaucratic obstacles and some employee rights. Trade unions have long opposed the bill on the basis that it reverses gains made by their members and millions of other waged employees over the past two decades, citing its revisions to rules on employment termination, foreign workers and minimum wages, and its removal of criminal sanctions in labour disputes. Passing the Omnibus Bill into law during the coronavirus (COVID-19) pandemic, at a time when job security for millions of employees is compromised, may lessen the impact in terms of protests, albeit at the price of deepening divisions between workers, management and the state. Long-term consequences are likely to include continuous efforts by organised labour to restore lost rights and income.

Europe and Russia

UNITED KINGDOM – Lawmakers support bill undermining EU-UK agreement

On 29 September, lawmakers in the House of Commons voted in favour of the Internal Market Bill by 340 votes to 256. If adopted, the bill will give ministers the power to overrule the internationally binding Withdrawal Agreement (WA) with the EU. The vote carries significant implications; it brings the bill one step closer to becoming legislation as it moves to the House of Lords, the upper house of parliament. Moreover, it is interpreted in Brussels as a provocative move that damages mutual trust between EU and UK officials at a critical time in negotiations. An EU summit on 16 December will see EU leaders gather to decide whether tangible progress has been made in trade negotiations and determine future steps.

While the legislation indicates the UK is willing to renege on past commitments and potentially leave without a deal, there have been reports of concessions being made on key issues such as fisheries. This supports the view that the UK government’s negotiating strategy consists of two parallel and mutually reinforcing efforts; one seeking to offer concessions on key obstacles and the other aimed at encouraging officials across the channel to reach an agreement before the 15 October deadline.

HUNGARY – DDoS attack targets financial institutions, telecommunications firm

A number of banks and telecommunications providers were targeted by a distributed denial-of-service (DDoS) attack – in which attackers attempt to disrupt systems by flooding a network with high volumes of traffic – on 24 September. The attack was launched from servers based in China, Russia, and Vietnam, according to telecommunications firm Magyar Telekom, which described the incident as ‘one of the biggest hacker attacks in Hungary’. The attack occurred in multiple waves, temporarily disrupting Magyar Telekom coverage in some parts of Budapest. The size and complexity of the attack indicate a heightened risk to Hungarian financial institutions, government agencies, and telecommunications providers. The server locations identified in the attack may give some indication of where the hackers responsible are based and of the potential motivations behind the incident, although DDoS traffic is typically routed through compromised or rented infrastructure, so source location is a weak basis for attribution. DDoS attacks are usually carried out by a group of hackers with a specific aim. A geopolitical motive for the attack should not be discounted altogether but would run against the normally good ties Hungary holds with both China and Russia.

GERMANY & CHINA – New conditions effectively exclude Huawei from 5G development

Berlin will introduce new strict conditions on telecommunications firms that will effectively exclude China-based technology firm Huawei from contributing towards installing 5G networks. Under the information technology bill the cabinet is planning to adopt in the coming weeks, bureaucratic hurdles including the introduction of a political assessment examining a provider’s ‘trustworthiness’ will severely limit the potential for Huawei to supply key components. As with similar legislation adopted in other European countries, the bill does not explicitly ban Huawei.

The US has accused Huawei of having close links to the Chinese state and warns that the firm may be used to conduct espionage against allies. As part of a political and public pressure campaign, US officials have threatened to reduce intelligence-sharing with other countries, including Germany, if they do not take a bold stance on Huawei. Huawei has consistently denied the charges. German Chancellor Angela Merkel shifted away from a more moderate stance to reflect growing pressure from members of her own party and from the Social Democrats calling for a harder line.

MENA and Central Asia

EGYPT – FinSpy software used against civil society organisations; elevated security risk

On 25 September, Amnesty International unveiled details of a surveillance campaign carried out by an unknown hacking group with alleged links to the state, which has targeted civil society organisations in Egypt. The group has used FinSpy, a commercial spyware suite produced by Munich-based company FinFisher GmbH, which targets Android, iOS, Windows, Linux and macOS. It has previously been sold to governments as a lawful-intercept tool that enables authorities to conduct covert surveillance of desktop and mobile systems, including turning on microphones and cameras, accessing private data, logging keystrokes and intercepting calls. While the spyware has been used by governments in law enforcement investigations, since 2011 it has allegedly been deployed in the region against activists, journalists, and dissidents as a tool of state repression. The Amnesty report underlines the elevated risk in Egypt of domestic surveillance and censorship against anti-government activists; these tactics are likely to be heightened further given the current spate of demonstrations taking place across urban centres in Egypt. Ways to protect against FinSpy include remaining vigilant against suspicious links in emails or text messages, blocking the installation of programs from unknown sources in device settings, and refraining from opening or installing unfamiliar files or applications on devices.

IRAN & VENEZUELA – Confirmation of oil and gold transactions show burgeoning relations

On 27 September, Yahya Rahim-Safavi, the chief commander of the Islamic Revolutionary Guard Corps (IRGC), said that Iran had received gold shipments from Venezuela in return for gasoline shipments. Safavi also said that Tehran was providing technical support to Caracas to help the government prevent cyberattacks. The announcement marks a reversal of Iran’s previous position on the allegations that it was receiving gold in return for fuel shipments, which were first levelled in April by US Special Representative for Venezuela Elliott Abrams. Washington has worked to curb a burgeoning Iran-Venezuela relationship, and Safavi’s confirmation of gold and oil transactions is likely meant as a provocation as the US ramps up sanctions. Iran will be aiming to demonstrate its economic resilience in the face of these sanctions through methods including the establishment of new sources of foreign exchange revenue.

LEBANON – Prime minister-designate resigns signalling serious blow to political process

On 26 September, Prime Minister-designate Mustapha Adib announced his resignation in a televised speech. A significant contributing factor to the resignation was likely the growing discord with Shia parties seeking to control the finance ministry, which has previously been under the control of Shia politicians. Adib had consistently stated that a new cabinet was to be made up solely of technocratic experts and free from partisan interests; this generated opposition from Hezbollah and its ally Amal. A deadline established in a roadmap provided by France to quickly implement the reforms needed to release foreign aid was missed on 16 September due to the political deadlock. Adib’s resignation deals a huge blow to this process, creating further delays that could last months and worsening an already critically unstable economy.

Sub-Saharan Africa

SOUTH AFRICA – ZAR10 million reportedly stolen from justice department in cyberattack

The Department of Justice and Constitutional Development (DoJCD) on 30 September confirmed it had been targeted in a cyberattack the week before. The attack involved the so-called DoppelPaymer ransomware, although the DoJCD denied it had received any ransom demands. Reports suggest ZAR10 million (USD602,000) may have been stolen in 11 different transactions from the Guardian’s Fund, which manages the funds of persons who lack the capacity to manage their own, such as minors, missing people, or unborn heirs. Johannesburg-based bank Absa Group Limited was investigating the incident along with the DoJCD, as the breach is believed to have originated from Absa. The incident underscores growing cybersecurity risks to financial service providers and banks, and follows a major data leak at credit and personal data company Experian, confirmed in August. The DoppelPaymer criminal hacking group, which created the malicious software used in this incident, commonly takes advantage of major news events, including the COVID-19 pandemic, to lure victims with phishing emails and gain access to networks. The group also targets insecure remote desktop configurations, underscoring its diversified modus operandi.

REGIONAL (AFRICA) – UNCTAD report on illicit financial flows likely to increase compliance burden

The United Nations Conference on Trade and Development (UNCTAD) – a permanent UN body – said in a report on 28 September that African countries were losing USD88.6 billion (or 3.7 per cent of regional GDP) in illicit financial flows every year; that is equivalent to what the region receives in development aid and foreign investment. The UNCTAD Economic Development in Africa Report 2020 identifies the trade in extractive commodities as the largest component of illicit capital flows, accounting for about USD40 billion. Of this, about 70 per cent is from the trade in gold and 12 per cent from the trade in diamonds. The publication of the report is likely to increase medium-term political risks, form the basis of advocacy efforts, and may intensify so-called resource nationalism in countries where such practices are believed to be extensive. It may also motivate newly elected governments to launch reviews or establish committees to assess the extent of such practices.