Geopolitical and Cybersecurity Risk Weekly Brief 9 November 2020
In the US, media outlets called the presidential election in the Democratic Party candidate Joe Biden’s favour following the widening of his electoral lead in key swing state Pennsylvania. Biden is scheduled to name a 12-member taskforce to tackle the coronavirus (COVID-19) pandemic, marking the beginning of his transition plan. In a continuation of US authorities’ efforts to crack down on attempts to covertly manipulate public opinion and influence US policies, the US DoJ seized 27 additional domains created by Iran’s Islamic Revolutionary Guard Corps (IRGC) as part of its global disinformation and influence campaigns. Four of the domains purported to be genuine news outlets but were instead controlled by IRGC operators and targeted the United States.
Geopolitical tensions frequently have an economic impact. In Venezuela, oil exports hit a new low in October, highlighting the impact of US sanctions. Elevated tensions between France and majority-Muslim countries continue, fuelled by the French government’s response to the recent murder of a schoolteacher by an Islamic militant. The French president on 31 October accused Turkey of taking a ‘bellicose’ stance amid these heightened sentiments and the continued boycott of French goods in Turkey and neighbouring Muslim-majority countries.
In the same way, cyber-concerns often have ‘real world’ consequences. On 29 October, the FBI and DHS issued a warning about ransomware activity targeting the healthcare and public health (HPH) sector. Later in the week, other researchers claimed that these attacks were being launched against a wider array of industries than just healthcare in the US. The ransomware used in these attacks, Ryuk, has caused more than USD61 million in damages as of February this year.
New research has been released analysing an ongoing malware campaign targeting companies in the manufacturing, oil and gas, metals, engineering, energy, construction, mining, and logistics sectors. The researchers believe that this is a financially motivated campaign orchestrated by Russian-speaking threat actors.
Tensions with China continue. Canada’s senior diplomat in Hong Kong said his government has prepared plans to evacuate citizens from Hong Kong if their safety and security are threatened by China. Chinese threats of duties on Australian wine highlight Beijing’s continued use of trade measures to express its displeasure with Australia on various diplomatic fronts. Meanwhile, China-based technology firm Huawei remains at the centre of controversy. Huawei claims that national bans in Poland and Romania on Chinese vendors for 5G technology represent violations of EU law.
Election-related unrest is ongoing in several Sub-Saharan African countries. In Tanzania, President John Magufuli was on 5 November sworn-in for a second five-year term; the country’s opposition has called for a new election, the breaking up of the electoral commission, and indefinite non-violent protests. In Cote d’Ivoire, Alassane Ouattara has been declared the winner of the presidential poll, while the main opposition groups intend to form a transitional government that will organise a new election.
Attacks and cybersecurity news
On 29 October, the FBI and DHS issued a warning about ransomware activity targeting the healthcare and public health (HPH) sector. Later in the week, other researchers claimed that these attacks were being launched against a wider array of industries than just healthcare in the US. The attacks, all of which use similar lures, are bypassing traditional email security protections by putting the payloads in cloud-based Google Docs and Microsoft Word files. Ryuk has been one of the most prolific ransomware gangs of 2020. The FBI estimates that USD61 million has been paid to the group as of February 2020. Ryuk attacks are more penetrating and damaging due to the combination of the Emotet and Trickbot malware alongside the ransomware.
Water ISAC issued a security alert regarding an Egregor ransomware attack on 29 October targeting a large water and wastewater utility in the US. Notably, the ransomware’s most likely initial infection vector was a macro-enabled document attachment containing the Qakbot Trojan. Over 100 workstations and multiple servers, including a backup server, were targeted. This is the first documented incident where both Egregor and Qbot were used in tandem. This gives defenders further indication that any potential Qakbot infections are likely to lead to Egregor ransomware attacks. The risk of additional water utilities being targeted by ransomware is high.
Japan’s Nuclear Regulation Authority (NRA) issued a warning of temporary suspension of its email systems, believed to have been caused by a cyberattack. The operations of Japanese nuclear plants are not believed to have been affected, and it is unclear if any data was impacted in the attack. Information on nuclear material protection is managed by an independent system that is not connected to the rest of the system. There has been no other official statement on the incident.
A new threat actor, dubbed UNC1945, leveraged a 0day vulnerability in the Solaris Pluggable Authentication Module (PAM) as a method to infiltrate networks belonging to organisations in sectors such as telecommunications, finance, and professional services. The group has reportedly been operating since 2018. The current objective of UNC1945 is unclear: researchers have not observed data exfiltration in attacks linked to the group. Only in one instance was ransomware deployed in the same environment on which UNC1945 was present. Nonetheless, organisations in telecommunications, finance, and professional services should remain vigilant for this threat due to its advanced capabilities.
Other incidents of note this week included a ransomware attack on Brazil's Superior Court of Justice bringing systems to a halt. The attackers were able to encrypt all case files and backups. Elsewhere, Saarbrücken Airport reported that it was hit by a cyberattack on 3 November. According to the airport, flight operations were not affected, and technical details of the attack have not yet been revealed.
Data security, fraud, and vulnerabilities
Folksam, one of Sweden’s largest insurance companies, has disclosed a data breach. The breach affects an estimated one million Folksam customers, whose personal data was shared with Facebook, Google, Microsoft, LinkedIn, and Adobe. The breach was discovered during an internal audit. Folksam has stated there is currently no evidence to suggest these third parties have misused this data.
Several hotel brands managed by the Pyramid Hotel Group (PHG) were recently involved in a cyber incident in which sensitive data was leaked. Researchers uncovered 85.4GB of security audit logs that were up-to-date and went back to April 2019. Affected parties seem to include Tarrytown House Estate (New York), Carton House Luxury Hotel (Ireland), Aloft Hotels (Florida), Temple Bar Hotel (Ireland) and other brands in the Pyramid Hotel Group. Marriott properties were also included in the leak. The information leaked in this exposure would give any attacker a clear path for a successful intrusion.
A popular online food and grocery store in India, BigBasket, has been the victim of a data breach resulting in the compromise of over 20 million user records; this is now being sold for over USD40,000 on the darknet. The archive contains details including names, email IDs, password hashes, mobile numbers, addresses, dates of birth, location, and IP addresses. Due to the COVID-19 pandemic, millions of shoppers around the world are choosing to shop online instead. In October 2020 Singapore online grocery platform RedMart was also the victim of a data breach, with 1.1 million accounts compromised. It is to be expected that online stores such as BigBasket will be increasingly targeted both as the pandemic continues and in the run-up to Christmas.
The US DoJ seized 27 additional domains created by Iran’s Islamic Revolutionary Guard Corps (IRGC) as part of its global disinformation and influence campaigns. Four of the domains purported to be genuine news outlets but were instead controlled by IRGC operators and targeted the United States. The seizure, supported by Google, Facebook, and Twitter, among others, was a continuation of US authorities’ crackdown on attempts to covertly manipulate public opinion and influence US policies. They recently seized 92 domain names that were leveraged by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign.
Multiple links related to Adobe Campaign and belonging to several different companies are being abused in phishing attacks. Adobe Campaign is an email campaign manager sold by Adobe Systems. The attackers look for vulnerable links inside marketing emails and abuse open redirects in their phishing campaigns. When designing a system that uses redirects in this way, you must apply backend checks to ensure the user is only able to be sent to a small number of predefined domains or URLs and reject all others. We are attempting to contact the affected companies and Adobe to patch the issue.
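A backend allowlist check of the kind described above, shown as an added example rather than code from Adobe Campaign or from this brief. The host names, the `url` query parameter and the function names are hypothetical, and the sample links are constructed.

```python
"""Allowlist validation for a redirect parameter (added example).

Every host name, path and parameter name here is a constructed placeholder.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: the only hosts the redirect endpoint may ever send a user to.
ALLOWED_HOSTS = frozenset({"www.example.com", "shop.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})
FALLBACK = "https://www.example.com/"


def is_allowed_redirect(target):
    """Return True only for an absolute https URL on an allowlisted host."""
    if not isinstance(target, str) or not target or len(target) > 2048:
        return False
    # Browsers treat "\" like "/" and drop tabs and newlines while parsing,
    # so reject such input outright rather than guess how it will be read.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, http:, and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return False  # https://www.example.com@other.host/ style confusion
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: suffix or substring tests would let
    # www.example.com.attacker.test through.
    return host in ALLOWED_HOSTS


def safe_redirect_target(target):
    """Destination to use in the Location header: the target or a fixed fallback."""
    return target if is_allowed_redirect(target) else FALLBACK


def audit_links(links, param="url"):
    """Return (link, destination) pairs whose redirect parameter leaves the allowlist."""
    flagged = []
    for link in links:
        try:
            query = parse_qs(urlsplit(link).query)
        except ValueError:
            flagged.append((link, None))
            continue
        for dest in query.get(param, []):
            if not is_allowed_redirect(dest):
                flagged.append((link, dest))
    return flagged


# Constructed sample of tracking links as they might appear in a marketing email.
SAMPLE_LINKS = [
    "https://t.example.com/r/?id=abc123&url=https%3A%2F%2Fshop.example.com%2Fsale",
    "https://t.example.com/r/?id=abc123&url=https%3A%2F%2Flogin.attacker.test%2F",
    "https://t.example.com/r/?id=abc123&url=%2F%2Flogin.attacker.test%2F",
]

if __name__ == "__main__":
    for link, dest in audit_links(SAMPLE_LINKS):
        print("off-allowlist redirect:", dest, "in", link)
```

The same `is_allowed_redirect` check belongs in the redirect handler itself; `audit_links` only helps find links already sent out that would fail it.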
The Canadian Centre for Cyber Security (CCCS) has issued an advisory after multiple updates were released for IBM products to patch numerous critical vulnerabilities. Products affected include IBM Rational Build Forge (versions prior to 188.8.131.52), IBM Cloud Pak for Multicloud Management (version 2.0), and Bouncy Castle as used by IBM QRadar SIEM (versions 7.3 and 7.4). These should be updated as soon as possible.
Adobe has released patches for 14 vulnerabilities affecting Adobe Reader and Adobe Acrobat for Windows and macOS. Four of these vulnerabilities were rated as critical and could enable arbitrary code execution. Users are advised to update their Adobe products to the latest versions to patch these vulnerabilities. There is currently no indication these vulnerabilities are being exploited in the wild.
Multiple unpatched Linux vulnerabilities have recently been disclosed. The Linux kernel has multiple resource leakage bugs in the implementation of NFC socket-related functions. At present, the Linux community has not yet provided patches for these vulnerabilities. Tencent recommends that affected users disable the NFC kernel module (which will make it impossible to use NFC devices).
VMware has warned customers to patch their software after a critical use-after-free vulnerability was disclosed in its ESXi product. Successful exploitation can lead to remote, unauthenticated execution of arbitrary code.
APT Activity and Malware Campaigns
New research has been released analysing an ongoing malware campaign targeting networks involved in industrial production, mainly from Russia. The companies targeted in this campaign were from the manufacturing, oil and gas, metals, engineering, energy, construction, mining, and logistics sectors. The researchers believe that this is a financially motivated campaign orchestrated by Russian-speaking threat actors.
When the attackers connect to a victim’s computer, they look for financial and accounting software. Most of the legitimate documents used as decoys are from the energy sector. This could indicate a specific interest in the energy sector for this threat group. Although the cybercriminals' focus appears to be financial, once inside these critical systems, disruption and physical damage could potentially be incurred. Industrial control systems and other operational technology (OT) are the targets of advanced persistent threat (APT) groups and cybercriminals alike. IBM X-Force recently revealed that 41 per cent of all ransomware attacks in 2020 targeted organisations with operational technology (OT) networks.
There has been a large outbreak of Ryuk ransomware attacks this quarter. The threat actors responsible, tracked as WizardSpider (also known as UNC1878), have upgraded the malware and infection chain. It is now capable of taking over an entire enterprise network in hours. Unfortunately, many in the healthcare sector have been susceptible to these attacks. The Ryuk ransomware operators, however, have claimed victims across almost every sector and their malware is one of the most prolific on the threat landscape. This ransomware was also the subject of a recent FBI security advisory (see Attacks and Cybersecurity News section).
The Roaming Mantis group is targeting the US with a banking Trojan known as Wroba that can steal user information, harvest financial data, and self-propagate through texts. This malware previously targeted APAC users: this is the first time it has targeted Android and iPhone users in the US. This campaign uses fake notifications for package deliveries as a lure. In June, Roaming Mantis focused on delivering various malware to victims across Europe, Asia and the US. Fake apps would be delivered to targets primarily via SMS phishing, similarly to the way in which Wroba is currently being delivered.
Security researchers have shared multiple samples of the IcedID banking Trojan sent in emails written in Japanese, with malicious documents also in Japanese. IcedID has typically targeted users in North America: however, it now appears that the campaign has shifted to focus more on users in Japan. The Shathak email distribution network, operated by TA551, is responsible for this new wave of spam emails. Researchers are reporting that the volume of spam emails targeting Japan is comparable to the numbers distributed by the Emotet botnet. The Shathak email distribution network has quickly become a significant threat, sending waves of malicious emails containing high-end banking Trojans developed by organised cybercriminal gangs from Eastern Europe.
A new strain of ransomware, dubbed Pay2Key, is targeting the Israeli private sector. The malware operators are believed to have gained access to the networks of several unnamed organisations some time before the attack but managed to spread the ransomware within an hour to the entire system. Victims received a customised ransom note which demanded a relatively low sum of between 7 and 9 Bitcoin (approximately GBP85,000-GBP110,000). The Pay2Key attacks suggest that a new threat actor is joining the trend of human-operated ransomware strains, as well as demonstrating a well-designed operation that aims to maximise damage and minimise exposure. Based on the tactics, techniques, and procedures of this operation, it is highly likely that the group will expand its scope outside of Israel.
German police have seized nine Telegram channels which were being used for drug distribution. There has been an observable long-term trend of darknet drug vendors moving to instant messaging platforms, but this latest development suggests law enforcement is tracking them precisely. Twenty-eight suspects were identified, leading to multiple raids and the confiscation of drugs and firearms. As is often the case in these law enforcement actions, the channels have been rendered inactive while displaying a seizure banner from German authorities. Notably, Telegram cooperated with this investigation, which may deter some vendors from operating on the platform.
The US government seized 69,370 Bitcoin (roughly USD1 billion), which was originally stolen from Silk Road by an unknown threat actor in 2013. The identity of the hacker remains unknown, but it is believed that US law enforcement officials managed to successfully track them down with the assistance of the blockchain analysis firm, Chainalysis. Given the vast sum which has been seized, this may lead to an increased focus on blockchain analysis by law enforcement entities.
Cyjax has observed multiple high-profile leaks being posted to darknet forums over the week. To name a few: James Delivery, Order Snap, Nintendo, and a group of other previously unseen databases.
Furthermore, the number of initial access brokers offering network access has increased, with access to a European insurance provider, a large European telecommunications company, webshell access to Zaincom, and a large US-based energy company all being offered on darknet forums. Cyjax has been unable to verify the validity of these offers. However, the growing number of these access posts is a worrying trend.
Geopolitical Threats and Impacts
UNITED STATES – BIDEN FOCUSES ON TRANSITION, RAPID REVERSAL OF SEVERAL TRUMP POLICIES
On 9 November, President-elect Joe Biden is scheduled to name a 12-member taskforce to tackle the coronavirus (COVID-19) pandemic, marking the beginning of his transition plan. On November, US media outlets called the presidential election in the Democratic Party candidate’s favour following the widening of his electoral lead in key swing state Pennsylvania. Biden’s victory was promptly recognised by numerous world leaders, despite incumbent President Donald Trump’s refusal to concede amid almost entirely unsubstantiated allegations of electoral fraud. Biden’s first major policy announcements as president following his inauguration on 20 January 2021 are likely to be a string of executive orders reversing Trump administration policies. These include a re-joining of the Paris Agreement on climate change and the World Health Organization (WHO), the ending of travel bans on mostly Muslim-majority countries, as well as restoring immigration status to undocumented migrants who entered the country as children. The incoming administration’s most urgent policy challenges are likely to be related to the pandemic. The Biden administration also faces major economic challenges, with many COVID-19 containment measures likely to negatively affect short-run economic activity.
VENEZUELA – OIL EXPORTS HIT NEW LOW, HIGHLIGHTING IMPACT OF US SANCTIONS
According to new data from state-owned oil company PDVSA, oil exports averaged 359,000 barrels per day (bpd) in October, the lowest monthly figure reported since early 1943. Last month’s figure marks a sharp drop from September’s 703,000 bpd of oil exports. The new figure comes as several long-term international clients halted their purchases of Venezuelan oil in compliance with US sanctions on the South American country. Among companies to halt purchases were Italy’s Eni, Spain’s Repsol, and India’s Reliance Industries. According to the latest figures, the largest export destination for Venezuelan oil was Asia, which received approximately a third of exports, followed by long-standing ally Cuba. The latest figures highlight the impact of US sanctions on Venezuela, which holds the world’s largest proven oil reserves yet has been mired in political and economic instability for at least a decade. In the immediate term, there is little prospect for an improvement in the sector’s performance amid client concern over US sanctions and multiple infrastructure deficiencies affecting production and refining.
CHINA & AUSTRALIA – THREATENED TRADE MEASURES COULD SERIOUSLY DENT BILATERAL TRADE
Australian winemaker Treasury Wine Estates on 4 November said in a filing that it had been informed that the China Alcoholic Drinks Association wrote to China’s Ministry of Commerce asking for duties on Australian wine as part of an ongoing anti-dumping investigation. Depending on the outcome of the probe, which was initiated in August, Australian wine could face a punitive import levy of 202.7 per cent. The move illustrates Beijing’s continued use of trade measures to express its displeasure with Australia on various diplomatic fronts. Such threats appear to confirm fears by Australian businesses in China that bilateral tensions are a greater risk to their operations than economic factors.
HONG KONG & CANADA – OTTAWA REVEALS CONTINGENCY PLAN TO EVACUATE CITIZENS FROM HK
Canada’s senior diplomat in Hong Kong on 3 November revealed that his government has prepared ‘detailed plans’ to evacuate a ‘large number’ of its citizens from Hong Kong if their safety and security are threatened by China. Jeff Nankivell, Canada’s consul general in Hong Kong and Macau, was addressing a parliamentary committee examining the country’s ties with China in the Canadian capital Ottawa. An estimated 300,000 Canadian citizens, the overwhelming majority ethnic Chinese, currently reside in Hong Kong. Nankivell’s testimony follows a recent warning by Beijing’s ambassador to Canada, Cong Peiwu, that any ‘interference in China’s domestic affairs’ could jeopardise ‘the good health and safety’ of Canadian citizens living in Hong Kong. The plan is certain to further erode already strained diplomatic relations between Canada and China. Canada’s move also highlights the position of other mainly Western nations with significant numbers of citizens in the territory and whose ties with China are increasingly stressed. China, for example, has threatened the UK with retaliation over London’s offer of de facto ‘sanctuary’ to around three million Hong Kong Chinese, while relations with the US are set to remain tense regardless of Joe Biden’s victory in the presidential election.
Europe and Russia
POLAND – WIDESPREAD PROTESTS TO CONTINUE FOLLOWING UNPOPULAR COURT RULING
Hundreds of thousands marched across the capital Warsaw and other cities on 2 November calling for a reversal in a ruling from the constitutional tribunal on 22 October, which added more restrictions on the right to have an abortion. All-Poland Women's Strike (OSK), a women’s rights advocacy group, promised to continue protests with traffic blockades planned throughout this week. In the 22 October ruling, the court ruled that terminating pregnancies due to foetal abnormalities is unconstitutional. The ruling effectively means that the right to abortion will be extremely limited, as terminations due to defects in foetuses accounted for over 90 per cent of some 1,100 legal abortions last year. The actual number of abortions is estimated at 100,000 each year. Critics argue that the court is subject to political influence from the ruling conservative Law and Justice (PiS) party.
FRANCE & TURKEY – TENSIONS DEEPEN AFTER FRENCH PRESIDENT ACCUSES TURKEY OF ‘BELLICOSE’ STANCE
On 31 October, French President Emmanuel Macron in an interview accused Turkey of taking a ‘bellicose’ stance vis-a-vis NATO allies. Macron also said that Turkey’s ‘imperial inclinations’ in the eastern Mediterranean undermined regional stability. In the interview, the French leader sought to ease tensions amid an adverse reaction to a 21 October speech where Macron defended the right organisations had to publish visual representations of Muhammad, considered offensive by many in the Muslim faith. The comments signify that tough exchanges between Macron and Recep Tayyip Erdoğan will continue as part of bilateral tensions. Geopolitically there is a lot that separates the two countries. For instance, France has criticised Turkey for not complying with an arms embargo in Libya, and Macron described Ankara’s intervention in northern Syria as a ‘surprise’. In the likely event that fragmented relations continue, this elevates the likelihood of a continued boycott on French goods in Turkey and neighbouring Muslim-majority countries.
REGIONAL – HUAWEI CHALLENGES LEGAL BASIS FOR BANS IN POLAND AND ROMANIA
China-based technology firm Huawei has sent a letter to European Commission (EC) chief Margrethe Vestager claiming that national bans on Chinese vendors for 5G technology ‘are predicated on several violations of EU law’. The letter claims Poland and Romania plan to block suppliers ‘on the basis of biased and ambiguous criteria’ such as their geographic origin. The firm argues that by adopting new security rules, both countries are effectively preventing Huawei from appealing decisions and rigging national spectrum auctions against EU rules. Huawei is losing a growing number of customers across Europe and has very few options through which it can respond to increasing political pressure. One solution would be to seek legal action that may set a precedent and perhaps re-establish the company as a core supplier. Blanket bans that discriminate against foreign firms constitute a violation of EU regulations and international market obligations. The EC cannot prevent member states from taking national security rules but can intervene if states impose laws regulating telecommunications that directly contravene EU rules. Thus far, countries have largely followed EU-wide measures that allow them to block ‘high-risk vendors’; by not explicitly naming Huawei in legislation and official statements, governments can claim that measures are not discriminatory. Even if Huawei gets legal backing that improves its standing, telecommunications operators with a low risk appetite will continue to phase out Huawei’s involvement in 5G development.
MENA and Central Asia
TURKEY – AUTHORITIES FINE FOREIGN SOCIAL MEDIA COMPANIES FOR FAILING TO COMPLY WITH LAW
Turkey imposed fines on global social media companies for not complying with a new social media law, according to a report in Bloomberg on 4 November. Companies targeted include Facebook, Twitter, Instagram, Periscope, YouTube and TikTok; they were given fines of TRY10m (USD1.18m) each. The new law was passed in July and came into effect in October. It requires platforms with more than one million daily users in Turkey to open local offices, store user data in Turkey, and abide by orders to remove ‘offensive’ content within 48 hours. Companies that do not comply will face fines and bandwidth reductions. Indeed, the aforementioned companies face the risk of an additional TRY30m (USD3.5m) fine, a ban on advertisement, and a 50 per cent bandwidth cut within five months in the case of non-compliance. Companies could ultimately see their bandwidth cut by 90 per cent in the case of continued flouting of the law; this would effectively block their access within Turkey. Critics have said the legislation will serve to silence dissent from people who use online platforms to voice grievances and threaten media freedoms. The new law and issuing of fines suggest the government is indeed pursuing efforts to pressure online platforms into complying with its censorship demands. It is unclear whether the government will follow through with the ultimate penalty of rendering the platform inaccessible, especially given the government’s own use of social media to spread political messages among youth.
KUWAIT & ISRAEL – SALE OF ISRAELI PRODUCTS PROSECUTED, LIKELY REAFFIRMING ANTI-ISRAEL STANCE
On 2 November the ministry of commerce and industry announced that eight stores in Kuwait City had been closed and referred to the public prosecution office. The closures came alongside confirmation from the ministry that ‘inspection teams seized products made in Israel’ from one of the stores; other stores were found to be in violation of a law prohibiting the sale of counterfeit goods. Under Article 6, Boycott of Israeli Commodities Law, the sale of Israeli goods in local markets is forbidden. The announcement of a store’s closure and referral to prosecution services due to the sale of Israeli goods comes as fellow Arab League members, Bahrain and UAE, have definitively shifted their position on Israel over recent months. It is therefore likely that the closure of a store on these lines reflects a broader decision from Kuwait to publicly reaffirm its position on Israel in the face of these regional geo-political realignments. The comparatively forceful and unchanging anti-Israel position of Kuwait is likely in part down to the semi-democratic political system which grants relative autonomy to Islamists in the National Assembly. Islamist groups demonstrate the strongest anti-normalisation positions and are therefore able to wield significant influence on this issue.
QATAR – EMIR ANNOUNCES ELECTIONS FOR SHURA COUNCIL TO BE HELD OCTOBER 2021
Emir Tamim bin Hamad Al Thani announced on 3 November that the country will hold long-promised elections for its advisory Shura Council in October 2021. It is the first time that elections for the 45-member Shura Council, Qatar’s legislative body, will take place; the announcement comes after the popular election has been delayed for several years. The constitution, which was overwhelmingly approved in a 2003 referendum, states that the council will gain new areas of jurisdiction following the elections, including the authority to dismiss ministers, approve the national budget and propose legislation. The announcement of an election date suggests that the government is going forward with efforts to increase public participation in politics amid growing demand. It comes at a time the country is cutting subsidies and social spending programmes and increasing taxes amid declining oil and gas revenues; the announcement may be an effort to appease grievances linked to these moves. It is likely that Doha also intends the holding of elections to boost its public image ahead of its hosting of the football World Cup in 2022.
CÔTE D'IVOIRE – HIGH RISK OF VIOLENCE AS OPPOSITION CONTESTS OUATTARA’S ELECTION VICTORY
Alassane Ouattara has been declared the winner after taking 94 per cent of the vote in an election boycotted by the opposition. The main opposition groups led by candidates Pascal Affi N'Guessan and Henri Konan Bédié have outlined their intention to form a transitional government that would organise a new election. The result must be confirmed by the constitutional council, which is due to occur between 10 and 17 November. Opposition supporters claim Ouattara’s decision to run for a third term in the 31 October poll is unlawful as it breaches term limits. Pro-Ouattara supporters claim a new constitution allows the president to run for a new term. Unrest escalated significantly in the run up to the election, with at least 40 people reported killed in clashes. Protests are likely to continue and may escalate into widespread violence involving live ammunition with little notice.
TANZANIA – RISKS OF POST-ELECTION VIOLENCE ELEVATED AMID OPPOSITION CRACKDOWN
President John Magufuli was on 5 November sworn-in for a second five-year term. Meanwhile, the country’s opposition – which alleged irregularities in the election – has called for a new election, the breaking up of the electoral commission, and indefinite non-violent protests over the 28 October vote. Magufuli over the weekend announced that he would not run for a third term amid concerns that the ruling party, which won a vast majority of seats in parliament, may attempt to prolong the presidency’s two-term limit. Ahead of the ceremony, leaders of the country’s two primary opposition parties, ACT Wazalendo and CHADEMA, were charged with organising illegal gatherings and protests. The crackdown on the opposition, including the arrests of party leaders and prohibitions on gatherings, heightens the risk of violent unrest in both the Tanzanian mainland and the semi-autonomous archipelago of Zanzibar in the short term. Such risks are likely to escalate should the government decide to prolong Magufuli’s tenure despite his announcement to the contrary.