Geopolitical and Cybersecurity Risk Weekly Brief 11 January 2021

11 January 2021

Executive Summary

The US Congress certified Joe Biden’s victory in the 2020 presidential election in the early hours of Thursday (7 January) in a sitting delayed by a three-hour mob assault on the US Capitol Building in Washington, DC hours earlier. The incident highlights the likelihood for further politically-linked unrest in the weeks leading up to Biden’s inauguration on 20 January and beyond.

In the cybersecurity sphere, the fallout from the SolarWinds attack continues. The threat actors, believed to be a Russian APT, accessed the Department's Microsoft Office365 email environment and "around 3 per cent" of its mailboxes and the Administrative Office of the US Courts (AO) reported that it, too, had been compromised. Elsewhere, the Reserve Bank of New Zealand reported a “malicious incident.” Details are scarce at the time of publication, but the institution has released a statement concerning the potentially serious data breach incident.

An espionage campaign, dubbed Operation Kremlin, has been detected targeting the Russian government. Many of the techniques and tactics being used in this campaign share similarities to Operation Domino, observed in September 2020. This campaign further demonstrates the fact that cyber-espionage campaigns are regularly carried out by state-sponsored groups looking to gather intelligence on behalf of their nation state.

In the technology sector, WhatsApp is set to change its terms of service, forcing all users to share their data with Facebook-affiliated companies or delete their accounts. Users in the UK and EU will not be affected at this time. Nairobi-based telecommunications provider Safaricom, a subsidiary of South Africa’s Vodacom Group, has announced the halt to its roll-out of 5G telephony in Kenya that was due by end of 2020.

Tensions with China continue and can have commercial implications. British retail giant Marks & Spencer (M&S) has signed onto a call to action against labour human rights abuses of ethnic Uyghurs in China’s western Xinjiang province. US President Donald Trump signed an executive order banning transactions with eight Chinese software apps on purported national security grounds, marking the latest US measure against Chinese technology interests in the US. The move comes as Trump prepares to leave office with Sino-US relations at a contemporary low point. Meanwhile, the New York Stock Exchange (NYSE) said it will delist three Chinese telecom companies in a move that could see US companies operating in China targeted by retaliatory action.

Multilateral tensions elevate the threat of cyberattacks. Iran’s Islamic Revolutionary Guard Corps Navy (IRGCN) seized a South Korean oil tanker vessel headed for Al Jubail port in Saudi Arabia. The Chinese government warned that the United States would pay what it termed a ‘heavy price’ if its United Nations Ambassador Kelly Craft travelled to Taiwan in the coming days.

Attacks and cybersecurity news

On 22 December 2020, Germany’s third-largest publisher, Funke Media Group, was affected by the domain-wide deployment of ransomware. Funke reported that its network of around 6,000 workstations and laptops, and thousands of other systems were encrypted in the attack. The media group has said that since the initial attack, 1,200 endpoints have been checked, re-installed, and then returned to users. There is currently no indication which ransomware group is behind the attack. Major ransomware operators publish stolen data to leak sites, yet Funke Media Group has yet to appear on any of those tracked by Cyjax. If the ransomware operators successfully stole information from Funke, any number of sensitive documents collected by journalists could be at risk, as well as the identity of sources and more.

New Zealand’s central bank, The Reserve Bank of New Zealand, has reported a possibly serious data breach after a third-party sharing system which it uses was illegally accessed. Adrian Orr, the Governor of the bank, said: “We are working closely with domestic and international cybersecurity experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information." Further information has not yet been revealed.

The effects of the SolarWinds attack continue to be felt across the US. The Department of Justice (DoJ) recently disclosed malicious activity connected to this operation. The threat actors, believed to be a Russian APT, accessed the Department's Microsoft Office365 email environment and "around 3 per cent" of its mailboxes. There is currently no indication that any classified systems were impacted. Elsewhere, the Administrative Office of the US Courts (AO) reported that it, too, had been compromised. A source familiar with the investigation stated that the federal court document system was "hit hard" by group responsible for the supply-chain attack (tracked as UNC2452 and DarkHalo, depending on the source). AO's network was infected with the group's second-stage malware dubbed TEARDROP, which was delivered by the SUNBURST backdoor.

New research has claimed that Metasploit and Cobalt Strike were deployed on more than a quarter of C&C servers used for malicious purposes in 2020. This research was based on analysis of over 10,000 C&C servers; over 40 per cent of detections were attributed to open-source tools, particularly Metasploit and Cobalt Strike. The use of open-source offensive security tools by threat actors has been a long-term trend, providing multiple benefits to threat actors. Firstly, it complicates the process of attribution and grouping intrusion sets, a clear advantage for state-sponsored threat actors. Secondly, using open-source offensive security tools also allows threat actors to increase the scale of their operation more rapidly because such tools are generally easier to operate and require less training. Thirdly, using pre-existing open-source tools allows threat actors to focus their development resources on other areas.

WhatsApp is notifying users of its mobile app that they will be required to share their personal data with a range of Facebook companies when a new Privacy Policy and Terms of Service come into effect on 8 February. Facebook, Facebook Payments, Onavo, Facebook Technologies and CrowdTangle will now all have access to WhatsApp account information. Whereas users were previously able to opt out from allowing the companies mentioned above to access their data, WhatsApp is now only permitting three options: users must accept the sharing of their data, stop using the app, or delete their accounts. It is important to note that the new policy applies to everyone, including people who have never had a Facebook page. This change will not affect users in the UK or EU.

Data security, fraud, and darknet

DATA SECURITY

The source code of multiple mobile apps and internal tools belonging to Nissan North America was exposed to the public after an unsecured Git server was discovered by security researcher Tillie Kottmann (@antiproprietary). Nissan shut down access to the Git server after the public disclosure of the leak. Tillie Kottmann was also responsible for leaking source code from more than 50 companies, including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox and Disney. While these exposures appear severe at first, the researcher actively complies with takedown requests, and has already removed the repositories for Lenovo, Daimler AG and Mercedes-Benz. In addition, many companies make these repositories public themselves, and others had not been updated for a long time, meaning that they would be of little use for any type of exploitation by threat actors.

Ho Mobile, an Italian mobile operator owned by Vodafone, has confirmed a significant data breach. It was first detected on 28 December, when a security researcher identified a user on a darknet forum selling a Ho Mobile database. The database included name, email address, DOB, phone number and city of residence. The breach is estimated to have impacted around 2.5 million customers. Ho Mobile officially confirmed the incident in a statement released on 4 January. The company is now offering all impacted customers replacement SIM cards free of charge. The company has stated that an investigation into the breach is ongoing and has not provided any further details.

Multiple sites associated with the Indian government have potentially exposed thousands of patients' COVID-19 test results. Sites hosted on gov[.]in and nic[.]in domains contained publicly available PDF files showing hundreds of COVID-19 patient test results. Exposed data included name, age, DOB, unique identifier used by government entities for tracking results, as well as the result, date and location of the test. The majority of these test results are dated between November 2020 and January 2021, although some are from as early as April 2020. This exposure has been disclosed to the relevant Indian governmental agencies but is still available at the time of writing.

FRAUD 

A new malware incident has been linked to an APT group tracked as ReconHellcat that is likely to be state-sponsored. The attack leveraged a spear-phishing document that was uploaded to VirusTotal by a user in Turkmenistan. It is currently not possible to accurately state who the target of this attack was. What we do know is that the threat actor typically focuses on government, diplomatic, and military-related entities. However, there is not enough information about the APT to suggest what else it may be seeking to infiltrate. The TTPs leveraged by the ReconHellcat operators were separate enough from any known APT that QuoInt classified it as a new threat group altogether. There are limited, yet sufficient similarities between the BlackSoul attack and the BlackWater campaign.

The NCSC has warned users of SMS, email, and online scams using COVID-19 information as a lure. The NCSC warning lists the 'Top 4 SMS Scams' as following similar patterns: fake government (GOV.UK) links, lockdown fines, health supplements to protect against the virus, and financial support from the recipient's bank. Scammers have launched numerous campaigns in the weeks since early December, looking to steal personal information, conduct identity theft, scam victims, and for potential financial gain. In the case of the scam leveraging the UK government, SMS were sent from UK_Gov, rather than GOV.UK.

DARKNET

The operators of a new ransomware variant, known as Babuk Locker, have begun leaking victim data on Raid Forums. So far, multiple victims have seen samples of their leaked, including personal information relating to either employees or customers. The operators of the Babuk Locker ransomware are also in the process of creating a darknet leaks site to post additional victim data.

World Market, a relatively new darknet marketplace, has established a presence on Dread. As with most darknet markets, most of the listings consist of drugs. World Market also contains several products related to financial crime and claim to have a built-in card checker for fraud vendors. However, as with most new markets, it is not yet considered a credible market and many of the listings appear to be fraudulent.

Data from Capital Economics, a UK-based financial consultancy, has been leaked on Raid Forums. Capital Economics disclosed the data breach in December but stated customer payment information was not compromised. The database posted on Raid Forums includes over 200,000 entries, which contain personal information including email addresses, phone number, address and much more.

APT activity, malware campaigns, and vulnerabilities

APT ACTIVITY

An espionage campaign, dubbed Operation Kremlin, has been detected targeting the Russian government. Many of the techniques and tactics being used in this campaign share similarities to Operation Domino, observed in September 2020. This campaign further demonstrates the fact that cyber-espionage campaigns are regularly carried out by state-sponsored groups looking to gather intelligence on behalf of their nation-state. The TTPs leveraged in this attack were advanced and employed a high level of operational security to evade attribution. However, the reuse of the same IP addresses by VBScript gave researchers an opportunity to investigate this unnamed APT group’s tradecraft. The language settings of the documents from Operation Kremlin – and Operation Domino – were also of note: they were set to Russian and Arabic from Saudi Arabia. Interestingly, the exploit for CVE-2020-0968 is like those used during the XDSpy campaign and the DarkHotel APT groups in the past. However, security experts do not believe that this activity is related and that it is more likely the APT groups bought an exploit from the same exploit broker.

Trend Micro has disclosed a new APT campaign dubbed Operation Earth Wendigo. Since May 2019, the attacks have targeted several organisations in Taiwan, aiming to steal emails by installing JavaScript backdoors in local webmail systems. The attacks were not able to be linked conclusively to any known APT, so the group responsible has been dubbed EarthWendigo. The threat actors behind Operation Earth Wendigo are certainly an advanced group that leveraged a high level of operational security to evade attribution and used previously undisclosed TTPs in the attacks. While using standard spear-phishing techniques, the APT's persistence and communication techniques were unusual. Although, no known overlaps with other documented threat groups have been discovered at this time. The targets of these attacks, specifically Taiwanese entities, align closely with state-sponsored Chinese APT groups.

MALWARE

The FBI has issued a private industry notification regarding an ongoing Egregor ransomware campaign targeting businesses in the US. The ransomware first appeared in September 2020 and has since accumulated over 150 victims around the world. The FBI recommends that organisations prioritise the patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, and CVE-2019-1108). The threat of ransomware will continue to evolve. Over 22 ransomware operators are known to perform data-theft-extortion hybrid attacks and, based on current trends, this stands to increase in 2021. According to statistics provided by DarkTracer, the number of affected organisations across the leak sites totalled 1,315 at the time of writing.

A new malicious document used to deliver the Formbook infostealer is notable for using a lure leveraging the Federal Emergency Management Agency (FEMA) to trick users into clicking “enable editing” to trigger the embedded macros. Formbook continues to be a persistent threat to users around the world. The malware is a commodity crimeware used by cybercriminals in financially motivated campaigns. It has been around since 2016 but has evolved since its early days being distributed on hacking forums. The malware automatically collects data entered into forms and exfiltrates this to the attacker’s C&C server. VMRay recently analysed the latest version of Formbook which has become more evasive. It avoids virtualised environments and debugging, and has multiple layers of obfuscation to hinder static analysis.

VULNERABILITIES

Security researchers have uncovered a 0day vulnerability in PsExec and provided a free micropatch for the open-source Sysinternals tool. The bug, if exploited successfully, can be used to trigger local privilege escalation (LPE). After leveraging the PsExec 0day bug, threat actors could execute arbitrary processes as SYSTEM, which essentially gives them full control over the machine.  The proof-of-concept exploit developed by the researchers has been confirmed to work on multiple versions of Windows from XP to Windows 10. A video demo is available here. Affected PsExec versions include v1.71 through to v2.2, covering the last 14 years for which the product was in use and the 0day was present.

Two major browsers, Google Chrome and Mozilla’s Firefox, were recently the subject of several security updates. The vulnerabilities in the browsers are serious and they should be addressed as soon as possible with the updates available. 

Geopolitical Threats and Impacts

AMERICAS 

UNITED STATES – DEADLY ATTACK ON CAPITOL OVERSHADOWS BIDEN VICTORY CERTIFICATION

The US Congress certified Joe Biden’s victory in the 2020 presidential election in the early hours of Thursday (7 January) in a sitting delayed by a three-hour mob assault on the US Capitol Building in Washington, DC hours earlier. Five people died during the unrest, including a Capital police officer and a female protester shot by Capitol security personnel, after scores of President Donald Trump’s supporters stormed the Capitol Building on 6 January. Capitol authorities evacuated lawmakers as pro-Trump protesters, including some with firearms, invaded the legislature and Senate chamber, ransacked congressional offices, and denounced lawmakers voting to approve Biden’s victory. Following the announcement of Biden’s victory, Trump released a statement pledging an ‘orderly transition’ of power. The assault on the Capitol Building is unprecedented in modern US history and has prompted widespread condemnation both domestically and internationally, including from governments viewed as close to the Trump administration. The events have also triggered resignations from several senior Trump administration officials. While the immediate impact of the attack on Congress appears to have subsided, the long-term implications for US democracy and its international role will emerge in the coming weeks and months. Most significantly, the events exemplify the highly polarised and violent political climate which has emerged in US politics in recent years, and which is almost certain to long outlast Trump’s administration. Moreover, the attack dilutes the power of Washington’s statements and actions related to democracy and the rule of law overseas, particularly when criticising democratic practices in other countries. In turn, this may lead to an emboldening of anti-democratic practices and the gradual degradation of democratic norms. Organisations with interests in the US should anticipate potential further politically-linked unrest in the weeks leading up to Biden’s inauguration on 20 January and beyond.

US & CHINA – WASHINGTON BANS TRANSACTIONS WITH EIGHT CHINESE SOFTWARE APPS

On Tuesday (5 January), US President Donald Trump signed an executive order banning transactions with eight Chinese software apps on purported national security grounds. The measure targets Alipay, a mobile payment app from Ant Group, as well as fellow payment apps QQ Wallet and WeChat Pay. The executive order instructs the US Department of Commerce to define which transactions will be banned within 45 days. The targeted apps have limited use in the US, which thereby curtails the executive order’s practical impact. The bans mark the latest US measure against Chinese technology interests in the US, and come as Trump prepares to leave office with Sino-US relations at a contemporary low point. Under President-elect Biden, however, Washington is unlikely to rapidly remove US restrictions on Chinese companies, amid a host of bilateral disputes, including related to Hong Kong’s political status, Beijing’s treatment of ethnic Uyghurs, and Chinese trade practices. Biden has said he will pursue a more multilateral approach to countering China’s perceived unfair trade practices, and will therefore likely use the potential removal of commercial restrictions as leverage in trade negotiations.

APAC

CHINA – CHINA APPEARS TO THWART WHO BID TO INVESTIGATE ORIGINS OF CORONAVIRUS PANDEMIC

Media on Tuesday (5 January) reports that members of a World Health Organisation (WHO) team due to investigate the origins of the coronavirus (COVID-19) pandemic have been denied entry to China. Beijing has said the delay in allowing the researchers permission to travel to the city of Wuhan, capital of Hubei province and widely seen as the epicentre of the pandemic, was technical and is being addressed. Beijing has resisted any attempt to attribute ‘blame’ for COVID-19 on either China or the actions of the country’s political and health authorities, and the latest setback to the WHO investigation corresponds with this policy. Unless the issue is resolved quickly and a credible investigation is permitted to go ahead many foreign governments can be expected to conclude that Beijing is prepared to conceal key medical data in a bid to deflect or minimise its initial response to the outbreak. This is certain to result in condemnation that will further increase tension between China and many foreign powers, with potential commercial and administrative implications for international companies operating in the country.

CHINA & US – CHINESE TELECOMS COMPANIES AGAIN DELISTED IN NY, OTHER STOCKS AT RISK

On Wednesday (6 January) the New York Stock Exchange (NYSE) said it will delist three Chinese telecom companies a day after US Treasury Secretary Steve Mnuchin told the bourse management that he opposed an earlier decision to reverse the delistings. The reversal is seen as highlighting confusion within the outgoing Trump administration in the final two weeks of its term in office, amplified by media reports that other major Chinese entities may also be barred from the NYSE. On Wednesday the Reuters news agency reported that the US government is considering adding China’s leading high-technology companies Alibaba and Tencent to a list of entities with allegedly strong ties to the Chinese military. The restitution of the NYSE delisting China Mobile Ltd, China Telecom Corp. Ltd and China Unicom Hong Kong Ltd and the threat to Alibaba and Tencent, which have a combined worth of around USD1.3 trillion, would mark an escalation in the deepening confrontation between Beijing and Washington. The ruling communist party in Beijing would be unable to resist responding to what it would view as provocation, regardless to impact such action may have on China’s own economic interests. However, the events in Washington when the Capitol building was stormed by supporters of President Trump will prove sufficient distraction for Beijing not to act precipitously, and no doubt hope the incoming Biden administration adopts more pragmatic policies towards China. Nevertheless, US companies operating in China should prepare for retaliatory action against their staff, assets and operations in the near-term outlook.

CHINA, US & TAIWAN – BEIJING WARNS US WILL PAY ‘HEAVY PRICE’ IF UN ENVOY VISITS TAIWAN

The Chinese government on Thursday (7 January) warned that the United States would pay what it termed a ‘heavy price’ if its United Nations Ambassador Kelly Craft travelled to Taiwan in the coming days. The warning follows US Secretary of State Mike Pompeo’s decision to send Craft to Taiwan for a meeting being held between 13-15 January. Craft met Taiwan’s top official in the US in September soon after US Health Secretary Alex Azar travelled to the island in August. Azar's trip marked the highest-level US Cabinet official to visit since Washington formally transferred relations from Taiwan to China in 1979. With less than two weeks before the inauguration of the incoming Biden administration, the decision to send Craft to Taiwan owes more to US domestic politics than diplomacy. Beijing will be aware of this and its response will indicate whether it intends to seek a more settled relationship with the new US government or is prepared to continue its present assertive policy by demonstrating its anger over Craft’s proposed visit. Any action taken by China to signal its displeasure is likely to take the form of either a largely symbolic military demonstration close to Taiwan involving its air and naval assets, actions it has been undertaking for months, or a more targeted response involving US commercial interests in China.

EUROPE & RUSSIA 

UNITED KINGDOM – LAW FIRM SAYS BRITISH AIRWAYS READY TO SETTLE OVER 2018 DATA BREACHES

Your Lawyers law firm has called for customers affected by two data breaches at UK flag carrier British Airways (BA) in 2018 to join a class action suit, with a deadline set to expire on 19 March. This comes after the law firm said that BA had voiced its intention to launch settlement discussions in the first quarter of this year. By doing this, Your Layers said, the airline was admitting culpability and was trying to ‘avoid the burden of litigation.’ The two data breaches had led to the exposure of personal data for reward-booking customers, including names, billing addresses and credit card details, including the CVV code. According to the court’s Group Litigation Order that formally launches the class-action suit, more than 429,000 credit cards were exposed. In total, BA could face fines of up to GBP2.4 billion for the breaches, a large figure given the poor outlook for the aviation industry amid the COVID-19 pandemic. The UK’s Information Commissioner’s Office (ICO) fined BA GBP183 million in September 2018 in relation to one of the breaches. The combination of fines and high legal costs underscore the potentially adverse financial impact of failing to protect personal data and adequately secure ICT infrastructure. All companies with online services that use client data should monitor the legal case and review internal processes to ensure they adopt a risk-based approach to cyber-threats in a bid to identify emerging threats. Public pressure on companies and organisations to protect personal data is also mounting, indicating that failing to protect against data breaches will lead to increasingly costly fines over the coming three to five years.

UK & CHINA – RETAIL GIANT M&S SIGNS UYGHUR LABOUR ABUSE CALL TO ACTION

British retail giant Marks & Spencer (M&S) has signed onto a call to action against labour human rights abuses of ethnic Uyghurs in China’s western Xinjiang province, media outlets reported on Wednesday (6 December). The call to action, which has been led by civil society groups and labour unions, calls for an end to human rights abuses against Uyghur people, including their participation in hard, manual labour in Xinjiang cotton fields. M&S said that although it no longer sources cotton from Xinjiang, it signed onto the call to action to encourage other companies to examine their supply chains. Xinjiang province accounts for approximately 20 per cent of the world’s cotton output. The region has received increasing attention globally in recent years, amid rising concern over human rights abuses against ethnic Uyghurs by government authorities. This has led the US to impose restrictive measures against Chinese officials. Beijing, meanwhile, has rejected claims of human rights abuses and said it is operating ‘vocational training schools’ in the province. M&S’s announcement comes amid growing corporate awareness and activism over human rights in Xinjiang region, particularly in the apparel industry, with French fashion and sports clothing company Lacoste last year suspending shipments from the province over abuse allegations. Organisations with interests in Xinjiang province, particularly in the apparel sector, should monitor updates and examine their supply chains to rule out any possibility of labour and human rights abuses.

MENA & CENTRAL ASIA 

IRAN, S. KOREA & US – OIL TANKER SEIZURE FIRST IN OVER A YEAR AMID ELEVATED TENSIONS

On Monday (4 January) the Islamic Revolutionary Guard Corps Navy (IRGCN) seized a South Korean oil tanker vessel identified as MT Hankuk Chemi, which was headed for Al Jubail port in Saudi Arabia. According to an announcement released by IRGCN, the vessel was stopped near the Strait of Hormuz due to ‘violating environmental protocols’ with all 20 crew members from countries including South Korea, Indonesia, Vietnam and Myanmar subsequently detained. Following the move, South Korea’s foreign ministry published a statement demanding the immediate release of the vessel and said that an anti-piracy unit had also been dispatched to the area. The incident marks the first time that a major oil tanker vessel has been seized in over a year. Notably between July-December 2019, IRGCN seized a number of tankers around the Strait of Hormuz signalling heightened hostilities in the Gulf region amid US President Donald Trump’s maximum pressure campaign. The move was likely retaliatory against Seoul amid an ongoing dispute between the two countries over the release of USD7 billion dollars currently frozen under US sanctions in South Korean banks. It is also worth noting that the seizure ahead of plans for a foreign minister from Seoul to travel to Tehran to discuss the frozen accounts and potentially allow for payments to be released on humanitarian grounds. The ramping up of tensions further jeopardises what Vice Admiral Sam Paparo, the top US Navy official in the Middle East, asserted on 6 December 2020 was an ‘uneasy deterrence’ with Iran. In recent weeks, the US navy has been steadily increasing its presence in the Persian Gulf region. Monday’s event further elevates the risk of open conflict in the coming weeks.

QATAR – GCC AGREE TO END THREE YEAR BLOCKADE; SIGNIFICANT BOOST TO AVIATION INDUSTRY

A formal agreement to end the Qatar blockade, began in June 2017 and led by Saudi Arabia, Bahrain, Egypt, and the United Arab Emirates, was reached in a Gulf Cooperation Council (GCC) summit on Tuesday (5 January). The blockade effectively cut all diplomatic and travel ties with Qatar and GCC members. It directly impacted Qatar’s land, sea, and air borders, causing significantly longer flight times for passengers on Qatar Airway flights. It also required the airline to pay around USD100million annually to Iran to use its airspace. While local media reports indicate that Qatar has not fulfilled much of the longstanding 13 point ultimatum set out by the GCC as a requirement for terminating the blockade, the country has reportedly agreed to a joint security declaration. Further details on this deal have yet to be revealed. Given the apparent conciliations from GCC members, it is likely that countries such as Saudi Arabia are acting strategically and intend to use this as a means of building greater relations with the US under the incoming Biden administration. Elsewhere, the US Trump administration will likely welcome this as a further demonstration of their success in recent months to bolster stability and security across the Arab region. An end to the blockade is set to greatly benefit Qatar, which will now be able to access airspace over GCC countries and thereby enable the resumption of flights from hubs across the MENA region including Abu Dhabi, Dubai, Jeddah, and Manama.

SUB-SAHARAN AFRICA 

KENYA – SAFARICOM HALTS ROLL-OUT OF 5G NETWORK BEING BUILT BY CHINA’S HUAWEI

Nairobi-based telecommunications provider Safaricom, a subsidiary of South Africa’s Vodacom Group, has announced the halt to its roll-out of 5G telephony in Kenya that was due by end of 2020. Safaricom CEO Peter Ndegwa said the decision was made to focus on existing 2-4G technology and boost data usage and mobile calls. The move is somewhat surprising due to its late date, and there is speculation about whether the decision was politically motivated. Safaricom’s 5G technology was being built by Chinese telecoms giant Huawei Technologies. During his term, US President Donald Trump has undertaken an intense campaign among Western countries to halt their co-operation with Huawei. The speculation comes amid ongoing free trade negotiations between Kenya and the US. Furthermore, Safaricom is a subsidiary to Vodacom, which in turn is a subsidiary of British company Vodafone. Vodafone’s European business has reduced its partnership with Huawei amid growing government scrutiny and new restrictive legislation being adopted in multiple countries over the past two years. Nevertheless, the decision may also be strategic, as stated. Safaricom and Vodacom have stated their interest in entering the Ethiopian telecoms market which is under Prime Minister Abiy Ahmed. Given lower-than-anticipated revenue in Kenya, it is plausible that the company would also seek to cut costs in other markets in order to focus on areas that could be deemed more lucrative.

CENTRAL AFRICAN REPUBLIC – BROAD-BASED CALL FOR ELECTION ANNULMENT UNDERSCORES POLITICAL FRAGILITY

Ten out of 17 presidential candidates on Tuesday (5 January) issued a joint statement, calling for the annulment of the 27 December 2020 election results and a re-run of the polls. Their call followed confirmation on Sunday (3 December) by the electoral commission, ANE, of President Faustin-Archange Touadera’s re-election in the first round with more than 50 per cent plus 1 of the votes. The candidates’ call is in line with our prediction, and signals continued Extreme risks of instability over the coming month. The government and key opposition leaders have not reacted to the statement. The reaction of former president François Bozizé, whose presidential bid was rejected by the Constitutional Court but who remains a powerful opposition figure, is key.  Should he support their call, this is likely to galvanise supporters who may engage in sporadic protests, particularly in larger urban areas. In addition, it may also motivate a coalition of NSAGs, who seized control of several areas and cities but were ultimately halted by the UN peacekeeping mission MINUSCA days prior to the elections, to relaunch operations to take Bangui by force. The high level of uncertainty means that the security situation will become unpredictable and highly fluid.

REGIONAL – CONTINENTAL FREE TRADE AREA COMES INTO EFFECT BUT NON-TARIFF BARRIERS REMAIN

The African Continental Free Trade Area (AfCTFA) agreement came into force on 1 January, creating the world’s largest common market based on the number of member states which is anticipated to be worth USD6.7 trillion by 2030. The AfCTFA agreement seeks to eliminate tariffs on 90 per cent of intra-African goods trade and envisages to create a Common Customs Union in a bid to expedite trade processes and harmonise customs regulations between countries. It also aims to create a new dispute-settlement process, although this will likely largely resemble the existing one for World Trade Organization (WTO) jurisdictions. While the operationalisation of the AfCTFA is a move that has the potential to transform many of the economies of the region in the long term, significant non-tariff barriers such as under-developed road infrastructure are likely to undermine its successes over the agreement’s initial years. Furthermore, the slow ratification by signatory states may be another; while all 55 African countries except Eritrea have signed the AfCTFA, only 31 have ratified it,  Nigeria being one of the latest countries to do so. It is probable that countries with access to ports will benefit the most in the initial years, as goods will be able to more easily traded between international trade corridors.