Geopolics and Cybersecurity Weekly Brief – 25 January 2021

In the Americas, rivalries in geopolitics are having a significant influence on efforts to combat the COVID-19 pandemic. Russian and Chinese-made vaccines are being widely distributed in Latin America, particularly among politically left-leaning countries seeking cheaper alternatives. This is likely to pave the way for enhanced cooperation, potentially side-lining the interests of both the US and its allies. Meanwhile, Washington imposed more targeted sanctions against the Venezuelan oil sector.

The Australian government and Google are at loggerheads over Canberra’s attempts to get the tech giant and other open-source information-aggregating firms to pay royalties to domestic media outlets. The imposition of the regulation could force Google and other similar companies to vacate the market or offer reduced services. The Thai government has been ramping up its enforcement of laws aimed at suppressing criticism of the monarchy to quell months of protests; however, in doing so, there is an increased risk of foreign companies and nationals being targeted by local nationalist groups should their respective home governments impose sanctions or other restraints on commercial or diplomatic relations with Thailand.

In Europe, regulators are continuing with their legal investigations into multinational technology and e-commerce firms, particularly Amazon and Google, over unfair and uncompetitive business practices. Additionally, regulatory scrutiny against such firms are unlikely going to subside, posing major compliance and financial burdens in the future. Meanwhile, Poland’s conservative government is seeking to protect free speech by moving towards passing legislation that would prohibit social media companies from deleting and banning users.

Several laptops distributed by the UK Department for Education (DfE) to vulnerable students have been found to contain malware. The devices were given out for the purposes of remote education taking place because of the COVID-19 pandemic, with over 800,000 laptops and tablets provided as of January 2021. DfE IT teams believe that this is not a widespread issue and that only a small number of devices have been impacted – an exact number has not been provided.

German authorities from the Federal Office for the Protection of the Constitution have disclosed a new campaign attributed to a state-sponsored threat group known as Zirconium. German public authorities are the likely target of these attacks. In 2020, the group targeted members of both Joe Biden’s and Donald Trump’s presidential campaigns. This malicious operation is ongoing.

Further information regarding the massive supply-chain attack on SolarWinds has been revealed. A fourth malware is now known to have been distributed through the company’s supply chain. Over 18,000 organisations reportedly downloaded the Trojanised update for the SolarWinds Orion platform. US intelligence officials have since officially stated they believe UNC2452 is likely Russian, which orchestrated this attack for information gathering and espionage purposes – rather than cause disruption or destruction.

The Swiss government is seeking cooperation with its Lebanese counterparts in connection to a money-laundering case into Banque du Liban, which could significantly impact Lebanon’s banking sector. Elsewhere, the Iranian government imposed sanctions against ex-president Trump and some of his former cabinet officials; a symbolic gesture that is unlikely going to have any bearing on future discussions with the Biden administrations over non-proliferation.

In the Sub-Saharan Africa region, the US government imposes travel bans against Tanzanian government officials over alleged 2020 election fraud. In eSwatini, the government signed up to the Clean Network programme, which is aimed at blocking Chinese technology companies from entering into regional telecommunications infrastructure projects. Despite it joining, the programme is unlikely going to have a significant impact on Chinese investment in the region.

Attacks and cybersecurity news

Scottish Environmental Protection Agency (Sepa) officials have reported that the attack on its systems late last year led to the theft of thousands of confidential documents, as well as shutting down key operations, and is still ongoing. 1.2GB of data, including “personal information about Sepa staff, contract and procurement documents, pollution permits, enforcement notices and commercial work with overseas agencies” was taken in the attack and is now being used to extort the agency. Sepa’s chief executive has said that the threat actors are believed to have deliberately targeted the agency; Sepa has rejected all ransom demands from the cybercriminals. On 17 January, Sepa reported that it was still attempting to recover data stolen in the attack. Two days prior to that announcement, however, the operators of the Conti ransomware had posted information linked to Sepa on their darknet leaks blog, where it is still in the public domain.

Team Cymru has analysed the infrastructure of a phishing campaign targeting banking customers in Japan. The financial institution with the most phishing pages was AEON bank; further investigation revealed that The 77th Bank and Jibun Bank were also impersonated. The campaign operators used Tor exit nodes to conceal their IP addresses, demonstrating a reasonable level of operational security (OPSEC) and sophistication. Phishing attacks against the financial sector in Japan are increasing. Recently, the Japan Post Bank warned customers of an ongoing wave of cybercriminals leveraging SMiShing attacks to drain accounts. The attackers are impersonating the bank to collect online banking credentials. Interestingly, the phishing pages only permit entry if the user-agent string is that of an iPhone or Android mobile device and the source IP address is located in Japan – making the attacks tailored to their victims and designed to evade analysis.

QNAP customers are being urged to secure their network-attached storage (NAS) devices against a malware campaign that has been active for at least three months. NAS devices can be infected if they are connected to the internet and using a weak password. This campaign delivers a Bitcoin mining malware, dubbed Dovecat. It renders compromised devices almost unusable because almost all CPU and memory resources are used up for cryptomining. Dovecat attacks devices running dovecat and dedpma processes. QNAP is a Taiwanese network-attached storage (NAS) appliance used for file sharing, virtualisation, storage management, and surveillance applications. These systems are often used for backing up important files and storage for other sensitive data. This makes them high-value targets for cybercriminals, especially if they are unpatched and exposed to the internet.

Cybercrime groups are abusing Windows Remote Desktop Protocol (RDP) systems to amplify distributed denial of service (DDoS) attacks. The RDP service can run on either TCP/3389 or UDP/3389. Approximately 33,000 vulnerable Windows RDP servers have been identified so far. System administrators have been advised to either disable UDP-based services or deploy Windows RDP servers behind VPN concentrators, to prevent them from being used in these types of attacks.

Data security, fraud, and darknet

Data Security

Threat actors are claiming to have successfully attacked Beximco, a major Bangladeshi export-import conglomerate with 70,000 employees around the world. The ALTDOS threat group contacted to report that it had compromised Beximco in December 2020, but the company had not responded to the group’s ransom demands. The attackers claim to have stolen hundreds of gigabytes of files, source code, and databases from 34 different Beximco websites, providing a small sample of data and screenshots as proof of the attack. Beximco has operations and investments across various industries, including textiles, pharmaceuticals, PPE, ceramics, real estate development, construction, trading, marine food, information and communication technologies, media, Direct to Home (DTH) services, financial services, and energy. It has been engaged in various stages of the rollout of COVID-19 vaccines in countries around the world.

Intel has reported that an unknown threat actor stole an infographic from the company due to an internal error. The infographic contained information about the organisation’s Q4 and full year 2020 financial results. This data had not yet been published, as the company was planning to file the information with the US Securities and Exchange Commission after the stock market closed on 21 January, which is when the attack occurred. The data was accessed and stolen from Intel’s corporate PR newsroom website. Intel proceeded to publish the report minutes before the stock market closed, to stop this information from being illegally used to gain an unfair advantage on the market. As Intel published the data early, it was made significantly less valuable to the threat actors.


Cyjax analysts recently intercepted a malspam attack targeting a retailer in the UK. The emails masqueraded as a DocuSign-protected Excel spreadsheet. A weaponised document, delivered in an archive file called “”, contains embedded macros that, if enabled, download the Qakbot banking Trojan. This attack was highly evasive and uses several techniques to bypass detection. Qakbot malware was a persistent threat throughout 2020; the malware has seen several major developments in the last 12 months, despite being one of the oldest banking Trojans on the threat landscape. It has mainly used fake DocuSign protected spreadsheets embedded with malicious macros distributed in ZIP files.

The FBI issued a warning about ongoing voice phishing attacks, also known as vishing, which are targeting corporate accounts from both US organisations and international-based companies. The threat actors behind the campaign are targeting personnel with network access and maintenance privileges, so that network privileges can be escalated. The private industry notification warns that due to COVID-19, many companies had to quickly adapt to remote working and technology, so network access and privilege escalation may not be properly monitored within an organisation, which attackers could take advantage of. These types of attacks can be mitigated by implementing multi-factor authentication on corporate accounts, and restricting the privileges of new or lower-level employees.

The Japan Post Bank has warned customers of an ongoing wave of cybercriminals leveraging SMiShing attacks to drain accounts. The attackers are impersonating the bank to collect online banking credentials. Interestingly, the phishing pages only permit entry if the user-agent string is that of an iPhone or Android mobile device and the source IP address is in Japan. SMiShing attacks launched to steal bank account credentials are one of the most common threats targeting customers of financial institutions worldwide. Another threat that primarily targets users in Japan with SMiShing attacks is the Roaming Mantis botnet. To defraud victims, the botnet sends malicious links to Trojanised Android apps or fake login pages that impersonate brands such as Japan Post, Sagawa Express, Yamato Transport, and Japan Net Bank.


The operators of the Cuba ransomware are the latest to launch a darknet leaks site on which to leak victim data. Several victims have already been named on the site. The group first appeared in 2019, but publicly observable activity was limited up until now. This latest development reaffirms that publicly naming victims and leaking their data is now integral to ransomware groups operations.

The admin of the darknet market Darkode has announced the implementation of a new system designed to mitigate DDoS attacks. According to the Darkode admin, private market links will be issued to users with significant activity on the market, facilitating market access even when the main links are unavailable. It remains to be seen whether this system will prove effective, however, limiting access may have a significant impact on the markets overall growth.

The Nitro PDF data breach, which was disclosed late last year, was recently posted on multiple hacking forums. The breach contains an estimated 70 million entries, as well as documents which were converted using Nitro PDF. Although this data breach is not new, there will now likely be a surge of activity against the affected parties as the contents of the leak becomes widely available.

APT activity, malware campaigns, and vulnerabilities

APT activity

German authorities from the Federal Office for the Protection of the Constitution have disclosed a new campaign attributed to a state-sponsored threat group known as Zirconium. German public authorities are the likely target of these attacks. This includes government ministries, officials, political organisations, and foundations. During the 2020 US Presidential Election, Zirconium reportedly targeted high-profile individuals, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community, according to a Microsoft report. At least one person who was previously involved at a high level in the Trump administration was also targeted. Prior to this, the group conducted a spear-phishing attack against an individual deeply involved with the pro-democracy protests in Hong Kong.


Symantec has disclosed another post-exploitation tool connected to the SolarWinds supply-chain attack. The malware, dubbed Raindrop, was reportedly leveraged by the attackers, tracked as UNC2452. Raindrop is the fourth malware family to have been connected to the SolarWinds incident since it was disclosed. It is a Loader that delivers a payload of Cobalt Strike. Raindrop is like Teardrop with some key differences: Teardrop is dropped by the Sunburst backdoor, whereas Raindrop appears to have been used for spreading across the victim’s network. Over 18,000 organisations reportedly downloaded the Trojanised update for the SolarWinds Orion platform.

US intelligence officials have since officially stated they believe UNC2452 is likely Russian, and orchestrated this attack for information gathering and espionage purposes – rather than cause disruption or destruction. Last week, threat actors created a site called ‘SolarLeaks’ that was allegedly selling the source code for Microsoft, Cisco, and SolarWinds products, as well as the FireEye Red Team tools. If this is genuinely found to be the source code of the products listed above, additional vulnerabilities could be discovered and weaponised for future attack campaigns.

Cyjax analysts have uncovered the latest WizardSpider malspam campaign pushing Trickbot and the BazarBackdoor. This is a dangerous combination of malware developed by the group to evade detection, virtual environments, and establish an initial foothold on target environments. The WizardSpider cybercriminal organisation continues to be one of the most active of the threat landscape. Trickbot has been developed to evade modern detection systems and virtualised environments used for analysis. The botnet has reportedly amassed over one million infected devices that provide access to target organisations for the WizardSpider operators to deploy ransomware such as Conti or Ryuk.

Several laptops distributed by the UK Department for Education (DfE) to vulnerable students have been found to contain malware. The devices were given out for the purposes of remote education taking place because of the COVID-19 pandemic, with over 800,000 laptops and tablets provided as of January 2021. Some of the files found on the device were infected with the Gamarue malware (also known as Andromeda), which was discovered by Bradford schoolteachers as they were preparing the devices to give to students. DfE IT teams believe that this is not a widespread issue and that only a small number of devices have been impacted – an exact number has not been provided. The worming capability could have allowed attackers to infiltrate an entire home network through the device, which could be dangerous, since many adults are also working from home because of the coronavirus, using the same network as their children. This could have led to larger-scale attacks on various types of businesses and organisations.


Vulnerabilities have been uncovered in multiple video conferencing mobile applications which could have allowed threat actors to listen to users’ surroundings before the person picks up the call. These flaws were found in the Signal, Google Dup, Facebook Messenger, JioChat, and Mocha messaging applications. These vulnerabilities were present in peer-to-peer calls, rather than group calls. In some cases, such as in the Google Duo and Mocha applications, the bugs allowed both audio and video to be transmitted without the victim’s knowledge. There is no indication that these vulnerabilities have been exploited in the wild, but they could be an asset to cyber-espionage and state-sponsored threat actors.

Tencent has issued a security alert for organisations to patch the latest high-risk vulnerability in Drupal. Successful exploitation can lead to directory traversal and potentially remote code execution.

Geopolitical Threats and Impacts

Provided by A2 Global Risk



On Tuesday (19 January), the government announced the details of its vaccine distribution plan, with 7.4 million doses of Russian-developed vaccine Sputnik V to be distributed to the population by the end of March. According to government officials, Mexico plans to purchase 12 million doses of Sputnik V, with 400,000 doses set to arrive in Mexico during the week ending 29 January. Alongside Sputnik V, Mexico also plans to distribute the US’s Pfizer-BioNTech vaccine, UK’s Oxford-AstraZeneca vaccine, and China’s CanSino vaccine.

In purchasing the Russian vaccine, Mexico joins several other Latin American countries governed by left-wing administrations to secure Sputnik V doses. Argentina, Venezuela, and Bolivia have all approved Sputnik V for emergency use, while Nicaragua is in talks with Russian authorities over purchasing the vaccine. The broader Latin America region has also seen interest in deploying Chinese-made vaccines, with Brazil, Chile and Peru all ordering Chinese-made inoculations. Latin America’s uptake of non-US and non-European vaccines signals the growing influence of Russia and China in a region previously viewed as tightly linked to the US and Europe. Their uptake of non-Western vaccines evidences the global scramble to secure vaccine doses, regardless of their origin, and is likely to bolster Russian and Chinese influence in the region, particularly related to the pandemic response. More broadly, this growing influence may lead to enhanced diplomatic and commercial interests in the region, which in turn could side-line Western countries’ interests in Latin America, particularly in countries governed by left-wing administrations.


On Tuesday (19 January), the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions against three individuals, 14 entities and six vessels over their links to a network seeking to evade US sanctions against Venezuela’s oil sector. The sanctioned individuals are Italian, Swiss, and Venezuelan-Spanish nationals, respectively, while the designated entities are located in Malta, the UK, Panama, Italy, Zimbabwe, Venezuela and the US. Among the six sanctioned vessels are four owned by Ukraine-based Fides Ship Management, one owned by Venezuelan water authority INEA, and one owned by Russian company Rustanker.

In a separate development on Tuesday, President-elect Joe Biden’s nominee for Secretary of State, Anthony Blinken, told a US Senate hearing that Biden’s administration would continue to recognise Venezuelan opposition leader Juan Guaidó as the country’s president.

The US first imposed sanctions against Venezuela’s state-owned oil company PDVSA in 2019, however, repeated sanctions and recognition of Guaidó have failed to significantly alter the balance of power within Venezuela, with President Nicolás Maduro retaining control of the national government and armed forces. Under Biden, the US is likely to continue targeting sanctions against high-ranking officials in Maduro’s government, while seeking to alleviate wider economic suffering experienced by the Venezuelan population. Washington is likely to offer targeted sanctions relief in exchange for concessions on Venezuela’s democratic practices and broader human rights environment. Swift moves to facilitate US companies’ involvement in Venezuela’s large oil sector, however, are highly unlikely, in turn benefiting the interests of US adversaries in the sector, particularly Russia, China and Iran.



Google Australia’s chief executive warned on Friday (22 January) that the US technology giant could remove its search engine function in the country due to the Canberra government’s efforts to require such companies to pay royalties to news publishers. Australia is the first country in the world to consider introducing laws that will require Google, Facebook and by extension, other technology firms pay for all news content obtained from traditional media sources. Google Australia managing director Mel Silva told Australian legislators the proposed laws are ‘unworkable’ and would ’give us no real choice but to stop making Google Search available’ in the country. Australia’s Prime Minister Scott Morrison warned his country’s legislators would not yield to what he described as ’threats.’

Google’s warning that it could remove its search function has global implications for many technology companies that use third party output or data. The implications for all businesses that rely on customer access to their products and services are also profound within Australia and potentially elsewhere if Google carries out its threat. More broadly the case highlights many governments’ concerns over the often unregulated influence and power held by major technology companies and what measures may be required to manage or reduce their potentially disruptive economic and political impact. The most probable outcome in the dispute between Google and the Australian government will be a compromise, likely following the agreement reached on 21 January between the US company and French news publishers linking payment for limited news items displayed in search results on copyright law.


A Thai court on Tuesday (19 January) sentenced a former civil servant to a prison term of 43 years and six months for breaching the country’s strict lese majesté laws designed to protect the monarchy from criticism or abuse. The Bangkok Criminal Court found the woman, known only by her first name Anchan, was initially sentenced to a record 87 years’ imprisonment on 29 lese majesté charges related to posting comments to social media platforms deemed critical of the monarchy, but the term was halved as she pleaded guilty.

The verdict is widely viewed as part of the government efforts to quell months of pro-democracy, anti-government protests that have included unprecedented criticism of the country’s monarchy. A large number of the mainly young protesters who have taken part in demonstrations over the past six or so months are potentially liable to face similar lese majesté charges. While the sentencing of an individual to effectively life imprisonment for a non-violent offence will be condemned by most of Thailand’s Western allies, similar action against hundreds of young activists would almost certainly result in many foreign governments considering more direct sanctions against the Thai state and monarchy. This calculation of international support is also likely to ensure further large scale protests are now probable in Bangkok in the coming months, with a concomitant effort by the authorities to restore control. The six-month outlook and beyond is set to remain volatile, with foreign companies and nationals at heightened risk from local nationalist groups in the event their home governments impose sanctions or other restraints on commercial or diplomatic relations with Thailand or implicitly or explicitly criticise the country’s monarch.

Europe and Russia


Amazon is suing EU antitrust regulators for allowing Italy’s competition AGCM, to pursue a case over the way it chooses sellers. In a separate development, EU regulators have sought information from advertisers over Google’s practices amid two on-going EU probes into the company focusing on technology and data.

The lawsuit comes after the European Commission initiated a probe into the criteria by which Amazon selects winners of the ‘buy box’, which allows customers to add items from a specific retailer directly into shopping orders. In addition, the investigation will look into claims that the company gives preferential treatment to its own retail offers and sellers that use its services. Over the last three-year period Google has faced fines totalling EUR8.25 billion for a range of alleged unfair business practices. Combined, Facebook and Google account for over 50 per cent of internet advertisement sales globally. Both developments are consistent with tightening political and regulatory scrutiny on major technology firms in Europe and the United States. Companies accused of engaging in uncompetitive behaviour have pursued legal avenues to challenge those claims and possibly overturning heavy fines. Moreover, the growing importance of tackling hate speech online was highlighted in European Commission head Ursula Von der Leyen’s congratulatory statement to new US President Joe Biden. In many ways, this signifies that pressure on social media actors is unlikely to subside, while officials in Brussels are increasingly viewing more regulations as the only way to secure more compliance.


The country’s justice ministry is preparing ‘ground-breaking’ legislation that would prevent administrators of social media platforms from deleting posts and banning users. Justice Minister Zbigniew Ziobro said representatives of several Polish movements are ‘victims of ideological censorship… whose online content is deleted or blocked’. Under the draft legislation, social media websites will not be allowed to delete posts or suspend user accounts except in cases where administrators suspect the content violates national laws. In those circumstances, users will be allowed to issue complaints to platforms and even sue the platforms if website administrators fail to respond within 48 hours or provide an unsatisfactory response.

The development appears to be a reaction to the decision by various social media firms, including Facebook and Twitter, to ban ex-president Trump. Polish state officials view strengthening regulations around social media bans as rooted in protecting free speech online ‘from the infringements by big corporations’. The ruling conservative PiS party and the Polish government, in general, had maintained a strongly pro-Trump agenda, enjoying warm bilateral ties throughout his tenure, unlike many other fellow EU countries.

MENA and Central Asia


On Tuesday (19 January), Switzerland’s Attorney General submitted a request to the Lebanese Ministry of Justice for legal cooperation with a criminal investigation into Banque du Liban (BDL). The enquiry is centred on alleged money laundering and embezzling activities totalling around USD400m, and allegedly carried out by BDL’s long-standing governor, Riad Salameh, alongside his brother, Raja Salameh and advisor, Marianne Al-Hoayek. In a statement, BDL said that the investigation was based on ‘fabrications and fake news’. Notably, companies that BDL holds large stakes in, such as Middle East Airlines and the Casino du Liban, are also under investigation, according to a Swiss judicial source.

The investigation is the latest blow to Lebanon’s banking sector amid a financial crisis that has crippled the economy and led to serious political instability and widespread social unrest. Riad Salameh has previously been the target of anti-government protesters who have accused him and other political elites of transferring large amounts of money into off-shore bank accounts over 2019 as the country slipped into a financial crisis. Up until now, BDL and the Lebanese government have avoided confirming whether Salameh transferred money offshore, citing banking secrecy laws. However, pressure on the governor has mounted over the past year; in July 2020, a number of his assets were frozen following embezzlement claims. It is likely that if the Swiss Attorney General’s request is complied with by Lebanon’s public prosecutor, Ghassan Khoury, the resulting public release of information could incite more anti-government protests in the weeks ahead. Given that the investigation is also looking at companies affiliated to the bank, businesses with interests in BDL are advised to review compliance risk assessments with money-laundering regulations.


The ministry of foreign affairs in Iran announced via state media outlets on Tuesday (19 January) that it had blacklisted US President Donald Trump alongside senior officials in the Trump administration. The statement indicated that individuals sanctioned had been targeted due to their ‘role in terrorist and anti-human rights activities against Iran and its citizens’. Senior officials sanctioned include Secretary of State Mike Pompeo, Treasury Secretary Steven Mnuchin, Acting Defense Secretary Christopher Miller and ex-Defense Secretary Mark Esper. Other figures on the list include Washington’s special representative on Iran and Venezuela, Elliott Abrams; former National Security Adviser John Bolton, and Central Intelligence Agency Director Gina Haspel.

Any assets that blacklisted individuals hold on Iranian soil will now be seized. Given that those sanctioned are highly unlikely to hold any such assets, the move is largely symbolic, coming on the final full day of Trump’s presidency. Throughout his tenure, Trump has advanced a ‘maximum pressure campaign’ against Iran via harsh financial sanctions that have crippled the country’s economy. His departure will be welcomed by the Iranian regime, which is likely set to recalibrate its relations with the US under US President-elect Joe Biden. This shift was most recently signalled on Wednesday (20 January) when Iranian President Hassan Rouhani underlined the country’s commitment to returning to full compliance with the 2015 JCPOA deal pending Washington’s return. His positive tone towards Biden was further demonstrated when he remarked on Iran’s expectations that the US administration would ‘return to the rule of law and commit themselves and if they can, in the next four years, to remove all the black spots of the previous four years’. While progress towards negotiations on issues such as the JCPOA and the removal of sanctions on Iranian entities are set to be slow, business should anticipate that relations between the two countries will considerably improve over the coming months.

Sub-Saharan Africa


The US state department on Tuesday (19 January) announced visa restrictions on unnamed Tanzanian officials. The US suspects them of complicity in or being responsible for voting irregularities and human rights abuses during general elections in Tanzania last October. The sanctions will effectively restrict the targeted officials from obtaining travel visas to the US, which may complicate the organisations of meetings and events, once COVID-19-related restrictions are lifted. The move is unsurprising, and the sanctions are likely to remain largely intact under the Biden administration, which has pledged to give greater attention to democracy and human rights as part of its foreign policy. They come amid growing geopolitical tensions between Tanzania and Western partners, who are concerned about the President John Magufuli’s increasingly authoritarian turn during his first five-year term, which has seen a tough clampdown on the opposition and an increasingly hostile stance against large foreign investors. The government’s approach is unlikely to change over the coming five years, which may increase reputational risks for investors present in the country and increase the sanctions and compliance risks. Furthermore, the European Union and the United Kingdom may issue similar sanctions over alleged human rights abuses in the country over the coming year.


The government on 15 January signed up to the Clean Network programme becoming the first African country to do so. The programme was launched by the US in 2020 in a bid to block the involvement of Chinese telecommunications and technology companies, such as Huawei, WeChat and TikTok, in backbone internet infrastructure, such as 5G networks and subsea cables, as well as smartphone apps, and apps stores. This is due to their perceived links to the Communist Party of China and Chinese intelligence, widely considered to be hostile actors. The kingdom joins 50 countries, such as Bulgaria,  Sweden, and the UK, and large Western companies that have already signed up, sometimes following intense political. Although eSwatini carries little geopolitical weight due to its small size and market, the move underscores growing geopolitical tensions across Sub-Saharan Africa over the involvement of Chinese companies in its technology expansion efforts over the coming year. The new US administration of President Joe Biden has pledged to continue to take a tough political stance on China. Nevertheless, the Clean Network alliance is likely to struggle to gain a foothold in the region. In large part, this is due to the already extensive presence of and political support for Chinese telecommunications companies, like Huawei and others, in African markets. Furthermore, technology solutions offered by Huawei are more affordable, compared to its Western competitors, and it would likely prove very costly for the countries in the region that have Huawei equipment to replace it with Clean Network-approved ones. In the longer term, this signals growing political risks for Western technology companies with a presence in or looking to expand in Sub-Saharan Africa.

Scroll to Top