Insights: Week of March 28, 2022

Courtesy of Wikimedia Commons

The Federal Communications Commission (FCC) has added Russian software company Kaspersky to its entity list, along with China Telecom and China Mobile because of national security risks. The list, which until now has only featured Chinese firms, bans certain companies from buying parts and components from US companies without government approval. Kaspersky claims the decision is political, but the US government has been watching the company for several years because of concerns about its ties to Russian intelligence. In 2017 the federal government banned the use of Kaspersky products and services by federal entities and contractors. Currently the Biden administration has not decided whether to impose sanctions on Kaspersky, but experts have raised concerns about the challenges of enforcing sanctions against a company that has hundreds of millions of customers globally. In addition, some officials in the United States and Europe fear sanctioning Kaspersky will increase the likelihood of a Russian cyber-attack.

  • The US government began privately warning some US companies at the start of Russia’s invasion of Ukraine that Moscow could manipulate software designed by Kaspersky to cause harm to US customers. In addition, the UK’s cybersecurity agency said this week that organizations providing services related to Ukraine or critical infrastructure should reconsider the risk associated with using Russian computer technology in their supply chains, while not specifically mentioning Kaspersky by name.
  • In 2017, six US intelligence and law enforcement agency chiefs confirmed in an open Senate hearing that they would not allow their networks to use Kaspersky software. US government evidence about Kaspersky’s ties with Russian intelligence is almost certainly classified, but internal company emails released in press reports show that Kaspersky Lab has developed security technology at the behest of the FSB and worked on joint projects with the spy agency that CEO, Eugene Kaspersky—a former Russian intelligence officer—did  not want made public, instructing staff to keep the projects secret.
  • The German Federal Office for Information Security last week warned organizations against using Kaspersky antivirus software because it could be exploited for cyber-espionage or used to launch cyberattacks.
  • A Russian hacking operation in 2015 exploited Kaspersky’s anti-virus software to gain access to sensitive files stolen from the agency by an NSA contractor and placed on his personal computer. The incident prompted US government agencies to ban the use of Kaspersky products on government and contractor systems.

US firms that use Kaspersky products should closely monitor developments about the company, its potential national security implications, and possible upcoming sanctions.


Compliance and Due Diligence

OFAC this week added one individual and four entities to the SDN list—all linked to Iran’s ballistic missile program. Treasury describes the designations as against an “Iran based procurement agent” and his network of companies that “procured ballistic missile propellant-related materials for the Islamic Revolutionary Guard Corps Research and Self Sufficiency Jihad Organization (IRGC RSSJO).” The latest designations may be another sign that the stalled nuclear deal talks in Vienna may not restart anytime soon.

OFAC this week also designated 13 individuals and 21 entities for facilitating the procurement activities of Russian intelligence and military services. The network of entities works to conceal Russian military and intelligence agency end-users that rely on critical western technology. OFAC also targeted key Russian technology companies that are enabling Russia’s invasion of Ukraine, further impeding Russia’s access to western technology and the global financial system.

Senators Grassley and Rubio, along with several colleagues yesterday introduced legislation to reauthorize the Global Magnitsky Human Rights Accountability Act. The law gives the President the authority to leverage economic sanctions against any party responsible for “gross violations of internationally recognized human rights” against human rights defenders or individuals exposing government corruption. The current authorization is set to expire this December. Separately, Rubio sent a letter to Commerce Secretary Gina Raimondo and Attorney General Merrick Garland calling for legal actions against ZTE, a Chinese tech company partially owned by the Chinese Communist Party that has faced repeated legal repercussions for violating US trade sanctions. The letter follows a recent US District Court decision ending ZTE’s probationary period—imposed after a 2017 ruling that convicted ZTE of conspiring to send sensitive American technology to Iran and North Korea—despite credible evidence of continued violations.

The UK this week added 14 more Russian individuals and entities to its sanctions list, including those behind the RT and Sputnik channels, for pushing disinformation. The UK directly sanctioned Russian state media organizations, including Kremlin funded TV-Novosti which owns RT, and Rossiya Segodnya, which controls the Sputnik news agency. Among the individuals sanctioned were RT’s managing director Alexey Nikolov, news anchor at the state-owned Rossiya Television and Radio network, Sergey Brilev, and Sputnik’s Editor-in-Chief, Anton Anisimov. 

The EU is working on the next tranche of sanctions against Russia, possibly looking to retaliate over Russia’s insistence that energy payments be made in rubles. The new sanctions package could be ready as early as next week, as well as a “compliance package” that would apply to anyone facilitating sanctions evasion. EU officials are also discussing how to use the bloc’s “AML blacklist” against countries found to help sanctions evaders, as well as the possibility of including Russia on the blacklist.

A US appeals court this week rejected a request by Russian oligarch Oleg Deripaska to remove him from the SDN list, finding that US officials had sufficient evidence to designate him. A federal judge last year dismissed his lawsuit challenging the sanctions. Deripaska was designated after the Russian invasion of Crimea for acting on behalf of a senior Russian government official.

The United States is planning additional sanctions on more sectors of Russia’s economy that the US government assesses are critical to Moscow’s continued war in Ukraine, including supply chains. Treasury Deputy Secretary Wally Adeyemo this week said that sanctions would also target alternative military suppliers used by Russia, asserting that anyone helping Russia evade sanctions, including crypto exchanges and financial institutions, will suffer economic consequences.

Russian oil company, Roszarubezhneft—used to help Venezuela continue exporting oil in the face of US sanctions—is working to avoid EU and US sanctions over Russia’s invasion of Ukraine. After its incorporation in 2020, Roszarubezhneft acquired the Venezuelan holdings of Russian state-run oil giant Rosneft, as Washington imposed sanctions on two of Rosneft’s units for trading Venezuelan oil. Roszarubezhneft is now working to transfer ownership of its Venezuelan assets from its European units to another company in Russia to avoid asset freezes brought on by western sanctions.

Russian tankers carrying petrochemicals are increasingly concealing their movements, turning off their tracking systems, most likely to evade sanctions. During the past week, occurrences of Russian tankers operating with onboard location systems turned off more than doubled, according to Windward, an Israeli consultancy that specializes in maritime risk using artificial intelligence and satellite imagery. The vessels going dark include Russian ships connected to big corporations and multinational shipping firms, as well as small businesses.

IP addresses alone are not sufficient to determine the location of a transaction for compliance purposes. Although Treasury has issued several guidances highlighting the importance of using IP address monitoring in compliance programs, IP addresses are vulnerable to manipulation because virtual private networks (VPNs) can help obscure the true location of a user. In the past six months, GeoComply Solutions, which provides geolocation compliance data on its clients’ platforms, saw more than 15 million attempted transactions in which users from sanctioned jurisdictions manipulated IP addresses to appear as if they were located in the United States.

Fraud and Abuse

Russia’s more than monthlong war in Ukraine has not only caused a massive refugee crisis, but also exacerbated a human trafficking problem that has been prevalent in the region since the fall of the Soviet Union. FiveBy’s AML and regional experts can help banks and financial institutions structure SARs, recognize red flags specific to human trafficking, and assess the associated jurisdictional risks, including known high levels of organized crime, since transnational criminal organizations are commonly involved in human trafficking, economic instability, and proximity to conflict zones, which create pools of victims for human traffickers to exploit. Read our advisory on human trafficking red flags here.

Some lawmakers in Washington are calling on the Securities and Exchange Commission and the Treasury Department to require firms in the private funds market, such as hedge funds, private equity firms, and venture capital firms, to do the same kind of anti-money laundering checks required of banks, financial institutions, brokerages, mutual funds, and casinos. The calls are not new, but with more and more Russian oligarchs being sanctioned and the increased focus on corruption by the Biden administration as of last year, these requirements could be expanded.

Google’s Threat Analysis Team recently discovered that Russian hackers have been trying to penetrate the networks of NATO and the militaries of some eastern European countries. Google described the efforts as “credential phishing campaigns” launched by a Russia-based group called Coldriver or Callisto. In 2019, Finnish cybersecurity firm F-Secure Labs described Callisto as an unidentified and advanced threat actor “interested in intelligence gathering related to foreign and security policy” in Europe.

Ecuador’s former Comptroller General, Carlos Polit Faggioni, who was convicted in his home country of extorting millions from Brazilian engineering firm Odebrecht S.A., this week was arrested in Miami in a related federal money-laundering case. The position was originally created to combat the fraudulent use of government funds and required Polit to sign off on public budgets, enabling him to demand at least $8 million in bribery payments. The indictment says Polit “solicited and received bribe payments” from Odebrecht’s leadership “in exchange for using his official position and influence as comptroller of Ecuador to prevent the imposition of large fines on Odebrecht by the comptroller’s office relating to Odebrecht’s construction projects in Ecuador.”

California resident, Robert Benlevi, this week was convicted of massive fraud in which he submitted 27 PPP loan applications to four banks on behalf of eight companies he owned in the course of two months in 2020. In the applications, Benlevi sought a total of $27 million in forgivable PPP loans guaranteed by the Small Business Administration under the Coronavirus Aid, Relief, and Economic Security (CARES) Act, claiming that each of his companies had 100 employees and an average monthly payroll of $400,000, which was untrue. The evidence further showed that Benlevi submitted fabricated IRS documents falsely stating that each of the companies had an annual payroll of $4.8 million.

Criminal hackers are gaining access to sensitive customer data from Internet service providers, phone companies, and social media firms by compromising government agency and law enforcement email accounts, posing as police officers, and submitting emergency data requests (EDRs), claiming the information being requested relates to an urgent life-or-death matter and cannot wait for a court order. Apparently both Apple and Facebook not only fell for the hoax EDRs, but also complied. Senator Ron Wyden is requesting information from tech companies and multiple federal agencies to learn more about how EDRs are being abused by hackers. On Telegram, one illicit actor is offering email and government account access allegedly stolen from non-US police and government email accounts, including a police department in India; a UAE government ministry; the Brazilian Secretariat of Education; and Saudi Arabia’s Education Ministry.

Japan will revise its foreign exchange law to prevent Russia from using cryptocurrencies to evade Western sanctions. The revision would require cryptocurrency exchanges to conduct customer due diligence to prevent sanctioned Russians from accessing their services. Although the government has already warned crypto exchanges not to conduct transactions with sanctioned individuals, a legislative revision is a stronger step to ensure these entities abide by existing regulations.

US-designated Russian oligarch Alisher Usmanov has been hiding behind trusts, offshore companies in secrecy havens, Swiss bank accounts, and family members to protect his fortune. Usmanov maintains a 49-percent stake in his main business conglomerate, but the remainder is held by a numerous offshore companies and business associates. One of Usmanov’s sisters was the beneficial owner of 27 Swiss bank accounts that held hundreds of millions of dollars—substantial sums for someone who works as a gynecologist in Tashkent. Usmanov’s $19-million Sardinian villa may have been seized by the Italian government, but German authorities are struggling to formally impound his infamous $600 million yacht, the US-designated Dilbar, which is moored in Hamburg.

Although Finnish company, Nokia, this month announced that it would stop its sales in Russia, it has left behind equipment and software that allows the Russian government to continue conducting digital surveillance against opposition figures through the nation’s largest telecommunications network. The system intercepted the phone calls of a Kremlin foe who was later assassinated and had been used to track supporters of Russian opposition leader Aleksey Navalny. Called the System for Operative Investigative Activities (SORM), it is also most likely being employed to silence antiwar voices inside Russia. The FSB uses SORM to listen in on phone conversations, intercept emails and text messages, and track other internet communications.

 

FiveBy provides to our clients a weekly news roundup of relevant insights to help avoid issues associated with both regulatory and reputational risk. We hope you find this useful, if you would like to see other things included, let us know at insightsfeedback@fiveby.com

Leave a Reply

Your email address will not be published.