U.S. Office of Foreign Assets Control Sanctions Venezuelan Development Bank BANDES and Subsidiaries

On March 22, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Venezuela’s national development bank, Banco De Desarrollo Económico Y Social de Venezuela (BANDES), and four BANDES subsidiaries for operating in the financial sector of the Venezuelan economy.  In a statement, U.S. Secretary of the Treasury Steven T. Mnuchin specifically tied these new sanctions to the arrest of opposition leader Juan Guaidó’s chief of staff Roberto Marrero “and other political prisoners” by the regime of Venezuelan President Nicolás Maduro.

Secretary Mnuchin also declared that

[r]egime insiders have transformed BANDES and its subsidiaries into vehicles to move funds abroad in an attempt to prop up Maduro.  Maduro and his enablers have distorted the original purpose of the bank, which was founded to help the economic and social well-being of the Venezuelan people, as part of a desperate attempt to hold onto power.

Notwithstanding BANDES’s stated purpose as a development bank, the Maduro regime has used BANDES to circumvent existing sanctions.  According to the Treasury Department, in early 2019 Maduro tried to move more than $1 billion out of Venezuela via BANDES to its subsidiary in Uruguay, Banco Bandes Uruguay S.A. (now one of the four sanctioned BANDES subsidiaries).  The other three BANDES subsidiaries that have been sanctioned are Banco Bicentenario del Pueblo, de la Clase Obrera, Mujer y Comunas, Banco Universal C.A.; Banco de Venezuela, S.A. Banco Universal; and Banco Prodem S.A.  In addition, the Chief Executive and President of the Board of BANDES, Simon Alejandro Zerpa Delgado, has been subject to OFAC sanctions since 2017.

Note: Financial institutions’ sanctions compliance teams should take note of this latest round of OFAC Venezuelan sanctions, both for its immediate and prospective effects on international financial transactions (including facilitating credit-card transactions, beginning in March 2020) and for its political ramifications.  Although they are far less damaging to the Venezuelan economy than the sanctions already in place against PDVSA, President Donald Trump’s National Security Adviser, John Bolton, stated that BANDES “is to Venezuela’s financial sector what PDVSA is to its oil sector.”

The new sanctions may also create additional collateral pressures on the Maduro regime.  For more than a decade, BANDES reportedly has received billions of dollars from the China Development Bank in exchange for oil.  One opposition legislator has suggested that the sanctions would impede efforts by the regime to restructure its $20 billion debt with China.

Finally, the BANDES sanctions also close another bolt hole for Maduro to transfer state funds out of the country and send a strong signal to the Maduro regime about efforts to repress the burgeoning opposition.  If, as the New York Times suggested, the Marrero arrest was an effort by Maduro to call the Trump Administration’s bluff, the BANDES sanctions are probably sufficient to indicate that the Administration still has hole cards to play.

Kaspersky Lab Reports Large-Scale Malware Threat, Hosted on ASUS Server, to ASUS Computers

On March 25, cybersecurity firm Kaspersky Lab reported that it had found an Advanced Persistent Threat (APT) directed at ASUS computers, in the form of a modification to ASUS’s own Live Update Utility.  The actor(s) reportedly “modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.”

In addition, the modified utility – which Kaspersky dramatically labeled “ShadowHammer” —

was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.

Kaspersky calculated that more than 57,000 users of its products had installed the backdoored utility, and estimated that it was distributed to a total of approximately 1 million people.  It also reported that the attacker(s) “targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility.”  Finally, Kaspersky stated that while investigating this attack, it found “that the same techniques were used against software from three other vendors,” and notified ASUS and other companies about the attack.
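Because the targeting relied on hashes of MAC addresses, a defender who obtains a published list of those hashes can check a fleet inventory against it. The following is an added example, not code from Kaspersky, ASUS, or this article; it assumes MD5 over the six raw MAC bytes (the article does not name the hash algorithm), and the interface inventory and target list are constructed for illustration.

```python
import hashlib
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(mac: str) -> bytes:
    """Return the six raw bytes of a MAC written as aa:bb:.., AA-BB-..,
    aabb.ccdd.eeff or bare hex; raise ValueError for anything else."""
    compact = re.sub(r"[:\-.]", "", mac.strip())
    if not _MAC_RE.fullmatch(compact):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(compact)


def mac_digest(mac: str, algorithm: str = "md5") -> str:
    # Assumption: the digest is taken over the raw six bytes, not the text form.
    return hashlib.new(algorithm, normalize_mac(mac)).hexdigest()


def targeted_interfaces(interfaces, target_hashes, algorithm="md5"):
    """Compare every interface's MAC digest with the target list.

    Returns (hits, malformed): interface names whose digest is on the list,
    and names whose MAC could not be parsed and need manual review.
    """
    targets = {h.strip().lower() for h in target_hashes}
    hits, malformed = [], []
    for name, mac in interfaces.items():
        try:
            digest = mac_digest(mac, algorithm)
        except ValueError:
            malformed.append(name)
            continue
        if digest in targets:
            hits.append(name)
    return sorted(hits), sorted(malformed)


# Constructed inventory (locally administered MACs, not real devices).
SAMPLE_INTERFACES = {
    "eth0": "02:00:5E:10:00:01",
    "wlan0": "02-00-5e-10-00-02",
    "vpn0": "n/a",
}
# Constructed target list: one entry derived from eth0, upper-cased to show
# that the comparison is case-insensitive. Not a real indicator.
SAMPLE_TARGETS = [mac_digest("0200.5e10.0001").upper()]

if __name__ == "__main__":
    hits, malformed = targeted_interfaces(SAMPLE_INTERFACES, SAMPLE_TARGETS)
    print("on target list:", hits)
    print("unparseable, review manually:", malformed)
```

A match means only that the device was on the attackers' target list; whether the backdoored utility was ever installed on it has to be established separately.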

ASUS has since responded, according to TechRadar, that “[a] small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”  It should be noted, however, that another leading cybersecurity firm, Symantec, stated that based on its telemetry, at least 13,000 computers received the malicious updates, and that those victims — 80 percent consumers and 20 percent organizations – were evenly distributed around the world.

ASUS further stated that it had introduced a fix in the latest version of the Live Update software that implements “an enhanced end-to-end encryption mechanism,” and that it had updated and strengthened its server-to-end-user software architecture to prevent similar attacks in the future.  ASUS also has made available a page that shows users how to ensure that they are getting the latest and safest version of Live Update Utility.

Note:  Kaspersky’s assessment on SecureList that ShadowHammer is “a very sophisticated supply chain [malware] attack” appears reasonable.  Prior supply-chain attacks that Kaspersky compared to ShadowHammer, such as ShadowPad and CCleaner in 2017, evidently were less complex and sophisticated in execution.

Accordingly, corporate information-security and compliance teams, even in companies that do not provide ASUS computers to their employees, should disseminate information about ShadowHammer internally, as an example of the more sophisticated APTs that may be directed at their systems.  They should also use this incident as a talking point with all of the third-party providers of hardware and cybersecurity products to their companies, to get current information on what those companies are doing to minimize the risk of sophisticated APTs such as ShadowHammer, ShadowPad, and CCleaner infecting their systems.

OECD Bribery Working Group Issues Statement on SNC-Lavalin Controversy in Advance of Phase Four Review

On March 11, the Organization for Economic Co-operation and Development (OECD) Working Group on Bribery issued a statement expressing concern about “recent allegations of interference in the prosecution of [Canadian engineering firm] SNC-Lavalin” by Canadian authorities.  This concern was prompted by a sequence of recent events relating to Canadian prosecutors’ pursuit of both SNC-Lavalin and former SNC-Lavalin officials for violations of the Corruption of Foreign Public Officials Act (CFPOA).

In February 2019, allegations came to light that one or more officials in the administration of Canadian Prime Minister Justin Trudeau had pressured then-Attorney General Jody Wilson-Raybould to resolve the prosecution of SNC-Lavalin with a deferred prosecution agreement.  By March 11, three senior Trudeau officials had resigned as the controversy over those allegations expanded: Wilson-Raybould (who had been shifted to the less prestigious post of Minister of Veterans Affairs), Prime Minister Trudeau’s top political adviser Gerald Butts, and Treasury Board President Jane Philpott (who resigned in solidarity with Wilson-Raybould).

In its statement, the Working Group pointedly reminded the Canadian government that

[a]s a Party to the OECD Anti-Bribery Convention, Canada is fully committed to complying with the Convention, which requires prosecutorial independence in foreign bribery cases pursuant to Article 5. In addition, political factors such as a country’s national economic interest and the identity of the alleged perpetrators must not influence foreign bribery investigations and prosecutions.

The Working Group also took note of the fact that in February, two inquiries were opened into the alleged political interference: an investigation by the Canadian Federal Conflict of Interest and Ethics Commission into potential violation of Canada’s Conflict of Interest Act, and a Parliamentary inquiry by the Parliamentary Commons Justice Committee.  The Working Group stated that it “is encouraged by these processes, and notes that the Canadian authorities stress that they are transparent and independent.”

The Working Group also included two statements that indicated that it intends to focus on the controversy in connection with its scheduled Phase Four review of Canada’s compliance with the OECD Anti-Bribery Convention.  First, it recognized “Canada’s willingness to keep it fully informed of developments in the proceedings, including at its [the Working Group’s] next meeting in June 2019.”  Second, it stated that it “will closely monitor Canada’s updates, and has also sent a letter to the Canadian authorities confirming its concerns and next steps in this matter.”

Subsequent public comments by Working Group Chair Drago Kos have confirmed those indications.  Kos said that Canada would be subject to a Phase Four review, and that while that review was routine, one aspect of it would address the SNC-Lavalin controversy.

Note:  The Working Group’s statement is extraordinary in two respects: (1) it is only the second time in the last decade that the Working Group has issued a statement about Canada’s compliance with the Convention; and (2) it indicates that the Working Group is likely to make the SNC-Lavalin controversy a centerpiece of its Phase Four review.

One media report termed the OECD Working Group process “toothless,” in light of Kos’s acknowledgment that the Phase Four review does not entail the power to sanction Canada.  No signatory nation to the Anti-Bribery Convention, however, wants to be the subject of a critical review by the Working Group in ordinary circumstances, and the circumstances surrounding the SNC-Lavalin scandal are anything but ordinary.

Since March 11, in fact, the risk of a highly critical review for Canada has already increased substantially.  A fourth Trudeau official, Privy Council Clerk Michael Wernick (who allegedly made “veiled threats” to Wilson-Raybould in the matter), has since resigned.  In addition, the Justice Committee, one of the two inquiries that “encouraged” the Working Group, decided to shut down further hearings on the scandal, even as Wilson-Raybould and Philpott have reportedly indicated that they have more to say on the matter but want the Prime Minister’s waiver of Cabinet privilege before they would testify again.  As Prime Minister Trudeau is continuing to face challenging questions from the media over the controversy, it is unlikely that he and his administration can damp down the controversy before the Working Group’s June meeting.

United Kingdom Financial Conduct Authority Fines UBS £27.6 Million for Transaction Reporting Failures Involving 135.8 Million Transactions

On March 19, the United Kingdom Financial Conduct Authority (FCA) announced that it had fined UBS AG (UBS) £27,599,400 for failings relating to 135.8 million transaction reports over nearly a decade, between November 2007 and May 2017.  The FCA stated that UBS

failed to ensure it provided complete and accurate information in relation to approximately 86.67m reportable transactions. It also erroneously reported 49.1m transactions to the FCA, which were not, in fact, reportable. Altogether, over a period of 9 and a half years, UBS made 135.8m errors in its transaction reporting, breaching FCA rules.

The FCA found that the 135.8 million transactions were the result of 42 errors, for which there were three main root causes (or, in some cases, a combination of those root causes): (1) errors in UBS’s systems, IT logic, and/or reporting processes; (2) weaknesses in change management controls; and (3) weaknesses in controls around the maintenance of static data.  The 135.8 million errors constituted approximately 7.5 percent of the 1.8 billion transaction reports that UBS submitted during the relevant period.

In addition, the FCA found that UBS failed to take reasonable care to organize and control its affairs responsibly and effectively with respect to its transaction reporting. “These failings,” the FCA stated, “related to aspects of UBS’s change management processes, its maintenance of the reference data used in its reporting and how it tested whether all the transactions it reported to the FCA were accurate and complete.”

In its Final Notice, the FCA took into consideration that UBS had recognized the failures within its control framework and either remediated, or had substantially commenced the process of doing so after July 31, 2014.  It also acknowledged that UBS self-identified and notified it of more than 85 percent of the reporting errors described in the Notice, “and has committed significant resources to improving its transaction reporting controls.”

Because UBS agreed to resolve the case, it qualified for a 30 percent discount in the overall penalty. Absent the discount, the FCA stated that it would have imposed a financial penalty of £39,427,795.  In response to the FCA’s action, a UBS spokesperson reportedly said that “there had never been any impact on clients, investors or market users, but the bank had improved its systems and controls.”

Note: A transaction report, according to the FCA, is a data set that a financial firm submits to the FCA relating to “an individual financial market transaction which includes, but is not limited to, details of the product traded, the firm that undertook the trade, the trade counterparty, the client (where applicable) and the trade characteristics, price, quantity and venue.”  The FCA states that it uses the information from transaction reports for four purposes: (1) monitoring for market abuse; (2) firm supervision; (3) market supervision; and (4) sharing with certain external parties, such as the Bank of England.

The basis for the FCA’s rules on transaction reporting is the European Union Markets in Financial Instruments Directive (2004/39/EC) (MiFID), in effect from November 2007 until January 2018, and MiFID II, in effect since January 2018.  MiFID and MiFID II are EU legislation “that regulates firms who provide services to clients linked to ‘financial instruments’ (shares, bonds, units in collective investment schemes and derivatives), and the venues where those instruments are traded.”  MiFID II revised the MiFID requirements in a number of areas, including extending transaction reporting requirements to include additional instruments.

Although the FCA has fined a dozen other financial firms since 2009 for transaction reporting violations, its action against UBS is significant in two respects.  First, the number of transactions associated with UBS’s reporting failures (135.8 million) is by far the highest of any of the 13 FCA MiFID cases.  Second, the amount of the £27.6 million fine is the highest ever imposed for such MiFID violations – more than double the amount of the next highest fine.  United Kingdom financial firms should review the UBS Final Notice with care, and use the FCA’s factual findings therein as a point of reference to check their own systems’ MiFID II compliance.

Lithuanian National Pleads Guilty in $123 Million Business E-Mail Compromise Scheme Affecting Facebook and Google

On March 20, Evaldas Rimasauskas, a Lithuanian national, pleaded guilty to one count of wire fraud in an indictment returned in 2017 in the Southern District of New York, for his conduct of a business e-mail compromise (BEC) scheme that led to defrauding Google and Facebook out of $123 million.

According to the Indictment’s allegations, from 2013 through 2015, Rimasauskas orchestrated a fraudulent BEC scheme designed to deceive Google and Facebook (named in the indictment only as “Victim 1,” “Victim 2,” or “the Victim Companies”) into wiring funds to bank accounts that Rimasauskas controlled.  In particular, Rimasauskas

registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.  Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.

The emails, which purported to be from employees and agents of Company-1,

were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1.  This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

After Google and Facebook wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas

caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.  [He] also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

Google reportedly sent more than $23 million and Facebook nearly $100 million to bank accounts that Rimasauskas controlled.  Google stated that it has recouped its money, and Facebook stated that it recovered most of its money.

Rimasauskas was arrested in Lithuania in _ 2017 and extradited to the United States in August 2017.  He is scheduled to be sentenced on July 24.

Note:  The Rimasauskas case is a particularly prominent example of how cybercriminals can set up and carry out a BEC scheme with relative ease.  The total gross proceeds it obtained, and the size of the companies that Rimasauskas defrauded, make it one of the largest BEC schemes conducted in recent years.  By contrast, the FBI’s 2018 Operation WireWire against international BEC schemes resulted in the seizure of nearly $2.4 million and the recovery of approximately $14 million in fraudulent wire transfers.

Chief Information Security Officers, Chief Compliance Officers, and comptrollers in companies of all types and sizes should use this case as an opportunity to compare notes about their companies’ external fraud programs and test whether their business processes would detect the kind of BEC scheme that Rimasauskas conducted in this case.