Dipping Through Geometries

On March 7, Reuters reported that United Kingdom Chancellor of the Exchequer Rishi Sunak is expected to announce next week that the United Kingdom Government will impose an Economic Crime Levy “on banks and other firms regulated for anti-money laundering to raise up to 100 million pounds ($130 million)” for anti-money laundering (AML) measures.

The new Levy – expected to be included in the Chancellor’s first budget on March 11 – would be used “to generate cash for new technology for law enforcement and to hire more financial investigators.”  The United Kingdom Treasury is expected to do a public consultation this spring about which financial institutions would be asked to contribute to the new Levy.  That Levy reportedly would come into force in 2022-23.

Note: The Government’s Economic Crime Plan for 2019-2022 estimated that the scale of money laundering affecting the United Kingdom annually “is likely to be tens of billions of pounds.”  Measures such as the Joint Money Laundering Intelligence Taskforce (JMLIT), which has provided an important vehicle for public-private sector information-sharing, and use of Unexplained Wealth Orders and Account Freezing Orders have improved the Government’s capacity to combat money laundering effectively.

After years of severe funding cutbacks under the Conservatives’ “austerity” budgets, however, law enforcement has needed an infusion of fiscal resources for proper staffing and technological support to deal with, among other issues, the adaptability and sophistication of money laundering organizations.  While the planned levy for that purpose would be welcome, the timeframe for effecting it is far too extended.   As money launderers will not wait another two to three years to refine their methods and techniques, neither should the Government wait to provide critical resources to combat the threat they pose.

On February 24, the APWG (formerly the Anti-Phishing Working Group) released its report for the 4^th quarter of 2019 on phishing activity trends.  Key points in the report include:

• Number of Phishing Sites: The number of unique phishing sites fluctuated substantially during 4Q2019, from 76,804 in October to 39,580 in November to 45,771 in December. (3)
• Number of Brands Targeted: The number of brands targeted by phishing attacks remained highly consistent, averaging 333 per month. (3)
• Phishing Targets: Software-as-a-service (SaaS) and webmail sites remained the most frequent targets of phishing, accounting for 30.8 percent of targeted sectors. “Phishers continue to harvest credentials to those kinds of sites, using them to perpetrate business e-mail compromises (BEC) and to penetrate corporate SaaS accounts.” The next most-targeted sectors were payment (19.8 percent) and financial institutions (19.4 percent). Attacks against the cryptocurrency, logistics/shipping, gaming, insurance, energy, government, and healthcare sectors were negligible during the quarter, as each accounted for less than 1 percent of all phishing attacks detected. (5)
• Business Email Compromise: In business email compromise (BEC) schemes, criminals used gift cards most frequently (62 percent) to cash out, perpetrating Business Email Compromise (BEC) attacks used gift cards to cash out during the holiday shopping season. The report indicated that cybercriminals may have been seeking to launder money by using the cards to buy physical goods that they can then sell.  (6-7)
• SSL Protection: 74 percent of all phishing sites use Transport Layer Security (TLS) or Secure Socket Layer (SSL) protection. This percentage – the highest recorded since the start of 2015 – provides yet another indication that users cannot rely on SSL alone to determine whether a site is safe or not. (11)
• Brazilian Trends: In Brazil, the number of phishing incidents in Brazil increased dramatically, from 3,230 in 1Q2019 to 8,872 in 4Q2019. (9-10)

Note:  This Report, like the other APWG phishing trends reports, demonstrates the ubiquity and adaptability of sophisticated cybercriminals.  Information security officers should disseminate the Report to their teams, and share it with their financial-crimes compliance teams as well.

On February 21, television station WPTV in West Palm Beach, Florida reported that because of a 2019 ransomware attack that locked Stuart (Florida) Police Department officers out of their computers, the local State Attorney’s Office found it necessary to dismiss 11 narcotics cases involving alleged drug dealers because of the loss of evidence.

According to a Stuart Police Department spokesman, the cyberattackers used a “spear phishing” attack to disseminate the Ryuk ransomware, which was in the Stuart Police computers for approximately two months before the attackers sent the Department a ransom note demanding $300,000 in Bitcoin.  When the City of Stuart refused to pay the ransom, the Police Department was unable to recover 1 ½ years of digital evidence that included photographs and videos.

WPTV also reported that losing data (or evidence in the Stuart Police Department’s case) “is highly common when an agency is hit by hackers. In the words of the Stuart Police Department spokesman, “I can’t recall, in speaking to my federal partners, that there has been a case where data has not been lost.”

The report said that the Stuart Police Department “has changed the way they save and store evidence, and city officials are now aggressively training employees to identify phishing emails.”

Note: This report should be of substantial concern to law enforcement officers and prosecutors across the country.  Any ransomware attacks directed at government agencies are cause for concern, but ransomware attacks like the Stuart attack that result in loss of evidence in criminal prosecutions represent a significant threat to the rule of law and the justice system.

Prosecutive, police, and law enforcement agencies cannot depend solely on cybersecurity software to safeguard the evidence they need for criminal prosecutions.  As the Stuart Police ransomware attack demonstrated, even a single individual who negligently clicks on a malicious link can compromise an entire computer network.  For that reason, if they are not already doing so, those agencies need to initiate procedures for frequent backups of potential evidence in their cases to offline repositories, and to be able, if necessary at trial, to prove to courts that those data have not been altered or damaged in any way.  The cost of providing such offline storage will be far less than the cost of admitting publicly that viable prosecutions had to be dismissed because police and prosecutors failed to take simple measures to protect their evidence.

On March 2, the U.S. Department of Justice announced that U.S.-headquartered generic pharma company Sandoz Inc. agreed to enter into a deferred prosecution agreement (DPA) with the Department for conspiring to allocate customers, rig bids, and fix prices for generic drugs.  In connection with the DPA, the Justice Department filed a four-count information in federal court in the Eastern District of Pennsylvania, charging Sandoz (a division of Swiss pharma company Novartis) “with participating in four criminal antitrust conspiracies, each with a competing manufacturer of generic drugs and various individuals.”

Under the terms of the DPA, Sandoz agreed to pay a $195 million criminal penalty and admitted that its sales affected by the charged conspiracies exceeded $500 million.  In that DPA, Sandoz admitted that it participated in the four charged antitrust conspiracies set forth in the information, as follows:

• Count One: This count charged Sandoz “for its role in a conspiracy with a generic drug company based in New York and other individuals.  Sandoz admitted that drugs affected by this conspiracy included clobetasol (cream, emollient cream, gel, ointment, and solution), desonide ointment, and nystatin triamcinolone cream.”
• Count Two: This count charged Sandoz for its role in a conspiracy with Kavod Pharmaceuticals LLC (formerly Rising Pharmaceuticals) “to allocate customers and fix prices of benazepril HCTZ. Rising was charged and entered into a deferred prosecution agreement in December 2019 for its participation in the same conspiracy.”
• Count Three: This count charged Sandoz “for its role in a conspiracy with a generic drug company based in Michigan. Sandoz admitted that drugs affected by this conspiracy included desonide ointment.”
• Count Four: This count charged Sandoz “for its role in a conspiracy with a generic drug company based in Pennsylvania. Sandoz admitted that drugs affected by this conspiracy included tobramycin inhalation solution.”

Note: This case is noteworthy for two reasons.  First, according to the Department, Sandoz’s $195 million criminal penalty is the largest ever paid in a domestic antitrust investigation.  A corporate criminal conviction under section 1 of the Sherman Act carries a maximum penalty of $100 million per count.   An alternative sentencing provision allows that penalty to be increased to not more than twice the gross gain derived from the crime, or twice the gross loss that victims suffered, if either amount is greater than $100 million.

Second, it indicates that the Antitrust Division of the Department is sustaining momentum in its investigation of the generic pharma industry.  Sandoz is the third pharmaceutical company to admit to criminal antitrust charges, and the seventh case to be charged, in that investigation.  In addition, three individuals, including a former Sandoz executive, have pleaded guilty to charges in the investigation, and a fourth individual was indicted last month and is awaiting trial.

For both reasons, compliance counsel in the pharma industry should report on this latest DPA to senior executives in their companies, and promptly incorporate information about the case into corporate briefing and training materials.  Every senior executive, in every industry, needs to understand that the Justice Department regards bid-rigging and price-fixing as core criminal conduct under the Sherman Act and tends to be highly motivated to investigate and prosecute such cases.

On February 20, South Sudanese President Salva Kiir and opposition leader Riek Machar agreed to form a new coalition government.  The new coalition government’s formation reportedly includes Kiir’s remaining as President, Machar’s serving as Kiir’s deputy, and the swearing-in of four more vice presidents (two from the government and two from opposition groups).

Although they missed two previous deadlines to form the coalition government, Kiir and Machar made two key concessions that evidently made the February 20 announcement possible.  In Kiir’s case, it was his decision to reduce the number of South Sudanese states from 32 to 10, which Africa News termed “the main stumbling block” in the negotiations to form the coalition government.  In Machar’s case, it was his willingness to have Kiir assume responsibility for his security.  The transition coalition government is now intended “to lead to elections in three years’ time — the first vote since independence.”

Note: Ordinarily, compliance professionals pay little attention to countries such as South Sudan that rank among the most corrupt countries in the world.  But for some time, South Sudan has had the unhappy distinction not only of being suffused with corruption, but of becoming the locus of terrible violence in its civil war.  Since it wrested its independence from Sudan in 2011, that civil war between the country’s Dinka and Nuer ethnic factions (which Kiir and Machar, respectively, represent) has cost the lives of an estimated 400,000 people and displaced millions more.

Last week’s joint announcement by Kiir and Machar provides some basis for hope, however tentative, that the country can step away from the abyss of violence and move toward fragile but genuine stability.  Whether they conclude that maintaining existing corruption structures is a necessary cost of maintaining that stability remains to be seen.