Geopolitical and Cybersecurity Risk Weekly Brief 16 November 2020

16 November 2020

Executive Summary

Threat actors continue to take advantage of the COVID-19 pandemic. This week, Microsoft has revealed that at least three state-sponsored threat groups, from North Korea and Russia, have targeted seven companies involved in COVID-19 vaccine research. Victims were spread across the globe, and it is expected that these attacks will only intensify as the race for a vaccine becomes more urgent.

Tensions with China continue. Hong Kong’s de facto opposition lawmakers formally resigned from the territory’s Legislative Council (LegCo) in protest over the expulsion of four of their colleagues the previous day by the local administration, widely viewed as acting on instructions from Beijing.

Political unrest continues in several countries. In Peru, protesters have gathered in support of impeached president Martín Vizcarra. In Thailand, police used water cannon in central Bangkok in a bid to disperse thousands of peaceful protesters calling for reforms to the country’s monarchy and the removal of the military-backed government. In Côte d'Ivoire, the president and main opposition leader agreed to dialogue to de-escalate the high risk of violent anti-government protests and deadly inter-communal fighting following the 31 October presidential election.

This week saw developments in various bilateral conflicts. The Armenian prime minister confirmed that he had signed an agreement with the presidents of Azerbaijan and Russia to end the war over the disputed area of Nagorno-Karabakh. The Moroccan army confirmed that a military operation had been launched in Guerguerat, a buffer zone on the southwest coast of the disputed Western Sahara region. Rockets have been fired toward the Eritrean capital Asmara, with blame placed on insurgents from Ethiopia’s northern region of Tigray.

A new study has found that the official Google Play Store is by far the largest distributor of Android malware. This has long been suspected, given how ubiquitous the Google Play Store is. However, this latest study, which assessed over 34 million Android applications, found that between 10 per cent and 24 per cent of apps could be described as malicious, depending on the classification used. Overall, 67 per cent of malicious Android applications identified came from the Google Play Store. Only 10 per cent came from alternative third-party app stores.

Patch Tuesday. Microsoft, Intel, Adobe and others released numerous fixes for vulnerabilities rated Low to Critical this week. All readers should update their systems as soon as possible to mitigate the varying threats posed by these issues.

 

Attacks and cybersecurity news

Microsoft has revealed that at least three state-sponsored threat groups have targeted seven companies involved in COVID-19 vaccine research. The victim companies operate in Canada, France, India, South Korea, and the United States. Two of the APTs, Lazarus and Cerium, are from North Korea, while the third group, Strontium (also known as Fancy Bear), is Russian. Vaccine centres were among the victims, hit by spear-phishing campaigns targeting their employees. This sort of attack will continue for as long as the pandemic does, as recently illustrated by the reporting of several domains linked with Kimsuky campaigns targeting COVID-19 vaccine developers.

The world’s second-largest laptop manufacturer, Compal, has reportedly been hit by DoppelPaymer ransomware. A screenshot of the ransom note was given to reporters at Yahoo Taiwan. According to Taiwanese media sources, the incident took place on 8 November and impacted 30 per cent of the company’s computer fleet. Compal's deputy managing director, Qingxiong Lu, has denied the reports of the attack being ransomware and the company has yet to appear on the DoppelPaymer leaks site. If Compal maintains its public denials of any ransomware issue, however, we expect this to change.

Threat actors stole USD2 million in Dai cryptocurrency in a flash loan attack against the cryptocurrency borrowing and lending service Akropolis. The platform stopped all trading to prevent attackers from stealing further assets. Flash loan attacks see threat actors borrow funds from a decentralised finance service, such as Akropolis, before exploiting vulnerabilities in the platform's code to bypass the loan mechanism and steal the funds. Akropolis is coordinating with cryptocurrency exchanges to freeze an Ethereum wallet in which the stolen funds are currently being held.

The Australian government has issued a security alert asking local health organisations to check their cybersecurity defences. Australia's Cyber Security Center (ACSC) has observed an increase in "targeting activity" against the healthcare sector by threat actors using the SDBBot Remote Access Tool (RAT). Further details on who the threat actor is, or what exactly is meant by "targeting activity", have not been provided. The presence of SDBBot in attacks such as these is worrying. It has been used for the exfiltration and theft of data in attacks in the past and this is likely to be the aim here.

 

Data security, fraud, and vulnerabilities

Data Security

President Trump's re-election campaign and the Republican National Committee recently filed a lawsuit in Arizona claiming that the polling officials in Maricopa County had incorrectly rejected in-person votes on Election Day, by misusing a mechanical feature on the voting machines. The campaign set up a website, DontTouchTheGreenButton.com, to collect anecdotal evidence from voters who may have observed this behaviour to validate the lawsuit, claiming that these are 'sworn declarations' from voters. This site was not secured, however, and resulted in voter data being leaked. The API used to retrieve voter information has since been removed from the site. A similar API leak incident also affected the "Vote Joe" official application for the Joe Biden 2020 US presidential campaign in September 2020.

Hotel software provider Prestige Software has exposed the personal data of millions of guests through a misconfigured AWS bucket. This platform is used by many top online travel agent sites, including Agoda, Expedia, Booking.com, and Hotels.com. This bucket contained over 10 million individual log files, dating back to 2013. Researchers have warned that the total number of affected users could be even greater than this, as some of the logs contained personally identifiable information for multiple members of one booking slot. Prestige Software confirmed that the data belonged to it, and that the data had been secured the day after initial disclosure to AWS.

Citizen Lab has disclosed that a Filipino COVID-19 data platform, COVID-KAYA, contained critical vulnerabilities that could have resulted in unauthorised access to thousands of sensitive records. COVID-KAYA is used by frontline healthcare workers in the Philippines to collect and share COVID-19 cases with the Philippines Department of Health. These records include the names and locations of health centres, as well as the names of over 30,000 healthcare providers who have signed up to use the app. An attacker could have leveraged the vulnerabilities to reveal sensitive patient data.

A database belonging to Texas-based cloud application hosting provider Cloud Clusters has exposed 63 million records of monitoring and system logs and user data in a non-password-protected public database. While the database has now been secured, it is unclear if customers or authorities were notified of the exposure. The exposure of Magento and WordPress accounts and MySQL credentials could have allowed an attacker to access these customer accounts and potentially put them at risk of account takeover and further data theft. There was also evidence of a Meow attack already having targeted the database, with some of the data having been erased.

Fraud

A new HMRC tax rebate scam is targeting UK residents through text messages. The campaign employs multiple HMRC phishing domains, with new ones added daily as older domains are flagged by spam filters. Links in the text messages direct victims to a site mimicking a legitimate UK government (gov.uk) page, where they are asked to fill out a 'tax refund form' that spans multiple pages. A host of phishing sites was found that mirrored the real websites of prominent UK high street banks. These included Barclays, Clydesdale, Halifax, NatWest, HSBC UK, Metro Bank, Nationwide, Citi, Lloyds, TSB, Co-op, Royal Bank of Scotland (RBS), Santander, Tesco Bank, and Yorkshire Bank.

Scammers are impersonating the US Internal Revenue Service (IRS) in emails attempting to trick people with ‘missed’ or ‘late’ payments. Emails have been sent to approximately 70,000 Microsoft Office 365 users and threaten legal action against the target unless they pay the outstanding balance on the account. Recipients are also warned that the emails would be forwarded to their employer, who would deduct the outstanding sum from their wages.

Vulnerabilities

Intel has released 40 security advisories as part of its November 2020 Patch Tuesday release. Tens of vulnerabilities were patched, but only two of those are rated critical. There is currently no indication that the flaws have been exploited in the wild. Users are encouraged to apply patches as soon as possible to avoid potential compromise.

Microsoft has released its November 2020 Patch Tuesday security updates, with 112 vulnerabilities patched in total. Of these, 17 are classed as critical. Many of the issues outlined in this month’s Patch Tuesday release have either been exploited in the wild already or would be trivial to exploit. As such, users are urged to apply these updates as soon as possible.

Adobe has released its November 2020 Patch Tuesday security updates for Adobe Connect and Adobe Reader for Android. Only three vulnerabilities have been patched this month, which is much lower than usual. Users should update to Adobe Connect 11.0.5 or Adobe Reader Mobile 20.9.0 to mitigate the chances of exploitation.

WordPress has patched three vulnerabilities in the Ultimate Member plugin to block attacks that could potentially lead to site takeovers. This plugin currently has more than 100,000 active installations and is used to make profile and membership management easier. All three bugs are privilege escalation issues. These vulnerabilities have been patched with the release of Ultimate Member 2.1.12 on 29 October.

CISA has disclosed a new vulnerability in Mitsubishi Electric ICS products. Successful exploitation can trigger a denial of service. Mitsubishi Electric has issued various firmware versions to address this issue.

CISA has disclosed a new vulnerability in Schneider Electric ICS products. Successful exploitation can result in a denial of service condition, which could lead to the failure of the EcoStruxure Control Expert Simulator. Schneider Electric has released Version 15.0 of the EcoStruxure Control Expert software to mitigate this vulnerability. It is available for download on the Schneider Electric website.

CISA has disclosed multiple vulnerabilities in SAP products. Successful exploitation could enable an attacker to take control of an affected system. These include missing authentication check vulnerabilities affecting SAP Solution Manager (JAVA stack). CISA encourages users and administrators to review the SAP Security Notes for November 2020 and apply the necessary updates.

 

APT Activity and Malware Campaigns

APT activity

A new APT group linked to the Algerian government has been disclosed. APT-C-44 (also known as NorthAfricanFox) emerged in October 2017, and mainly targets Windows and Android users in North Africa. The group distributes its malware via social media sites, such as Facebook, that direct users to phishing websites and file hosting services. This is another example of open-source malware being leveraged by state-sponsored groups. Instead of writing its own malware, APT-C-44 has taken the most valuable modules of multiple families and combined them for surveillance and intelligence-gathering operations.

Researchers have uncovered a new cyber-espionage campaign linked to Vietnamese state-sponsored group OceanLotus. The group created multiple fake websites to profile users, redirect them to phishing pages, and deliver malware for Windows and macOS systems. Users from Vietnam, Laos, the Philippines, Malaysia, and Cambodia have been targeted. This campaign shows that APT groups, such as OceanLotus, are expanding their malware distribution methods beyond spear-phishing emails and compromised websites. Subsequently, new malware samples linked to this campaign were found targeting the Cambodian government. The self-extracting malware was distributed using ASEAN-themed spear-phishing emails, in line with the APT group's TTPs.

BlackBerry has disclosed a new mercenary APT organisation, dubbed CostaRicto. The group is targeting organisations predominantly located in South Asia, as well as Africa, Europe, and the Americas. This group is part of a growing trend of hack-for-hire shops and illustrates a significant evolution of the threat landscape. Although advanced persistent threat (APT) groups have existed for decades, their capabilities have become more accessible in recent years, just as ransomware-as-a-service operations have spread the availability of file-encrypting malware.

Malware

A new study has found that the official Google Play Store is by far the largest distributor of Android malware. This has long been suspected, given how ubiquitous the Google Play Store is. However, this latest study, which assessed over 34 million Android applications, found that between 10 per cent and 24 per cent of apps could be described as malicious, depending on the classification used. Overall, 67 per cent of malicious Android applications identified came from the Google Play Store. Only 10 per cent came from alternative third-party app stores.

A new Android banking malware family from Latin America, dubbed Ghimob, has been linked to a cybercriminal operation dubbed Operation Tetrade. Ghimob targets financial applications from banks, investors, forex services, and cryptocurrency exchanges. Users from Brazil, Paraguay, Peru, Germany, Angola, and Mozambique are targeted. The researchers highlight that compared to other mobile banking trojan families originating in Brazil, Ghimob is far more advanced and has increased features and better persistence.

The Ragnar Locker ransomware operators are exploiting Facebook advertisements in a new extortion tactic. The ads, shown to more than 7,000 users, were intended to pressure Italian beverage vendor Campari, which was hit on 4 November, into paying for a decryption key. The company has said it cannot guarantee that personal and business data was not stolen. Leveraging Facebook ads to pressure victims into paying is the latest addition to the ransomware operators' toolbox. They are intended to bring unwanted attention to the victim, increasing the reputational risk of the attack and, consequently, the likelihood of payment. If this technique proves successful, other advertising media and platforms could be targeted in future.

Schneider Electric has warned customers that the Drovorub Linux malware can impact its Trio Q Data Radio and Trio J Data Radio devices. A recent NSA and FBI security advisory attributed Drovorub to a division of the Russian General Staff Main Intelligence Directorate (GRU), better known as the headquarters of state-sponsored threat group Fancy Bear. Drovorub presents a serious threat to national security systems and defence industrial base customers that use Linux systems.

A new modular backdoor, dubbed ModPipe, is being deployed against Point-of-Sale (PoS) systems. ModPipe provides access to sensitive information stored on the Oracle Micros Restaurant Enterprise Series (RES) 3700, software that is used in hundreds of thousands of restaurants, hotels, and elsewhere in the hospitality sector. ModPipe is a sophisticated, new threat to organisations in the hospitality sector. By acquiring the database passwords, the attackers gain broad access to sensitive information even though the most sensitive data stored in devices running RES 3700 POS should still be protected by encryption.

Darknet

The operators of the DarkSide ransomware have officially adopted the Ransomware-as-a-Service (RaaS) model and have begun recruiting affiliates. The current terms for affiliates offer between 75 and 90 per cent of the ransom, depending on how large the pay-out is. In comparison to other RaaS models, these are relatively favourable terms, which underscores the increased leverage affiliates have with smaller ransomware groups. For previous ransomware groups, adopting the RaaS model has led to a temporary spike in attacks, which is likely due to new affiliates gaining access to the malware.

There have also been several notable databases leaked. @ShinyHunters has continued to leak databases on Raid Forums, with their latest offering stolen from HomeChef, a US-based meal kit and food delivery company. Notably, this was one of the databases @ShinyHunters offered on Empire market several months ago. It is currently unclear whether @ShinyHunters attempted to find a buyer elsewhere before leaking this data on Raid Forums.

We have seen multiple other databases for sale this week: the main one was Cit0dayin, a dump of 13 billion records from 23,618 different sources. The data has been posted to multiple forums with varying levels of completeness, as some of it is already being repackaged and sold as separate pieces, a common strategy to earn reputation on forums.

Several Initial Access Brokers were observed making Operational Security (OPSEC) mistakes this week. The same user offered access to a Brazilian bank, a list of vulnerable Fortinet SSL VPNs, and a multitude of databases – including those related to a Nigerian police force and a Japanese charity for greenhouse gases – as well as vulnerabilities. Cyjax analysts detected an act of darknet plagiarism, where access was offered for sale on a hacking forum and quickly stolen by another user on the forum, who then offered the access for a cheaper price and with a full DB behind it. The victim in this case was Pakistan International Airlines.


Geopolitical Threats and Impacts

Americas

ARGENTINA – GOVERNMENT SEEKS NEW IMF AGREEMENT, ELEVATING RISK OF UNREST

On 9 November, economy minister Martín Guzmán announced that the government will seek an Extended Fund Facility (EFF) lending programme from the IMF in talks beginning in Buenos Aires on 10 November. The EFF would replace a USD57bn stand-by agreement signed in 2018 under the administration of former President Mauricio Macri. Guzmán said that he aims to reach an agreement on a potential EFF package by April 2021. For decades, Argentina has been beset by economic problems, particularly related to high levels of public debt, inflation, and currency instability. The country has defaulted on its sovereign debt a total of nine times, including twice in the past two decades. Throughout much of this year, the country’s already-serious economic problems have been exacerbated by the coronavirus (COVID-19) pandemic, which has led to the mandated closure of businesses and restrictions on travel and assembly. The government’s request for an EFF, a long-term lending package typically requiring significant economic reforms, seeks to address these economic difficulties by meeting debt obligations and boosting investor confidence. The move, however, elevates the risk of social unrest, with many Argentinians blaming the IMF for previous economic crises and reductions in public spending.

PERU – VIOLENT PROTESTS IN LIMA; NEW PRESIDENT SWORN IN FOLLOWING IMPEACHMENT

On 10 November, dozens of supporters of impeached president Martín Vizcarra engaged in violent confrontations with police near the congress building in Lima, with the latter using tear gas and water cannon to disperse demonstrators. On Tuesday, congress speaker Manuel Merino was sworn in as the country’s interim president and vowed to oversee presidential elections on 11 April 2021. The protests highlight the tense political environment in the world’s second largest copper producer following Vizcarra’s impeachment. In addition to the present political turmoil, Peru is also facing dual public health and economic crises driven largely by the coronavirus (COVID-19) pandemic. Ahead of April’s presidential election, the volatile political and economic climate is likely to increase the prospects for outsider or minority party candidates to channel many voters’ discontent.

BELIZE – CENTRE-LEFT PARTY WINS ELECTION, ENDING 12 YEARS OF CONSERVATIVE RULE

In general elections held on 11 November, the centre-left People's United Party (PUP) won 26 of the 31 seats in the country’s lower house, securing their return to power after 12 years of conservative government under the United Democratic Party (UDP). On 12 November, PUP leader Johnny Briceño was sworn in as prime minister. The main issue in election campaigning was the poor state of the economy. The country’s important tourism industry has been badly affected by the coronavirus (COVID-19) pandemic, exacerbating existing economic difficulties. The IMF forecasts that the economy will contract 16 per cent in 2020, further complicating government efforts to address the country’s high levels of public debt, which are above 90 per cent of GDP. While Briceño highlighted the development of construction and road infrastructure as key election pledges, economic reform efforts are likely to be hampered by high debt levels and the economic impact of the pandemic.

Asia-Pacific

NORTH KOREA – ALLEGED HACKS LIKELY REFLECT INTENSIFYING ATTACKS AMID HEIGHTENED INSTABILITY

Microsoft on 13 November said that a Russian hacker group dubbed ‘Fancy Bear’ and North Korean threat actors the software firm calls ‘Zinc’ and ‘Cerium’ were part of recent attempts to breach the networks of seven pharmaceutical businesses and vaccine researchers in Canada, France, India, South Korea, and the United States. Most targets were entities involved in COVID-19 vaccine tests, and most attempted breaches failed, though an unspecified number succeeded. Russia responded by denying the allegations. North Korea has previously denied allegations of conducting cyberattacks. Increased attacks by threat actors are likely to reflect the economic instability in their home countries due to the pandemic and other factors. North Korean leader Kim Jong-un in a meeting of the politburo of the Workers Party ordered the tightening of state-emergency anti-COVID-19 systems over the pandemic, according to North Korean state news agency Korean Central News Agency on Monday (16 November). The North Korean economy is under considerable stress due to the combined effects of the pandemic, damages caused by a recent typhoon and related flooding, as well as long-standing sanctions. Such pressures are likely to cause North Korean threat actors to ramp up cyberattacks for monetary gain and to steal COVID-19 vaccine and treatment-linked intellectual property.

HONG KONG – ALL OPPOSITION LEGISLATORS RESIGN; INITIAL FOREIGN RESPONSE MUTED

Hong Kong’s de facto opposition lawmakers formally resigned from the territory’s Legislative Council (LegCo) on 12 November in protest over the expulsion of four of their colleagues the previous day by the local administration, widely viewed as acting on instructions from Beijing. Foreign countries with traditionally close ties to Hong Kong criticised the removal of the four lawmakers, with US National Security Advisor Robert O’Brien warning the ‘one country, two systems’ formula that served as the basis of post-colonial governance in the territory ‘is now merely a fig leaf covering for the CCP’s [Chinese Communist Party] expanding one-party dictatorship in Hong Kong.’ Foreign pressure to date has had little to no impact on Beijing’s decision to suppress what it views as ‘unpatriotic’ opponents in Hong Kong. A range of options for imposing state-backed formal sanctions on Hong Kong and China exist, but are at present unlikely beyond adding individuals deemed responsible for the removal of the legislators to a previous list linked to the introduction of China’s national security law in the territory.

THAILAND – WATER CANNON USE AT PEACEFUL BANGKOK RALLY SHOWS HARD LINE AGAINST PROTESTS

The Thai police used water cannon on 8 November in central Bangkok in a bid to disperse thousands of peaceful protesters calling for reforms to the country’s monarchy and the removal of the military-backed government. The military admitted that troops wearing yellow shirts, a symbol of support for the royal family, rather than uniform were also deployed to help control the protest. The use of troops wearing pro-monarchist clothing also highlights the role of the military in countering the protests. With no indication that the activists and their supporters are prepared to moderate their demands, notably for reforms to the monarchy, the government and the military can be expected to increase their efforts to control protests through an incremental use of force and deterrence. If such a policy is followed it is highly probable it will result in a confrontation that could result in greater instability and concomitant economic and reputational harm to the country.

Europe and Russia

GERMANY & UNITED STATES – US LAWMAKERS PLANNING EXPANSION OF NORD STREAM 2 SANCTIONS

The US is planning to expand sanctions on the Nord Stream 2 pipeline, which once completed will transport natural gas from Russia to Germany. Negotiations in the two houses of US parliament – the Senate and House of Representatives – culminated in an agreement that new sanctions should target insurers and technical certification firms involved in the project as part of the National Defense Authorization Act. According to a spokesperson for Nord Stream 2, the bill in its current form would directly or indirectly affect around 120 companies from over 12 European countries. The move forms part of a concerted US attempt to disrupt the completion of the pipeline, which it views as a threat to Europe’s energy security by increasing reliance on Russia. Earlier sanctions have already delayed the completion of the project as they discourage firms helping construct the pipeline, including targeting vessels laying undersea pipes or moving rock formations. Despite a strongly polarised political landscape following the 3 November US presidential election, the sanctions enjoy bipartisan support, indicating that a Joe Biden presidency is unlikely to reverse course on Nord Stream 2.

EU & US – BRUSSELS TO MOVE AHEAD WITH TARIFFS ON US GOODS

On 9 November, the European Commission Executive Vice President Valdis Dombrovskis confirmed that the EU will move ahead with plans to introduce up to EUR3.37 billion in tariffs on a range of imported US goods. The move is a retaliation for the US granting unfair state financial support to aircraft manufacturer Boeing. It follows similar US duties levied against EU products over EU aid provided to Europe’s Airbus and forms part of a long-running disagreement. Both the US and EU accuse each other of unfairly supporting the two main airplane manufacturing firms. The WTO found that both parties had granted unfair subsidies, allowing them to levy tariffs as penalties. The US acted first by imposing tariffs on a range of EU products, including wines and cheese. Goods including aircraft, chemicals, and citrus fruit are likely to be targeted as part of the EU retaliation, according to a preliminary list of US products worth USD20 bn. While trade tensions have deteriorated steadily under the presidency of Donald Trump, the election of Joe Biden as US president creates scope for compromise and a likely de-escalation. Importantly, once Biden assumes power in January this will help create a climate of confidence that both sides can rely on constructive talks to resolve differences.

UNITED KINGDOM – GOVERNMENT PUBLISHES LEGISLATION TIGHTENING FOREIGN INVESTMENT RULES

On 11 November, authorities will intervene to block takeovers and corporate transactions that pose a threat to national security. This comes as the government published details of new legislation – the National Security and Investment Bill – that would cover 17 sensitive industries including defence and energy. Government ministers will be able to intervene and enhance scrutiny on ‘malicious’ foreign investment. Companies will require regulatory approval for proposed transactions such as takeovers and intellectual property sales. Deals will be considered void if mandatory requirements are not met. The government said that most deals would be approved without intervention, adding that investment barriers would be kept low by giving decisions within a 30-day period. Failure to comply could lead to significant fines and executives may face imprisonment. Since 2012, there have been just 12 government interventions due to perceived national security threats on transactions. As the ruling Conservative Party enjoys a majority in the House of Commons – the lower house of parliament – the bill will likely receive parliamentary approval with few changes. As in Australia and the US, the proposed legislation highlights government efforts to tighten rules for foreign investment; takeovers involving overseas firms that are state-owned or have close links with foreign governments will receive additional scrutiny.

MENA and Central Asia

IRAQ & SAUDI ARABIA – AGREEMENT ON ARAR BORDER OPENING AS BILATERAL TIES STRENGTHEN

Saudi Arabian Crown Prince Mohammed bin Salman (MBS) and Iraqi Prime Minister Mustafa al-Kadhimi announced on 10 November that the Jadeedah Arar border crossing will open. Pledges were also made to bolster bilateral cooperation in areas such as security, tourism, and construction. Both sides also reaffirmed their commitments to complying with OPEC+ requirements and the stabilising of oil prices in the future. The opening of a new crossing at the Arar border signals a notable progression of strengthening ties between the two states after the original Arar crossing was partially reopened for commercial trade in October 2019 following its closure in 1991. The establishment of Jadeedah Arar will likely facilitate the bolstering of economic and trade ties while improving tourism access. Further potential areas of development that could be carried out in the medium-to-long term include projects related to electricity interconnection and energy. Saudi Arabia’s pledge to invest more into Iraq will likely be a welcome source of support, particularly given the growing levels of economic instability there.

ARMENIA, AZERBAIJAN, AND RUSSIA – FULL CEASEFIRE AGREEMENT, PROTESTS LIKELY IN ARMENIA

On 9 November, Armenian prime minister Nikol Pashinyan confirmed that he had signed an agreement with the presidents of Azerbaijan and Russia to end the war over the disputed area of Nagorno-Karabakh. The deal stipulates that Azerbaijan will retain areas of Nagorno-Karabakh that it captured during the conflict. It halts fighting between Azerbaijanis and ethnic Armenians, which first broke out on 27 September due to an Azerbaijani drive to recapture territory that has been occupied by ethnic Armenians since 1994. Under the truce, Russia will deploy around 2,000 peacekeeping forces to the front line and along the corridor that connects the disputed region with Armenia. The ceasefire notably came several hours after Azerbaijan announced that it had captured the strategically decisive city of Shusha, the second largest town in Karabakh, which signalled a major breakthrough for Azeri forces and effectively opened a viable assault route to enter Stepanakert, the de facto capital of the Republic of Artsakh. In reaction to the news, protesters stormed government buildings in the Armenian capital Yerevan and demanded that fighting continue. Meanwhile in Azerbaijan, celebratory gatherings have been reported in the capital Baku and the second city Ganja.

MOROCCO & WESTERN SAHARA – MOROCCAN ARMY DEPLOYS TROOPS INTO GUERGUERAT; ELEVATED CONFLICT RISK

In a statement, the Moroccan army confirmed that a military operation had been launched on 13 November in Guerguerat, a buffer zone on the southwest coast of the disputed Western Sahara region. Guerguerat is considered a ‘liberated territory’ under the control of the Sahrawi Arab Democratic Republic (SADR) but has been patrolled by the United Nations Mission for the Referendum in Western Sahara (MINURSO) since 2016. The Moroccan army said that the decision to send troops into the area was due to ‘provocations of the Polisario’ - a Sahrawi rebel national liberation movement aiming to end Moroccan presence. The deployment of troops comes after rising tensions in the region amid reports that Polisario forces had erected roadblocks and prevented 200 Moroccan truck drivers from passing through Guerguerat. According to MINURSO, the Polisario have committed dozens of violations against a freedom of movement agreement and Military Agreement No 1 in recent months, signalling rising opposition against Moroccan control in the region and diminished compliance with the ceasefire. This likely comes following a vote by the UN Security Council to renew the mandate of MINURSO, which was rejected by Polisario in a statement on 30 September. It detailed that this was because the mandate did not include any concrete actions to advance the possibility of a referendum on the self-determination of the Sahrawi people. The developments present a serious open conflict risk and could potentially result in the collapse of a fragile UN-brokered ceasefire that has been in place since 1991.

Sub-Saharan Africa

SOUTH AFRICA – CORRUPTION CHARGES AGAINST MAGASHULE LIKELY TO FURTHER POLARISE THE ANC

Police on 10 November issued an arrest warrant for Ace Magashule, the secretary-general of the ruling African National Congress (ANC) party. He faces corruption charges relating to a ZAR255 million (USD17 million) audit contract to remove asbestos from homes in disadvantaged communities during his time as premier of Free State province in 2014. The charges against Magashule are significant given his high-ranking role in the ANC. They come after President Cyril Ramaphosa in August pledged to root out corrupt practices from the ruling party, saying that party members convicted of corrupt practices would be forced to resign. The charges against Magashule are likely to further polarise the ANC, specifically between supporters of Ramaphosa and supporters of former president Jacob Zuma, who include Magashule.

CÔTE D'IVOIRE – POLITICAL LEADERS’ MEETING SIGNALS FIRST STEP TOWARDS DE-ESCALATION

President Alassane Dramane Ouattara and Henri Konan Bédié, the leader of the largest opposition party PDCI-RDA, met in Abidjan on 11 November where they agreed to continue their dialogue to de-escalate the high risk of violent anti-government protests and deadly inter-communal fighting following the 31 October presidential election. The meeting is a first step towards de-escalating the post-electoral crisis that was sparked by Ouattara’s re-election bid. Since August, at least 85 people have been killed, 484 have been injured, and several hundred have been arrested and charged for engaging in or inciting violence. The opposition will likely demand the release of detained figures. In response, the government will demand that the opposition drop plans to form a transitional government. Bédié’s presence at the meeting is also important to note, given his party’s large electoral support. However, it is unclear how other opposition parties will respond.

ERITREA & ETHIOPIA – ETHIOPIAN INSURGENCY CONFLICT SPILLING OVER INTO ERITREA WITH ROCKETS FIRED ON ASMARA

Late on 14 November, several rockets were fired on the Eritrean capital Asmara, striking Asmara International Airport and the Sembel residential area. This followed reports of a rocket impacting near the Eritrean Ministry of Information. However, this has not been officially corroborated. There were no immediate reports of any casualties. Immediate blame has been placed on insurgents from Ethiopia’s northern region of Tigray, namely the Tigray People’s Liberation Front (TPLF), who on the evening of 13 November launched multiple rockets on the Ethiopian towns of Bahir Dar and Gondar in Amhara regional state. The TPLF on 15 November claimed responsibility for the latest attack, and had previously issued warnings against the Eritrean government’s support for the Ethiopian military against the TPLF. This latest development marks a significant escalation in hostilities, threatening to pull in Eritrea’s military in greater scope and scale. As this conflict in Ethiopia looks very unlikely to end in the near term and further attacks are likely in this region, including on sovereign Eritrean territory, companies in Asmara are advised to ensure risk mitigation and crisis management plans are fit for purpose.