Geopolitical and Cybersecurity Risk Weekly Brief 7 September 2020

7 SEPTEMBER 2020

Executive Summary

In the last seven days, the Norwegian region of Hedmark suffered a cyber-incident overnight on 1 September resulting in some 10,000 public sector employees being unable to access their work email. It now transpires that this may have been the work of the Emotet botnet operators, potentially demonstrating a change in targeting away from business. This week Norway’s supreme legislature and parliament, the Storting, also reported that it had suffered a cyberattack in which data was downloaded by threat actors.

The FBI released a security advisory warning of an increased risk of Ransom Denial of Service (RDoS) attacks against businesses. These involve malicious actors threatening to launch DDoS attacks against a target if it fails to pay a Bitcoin ransom within six days. These threats do not appear to be acted upon, however. North America, APAC, and EMEA are at risk.

In unrelated news, over a dozen ISPs across Europe reported DDoS attacks against their DNS infrastructure. It is unclear who is responsible, but they could be linked to a criminal gang that has recently targeted financial institutions worldwide with DDoS extortion attacks.

Several major data breaches were reported this week but one of the most prominent is that of the American Payroll Association (APA) after a web skimmer was implanted on the organisation's website login and store checkout pages. The breach was discovered on 23 July but is thought to have begun on 13 May. The threat actor responsible for this attack has not been identified but is believed to operate under the Magecart umbrella, a skilled threat group which looks to monetise stolen data. APA customers’ information may, therefore, end up on the darknet.

In South Africa, construction company Stefanutti Stocks was hit by a data breach attack. This was the second major company in South Africa, following Experian, to be targeted in a significant cyber incident, demonstrating the rising threat to businesses.

Patching against newly reported vulnerabilities remains one of the key forms of defence for organisations in all sectors. A vulnerability of note affects Slack and could give a successful attacker full remote control over the app and access to private channels, conversations, passwords, tokens, keys, and various other functions. This could also facilitate further exploration of a user's internal network.

In the geopolitical sphere, one of the dominant themes of the past week has been the escalation in diplomatic and trade disputes between China and Western foreign governments. The US imposed new restrictions on Chinese diplomatic staff; Beijing suspended grain imports from Australia; and, as noted in last week’s report, the Czech Republic’s relations with China were set back after a senator declared solidarity with Taiwan.

Facebook expunged hundreds of fake accounts, groups and pages in Russia and Pakistan as part of efforts to tackle ‘influence operations’ ahead of the November presidential elections. In Lebanon, new prime minister designate Mustapha Adib will have up to a month to form his new government.

Conflict and civil and labour unrest have been notable this week. In Sudan, Khartoum and militant insurgent groups signed historic peace accords; there is cautious optimism surrounding the sustainability of peace, however, as not all critical stakeholders were in accord with the deal. Greece and Turkey remain in a standoff over the latter’s naval deployments in the eastern Mediterranean, placing NATO in a difficult position. In Guinea, the risk of civil unrest is rising as President Alpha Condé seeks re-election in the October polls.

In the Americas, there is a nationwide truckers’ strike in Chile that is severely disrupting the supply chain. In Jamaica, the ruling Jamaica Labour Party comprehensively won the general election, ensuring policy continuity in addressing the COVID-19 pandemic, ailing economy, and social insecurity. Economic development featured prominently in the Asia-Pacific (APAC) region and around the world: India’s economy contracted by 24 per cent in the second quarter, largely due to the pandemic; in China, surges in the price of corn are elevating food insecurity risks; and Turkey experienced a record decline in GDP in Q2. In Algeria, the government is ramping up port inspections in light of the major chemical explosion in Beirut.

Attacks and cybersecurity news

The Storting, Norway’s supreme legislature and parliament, has recently been targeted in a cyberattack. The Storting has issued a notice on its website stating a “small number” of email accounts of parliamentary representatives have been compromised and data has been downloaded. Representatives of the Storting and employees who have been impacted have been contacted and remediative measures have been implemented.

The Norwegian region of Hedmark suffered a cyber-incident overnight on 1 September resulting in some 10,000 public-sector employees being unable to access their work email or having been compromised. The email system, which is used by seven municipalities in Hedmark, was attacked by "foreign swindlers", according to county officials. This attack came just hours after the Storting had announced an attack on its own systems. That attack, which took place last week, has not been confirmed as connected to the Hedmark incursion, but both attacks were described as “extremely serious” and “refined.”

The Southeast Asia Freedom of Expression Network (SafeNet) recorded six cyberattacks against high-risk groups such as journalists, academics, and activists in Jakarta, Indonesia. Various platforms have been attacked, including Twitter accounts and media outlets. The Indonesian Ministry of Communications and Information, however, claimed that there is no evidence of government involvement in these attacks and urged the public to work with officials to help identify the attackers and stop the defacements and hacks. Concerns about government involvement in the attacks came about because the targets have previously been critical of the Indonesian administration.

Google has removed an Android application, named Nexta Live, from the Play Store. The app was used to collect the personal information of Belarusian citizens attending anti-government protests. To get installs, developers made the app look like the official application for Belarusian news agency Nexta. It was available for nearly three weeks and was downloaded thousands of times before its removal.

A Twitter account for the personal website of Indian Prime Minister Narendra Modi was hijacked. The account, which is the official Twitter handle for Mr Modi's personal website, sent a series of tweets on 2 September asking its more than 2.5 million followers to donate cryptocurrency to the PM National Relief Fund. Twitter has said it was aware of the malicious tweets and had secured the compromised accounts.

A new variant of the Thanos ransomware has been used in attacks targeting state-run organisations in the Middle East and North Africa. The latest variant has been configured to overwrite the master boot record (MBR), which is uncommon in ransomware and considerably more destructive than normal. The threat actors behind the attacks are believed to have had prior access to these organisations, as the samples contain credentials for systems on the victims' networks. Once successfully deployed, the Thanos variant creates a text file that displays a ransom message requesting the victim transfer $20,000 worth of Bitcoin into a specified wallet to restore the files on the system.

Over a dozen internet service providers (ISPs) across Europe reported DDoS attacks against their DNS infrastructure. This includes Belgium's EDP, France's Bouygues Télécom, FDN, K-net, SFR, and the Netherlands' Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl. It is unclear who is responsible for these attacks, but they could be linked to a criminal gang responsible for recent DDoS extortion attacks against financial institutions across the world, such as the New Zealand stock exchange, Venmo, and PayPal. Those attacks subsided as the attacks against the ISPs started. Additionally, sources claim that the same group responsible for the financial service attacks also targeted several ISPs in Southeast Asia just weeks before.

The FBI has warned US organisations that companies worldwide are being threatened with DDoS attacks unless they pay a Bitcoin ransom within six days. Targeted sectors include retail, financial, travel, and e-commerce. The so-called Ransom Denial of Service (RDoS) campaign started on 12 August. The FBI did not say which regions were targeted, but Israeli cybersecurity firm Radware also issued an alert about the attacks, claiming that reports have been received from North America, APAC, and EMEA regions. Organisations hit by this RDoS campaign have reported small ‘demo’ attacks after receiving the ransom notes. When the time on the threats expired, however, these were not followed by actual attacks.

Data breaches, fraud, and vulnerabilities

DATA BREACHES

The American Payroll Association (APA) has disclosed a data breach affecting its members and customers after a web skimmer was implanted on the organisation's website login and store checkout pages. The breach was discovered on 23 July but is thought to have begun on 13 May. The attackers exploited a security vulnerability in the APA's content management system (CMS) to infiltrate the site and online store. This allowed them to collect sensitive information and exfiltrate it to attacker-controlled servers. Data stolen includes login information such as usernames and passwords, and individual payment card information. The threat actor responsible for this attack has not been identified but is believed to operate under the Magecart umbrella.

Bykea, a Pakistani vehicle hire and parcel delivery firm, has been involved in a cyber-related incident during which threat actors infiltrated the organisation’s IT systems and deleted its online database. This attack has not been attributed to any known malware or threat actor. It is, however, reminiscent of the Meow wiper campaign that targets unsecure, exposed databases and destroys the data. The deployment of cryptocurrency miners, however, is not a documented TTP of the attackers behind the Meow wiper.

US mobile operator Assist Wireless has accidentally exposed thousands of personal customer documents on its website. Assist Wireless provides free government-subsidised phones to low-income households. The section of its website where users submit information to verify their eligibility for a free phone and plan was found to have leaked customer data.

An unsecured Amazon Web Services (AWS) server has been discovered that belongs to View Media, an online marketing company based in the US. The AWS bucket contained over 38 million records of US users. Anyone with the bucket URL could have accessed the records, which included full names, email addresses, home addresses, phone numbers, and ZIP codes. Unsecured AWS buckets are relatively easy to find, presenting a high risk of compromise.

RANSOMWARE

Ransomware leak sites have been populated with just under 50 new victims from across the world this week. Maze, NetWalker, SunCrypt, Conti, REvil, and Pysa have all added new victims, with Maze adding close to 15 on its own. Avaddon has also recently received an extensive update that adds a multitude of new features.

The Smaug ransomware-as-a-service (RaaS) was first advertised in late April 2020 and has since become popular amongst the cybercriminal community. Like many other ransomware strains, Smaug operators charge a 20% service fee to their distributors, but they also ask for a registration fee of 0.2 Bitcoin, which is higher than many other public RaaS offerings.

Smaug is a robust and full-service RaaS but differs slightly from other offerings such as Nemty and Zeppelin. One of the most important differences is Smaug's multi-platform support, and its ability to apply a single encryption key to an entire body of infected hosts, such as a whole company.

This ransomware also has offline capabilities, meaning it does not require an internet connection to execute itself and encrypt a device. It has advanced antivirus evasion processes, and its payloads have been constructed to leave minimal evidence of their presence.

FRAUD

A phishing campaign is targeting financial services across Africa. Emails masquerading as Standard Bank, Absa, and Nedbank continue to spread. The largest of these campaigns targeted Nedbank customers. The attacks are not sophisticated and leverage an older phishing technique that involves attaching HTML files that collect credentials and other sensitive information. The threat actors appear to be attempting to exploit a weakness in at least one of these financial institutions' security teams.

ThiefBot, a new Android banking Trojan, is targeting mobile banking users in Turkey. ThiefBot masquerades as a Google Play Store Android Package file (APK) which asks for malicious permissions. This allows the attackers to send and receive SMS messages, remotely access the mobile’s storage, read contacts, activate the camera, and turn on Android accessibility services. The injected overlay pages found in the current version of ThiefBot are targeting Papara Payment Services, Finans Bank, Garanti Bank, IsCep Mobile Bank, Vakif Bank, Ziraat Bank, and AkBank.

A new phishing campaign has been observed targeting Portuguese users and impersonating Novo Banco. The user is sent a phishing URL which redirects to the main landing page - a compromised WordPress site. The victim is asked to enter their accession number to access their banking homepage. They are then told to enter their PIN and phone number.

VULNERABILITIES

QNAP NAS systems are being targeted by threat actors attempting to exploit an older RCE vulnerability. Researchers reported the vulnerability to the vendor on 13 May and were told that it had been fixed in a previous update. However, there are still many unpatched devices exposed to the internet. The attackers are reportedly sparing in their use of the RCE exploit, to maintain its longevity and viability. QNAP is used for file sharing, virtualisation, storage management, and surveillance applications. These systems are often used for backing up important files and storage for other sensitive data. This makes them high-value targets for cybercriminals, especially if they are unpatched and exposed to the internet.

A vulnerability in the File Manager plugin for WordPress is being actively exploited in the wild. File Manager has more than 700,000 installations. The vulnerability allows attackers to upload files containing webshells hidden inside images. This facilitates remote-code-execution (RCE) in the plugins/wp-file-manager/lib/files/ directory. More than one million WordPress sites were probed and attacked in the seven days following the exposure of this flaw. The attacks started relatively slowly but intensified over the course of the week, with some 1.7 million WordPress sites attacked.
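Added example, not part of the original brief: a minimal Python check that scans web server access logs for requests to script-like files under the plugins/wp-file-manager/lib/files/ directory named above, including names that pair an image extension with a script extension. It assumes Apache/Nginx combined log format; the extension lists are assumptions to adapt to your server, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Directory named in the brief; files uploaded through the plugin land here.
UPLOAD_DIR = "plugins/wp-file-manager/lib/files/"

# Assumption: extensions your web server may pass to the PHP interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "ico", "bmp", "webp"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(path):
    """Return a reason string if the request path looks suspicious, else None."""
    decoded = unquote(path).lower()          # undo %-encoding such as %2E
    idx = decoded.find(UPLOAD_DIR)
    if idx < 0:
        return None                          # not in the plugin's upload directory
    filename = decoded[idx + len(UPLOAD_DIR):].rsplit("/", 1)[-1]
    exts = filename.split(".")[1:]           # every extension, not only the last
    if not exts:
        return None
    if exts[-1] in SCRIPT_EXTS:
        if any(e in IMAGE_EXTS for e in exts[:-1]):
            return "script-with-image-name"  # e.g. banner.jpg.php
        return "script-in-upload-dir"
    if exts[-1] in IMAGE_EXTS and any(e in SCRIPT_EXTS for e in exts[:-1]):
        # Can still execute where handlers match on any extension in the name.
        return "image-with-script-extension"
    return None


def scan(lines):
    """Yield one finding per suspicious log line; 'served' marks 2xx responses."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip blank or malformed lines
        path = urlsplit(m["target"]).path    # drop the query string
        reason = classify(path)
        if reason:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": unquote(path),
                "status": int(m["status"]),
                "reason": reason,
                "served": m["status"].startswith("2"),
            })
    return findings


# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = """
192.0.2.10 - - [03/Sep/2020:10:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2020:10:02:17 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.7 - - [03/Sep/2020:10:02:40 +0000] "POST /wp-content/plugins/wp-file-manager/lib/files/banner.jpg.php?v=1 HTTP/1.1" 200 88 "-" "curl/7.68.0"
203.0.113.44 - - [03/Sep/2020:10:05:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/a%2Ephtml HTTP/1.1" 404 196 "-" "python-requests/2.24"
203.0.113.44 - - [03/Sep/2020:10:05:09 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/photo.php.jpg HTTP/1.1" 200 640 "-" "python-requests/2.24"
192.0.2.10 - - [03/Sep/2020:10:06:00 +0000] "GET /wp-content/themes/site/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.strip().splitlines()):
        flag = "SERVED" if f["served"] else "not served"
        print(f'{f["time"]} {f["ip"]} {f["status"]} {flag} {f["reason"]} {f["path"]}')
```

Findings marked as served deserve priority, since a 2xx response means the file existed at that path when it was requested.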

There is a pre-auth remote code execution (RCE) vulnerability in vBulletin (CVE-2020-17496) that is being exploited in the wild to deploy malware. The exploit bypasses a fix of the previous vulnerability CVE-2019-16759. This allows attackers to send a crafted HTTP request with a specified template name and malicious PHP code and leads to remote code execution. Over 100,000 websites are built with vBulletin, many of which are used for forums of major enterprises and organisations. vBulletin released the patch to fix this vulnerability on 10 August 2020.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • A critical vulnerability in Slack could allow remote code execution. Slack desktop apps should be upgraded to at least version 4.4 to avoid potential exploitation.
  • Cisco Talos has disclosed multiple vulnerabilities in OpenSIS. The product is used by schools for student information management for K-12 districts in the US.
  • US CISA has issued a security advisory for a vulnerability present in multiple Mitsubishi Electric ICS products.
  • Two vulnerabilities, tracked as CVE-2020-5777 and CVE-2020-5776, have been disclosed in the Magento Mass Import (Magmi) plugin which could allow for remote code execution attacks. A patch has been issued for CVE-2020-5777, which should be applied as soon as possible. There is still no patch available for CVE-2020-5776, but the flaw can be mitigated by disabling or uninstalling the plugin altogether until a patch is available.
  • Tencent issued a security advisory over multiple high-risk vulnerabilities disclosed in plugins for the Jenkins automation software.
  • Cisco addressed a critical remote code execution vulnerability affecting multiple versions of Cisco Jabber for Windows (CVE-2020-3495).

APT ACTIVITY AND MALWARE CAMPAIGNS

APT ACTIVITY

New activity has been linked to APT29. Several ELF binaries of the WellMess malware were uploaded to VirusTotal by a user in China. The samples are reportedly UPX-packed and share similarities with the ELF version of the WellMail malware. In July, the UK NCSC and US NSA released a joint public security advisory stating that a Russian state-sponsored group, tracked as APT29, had infiltrated organisations involved in coronavirus vaccine development. The malware involved in these attacks included WellMess, WellMail, and SoreFang. WellMess is Golang malware that has been used by APT29 since at least 2018. It is designed to execute arbitrary shell commands and can upload and download files.

JPCERT/CC has issued a security advisory for a malware campaign orchestrated by the Lazarus group that is targeting Japanese organisations. In this campaign, the North Korean threat actors are reportedly pushing different types of malware during and after the initial intrusion. The malware used is a downloader Trojan that delivers additional payloads and executes them. The malware is obfuscated using VMProtect, demonstrating that North Korean threat actors are still open to working with other cybercriminals, previously evidenced with their use of the TrickBot banking Trojan.

The North Korean threat group Thallium (also known as Kimsuky or SmokeScreen) has launched multiple new spear-phishing campaigns across the Asia Pacific region. Tailored spear-phishing emails with Google Drive links deliver malicious DOC and HWP document files that contain embedded macros. If these are enabled, an encrypted payload is downloaded that connects the victim’s device to the attacker’s C&C server. Businesses, journalists, and a media organisation are all at risk, with the lures focussing on North Korean ‘defectors’ and a ‘nuclear test site’.

MALWARE

VISA Payment Fraud Disruption (PFD) has reported on a previously undisclosed JavaScript e-commerce skimmer, dubbed Baka. The skimmer was discovered while analysing a Magecart group’s C&C server and had already infected several merchant websites across multiple geographies. The Baka JS skimmer contains many features that can be found in other common skimmers. However, its advanced design indicates it was developed by a skilled malware author. Researchers recently uncovered another new Magecart skimmer leveraging Telegram to exfiltrate stolen credit cards. This is not the first skimmer to abuse third-party services, however: skimmers were found leveraging Google Analytics in June.

The operators of the Shlayer macOS malware successfully bypassed Apple's automated notarising process, a procedure that has been in place since February 2020 and requires all macOS software distributed outside the official App Store to be notarised by Apple before it can run on macOS Catalina and above. Apple mistakenly notarised macOS software containing the Shlayer malware, which was being distributed through a malicious website. The installers can be executed on any Apple computer without being automatically blocked on launch, allowing the threat actors to deliver the payloads to systems where the installers would previously have been blocked. Upon discovering the malware, Apple quickly revoked the initial sample's certificates. The campaign, however, continued to serve new payloads and is still active today.

A new malicious spam campaign, dubbed Operation Epic Manchego, is distributing macro-enabled documents that deliver infostealers. These harvest passwords from browsers, email clients and other information repositories. Targets were primarily located in the UK and US, Spain, Turkey, Korea, and China.

Six applications on the Google Play Store have been found to contain the Joker Trojan. These apps pose as legitimate services and currently have over 200,000 combined downloads: Convenient Scanner 2; Separate Doc Scanner; Safety AppLock; Push Message-Texting&SMS; Emoji Wallpaper; Fingertip GameBox. The apps loaded and executed external code only once they had been published on the Play Store, keeping their malicious nature hidden from moderators. Once installed, Joker simulates clicks and intercepts SMS messages to subscribe the victim to unwanted premium services.

A new cryptomining malware with information-stealing capabilities, dubbed KryptoCibule, hijacks a computer’s resources to mine cryptocurrency; it can also detect cryptocurrency wallet addresses in the clipboard and replace them with its own. The TOR network and the BitTorrent protocol are also used extensively in its communication infrastructure. The name KryptoCibule derives from the Czech and Slovak words for “crypto” and “onion”. The malware can be traced back to December 2018. It mainly targets users in the Czech Republic and Slovakia. It is spread via malicious torrents that were mainly available on ‘uloz.to’ - a popular Eastern European file-sharing site.

DARKNET

After the fall of Empire market last week, the drug marketplace landscape has been thrown into chaos. Numerous new markets have appeared to coax users away from bigger markets as users increasingly believe these more established concerns will exit scam at some point soon. This rapid increase in market numbers has happened after the fall of every big market in the past.

Distrust on the forums is rife, with petty squabbles becoming site-wide fights and big names becoming the focus of users’ ire. Discussions of solutions to the exit scam question have led many users to put their faith in multi-signature markets that do not use escrow. This is intended to make it almost impossible for market owners to exit scam. The markets up next appear to be the privacy-centric ones, White House Market and Monopoly Market, with some classic escrow-run markets, like Icarus, making a show of accepting users from Empire.


Geopolitical Threats and Impacts

Americas

CHILE – Truck Drivers’ Strike Ends as Government Pledges to Improve Security

On Wednesday (2 September), the CNTC truck drivers’ union announced the end of a week-long nationwide strike after it reached an agreement with the government on measures to improve security. Authorities have pledged to boost security for drivers and their vehicles in the central Araucanía region, where truckers have been targeted in violent attacks as part of a long-running conflict between Mapuche people, who demand greater autonomy and the return of ancestral lands, and the Chilean state.

The strike had caused widespread disruption to supply chains, particularly for fresh fruit and salmon, prompting warnings from industry bodies on to exports. Its lifting, therefore, de-escalates the risk of supply-chain disruption, although there is a moderate-to-high likelihood of some residual delays to exports scheduled to depart Chilean sea and airports this week.

JAMAICA – Ruling JLP Secures Landslide Victory in General Election

The ruling Jamaica Labour Party (JLP) of Prime Minister Andrew Holness won a landslide victory in the country’s general election held on Thursday (3 September). The centre-right JLP won 49 of the 63 seats in the lower house, while the opposition centre-left People's National Party secured the remaining 14 seats.

The election result grants the conservative JLP a sizeable majority in the lower house for the five-year parliamentary term. In the immediate aftermath of the election, political and public attention is likely to remain on topics which dominated the electoral campaign. Most notably, these are the COVID-19 pandemic, efforts to support the national economy, and addressing violent crime and insecurity. While Holness’ administration was successful in tightly limiting the virus’s spread in the first months of the pandemic, new cases have accelerated rapidly in the past three weeks. Constraining the virus’s spread will be key for the country's important tourism sector, which has been hit hard by travel restrictions and a global downturn in commercial aviation.

US & CHINA – US Imposes New Restrictions on Chinese Diplomats, Including University Visits

On Wednesday (2 September), Secretary of State Mike Pompeo announced new restrictions on Chinese diplomatic personnel in the US, amid growing concern in Washington over Chinese influence operations and espionage, and demands for reciprocal treatment for both countries’ diplomats. Senior Chinese diplomats must now receive State Department approval to visit US university campuses or hold events with more than 50 people outside of their diplomatic mission. Responding to the announcement, the Chinese embassy in Washington, DC, described the move as a ‘mistake’ and ‘unjustified’, while Chinese foreign ministry spokeswoman Hua Chunying said that Beijing would make ‘legitimate responses’ to the restrictions.

The latest measures respond to long-standing US concerns over Chinese influence campaigns, particularly targeting US universities and their research agendas. Practically, the measures will potentially hamper collaboration between US universities and Chinese authorities in the medium-to-long term. More immediately, the measures mark a new worsening of already-poor bilateral relations. There is a high likelihood that Beijing will retaliate by imposing new restrictions on US interests in China, potentially further restricting the movements or activities of US diplomats or media personnel.

Asia-Pacific

AUSTRALIA & CHINA – Chinese Customs Suspend Grain Imports from Key Australian Shipper

China’s customs officials have suspended barley imports from Australia’s largest grain exporter after they claimed a recent shipment contained ‘harmful weeds.’ On Tuesday (2 September) Western Australia-based CBH Grain Pty, which accounts for around 30 per cent of Australia’s total grain production, said its barley exports had met all China’s stringent import requirements and that there was no evidence to support the allegation.

China’s decision to suspend barley shipments is widely viewed as a further effort by Beijing to apply pressure on Canberra over policies China views as hostile. To date almost all efforts by China to signal its opposition to Australia’s actions, notably regarding calling for an investigation into the origins of the coronavirus pandemic, have targeted agricultural products rather than mineral imports such as iron ore, coal, crude oil and natural gas. Any major reduction in demand for these key sectors would mark a significant deterioration in ties between the two countries that could further impact Australian commercial interests in China.

CHINA – Spikes in Corn Prices Fuel Concerns Around Food Security

On Sunday (30 August) corn prices in northeast China’s Jilin province reached RMB2,250-2,260 (USD323-324) per ton, while prices in east China’s Shandong province exceeded RMB2,600 per ton last week, according to local media. Surging corn prices are further fuelling concerns over potential food shortages, as food inflation has risen to its highest point in more than a decade.

The developments add to mounting concerns around food security in the country. Corn has been the subject of focus recently, as a storehouse unit of the China Grain Reserves Cooperative (Sinograin) last week imposed a ban on all photographic equipment from its granaries: a video of what appeared to be spoiled corn in a Sinograin warehouse had circulated on Weibo in mid-July, prompting questions about the quality of corn reserves. Food security concerns are being driven by several coinciding threats, including a further insect plague. The presence of crop-ravaging armyworm in Liaoning province in the country’s northeastern corn belt – which produces half of the country’s corn – has recently been recorded for the first time. Food insecurity could seriously undermine confidence in the ruling Communist Party and translate into social and political unrest in the medium-to-long term.

INDIA – Economy Contracted by Almost 24 per cent in Second Quarter

Data released by the Indian government on Monday (1 September) showed the country’s economy had contracted by at least 23.9 per cent in the second quarter of 2020 after coronavirus lockdown restrictions affected employment and business activity. The contraction, one of the highest recorded in the world, is even greater if India’s huge but hard to quantify informal economy is included. The country’s construction, manufacturing and transport sectors are among those most severely affected by the lockdown’s impact on economic activity that created India’s deepest recession since 1996.

In addition to the impact on individuals and businesses, the loss of such a huge volume of economic activity, particularly among the millions of the country’s poorest citizens who rely on steady but small amounts of money to survive each day, is certain to increase political and social instability.

Europe

GREECE & TURKEY – Athens Denies NATO Statement on Deal to De-Escalate Security Tension

On Thursday (3 September), Greek officials denied a NATO statement that Greece and Turkey had agreed to ‘technical talks’ in a bid to de-escalate the tense situation in the Eastern Mediterranean. Athens affirmed its stance that tensions would ease only ‘with the immediate withdrawal of all Turkish ships from the Greek continental shelf’.

The latest development signals the challenges NATO has when trying to create a platform for discussion among its members. Relations have steadily worsened in recent months, while France has sent its Charles de Gaulle aircraft carrier to the Eastern Mediterranean, a strong sign of support for Greece that also serves as a deterrent to Ankara. At present, neither side is willing to back down or appear to compromise, especially since tensions relate to the sensitive issue of territorial integrity. While overt and conventional conflict remains unlikely, the prospects for accidental clashes remain heightened amid a strong presence of military assets in the region.

RUSSIA, PAKISTAN & US – Facebook Confirms Crackdown on Fake Accounts

US-based technology firm Facebook removed three networks of fake accounts last month located in Russia, Pakistan, and the US as part of an effort to tackle ‘influence operations’ on the platform. On 1 September, the firm confirmed deleting a ‘small network’ based in Russia consisting of 13 Facebook accounts and two pages linked to individuals associated with the Internet Research Agency (IRA), widely referred to as the ‘troll farm’ that sought to interfere with the 2016 US presidential election. In Pakistan, another network comprised of 453 user accounts, 103 pages, and 78 groups was removed, and a related 107 Instagram accounts were deleted.

Facebook said the networks it took down had established pages to ostensibly resemble news agencies, making the content appear more legitimate. By publicly confirming actions it has taken to crack down on disinformation and fake news, Facebook is seeking to regain the confidence of US government officials and lawmakers, who have consistently criticised the firm for failing to decisively respond despite repeated warnings. Importantly, it indicates that malicious actors are intent on launching elaborate disinformation campaigns aimed at influencing the election result.

MENA and Central Asia

ALGERIA – Ramped Up Port Inspections Amid Movement of Unsecured Chemical Stockpile

The news outlet Algerie360 reported on Wednesday (2 September) that 40 containers holding a total of 1 million litres of a highly flammable kerosene derivative substance have been held since 17 March 2020 at the port of Skikda, located in the northeastern Skikda city. The chemical was scheduled for export to Mauritania. However, port authorities blocked the shipment and accused the exporters of ‘false declaration of goods’ after carrying out sample tests that indicated the cargo containers held pure kerosene, which in this form can be used as fuel.

The interior ministry responded to reports on Thursday (3 September) that large quantities of a highly flammable chemical were being kept at Skikda port, stating that the load had been moved to a ‘safe and supervised’ place on 18 August and no longer constituted a danger. The movement of the substance follows the recent explosions at the port of Beirut on 4 August, which killed over 200 people and injured a further 6,000. On 11 August, the Algerian Port Service Group, Serport, ordered port company managers across the country to increase the number of inspections and evaluations when processing damaged or waiting products at ports.

TURKEY – Historic GDP Contraction of 11 per cent in Second Quarter

According to data published by the Turkish Statistical Institute on 31 August, the economy shrank by 9.9 per cent in the second financial quarter, marking the largest downturn on record. Gross domestic product contracted by 11 per cent between April and June, a significant downturn from the 4.4 per cent growth in the first financial quarter. This growth was likely brought about by an accelerated credit stimulus implemented by the government in early March in an effort to curb the economic blow of COVID-19, further bolstered by a booming construction sector that grew significantly in the final quarter of 2019.

Despite these stimulus measures, the newly released data is a strong indication that the economy has been detrimentally impacted, bolstering predictions that the economy will contract in 2020. Particular pressure has been placed on the manufacturing and servicing sectors, which contracted by 18 per cent and 25 per cent respectively across the second quarter due to the near standstill in all commercial activity brought about by lockdown. Since 1 June, nationwide lockdown restrictions have relaxed, raising the likelihood that economic activity will rebound in the third quarter. However, Turkey has burned through billions of dollars in reserves in an effort to retain the currency’s peg. It is likely that this expenditure will have a lasting impact on the lira’s stability in the medium-term outlook, especially with the currency slumping to a record low against the Euro in late July. In reaction to this, interest rates are at risk of being inflated by the central bank in the coming months, which would likely have a negative impact on the economic recovery process in 2020.

SUB-SAHARAN AFRICA

GUINEA – President’s Re-Election Bid Raises Violent Protest Risk Ahead of 18 October

Ruling party RPG-Arc en ciel on Monday (31 August) announced that President Alpha Condé would seek re-election on 18 October. The announcement also confirmed that the CDCC coalition, which was announced in May, was backing Condé’s bid. The opposition and civil society coalition, FNDC, on Tuesday (1 September) said the move was unsurprising and called for a broad-based mobilisation of opposition forces to stage imminent protests against his third-term bid.

The FNDC and many opposition groups consider the president’s re-election plan unconstitutional, due to a two-term limit on presidents. The anti-government coalition remains a powerful political force and will likely mobilise thousands of protesters onto the streets of Conakry and other cities in the one-month outlook. A flashpoint date for protests is likely to be 8 September, the deadline for presidential candidate applications.

SOUTH AFRICA – Stefanutti Stocks Holdings Construction Company Affected by Data Breach

Construction and infrastructure company Stefanutti Stocks Holdings on Tuesday (1 September) confirmed its ICT infrastructure had been affected by a data breach the previous day and that it would report the incident to the relevant authorities, according to media reports on 2 September. In a related development, Ireland-headquartered business and credit-information company Experian admitted on Tuesday (1 September) that information obtained in a major data breach confirmed on 19 August was available online.

Some interruption and delay of services is probable and may also impact some of its subsidiary operations across Southern and West Africa as well as in the United Arab Emirates. The availability of Experian data online confirms our warning on 25 August. More broadly, both incidents underscore escalating cyber-security risks, which may have an operational impact as well as legal and financial implications for companies.

SUDAN – Government and Non-State Armed Groups Sign ‘Historic’ Peace Deal

The transitional government and five non-state armed groups (NSAGs) – four of which are based in the western Darfur region and one in South Kordofan – on Monday (31 August) signed a peace agreement during a ceremony in the South Sudanese capital, Juba. The broad-based agreement includes important provisions relating to the disarmament, demobilisation, and reintegration (DDR) of NSAG fighters into the Sudanese security forces. Nevertheless, a Sudan Liberation Movement (SLM) splinter group led by Abdelwahid el-Nur and a branch of the Sudan People’s Liberation Movement-North (SPLM-N) headed by Abdelaziz al-Hilu have refused to sign the deal.

The signature and wide support from Western and Gulf-based partners signal a de-escalation in the country’s overall stability risk. However, the refusal by two armed groups to sign the agreement suggests some underlying issues, including with regard to land ownership and DDR, are outstanding. Repeated delays to reform plans announced last year by the Sovereign Council indicate that implementation setbacks for the peace agreement are also probable in the one-year outlook.