Geopolitical and Cybersecurity Risk Weekly Brief - 18 January 2021

18 January 2021

Executive Summary

There is a considerable amount of attention on the imminent inauguration of President-elect Joe Biden in the US. His administration is going to usher in significant changes in foreign and domestic policies, which will have important implications for geopolitics and cybersecurity this year. In the immediate term, however, there is an intense focus on the events and developments revolving around the exit of President Donald Trump and his most hardcore political and grassroots supporters. In the run-up to the 20 January inauguration in Washington DC, there are credible threats of violent unrest and terrorist attacks in the national capital and major urban centres across the country. From a policy perspective, the Biden administration is expected to introduce a USD1.9 trillion economic rescue package, including a major cash injection to rein in the COVID-19 pandemic.

Meanwhile in the APAC region, European businesses could start to significantly feel the impact from the US-China trade war and China’s push towards technological self-sufficiency, according to an EU-Mercator Institute report, which concludes that business confidence and sentiment are falling. Japan has imposed a state of emergency to control the spread of coronavirus, which is likely to further impact an already depressed economy.

European companies involved in the Nord Stream 2 pipeline project are under threat of US sanctions, which may be enforced under the Biden administration. In the UK, businesses are under threat of fines under the Modern Slavery Act if imported goods from China are connected to forced labour in Xinjiang province. Regulatory challenges from Brexit forced DB Schenker to halt shipments from the EU to the UK, adding to a number of foreign trading companies experiencing similar issues.

In the MENA and Sub-Saharan Africa regions, the Iranian government banned COVID-19 vaccines made in the UK and US, underscoring how political risks impact foreign trade. In Kuwait, political instability rises as prime minister tenders resignation. East African regional stability is under threat as Ethiopia and Sudan intensify border hostilities. In South Africa, Santam insurance company has lowered the terms of coronavirus related business interruption claims, elevating the threat of closures of SMEs across the country.

Threat actors have been using COVID-19 vaccine-themed lures in multiple large-scale social engineering attacks which have led to malware, credential phishing, and BEC attacks. Organisations and brands with name recognition, such as World Health Organization (WHO), DHL, and vaccine manufacturers, have been abused in these campaigns.

A domain, “solarleaks[.]”, which was registered on 12 January 2021, is allegedly offering information connected to the SolarWinds supply chain attack. The website creators are offering what they claim is the source code for Microsoft, Cisco, and SolarWinds products, as well as the FireEye Red Team tools. It appears this may be directly connected to the groups responsible for the attack.

The past week saw all major software companies roll out the first Patch Tuesday releases of 2021. This includes Microsoft, Cisco, SAP, and Adobe. All patches should be applied as soon as possible.

 

Attacks and cybersecurity news

British Foreign Office systems were breached during a cyberattack that targeted the Wilton Park Government outpost, a 16th century mansion located in West Sussex. Wilton Park hosts high-level discussions about global security and was reportedly breached in December 2020. Government officials have claimed that there is no evidence of data having been stolen. Officials have also said that the breach on Foreign Office systems is not connected to the SolarWinds supply chain attack.

Researchers have connected two email addresses exploiting the name of a prominent bulletproof hosting provider, Media Land, to create new Magecart infrastructure. The emails were used to register over 1,000 domains for skimming, phishing, and other malicious activities. The domains used in these campaigns have been linked to several different skimmers used by Magecart in the past. It is unclear, however, if the emails are directly controlled by the threat actors or are part of a third-party service. These domains imitate a variety of different organisations, including financial institutions, and technology companies such as Facebook, Google, Microsoft, and Apple, several of which host various card skimming malware, including Meyhod, Grelos, and Inter skimmers. The campaign does, however, show how interconnected the Magecart family is: it is unlikely that one group is hosting all of these different skimmers on the domains, suggesting that multiple groups may be working together.

Google Project Zero (GP0) has published a six-part series detailing a sophisticated attack campaign that leveraged multiple exploits for 0day vulnerabilities in Chrome, Windows, and Android. The campaign was first discovered in Q1 2020 and was orchestrated by an unspecified threat group. As noted by GP0, the exploit developers designed attacks for efficiency and flexibility by making them modular. The use of exploits for multiple 0day vulnerabilities, mature logging, calculated post-exploitation techniques, and high volumes of anti-analysis and target checks demonstrate the attacker’s advanced nature. GP0 believes that only experts could have designed and developed these exploit chains.

In an advisory released on 13 January, the Reserve Bank of New Zealand has revealed that attackers gained access to its systems by breaching the Accellion FTA file sharing service. The system has now been taken offline and secured while an investigation takes place. A statement from Accellion adds that it was made aware of a 'P0 vulnerability' in its FTA software in mid-December 2020, when a patch was deployed to all affected customers. Researchers claim that "the timeframe behind the released patch and when the attack on RBNZ occurred was too short to apply the patch effectively." This is because the patch was released on 24 December 2020, and the bank was attacked on 25 December 2020, indicating that the attack is likely to have occurred around the same time or before the patch was implemented.

A new malware campaign, dubbed Operation Spalax, is reportedly exclusively targeting Colombian entities. The campaign is still ongoing and targets the government and private organisations, with a focus on the energy and metallurgical sectors. The attacks have scaled up from a handful of C&C servers to a sprawling infrastructure network of infected devices and their masters. This targeted malware campaign has evolved since it was first disclosed in February 2019. QiAnXin researchers track the APT behind these attacks as APT-C-36 or BlindEagle. Once the group has established a foothold in target systems, it moves laterally to compromise additional systems. The primary objective appears to be the theft of strategic intelligence, business intelligence, or intellectual property.

Investigation into the SolarWinds attack continues. CrowdStrike released details of a third malware family that was used in the intrusion. Dubbed SUNSPOT, this implant was deployed into the SolarWinds build environment to inject the SUNBURST backdoor into the update server of the Orion platform. Separately, Mimecast has disclosed a breach in which a threat actor compromised one of the certificates that the company issues for customers to connect Microsoft 365 Exchange to their services. This incident may be connected to the recent SolarWinds supply chain attack; the company has neither confirmed nor denied this.

 

Data security, fraud, and darknet

Data Security

Cyjax analysts uncovered a domain, “solarleaks[.]”, which was registered on 12 January 2021 and is allegedly offering information connected to the SolarWinds supply chain attack. The website creators are offering what they claim is the source code for Microsoft, Cisco, and SolarWinds products, as well as the FireEye Red Team tools. We are unable to confirm if this website belongs to the APT group that orchestrated the SolarWinds supply chain attack. However, a note in the source suggests there may be a connection: “We are putting data found during our recent adventure for sale” [sic].

The sale of the data allegedly stolen during the SolarWinds supply-chain attack is interesting for several reasons. If this is genuinely found to be the source code of the products listed above, additional vulnerabilities could be discovered and weaponised for future attack campaigns. The same goes for the Cisco internal bug tracker - which essentially would reveal all the unpatched bugs (or 0day vulnerabilities) in various Cisco products. The SolarWinds customer portal would be valuable for adversaries given the company’s clients. The Red Team tools that were stolen from FireEye have basically been neutered due to the US cybersecurity firm releasing YARA rules for each one. However, a number of proof-of-concept (PoC) exploits could be available for vulnerabilities that are still present in many internet-facing appliances.

Dutch energy supplier Eneco has warned clients and business partners to change their passwords due to a recent data breach. The company stated that threat actors used "email addresses and passwords from previous thefts at other websites" to gain access to around 1,700 My Eneco accounts. The affected users may have had their data viewed and stolen or possibly changed by the threat actors. Approximately 47,000 other customers are also being informed about the incident “as a precaution” but there is apparently no evidence that their accounts have been compromised.

Fraud

Threat actors are hijacking verified Twitter accounts and using them to distribute a cryptocurrency scam under Elon Musk's name. The accounts reply to tweets to promote the scam, stating that Musk is giving away cryptocurrency. A fake landing page asks visitors to send Bitcoin to the listed address, claiming that they will receive back double the amount sent. Some of the tweets use Tyler Winklevoss’s (one of the founders of Facebook) name. Most of the accounts hijacked have been inactive for at least a few weeks. This has been a highly successful campaign, with the threat actors earning USD587,000 in Bitcoin and an additional USD2,700 in Ethereum.

Threat actors have been using COVID-19 vaccine-themed lures in multiple large-scale social engineering attacks which have led to malware, credential phishing, and BEC attacks. Organisations and brands with name recognition, such as World Health Organization (WHO), DHL, and vaccine manufacturers, have been abused in these campaigns. Users in the US, Canada, Austria, and Germany have been targeted. One such campaign pretended to be from a company executive, asking the recipient to cooperate in a confidential project that arose from the release of the vaccine. A malware campaign was also found targeting various industries in the US and impersonating the WHO. The messages asked the recipient of the phishing email to download the new COVID-19 vaccine safety report. Coronavirus phishing has been a prominent threat since the start of the pandemic, with all types of threat actors using the virus as a lure. It was expected, therefore, that attackers would increase their attack attempts exploiting the vaccine when it was released, as using lures about current events makes the attacks more likely to be successful. These attacks are likely to continue as distribution of the vaccine expands worldwide.

Darknet

The darknet market DarkMarket has been taken offline by law enforcement. German authorities reportedly arrested a 34-year-old Australian national alleged to be the market’s operator. Servers in Moldova and Ukraine used to host the market were also seized. No information has been released concerning how law enforcement identified the market operator, although there are reports the market servers were leaking IP addresses. As with previous law enforcement operations targeting darknet markets, arrests will likely be made based on evidence obtained from DarkMarket’s servers.

The public representative of the REvil (also known as Sodinokibi) ransomware group has announced several updates to their malware. This comes after the same public representative was previously observed attempting to recruit developers to work on multiple tasks, including those connected to the recently announced updates. The public representative also announced an increase in available spaces in their affiliate program, enabling more individuals to join and conduct attacks using their malware.

There has also been an increase in fake advertisements for fake merchant sites that aim to steal card details. The scam relies on Classiscam, an underground service that uses Telegram bots to create fake advertisements and phishing pages. Usually, this service has only operated in Russian markets, but with this observation it has moved to target European e-commerce.

Access to a French telecommunications company has been offered for sale on a Russian hacking forum. The unnamed company apparently has a revenue of 10 billion euros; apart from this, only the beginning of an IP range was given by the threat actor.

Finally, the owner of the notorious stolen credit card market, Joker’s Stash, has retired. The news comes after a post to the forum where Joker hangs out saying that after a good run they are now retiring.

 

APT activity, malware campaigns, and vulnerabilities

APT activity

A malicious state-sponsored campaign has been analysed that targeted several organisations in Russia and Hong Kong. The intrusions first appeared to be launched by the Higaisa group. However, detailed analysis eventually led the researchers to attribute the attacks to a Chinese APT group tracked as Winnti (also known as APT41). Over time, Winnti shifted its focus from Hong Kong-based organisations to Russian computer games developers. The group reportedly works on behalf of the Chinese government, focusing on intelligence gathering and intellectual property theft. In September, the US Department of Justice indicted five Chinese nationals who it believes were responsible for intrusions at hundreds of organisations. The individuals are thought to have been members of APT41. Notably, APT41 did not restrict itself solely to espionage, but in some instances also deployed crypto-mining malware or ransomware - such as ColdLock.

A phishing campaign is being conducted by Iranian state-sponsored threat group CharmingKitten. This operation started over Christmas, when most companies were either closed or operating with a skeleton staff, meaning that IT and technical support teams were less equipped to handle a sudden cybersecurity incident. Targets included members of think tanks, political research centres, university professors, journalists, and environmental activists in countries around the Persian Gulf, Europe, and the US. The campaign was complex and used emails and SMS messages as an initial infection vector, which is relatively uncommon for a state-sponsored and advanced threat actor. It is possible that this tactic was an attempt to reach a greater number of potential victims.

An espionage campaign targeting Israeli organisations throughout September 2020 has been attributed to the MuddyWater APT. The group was also previously exposed as a contractor that works with the Islamic Revolutionary Guard Corps (IRGC) of Iran. In this campaign, MuddyWater pushed a variant of the PowGoop malware, disguised as fake Google update DLL files. PowGoop is a DLL loader used to deliver a variant of the Thanos ransomware that has destructive capabilities. This includes wiping the Master Boot Record (MBR) of infected devices. MuddyWater typically targets organisations and governments around the Middle East deemed to be in opposition to Iran’s administration, using spear-phishing for intelligence-gathering operations. Other Iranian APTs, such as APT33, have also been known to launch destructive attacks with MBR wipers: one of the archetypal examples is the Shamoon incident in 2012 against Saudi Aramco.

Malware

Google has removed 164 Android applications from the official Play Store for delivering large amounts of unsolicited out-of-context or out-of-app advertisements to users. The apps remained undetected by either security researchers or Google for over two years. They mimicked popular applications, copying both their name and functionality to appear more legitimate and get more downloads. The apps were downloaded more than 10 million times before being discovered and reported to Google. These types of ads have been banned on the Play Store since February 2020, because they make it impossible for users to establish which app an ad originates from. While Google has removed these applications from the Play Store, users that have downloaded them must still manually remove them from their devices.

Security researchers have shared new samples of a Cobalt Strike shellcode Loader that has been dubbed the EvilCorp Loader. This custom version of Cobalt Strike stands out as it contains a check for the presence of the CrowdStrike endpoint protection and response (EDR) product. The EvilCorp Loader was first disclosed in June 2020 and is believed to be a precursor to a WastedLocker ransomware attack. It is unclear why EvilCorp checks for the presence of CrowdStrike EDR software. Some security researchers have suggested that the attackers may have a bypass or exploit for a 0day in the EDR but no evidence of this has surfaced. Others believe that the attackers may be purposely avoiding CrowdStrike protected systems as they may be after softer targets.

A phishing campaign has been identified spreading a new variant of the Ursnif (Gozi) Trojan in an attached Microsoft Word document. This campaign has been continuously targeting Italy. Currently, it is missing its malicious banking module because its C&C server was shut down, causing it to fail to start the second stage of its attack. The Ursnif malware family is one of the most active on the threat landscape, and variants of it have been used to target Italy, almost exclusively, for at least the past year. Most recently, the malware operators began using fake DocuSign documents to push their payloads to Italian users; they also blocked recipients from other countries downloading Ursnif. The malware also impersonated various Italian brands such as Enel.

Vulnerabilities

The past week saw all major software companies roll out the first Patch Tuesday releases of 2021. This includes Microsoft, Cisco, SAP, and Adobe. All patches should be applied as soon as possible.

Apple has removed a macOS feature that allowed certain applications to bypass content filters, VPNs and firewalls. The 'ContentFilterExclusionList' was first uncovered in November 2020 in the beta release of macOS Big Sur. It comprised a list of around 50 Apple applications, including Maps, Music, FaceTime, and the App Store. As the apps were not controlled by the 'NEFilterDataProvider' network content filter, threat actors could exploit them to bypass firewalls and gain access to the system. The 'ContentFilterExclusionList' feature was removed in macOS Big Sur version 11.2.

 

Geopolitical Threats and Impacts

Americas

UNITED STATES – TRUMP IMPEACHED FOR SECOND TIME AS PRESIDENCY DRAWS TO A CLOSE

On Wednesday (13 January), lawmakers in the US House of Representatives voted by 232 votes to 197 to impeach President Donald Trump for ‘incitement of insurrection’ over his role in last week’s deadly mob assault on the US Capitol building. Ten Republican lawmakers joined their Democratic Party counterparts to vote for the president’s impeachment, including the GOP’s third-ranking legislator, Representative Liz Cheney. Proceedings now move to a trial in the US Senate; however, Republican majority leader Mitch McConnell has confirmed that this will not begin until after President-elect Joe Biden’s inauguration on 20 January. Trump has become the first president in US history to be impeached twice. While the measure has few practical implications at this stage, his potential conviction in the US Senate could lead to him being barred from running for office in the future. Trump has hinted at his possible presidential aspirations in 2024; however, a vote to bar him from public office would end any prospect of a second Trump term. Significantly, the impeachment trial is likely to dominate US politics in the first weeks of Biden’s presidency, potentially distracting lawmakers from immediate health and economic crises linked to the COVID-19 pandemic and confirmations of Biden’s cabinet and judicial nominees. In the longer term, the tumultuous ending to Trump’s presidency raises questions about the future direction of the Republican Party and Trump’s long-term role as its figurehead. Organisations with interests in the US economy should monitor updates related to the impeachment and Biden’s inauguration, particularly amid a heightened risk of violent unrest in the immediate outlook, and adjust security and operational planning accordingly.

UNITED STATES – BIDEN ANNOUNCES USD1.9TN ECONOMIC RESCUE PACKAGE

On Thursday (14 January), President-elect Joe Biden announced details of a USD1.9tn economic stimulus package that will be sent to Congress after he takes office on 20 January. The package includes direct payments of USD1,400 to US citizens, USD415bn to tackle COVID-19, and USD440bn in small business support. Biden’s proposals also call on Congress to double the federal minimum wage to USD15 per hour. The package also proposes a USD100 increase in supplemental jobless benefits and an extension of the national moratorium on evictions and home repossessions until 30 September. The package is likely to receive approval in the US Congress, particularly given the economic and public health crises, as well as Democrats being on the verge of retaking control of both chambers, pending the swearing-in of their victorious Senate candidates in Georgia. Democrats will hope that the measures, in combination with future economic stimulus, work to stabilise the economy prior to the mass rollout of COVID-19 vaccines in the coming weeks and months. Efforts to raise the federal minimum wage to USD15 per hour, however, may ultimately come in increments, particularly as a one-off rise to USD15 would mark a doubling of labour costs in dozens of states. Organisations with interests in the US economy should review the package and assess its impact on operations, strategy and financial plans.

CUBA & US – WASHINGTON PLACES CUBA BACK ON TERRORISM SPONSOR LIST

On Monday (11 January), US Secretary of State Mike Pompeo announced that Cuba has been re-designated as a state sponsor of terrorism. In a statement, Pompeo said that Havana ‘repeatedly’ provides support for acts of terrorism and safe harbour for terrorists, citing examples of Colombia’s National Liberation Army (ELN) leaders living in Havana. Responding to the designation, Cuban foreign minister Bruno Rodríguez labelled the move ‘cynical and hypocritical’. The measure returns Cuba to a list from which it was removed by President Barack Obama’s administration in 2015 amid a rapprochement between the two countries. In practical terms, the designation will further hinder trade and travel between the US and Cuba, which are already subject to significant restrictions imposed under President Donald Trump. For instance, insurers could impose higher fees for covering transactions or travel to the island, exports of certain technology and software to Cuba may be restricted, while organisations may limit their operations or interests in Cuba to avoid potential legal or financial penalties, or reputational damage. The designation, however, may only remain in place for several months as President-elect Joe Biden has pledged to improve ties with Havana, likely including the removal of restrictions on travel and remittances. Organisations with interests in Cuba should assess how the US designation impacts operations, strategy, and financial matters, and adjust planning accordingly.

Asia-Pacific

CHINA & EU – CHAMBER REPORT SHOWS DAMPENED SENTIMENT OVER US-CHINA DECOUPLING

The European Union Chamber of Commerce in China in a joint report with European think-tank Mercator Institute for China Studies on Thursday (14 January) said that the business outlook of European companies in China is being dented by the likely worsening of the decoupling between the US and China. The prioritising of national security concerns over trade and business, as well as increasingly negative views of China in Europe, are stoking uncertainty and dampening sentiment, according to the report, which drew on surveys of around 120 chamber members and was carried out in late 2020. European firms anticipate the need to establish firewalls between their US and Chinese supply chains and operations due to technological decoupling. The downwards trajectory is forecast despite the recent signing of a European Union (EU)-China investment deal expanding EU companies’ access to the Chinese market and possible improvements in US-China ties under the incoming US administration of President-elect Joe Biden. Beijing’s drive for technological self-sufficiency, combined with a recent order enabling Chinese entities to retaliate against countries and businesses that impede their market access through adherence to foreign legislation such as US bans, illustrate the business impact of the elevation of national security concerns against commercial interests. The conflict between these two elements is set to increasingly define trade relations with China over the long-term. Businesses with interests in China should factor protracted complications in bilateral trade into their strategic and investment planning.

JAPAN – DECISION TO PRIORITISE ECONOMY LIKELY TO ERODE IMPACT OF CORONAVIRUS EMERGENCY

Media on Wednesday (13 January) reported that the state of emergency ordered in some regions of Japan in a bid to counter a wave of new coronavirus (COVID-19) cases is unlikely to have a serious impact on much of the country’s economy in the short term. Prime Minister Yoshihide Suga ordered a state of emergency last week in Tokyo, Saitama, Chiba and Kanagawa until at least 7 February, with local media reporting that seven more prefectures, including Osaka, may be added soon. Restrictions have mainly targeted restaurants and bars in the areas under the state of emergency, with operating hours curtailed rather than the venues being closed. Commuting to work has been reduced, reportedly by up to 70 per cent, although schools remain open. Japan has recorded more than 298,000 confirmed infections and at least 4,192 deaths since the start of the pandemic. The government’s reluctance, and in some cases legal inability, to impose more severe restrictions on economic activity is likely to fail to bring the virus under control without the widespread use of vaccines. As a result, it is probable that the government will be compelled to impose a more stringent national ‘lockdown’ restricting a far wider range of economic activity in the coming months, a reversal that is also set to increase political instability and place the 2021 Tokyo Olympics in doubt. Foreign companies operating in the country or engaged in the Olympics should assess their vulnerability to the government’s decision-making on their commercial interests over the six-month outlook and beyond.

Europe and Russia

EU & US – STATE DEPARTMENT WARNING RAISES BUSINESS RISKS FOR EUROPEAN COMPANIES INVOLVED IN NORD STREAM 2

This month, the US State Department warned European companies it suspects are helping to complete the Nord Stream 2 pipeline, which will transport natural gas from Russia to Germany, that they could face the risk of sanctions, according to an exclusive Reuters report. This comes as the outgoing Trump administration is expected to announce a final round of punitive measures ahead of Joe Biden’s inauguration on 20 January. A State Department report is set to be issued on Thursday or Friday (14 or 15 January) where companies helping to lay out the undersea pipeline or verify construction equipment will be named. US sanctions in December 2019 delayed the completion of Nord Stream 2 by a year, with work just recently resuming to lay a 100km stretch of pipes in Danish waters. US President-elect Biden opposed the project during his tenure as vice president, and there is speculation that he will maintain a hard line on the pipeline. While Biden will seek to repair damaged ties with US allies in Europe, he views Russia as an adversary. According to Washington, Nord Stream 2 imperils European security and will only serve to increase EU reliance on Russian energy imports. Firms directly involved or providing services to Nord Stream 2 partners should factor the impact of potential US sanctions into operational and strategic planning.

UK & CHINA – BRITISH FOREIGN MINISTER UNVEILS PROPOSALS AMID CONCERNS OVER FORCED LABOUR IN XINJIANG

UK foreign minister Dominic Raab released proposals last week that aim to address concerns over the complicity of UK-based firms in the use of forced labour in China’s Xinjiang province. Companies could face fines if they fail to meet commitments to conducting robust due diligence on supply chains. The proposals will likely translate into more requirements for companies sourcing goods from Xinjiang, while sanctions against officials found responsible for human rights abuses may also be introduced. In particular, ministers are expected to extend the number of firms subject to reporting under the Modern Slavery Act (MSA) 2015 – which aims to tackle modern slavery and human trafficking – and introduce binding requirements on the content, timing, and publication of MSA-related statements. A single enforcement body to oversee MSA compliance will also be announced. China has sustained growing criticism over its treatment of Muslim minority groups in Xinjiang, with large numbers allegedly being held in internment camps. Companies with operations in China or that have commercial relationships with firms sourcing products from Xinjiang should factor the new rules into corporate responsibility programs. Failure to comply may result in reputational damage and significant fines.

GERMANY & UK – DB SCHENKER BECOMES LATEST LOGISTICS FIRM TO SUSPEND SHIPMENTS DUE TO BREXIT

Germany-based logistics company DB Schenker said on Wednesday (13 January) that it was suspending deliveries from the EU to the UK due to the ‘enormous bureaucratic regulations’ required after Brexit. The suspension will continue until the company deploys more staff to support with properly filling out the necessary documentation. The company becomes the latest major logistics operator to suspend cross-border delivery services due to new bureaucratic hurdles and customs paperwork that form part of the EU-UK Trade and Cooperation Agreement. Last week, France-based DPDgroup suspended delivery services from the UK to the EU after saying that 20 per cent of parcels had incorrect information attached; DPD said there were ‘challenges’ with the UK government’s Computerised Transit System (NCTS) since 1 January. This comes amid reports that the UK government is proposing to fast-track empty supermarket food trucks returning to Europe for re-stocking, amid concerns that Brexit-related disruption may cause supply shortages to retailers. Of particular importance is the Dover-Calais supply route, through which approximately 10 per cent of food consumed in the UK passes. Relatedly, executives from the UK’s leading supermarket chains issued a joint letter to Cabinet Office Minister Michael Gove calling for a simplification of border checks as stores in Northern Ireland are facing shortages due to new import processes. Logistics operators should consider allocating additional resources and enhancing staff training to ensure appropriate documentation for UK-EU cross-border operations is properly completed.

MENA and Central Asia

IRAN – BRITISH, US-MADE COVID-19 VACCINES BANNED, LATEST SIGN OF DETERIORATING RELATIONS

On Friday (8 January) Supreme Leader Ayatollah Ali Khamenei said in a live TV broadcast that he had instructed the government to ban the imports of British- and US-made COVID-19 vaccines as they were ‘completely untrustworthy’. The ban will impact American firm Pfizer, which has co-produced the BioNTech vaccine. It will also impact the US-produced Moderna vaccine and the British-produced AstraZeneca vaccine. The bans come amid heightened tensions between Iran and the US, which have most recently been exacerbated by Iran’s seizure of a South Korean oil tanker on 4 January. The move was likely aimed at exerting pressure on Seoul to release Iranian funds which have been frozen due to US sanctions. Local media widely reported that one million doses of the BioNTech/Pfizer vaccine were set to be distributed across Iran before the ban. Prohibiting American and British vaccines will inevitably stall Tehran’s efforts in curbing the spread of COVID-19. While daily case numbers have fallen since early December, they have remained at over 5,000. Iran commenced the first phase of a clinical vaccine trial on 29 December, meaning the mass distribution of an Iranian-made COVID-19 vaccine is still months away. The country is likely in the process of securing a vaccine from India, China or Russia; however, a definitive roll-out plan for the short-term outlook remains unconfirmed. Given the continued high numbers of COVID-19 cases across Iran, the public health infrastructure is at increasing risk of becoming overwhelmed, meaning COVID deaths are likely to rise in the coming months.

KUWAIT – PM SUBMITS GOVERNMENT’S RESIGNATION SIGNALLING GROWING POLITICAL INSTABILITY

On Wednesday (13 January) Prime Minister Sabah al-Khalid al-Sabah formally submitted his government’s resignation to the emir, Sheikh Nawaf al-Ahmed al-Sabah. The move comes soon after the formation of a new government in December 2020 under which opposition figures increased their representation from 16 to 24 seats in parliament. It follows the mass resignation of around 30 lawmakers on Tuesday (12 January) amid growing demands for the PM to be questioned on his choice of cabinet. Opponents of al-Sabah have argued that his cabinet does not reflect the recent poll results. They also accuse him of ‘interference’ in the selection of parliamentary committee members and the speaker of the national assembly. Demands for the PM’s questioning were submitted by 3 MPs in a motion on 5 January during the first regular session of the new assembly. The challenge against al-Sabah has likely been fuelled by the stronger presence of opposition figures in parliament, underlining the notable shift in the dynamics of the political arena following the results of the 5 December elections. In recent years, frequent bouts of political infighting and deadlocks between cabinet and parliament have resulted in successive reshuffles and dissolutions. Al-Sabah’s resignation further underscores the elevated risk of political instability in Kuwait. It is worth noting that this latest period of instability will likely work to compound worsening economic conditions amid COVID-19 and low oil prices, due to likely delays in enacting crucial reforms, including a debt law, needed to improve the financial situation and tackle the growing deficit.

Sub-Saharan Africa

ETHIOPIA & SUDAN – INTENSIFYING BORDER HOSTILITIES THREATEN REGIONAL STABILITY

At least six civilians were killed and two more are reportedly missing after armed hostilities on Monday (11 January) some kilometres from the so-called Fashqa triangle, a long-disputed and poorly demarcated area on the border between the two countries. Sudan’s foreign ministry has blamed Ethiopian armed gangs (commonly referred to as shiftas) for the killings.

The incident follows weeks of growing tensions between the two countries’ governments, with each side accusing the other of initiating the violence. Ethiopia’s foreign ministry said in a news briefing this week that ‘[diplomacy] has limits’, while Sudanese government officials said they would respond to any aggression on Sudanese territory.

Fashqa is strategically important to both countries. It is a fertile land mass of about 25,000 hectares near the border between Ethiopia’s Amhara and Tigray regional states, on the border with Sudan’s El Gedaref state. Since the Ethiopian government launched military operations against the Tigray People’s Liberation Front (TPLF) rebel group and political organisation in Tigray on 4 November, Ethiopian security forces have redeployed to that part of the country, leaving a security vacuum in Fashqa, which Sudanese forces appear to have taken advantage of almost from the outset. The growing animosity underscores concerns that the conflict between Addis Ababa and the TPLF would inflame regional tensions. Countries in the region have a precedent of instrumentalising internal conflicts in neighbouring countries for political gain. In addition, the growing hostilities risk derailing fragile trilateral talks between Egypt, Ethiopia, and Sudan over the filling of the Grand Ethiopian Renaissance Dam (GERD). Companies with interests in Ethiopia and Sudan should increase their monitoring of the conflict to assess the impact on regional stability and security outlooks.

SOUTH AFRICA – MAJOR INSURER LIMITS BUSINESS INTERRUPTION CLAIMS TO THREE MONTHS ONLY

Cape Town-headquartered insurer Santam this month began reviewing business interruption claims by policyholders in hospitality and tourism as a result of closures caused by COVID-19-related restrictions. However, Santam is limiting settlement offers to three months, even though many clients have policies of 12 or 18 months and despite a November 2020 court ruling against it, ordering Santam to settle losses claimed over an 18-month period. Santam is due to appeal that ruling at the Supreme Court of Appeal in February. Insurance claim specialist Insurance Claims Africa, which represents many small- and medium-sized enterprises (SMEs) claiming business interruption settlements, has characterised the move as ‘unconscionable’.

The limited settlement period is likely to be insufficient and to increase financial strain for many SMEs within the sector, which may not have sufficient resources to launch lengthy and costly legal battles against the country’s largest short-term insurer. In turn, this is likely to increase the risk of business closures over the coming year, particularly since South Africa is currently battling a second wave of infections, driven by a local mutation of SARS-CoV-2. Companies exposed to South Africa’s hospitality and tourism sector should monitor legal cases about settlement claims and assess how these impact operations and partnerships in the country.