Geopolitical and Cybersecurity Risk Weekly Brief 1 June 2020

1 june 2020

COVID-19 Cybersecurity Update

The UK's fraud and cybercrime reporting site, Actionfraud, has released figures stating that so far 2,057 victims have lost a combined total of over £4.6 million to coronavirus-related scams. Different types of scams have been used to steal money from users, including, courier fraud, online shopping and auction fraud, computer software service fraud, lender loan fraud, pension liberation fraud, investment fraud, mandate fraud, and phishing.

Throughout the coronavirus pandemic, threat actors have continuously impersonated the World Health Organization (WHO). Abnormal Security has found yet another of these campaigns attempting to steal Microsoft O365 credentials. The WHO-impersonating phishing email contains a link to a webpage imitating the organisations' homepage. A login pop-up asks for visitors' email address and password, and phone number. The victim is then redirected to the real WHO website. IOCs for this threat have been attached.

Google's Threat Analysis Group (TAG) has released a report on government-backed attacks, including phishing, threats, and disinformation campaigns. The team is currently tracking 270 threat groups form over 50 countries. Coronavirus has dominated the threat landscape in 2020, with threat actors around the world using it for lures in different types of attacks, from ransomware to phishing, and more. TAG observed over a dozen groups using COVID-19 as a lure. One of these is Iranian state-sponsored threat group, CharmingKitten (also known as APT35, Newscaster, and Phosphorus), which has target medical and healthcare professionals during the pandemic, including employees of the World Health Organization (WHO). Lazarus is another group that has launched several campaigns during the coronavirus lockdown period, as has Gamaredon in attacks against Ukraine, and SideWinder when targeting the Pakistani military.

A new phishing campaign has been using COVID-19-themed phishing emails to target the Italian National Institute for Social Security (INPS). The emails claim to provide new information about the pandemic, and link to a fake INPS website where users are asked to download the INPS app. The malware is a banking Trojan which can monitor the actions performed by the user and extract banking or credit card information from the victim's smartphone.

Various malware have been found this week using the coronavirus in some way as a lure or as part of their infection technique. A new ransomware called FushenKingdee is targeting enterprises in China and when it encrypts a file it will append the ‘.Cov19’ file extension. Covidworldcry, another new ransomware, appends files with the ‘.corona-lock’ file extension. And another ransomware, ‘IMMUNI.exe’, leverages the COVID-19 map from Johns Hopkins that encrypts files and appends the ‘.fuckunicornhtrhrtjrjy’ file extension.

A new ransomware, dubbed [F]Unicorn, has been targeting Italian users by tricking them into downloading a fake COVID-19 contact tracing app. This campaign has targeted pharmacies, universities, doctors, and other entities fighting the coronavirus pandemic.

A security vulnerability in Qatar's mandatory coronavirus contact tracing app has exposed the sensitive information of over one million users. The flaw was observed by Amnesty International and fixed the day after disclosure. This app was already controversial. Qatar has made it mandatory for users to download and use it, with the threat of imprisonment if they do not comply. Additionally, the app has been criticised for the multiple permissions needed to use it, which include access to files on Android devices, GPS tracking, and allowing the software to make unprompted phone calls.

 

Attacks and cybersecurity news

An academic study has found a new way of abusing HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). This denial of service (DoS) technique has been dubbed RangeAmp. The researchers tested the attack against 13 CDN providers and found that all of them were vulnerable to the SBR attacks, with six also being vulnerable to OBR attacks. OBR attacks are considered the more dangerous of the two because they can bring down large parts of a CDN's network, making thousands of websites inaccessible at any one time. Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud have either released or plan to release updates for these vulnerabilities.

A cyber-espionage campaign has been targeting the supply chain of the Italian automotive industry. The group behind this campaign was first spotted in 2018 in attacks against technology, retail, manufacturing, and local government industries in the US, Europe, and Asia. Unit42 and others believe these are linked to the GorgonGroup which is thought to be state-sponsored.

Researchers recently disrupted the botnet operations connected to the DoubleGuns malware (known as ShuangQiang in Chinese). This campaign was geofenced to Chinese-speaking users, behind the ‘Great Firewall of China’ (also known as the Golden Shield Project). DoubleGuns has reportedly been targeting Windows devices across China for the last three years and has steadily grown in scale.

Threat actor @NamaTikure claimed responsibility for a distributed denial of service (DDoS) attack on the official website of the city of Minneapolis (ci[.]minneapolis[.]mn[.]us) in support for #JusticeForGeorgeFloyd. Others have also joined in with these attacks in support of #GeorgeFloyd, #JusticeForGeorgeFloyd, #BlackLivesMatter, and #ICantBreathe. This is in retaliation to the killing of unarmed black man George Floyd by Minneapolis police officers. The cyber-activist group, Anonymous, also recently announced that it was starting an operation to target companies in support of the demonstrations in the US.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

Netwalker ransomware has been by far the most active in the last seven days. The operators of the malware have claimed responsibility for attacking and stealing data from eight organisations from around the world, including a French transport company, Italian sports retailer, the Michigan State University. 

The operators of the Sodinokibi (REvil) ransomware claimed responsibility for attacking and leaking data from three companies: a US law firm, a US cloud services company, and Titan Entertainment Group. The group also hit a Cypriot marketing company and reposted its claim of attacking Fraser, Wheeler and Courtney.

Several other major ransomware made claims of having hit companies around the world, continuing the trend of stealing data from victims and then leaking it to apply pressure for payment of the ransom. Ragnar, Maze, and Nefilim, continue to be major threats to all sectors.

Security researcher Bob Diachenko (@MayhemDayOne) revealed that a fast-growing cryptocurrency, Ecoin, had exposed its entire userbase online. Ecoin managed to acquire over two million users in the space of 30 days.

A real estate app developed by software company, Tellus, exposed confidential user chat logs on an unsecured Amazon Simple Storage Service bucket. The bucket contained 6,729 CSV files related to the Tellus app, 16,861 records contained user information, with 3,194 verified property owner records, and 1,294 verified tenant records.

International multi-level marketing (MLM) company Arbonne International has exposed the personal information and credentials of thousands of users after a breach by an unauthorised third party.

Fortune 500 company, Nippon Telegraph & Telephone (NTT), has disclosed a data breach. Threat actors gained access to the company's internal network and stole information on 621 customers from its communications subsidiary in Japan, NTT Communications.

Amtrak (the US National Railroad Passenger Corporation) has disclosed a data breach which has led to the theft of the PII of some Guest Rewards members. The company has reassured customers that no financial data, credit card information, or Social Security numbers were compromised in this attack.

Fraud

Abuse.ch has identified a new Remcos remote access tool (RAT) sample that was delivered in a fake JPMorgan Chase customer payment notification-themed phishing email. Malicious XLS documents are attached to the emails. Inside the file are embedded macros that, if enabled, download Remcos RAT.

A new phishing campaign impersonates an IRS tax form, filed by many US residents during the tax season. The document claims to be a 1040 tax form in PDF format and was uploaded to Google Drive or OneDrive. Legitimate services such as this are often used to mislead victims and make them think the phish is less suspicious because it is coming from a legitimate service. This type of phishing attack is very common; specifically, the key dates of the US tax year are always used by scammers.

Vulnerabilities

AusCERT has issued a security advisory for the May 2020 Apple security updates. Successful exploitation of such issues can lead to root compromise, remote code execution, privilege escalation, unauthorised access, information disclosure, cross-site scripting, denial of service, and reduced security. The German federal cybersecurity agency is urging iOS users to immediately install these iOS and iPadOS security updates. The advisory centres around two zero-click security vulnerabilities impacting the default email app, CVE-2020-9819 and CVE-2020-9818, that are being actively exploited.

Cisco has announced that some of its Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) backend servers were breached by an unauthorised third party. The attacker exploited two vulnerabilities - critical SaltStack authentication bypass vulnerability CVE-2020-11651 and directory traversal flaw CVE-2020-11652 - to gain entry to the systems. These flaws received patches over a month ago, and users were urged to install updates to their systems because these vulnerabilities were being actively exploited. It is unclear why Cisco has not patched these servers: it may be that updates would cause downtime on their servers.

A new malware attack is using a local privilege escalation (LPE) vulnerability in SMBv3, tracked as CVE-2020-0796 - also known as SMBGhost. The malware code is signed with a certificate, ‘GO ONLINE’, from Sectigo, the Russian organisation also used by Maze ransomware and Taurus building kits. The malware’s creation date was 26 January 2019, suggesting that the attackers potentially knew about the vulnerability in SMBv3 before Microsoft and had already developed valuable 0day exploits for it. Microsoft accidentally leaked information surrounding the SMBGhost vulnerability last Patch Tuesday. It has since been patched, but many organisations are still exposed, according to the security firm KryptosLogic.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule: 

  • 26 new vulnerabilities in the USB driver stack used by operating systems such as Linux, macOS, Windows, and FreeBSD have been discovered. These flaws were found with a newly created fuzzer tool, named USBFuzz. The majority of the most severe bugs were found in Linux OS:
  • US CISA has issued a security advisory over a remotely exploitable vulnerability in Inductive Automation ICS products. Organisations in the manufacturing, energy, and information technology sectors are affected.
  • KrCERT has issued a security advisory over a vulnerability disclosed in Apache Tomcat. Successful exploitation can lead to remote code execution (RCE) if all conditions on an affected server are met.
  • A critical Android vulnerability, dubbed StrandHogg 2.0 and tracked as CVE-2020-0096, can allow malicious apps to impersonate legitimate ones and steal sensitive information from users. This bug affects Android versions 9.0 and earlier; Android 10 is not impacted.
  • AusCERT has issued a security advisory regarding security issues disclosed in OpenSSL for Ubuntu Linux distributions. If successfully exploited, it can lead to unauthorised access and can allow an attacker to provide misleading information.
  • GitLab has released versions 13.0.1, 12.10.7, 12.9.8 for GitLab Community Edition and Enterprise Edition. These latest versions patch several high-risk vulnerabilities, and so updating is strongly recommended.
  • Two high-severity vulnerabilities have been found in the PageLayer plugin which can allow attackers to wipe the contents of or take over WordPress sites using vulnerable plugin versions.

 

APT Activity and Malware Campaigns

APT activity

Numerous spear-phishing documents have been linked to North Korean state-sponsored APTs, Lazarus and Kimsuky. The threat actors targeted a South Korean investment and security firm (truefriend.com), and the University of Washington (UoW) and installing a backdoor on its website (depts.washington.edu). Both Lazarus and Kimsuky have targeted the defence sector of the UK, the US, South Korea and several other countries recently.

A new Turla campaign is leveraging the group’s ComRAT malware that now innovatively uses Gmail for command and control (C&C) over infected devices. ComRAT was first released in 2017 and imitates previous Turla backdoors, such as Snake, resulting in a complex malware that is generally deployed for cyber-espionage. Since the beginning of 2020, ComRAT v4 has used Gmail’s web UI to receive commands and exfiltrate data. This way, it can bypass common endpoint security controls as no malicious domains are involved.

Researchers have disclosed a new cyber-espionage campaign linked to Konni, a North Korean APT. The group has been observed impersonating CISAC, an academic research foundation dealing with nuclear issues, in phishing lures. The targets of the attacks are unknown, but all begin with a malicious document that appears to have come from CISAC. @Konni perpetrates cyber-espionage on behalf of the North Korean government.

Malware

A new cryptocurrency mining Trojan, dubbed SoulemanMiner, is spreading via the EternalBlue vulnerability. The attacks began in January 2020 and its estimated earnings total 270,000 RMB (about $38,000). Malware that still targets EternalBlue can generally be regarded as a low-risk threat for modern corporate enterprises which have patched the vulnerability. However, there are many parts of the world, such as China, where many organisations will have failed to update older Windows systems, leaving themselves vulnerable to these sorts of attacks.

Over 30,000 Cerberus Android package files (APK) have been downloaded in Turkey. The APKs are hosted in the threat actor’s BitBucket account (@sikermarka) and downloaded when the victim visits a malicious domain. The distribution method includes phishing emails and malvertising on Twitter and other social media sites.

Threat researchers have reported on a new Android banking Trojan targeting users in Poland. Infected devices will transmit information such as GPS location, phone calls, messages, contact lists, and WiFi settings. The phone’s microphone, camera, and external storage are also made available to the attackers. The new attacks may be exploiting the current coronavirus pandemic whereby micro-loans in Eastern Europe are popular with unemployment rising.

Cyjax analysts have uncovered a .NET remote access tool, dubbed OZH RAT. It appears to be a traditional .NET infostealer that collects the information entered into forms and logs keystrokes.

Since it emerged, the Grandoreiro banking Trojan has targeted various Latin American countries, including Brazil, Mexico, and Peru: it has also targeted Spain in the past. The malware appears now to be targeting Portugal in its newest campaign throughout April and May 2020.

New TrickBot modules have been uncovered that improve the malware's propagation ability from infected Windows clients to vulnerable Domain Controllers (DC). The module for this, known as “mworm”, has been upgraded and is now called “nworm”.

Darknet

The main development from the darknet this week concerned HugBunter, the admin of Dread, the darknet equivalent of Reddit. HugBunter is the main engineer behind the entire project and is also responsible for creating several private vendor shops. As a result of this extensive experience, the Dread admin is a key figure in the darknet community. Earlier this week, all vendor shops created by HugBunter were taken offline. Some have since returned, but many vendors are still reporting inconsistent uptime.

Furthermore, Dread users have now noticed that HugBunter’s canary has not been updated for several weeks. A canary is a signed and dated PGP message which is meant to be updated every 14 days to confirm the signatory is in control of their account. The message normally includes a recent Bitcoin block hash to verify the message has been signed on the date claimed. However, HugBunter’s canary has not been updated for over 14 days now.

This, combined with the issues surrounding vendor shops, has led to concerns that HugBunter has been compromised. This is not the first time @HugBunter has disappeared for extended periods of time, so it is still possible he will resurface. However, were Dread to be compromised, this would cause significant short-term disruption to darknet vendors.

 

COVID-19 Geopolitical Threats and Impacts

Americas

Thousands of protesters took to the streets of numerous US cities for the sixth night on Sunday (31 May) in demonstrations linked to the death of African American George Floyd during a police arrest in Minneapolis on 25 May.  So far there have been disturbances in at least 75 US cities and other communities since the unrest began last week. The protests have also become an expression of primarily African American anger against what they view as the racist behaviour of many police officers across the country, as well as a reaction to wider economic and social disparities that affect their community.

Minneapolis has been the main focal point of unrest involving thousands of people, with widespread clashes reported tonight with further reports of looting and property damage during the protests in the city and elsewhere across the country. National Guard units have been mobilised in Minnesota and California to support the police in seeking to control and counter the anticipated unrest, and unless the situation is brought under control within the next 24-36 hours more military formations may deployed. Efforts to quell the protests through curfews, large police deployments and mobilised National Guard units have failed to restore order, and there is no obvious timeframe as to when the unrest may subside.

On Thursday (28 May), President Donald Trump signed an executive order targeting the legal protections afforded to social media companies, two days after Twitter added fact-check links to two of his tweets for the first time. The executive order seeks to reinterpret and modify Section 230 of the Communications Decency Act, a provision which generally exempts platforms from being held responsible for the content published by their users. Responding to the order, Twitter described it as a ‘reactionary and politicized approach to a landmark law’, while YouTube’s owner Google said it would damage the US economy. Within hours of the signing of the executive order, Twitter hid one of Trump’s tweets – related to the government’s response to civil unrest in Minneapolis – for the first time for breaking the platform’s rules on glorifying violence. Substantial change to legal protections afforded to social media platforms may take months or years to emerge. In the immediate term, however, Trump’s order has more of a symbolic purpose through increasing pressure on social media platforms to avoid moderating political content. Social media websites and other online platforms, including publishers, should monitor developments related to Section 230 and the legal implications for operations.

Aerospace giant Boeing announced this week that it will cut 12,000 jobs in the US amid efforts to reduce costs during the coronavirus (COVID-19) pandemic, which has almost eliminated orders for new aircraft. American Airlines announced a 30 per cent reduction in management and support staff due to the pandemic. The announcements highlight the acute impact of the pandemic on the US’s aviation sector. Companies operating in or partnering with the US aviation sector should follow updates on company restructurings, anticipate a protracted decline in commercial passenger travel, and assess the impact on operations, strategic and planned investments.

On Tuesday (26 May), LATAM Airlines – the largest carrier in Latin America – announced that it has filed for Chapter 11 bankruptcy protection in the US amid large debts and major operational disruption due to the coronavirus (COVID-19) pandemic. The company’s affiliates in Chile, Colombia, Ecuador, Peru and the US have also filed for Chapter 11 bankruptcy. The airline has said it will continue to fly while it is in bankruptcy protection. LATAM is now the second major Latin American airline to file for Chapter 11 bankruptcy during the pandemic, following Colombia-based Avianca’s filing on 10 May. In the short-to-medium terms, the continued spread of COVID-19 throughout Latin America is likely to maintain depressed demand and availability of commercial passenger flights. Companies with interests in the region’s aviation sector should assess the impact of reduced flight availability on operations and strategy.

A judge at British Columbia’s Supreme Court ruled that the standard of double criminality had been met in the case of detained Huawei CFO Meng Wanzhou, thereby allowing for the continuation of Meng’s US extradition proceedings. The ruling found that the charges against Meng in the US – that a Huawei-owned company violated US sanctions on Iran – would also be crimes in Canada. The ruling increases the likelihood of retaliation from Beijing, which insists Meng is innocent and accuses Canada of being an accomplice to the US in alleged efforts to damage Huawei and other Chinese high-tech companies. A possible act of retaliation would be additional trade barriers on Canadian exporters to China. Companies with interests in Sino-Canadian trade should monitor updates on the case and the impact on bilateral trading relations.

In Columbia, the attorney general’s office announced that it will issue arrest warrants for 10 mayors over alleged corruption during the coronavirus (COVID-19) pandemic. Authorities have reported multiple irregularities among local government responses to the pandemic, including inflated costs for the procurement of food and medical supplies, as well as contracts being awarded to companies lacking relevant experience or with political connections.

APAC

China’s Ministry of Public Security (MPS) on Thursday (28 May) announced it would ‘guide and support the Hong Kong police to stop violence and restore order’ following at least 300 arrests during renewed protests on 27 May. The MPS is China’s main intelligence agency and, at present, has no formal or enforcement role in Hong Kong. The ministry issued its statement hours after the National People’s Congress (NPC), China’s legislature, approved imposing the country’s security laws on notionally semi-autonomous Hong Kong. The Hong Kong administration also warned Washington not to interfere in the territory’s internal affairs after the US government said it would review the special privileges it receives based on its relative autonomy from China following Beijing’s intervention. US Secretary of State Mike Pompeo said on 27 May that the territory could no longer be considered autonomous from China.

The combination of renewed protests and Pompeo’s threat has shocked many local and foreign companies in Hong Kong. Any indication the MPS or other Chinese state security or police agencies will have a formal role in Hong Kong will add to the already high degree of uncertainty over the territory’s future. Measures that erode the Common Law-based legal system risk forcing many foreign companies to reassess their ability to remain in Hong Kong in their present role and structure. The withdrawal of US preferential treatment, which has remained a profitable ‘interference’ in the territory’s internal affairs for many years, will compound such concerns.

A US government report released on Thursday (21 May) outlined a new strategy based on competing directly with what it identifies as Beijing’s attempts to impose its authoritarian system of governance globally, while compelling China ‘to cease or reduce actions harmful to the United States' vital national interests.’ The new policy replaces Washington’s two-decade-old ‘engagement’ strategy, which the report says failed to achieve any fundamental economic or political change in China. The new policy was released the day before China’s de facto if largely symbolic parliament began its annual session on Friday (22 May), presumably in a move intended to undermine the carefully choreographed event. It also indicates the full ascendency of the ‘confront China’ faction within the US government, suggesting further measures may soon be adopted in a bid to counter Beijing’s influence, if not alter its conduct.

Europe

Major carmakers have announced plans to reduce jobs as part of restructuring plans. France-based manufacturer Renault said it would cut 15,000 jobs, including 4,600 in France, globally as part of a EUR2 billion cost-reduction program. Renault will also reduce global output from 4 million vehicles to around 3.3 million, with some production facilities in France either being shut or restructured. The firm is currently in talks with the French government, which holds a 15 per cent stake in Renault, for a EUR5 billion loan to cope with the coronavirus (COVID-19) pandemic. Meanwhile, Nissan – a Japanese automaker which has a strategic partnership with Renault – said it would shut a factory it operates in Barcelona employing 3,000 people. Trade unions have criticised the move, saying that around 22,000 jobs indirectly depended on the site.   

The announcements indicate the gravity of COVID-19 on the European car industry. Declining sales amid changing consumer patterns have severely impacted the sector, which accounts for around 10 per cent of Spain’s GDP. Highly restrictive lockdowns have disrupted operations at manufacturing facilities, while car dealership and retail stores have also been shut. Localised unrest outside manufacturing plants and corporate offices of companies announcing such plans is highly likely. More broadly, declining output at manufacturing sites will also adversely impact partner firms across the supply chain. Firms supplying car components should assess how the plans will impact operations and adjust strategic planning accordingly. 

The UK government has indicated that it could give more rights to people holding a special passport issued for some Hong Kong residents if China implements a proposed national security law. People born before 1997, when the UK returned Hong Kong to China, can apply for a British National (Overseas) passport, referred to as a BNO. The UK’s move would mark a significant shift, reflecting a hardened approach to China’s move to impose greater control over Hong Kong. The impact of a status change may be limited, however, and will not apply to the city’s young residents, the driving force behind the pro-democracy protests. Deepening tensions in the UK-China relationship, which has assumed greater importance in recent years, will likely damage the prospects of a successful post-Brexit trade deal.

UK Prime Minister Boris Johnson is facing increasing pressure from cabinet members after voicing support for Dominic Cummings, a senior adviser who resisted calls to resign following revelations that he violated a UK-wide lockdown amid the coronavirus (COVID-19) pandemic. The revelations are threatening to add further political and public pressure on the government. Growing tensions over Cummings will likely spill over into other areas of disagreement, including the government’s stance on Huawei. For the opposition Labour Party, simmering divisions in the ruling Conservatives will be an opportunity to further intensify pressure.

German interior minister, Horst Seehofer, announced on 27 May that the country had experienced an increase in far-right and far-left crimes in 2019. Over 41,000 incidents of politically motivated crime were recorded, a 14.2 per cent rise year-on-year. The data confirms the growing threat posed by far-right groups and rising prevalence of social intolerance. The risk of violence has also grown; three murders in 2019, including one targeting a pro-immigration politician last June, were attributed to far right or nationalist supporters. Places of religious worship, cultural centres and areas with a strong minority population are higher risk targets. Security managers responsible for client sites located near or in the vicinity of such locations should regularly review security measures considering the growing risk.

Monitors from the Strategic Communications Division, part of the European External Action Service (EEAS) – the EU’s diplomatic service – said that they have seen ‘at least a temporary decrease’ in disinformation campaigns linked to the coronavirus pandemic. However, it noted that pro-Russia sources were still active in spreading fake news relating to COVID-19, including conspiracy theories linking the virus to 5G technology and casting doubt on the origins of the pandemic. During earlier assessments in March and April, the division identified a ‘trilateral convergence of disinformation narratives’ promoted by actors in China, Iran, and Russia aimed at eroding public trust. While the decrease in the spread of disinformation is a positive indicator, there still remains a high risk of more fake content being disseminated via social networks. Social media firms will continue to face heightened political pressure to crackdown on disinformation and respond promptly to government concerns.

Relations between Bosnia & Herzegovina (BiH), Serbia and Montenegro worsened on Monday (26 May) after the Montenegrin government announced the opening of borders with neighbouring countries except those two. BiH and Serbia said the decision to exclude them was politically motivated. The Serbia-Montenegro relationship has been increasingly fraught in recent weeks after Montenegrin authorities detained eight members of the Serbian Orthodox clergy for violating COVID-19 restrictions, sparking violent demonstrations in Nikšić, the country’s second-largest city, and the town of Pljevlja. The political tensions may lead to acts of discrimination against Serbian nationals and their vehicles, identifiable by national number plates, in Montenegro. Similar incidents against Montenegrin visitors in Serbia are also possible.

MENA and Central Asia

US officials claim to have halted scheduled Iranian fuel deliveries to Venezuela on 27 May. Two Liberian-flagged, Greek-owned ships turned around after Washington contacted the Liberian government and threatened it with sanctions. The two Greek firms that own the ships were also threatened with US sanctions and legal action. The ships were intended as the final delivery in a previously planned five-oil-tanker shipment to Venezuela. Three other tankers carrying Iranian fuel docked in Venezuela between 25 and 26 May. The incident will serve to ratchet up tensions between US and Iran, likely to manifest in increased hostile rhetoric, minor incidents of maritime harassment in the Gulf, and cyberattacks. Direct military confrontation remains unlikely as this is not in the interest of either side, particularly amid the COVID-19 pandemic.

Protesters demanding jobs rallied in various Tunisian cities on 28 May, with some larger demonstrations having hundreds of attendees. Sit-ins also took place at state-run Gafsa Phosphate (CPG), the country’s sole phosphate producer, located in the central Gafsa province. The protests put more pressure on the new government of Prime Minister Elyes Fakhfkah and highlight the economic fallout from the coronavirus pandemic. Security managers should anticipate additional protests taking place in the coming three to six weeks and monitor the situation for any indication of growing anti-government sentiment that could result in larger-scale rallies occurring in the capital Tunis.

US Secretary of State Mike Pompeo said on 27 May that the US is ending the sanctions waivers on Iran allowing Russian, European and Chinese companies to continue to work on Iran’s civilian nuclear facilities without drawing American penalties. Pompeo announced that the waivers will end following a 60-day wind-down period intended to allow businesses to cease operations. The waiver for Iran's Bushehr nuclear power station, which receives international support, will remain in place, with an extension of 90 days. Pompeo also said that the US will impose sanctions on two officials with Iran's atomic energy organisation who are involved in the development and production of centrifuges used to enrich uranium. The announcement is an apparent tightening of the administration of US President Donald Trump’s ‘maximum pressure’ campaign against Tehran that began when Washington pulled out of the Joint Comprehensive Plan of Action (JCPOA, or Iran nuclear deal) in May 2018. It will eliminate most remaining elements of sanctions relief for Iran. It appears to be a message by the Trump administration that pressure will increase over the summer and may be an attempt for Trump to gain leverage amid a stated intention to negotiate what he calls a ‘better deal’ with Iran.

Three Saudi Arabian civilians were injured when a rocket launched by the Yemen-based Houthi rebels landed in the southern Jizan province on 26 May. The exact location of the incident was not revealed, although media reports say the village where the missile hit was located near the Yemeni border. A private residence was also damaged in the attack. While the Iran-backed Houthis stage periodic rocket attacks into Saudi Arabia, these incidents are notable because they follow a lull in cross-border attacks in recent months. The last confirmed attack took place on 28 March. Nonetheless, these are unlikely to cause significant disruption to the wider security environment, particularly as the Houthis are generally unable to consistently and accurately hit intended targets.

Reports and satellite imagery on Thursday (21 May) showed the suspected deployment of at least eight Russian-made fighter jets to Libya in support of Field Marshall Khalifa Haftar. If confirmed, the arrival of new Russian fighter jets would represent a significant escalation in the conflict between the GNA and Haftar’s Libyan National Army (LNA), suggesting that the Kremlin is stepping up its support for the self-declared leader. This could risk direct conflict with Turkey, who backs the GNA. The news comes as Turkey has been more active in Libya’s civil conflict, supplying the GNA with armoured vehicles and heavy weapons. In the coming one- to two-month period, there is an elevated risk of conflict escalation.

Prime Minister Mohammad Shtayyeh of the Palestinian Authority (PA) reconfirmed his government’s decision to end security co-ordination with Israel in a speech in Ramallah on 25 May. He also reportedly met with the head of the PA security services and asked him to stop all forms of security co-ordination with Israel. The move comes after PA President Mahmoud Abbas said on 19 May all security cooperation with Israel and the United States would end. The move comes amid Israel's intention to annex parts of the West Bank including the Jordan Valley and all Israeli settlements, reportedly set to begin on 1 July, and is likely aimed at preventing this from occurring. Specific information about how the PA intends to function without relying on agreements that support its existence is not clear.

Sub-Saharan Africa

Canada-headquartered luxury hotel group Fairmont Hotels and Resorts has said it will close two iconic hotels in Kenya due to the depleted demand caused by travel restrictions globally in response to the COVID-19 pandemic. The Norfolk in Nairobi and Fairmont Mara Safari Club will close and all employment contracts will be terminated by 5 June, the company said in a statement.

Fairmont adds to a growing list of high-end hospitality providers in Nairobi, including the Tribe Hotel and DusitD2 Nairobi, which have been forced to close due to the business impact of the pandemic; most hotels have reported lower than 10 per cent occupancy, according to local media. The struggles of the hospitality sector are unlikely to significantly ease over the coming two months, as the daily rate of new confirmations have continued to accelerate throughout May. Over the six-month outlook, corporate travel to Kenya is likely to remain problematic due to a lack of availability of flights and accommodation. This means rotating staff in and out of country will become more costly and time-consuming, as personnel will also need to factor likely continued mandatory quarantines upon arrival in Kenya, or other host countries during the timeframe. In turn, this is likely to delay a prompt resumption of some business operations requiring staff movements in and out of the country.    

On 20 May, France’s council of ministers approved a new bill that will put an end to the regional currency, the West African CFA franc, as we know it. The proposed bill will need to be approved by the French Senate. Specifically: the currency will change name to ‘eco’, the West African central banking institution, BCEAO, will no longer need to deposit half of the reserves in the French central bank, and French government institutions will no longer be represented at eco governance bodies. Anglophone countries Ghana and Nigeria will also adopt the new currency. The new currency will continue to be pegged against the euro, but this is likely to change after the currency is implemented. The new currency will become legal tender in the following eight countries: Benin, Burkina Faso, Guinea-Bissau, Côte d’Ivoire, Mali, Niger, Senegal, and Togo. It is unclear when the new currency will be introduced. Despite the rebranding many still deem it as a painful remnant of colonisation. However, it is probable that the COVID-19 pandemic will delay its launch, again, after being repeatedly delayed over the past few years. Companies with operations in or trade with the affected countries should continue to monitor announcements by the French government, the BCEAO, and the member states’ respective central banks to assess the impact on their operations in the one-year outlook.

A Niger government audit into 177 contracts for supply of arms and military equipment between 2017 and 2019 indicates financial losses of up to 40 per cent due to inflated costs and undelivered material, according to a report by Reuters news wire on 28 May. This amounts to XOF71.8 billion (USD120million) in total losses. The audit was reportedly submitted in April to the prosecutor-general, and the justice department launched a formal investigation on 8 April into the allegations of misappropriation which had been multiplying since February when they first emerged.

The latest audit is likely to prompt further investigations into the award of the contracts both in Niger and overseas, specifically in France which is Niger’s most important security partner. Furthermore, companies based in France in particular could be targeted in protest activity by activists who oppose the country’s continued role as a major arms provider to Sub-Saharan Africa. The allegations also pose increased security and stability risks in Niger ahead of planned general elections in December 2020 and February 2021, as several of the high-ranking ministers in office when the crimes were committed are members of the ruling Parti Nigerien pour la Democratie et le Socialisme (PNDS)-Tarayya party of President Mahamdou Issoufou.

Companies that have supplied arms or military equipment, including dual-use material, should conduct internal reviews into any contracts signed during the stated timeframe and ascertain that compliance with international and national weapons regulations have been assured. In the contrary case, they should self-report to the authorities and co-operate with investigators which could minimise any potential legal fines and other related costs in the medium term.