Geopolitical and Cybersecurity Risk Weekly Brief 13 July 2020

14 july 2020

COVID-19 Cybersecurity Update

Microsoft obtained a court order to take control of six domains used in an Office 365 phishing campaign leveraging coronavirus-themed lures. The attacks began in December 2019 using business-related themes, but quickly switched to coronavirus-themed documents as COVID-19 developed. This campaign was unique because the emails prompted the user to download a fake Office 365 application which gave the attackers extensive permissions. As a result, the attackers did not have to steal user passwords, because they were receiving the account authentication tokens instead.

Cybercriminals are capitalising on the pandemic in Brazil with malicious emails, SMS, and WhatsApp messages. In total, 693 malicious COVID-19 domains have been created in Brazil since March 2020. Cybercriminals have also leveraged the financial assistance programmes implemented by the Brazilian government to push malware and harvest credentials. Some of these attacks also involve Trojanised applications that require the user to forward a malicious link to all their contacts to receive government assistance. If a user clicks on one of these links, Brazilian-focused banking malware is downloaded.

A coronavirus-themed phishing attack impersonated the US Department of Revenue with the subject: CARES Relief Certificate. The message body references the 2019 185 CARES Relief Act, outlining details of the tax provisions available from it. The message informs the recipient that they have missed the deadline to apply for financial aid and to click the link for more information. The link takes them to a fake Microsoft Office 365 login page.

TrickBot continues to target the UK with COVID-19 themed malspam arriving from Orange France maliservers. The payloads remain geofenced to this locale. The email subject is ‘Blanche coronavirus Covid-19 infected’ with an attachment called ‘Tips_Covid-19.xls’.

Later in the week, the banking Trojan was also detected in Internal Revenue Service (IRS) and Black Lives Matter- themed (BLM) malicious spam emails delivered to the US. Weaponised XLS documents containing malicious macros download TrickBot. The subject of the IRS emails is ‘The IRS form improvements along with probable fee alert’, the attached XLS document is called ‘IRS_Form’. The body of the email aims to convince the user that a form they sent was ‘done improperly’ and they are required to resend another document or face a penalty fee.


Attacks and cybersecurity news

The US intelligence services have issued a security alert to the American private sector and government organisations, warning of an increase in attacks targeting managed service providers (MSPs). There has been an increase in incidents where threat actors breached MSP solutions and used them to compromise the internal network of said MSP's customers. The subsequent attacks have included ransomware, business email compromise, and attacks against point-of-sale systems.

Credit card skimming attacks are targeting websites hosted on Microsoft IIS servers running the ASP.NET web application framework. Over a dozen websites, including sports organisations, health, and community associations, as well as a credit union, were targeted. The malicious web skimming code used in these attacks was injected into the websites' existing JavaScript libraries.

An issue has been revealed in the way that Hotels.com codes are generated, which could impact UK Tesco Clubcard members. Using the bug, threat actors were able to purchase fraudulent vouchers which provided discounts on bookings via Hotels.com. The website generated codes were available to Clubcard members as a reward for their in-store spending, allowing them to receive up to GBP750 off hotel rooms. Threat actors were able to guess the last four digits of the codes, as the other nine characters followed the same pattern each time. These codes were sold on the darknet for GBP200-750.

ANS (American Network Solutions) UL40 mobile devices running Android OS 7.1.1 are infected with pre-installed malware. This specific device is provided by the Lifeline Assistance program via Assurance Wireless by Virgin Mobile and comes with both an infected Setting and Wireless Update application. A link was found between this ANS device and the Assurance Wireless UMX U686CL Android phones in January 2020. The digital certificate used to sign the ANS settings app was the same used to sign the malicious component of the UMX device. Both devices are also provided by Assurance Wireless.

Mozilla has been forced to suspend Firefox Send as the company investigates malware attacks leveraging the file-sharing service. Firefox Send was designed to provide secure file hosting and sharing capabilities for Firefox users. Malware operators quickly realised its potential for distribution due to Firefox Send encrypting contents stored on the system; this makes it harder for Firefox Send to analyse and block malicious content. Malware leveraging this tactic would be trusted by most protection systems by default as it arrives from Firefox URLs.

A threat group, dubbed Keeper, is responsible for security breaches at over 570 e-commerce portals over the last three years. The group breaks into website backends, alters their source code, and inserts malicious scripts which steal payment card details. Keeper has been active since at least April 2017. The group uses the same backend control panel in each of its attacks. This collects payment card details and allowed researchers to track their activity. Around 85 per cent of the 570 compromised stores ran on the Magento e-commerce platform.

A suspected ransomware attack on 7 July resulted in the temporary closure of Chilton County, Alabama's computer network. The incident resulted in disruption to the county's computer records system and affected multiple departments - including the tag office and probate court. Residents are being asked to check with clerks in certain departments before coming to the courthouse to make sure that the required records are accessible.


Data breaches, fraud, and vulnerabilities

Data Breaches

FreddieMac, the US Federal Home Loan Mortgage Corporation, has disclosed a data breach. The Attorney General of California (oag.ca.gov) breach notification states that a vendor hired by FreddieMac to perform due diligence services on its loans experienced a ransomware attack.

The incident reportedly left the vendor’s system inaccessible, so a clear picture of the incident or the information affected is not yet possible. There is currently no indication that personal information has been accessed or used. Information on the vendor’s systems included names, addresses, SSN, date of birth, credit and bank account information.

Two unsecured databases exposed millions of records from two companies based in China. One database belongs to Xiaosintong, an application developer aimed at elderly care; the other was connected to Shanghai Yanhua Smartech tools, a smart building service provider. The databases were both exposed for an unknown amount of time. It is unclear whether any threat actors accessed the data. Both databases are now secured.

Around 150,000 database entries from a Fujifilm Medical Japan System database have been offered for sale on Raid Forums by KelvinSecTeam. The database contains information from Fujifilm’s customer records. This includes personally identifiable information (PII), such as employment status and history, and contact details.

A security breach at Canadian insurance firm, Heartland Farm Mutual, may have exposed the personal information of various clients. A threat actor gained access to an employee's email inbox. The firm claims that a small number of personal records may have been accessed by the unauthorised party during the breach.

Security researcher Bob Diachenko reported two exposed databases this week. The first exposed the personally identifiable information of Indian citizens: almost 2 million records in the dataset included Aadhar/PAN numbers, email addresses, names, addresses, and phone numbers.

The other database belonged to Taiwanese data networking products company, Edimax, and exposed the company's cloud repository, to which network cameras upload clips and snapshots are sent. The researcher claims that direct links with short-term tokens were also exposed.

A large collection of records related to home loan leads have been exposed by Texan home loan provider Southwest Funding. 695,636 records were at risk because the database had no password protection. Exposed information in this dataset included customer data such as names, email addresses, residential addresses, loan account numbers, and results of credit or loan applications.

In the world of ransomware, threat actors continue to steal data, for extra leverage over their victims, prior to encrypting infected servers. This week saw a significant increase in activity from the Netwalker group. Two New York-based law firms - Cowan, Liebowitz & Latman and Slater, Sgarlato & Cappello – and two other companies were announced on the ransomware’s leaks blog. Cowan, Liebowitz & Latman was later removed from the blog, suggesting that the company had paid the ransom.

The operators of the Maze ransomware were also particularly active this week. A number of companies in the UK and USA were attacked and saw snippets of their data posted on the group’s leaks site. The Maze group also included a press release in which they elaborated on their expectations for the negotiation process. The threat actors now require victims to contact them within three days of an attack or their data will be published in tranches. The Maze operators also stated that they will notify victims' partner organisations and customers when they begin publishing the data.

Fraud

A new phishing campaign is targeting UK users by tricking them into disclosing their HSBC bank login credentials and sensitive personal and account details. This scam begins with a text message claiming to be from HSBC and stating that a payment has been made through the HSBC app on the recipient's mobile device. It goes on to say that if this payment was not made by them, they should visit the link provided to validate their account. The link directs the recipient to a phishing page asking for their username and password. This is followed by a series of extra verification steps, requesting account details and other personal data from the target.

MalwareHunterTeam has uncovered a new Trojanised Android package file (APK) masquerading as the Santander mobile banking application. Lucas Stefanko identified that the malware concealed in the app is from the Basbanke banking Trojan family. The app leverages a Google Play Store typosquatted domain and fake site to distribute the app to Banco Santander customers in Brazil.

A series of phishing attacks with similar characteristics have been uncovered. One of these campaigns - previously outlined by Perception-Point - impersonated the World Health Organization (WHO); others impersonated DHL, Outlook, and EMS; some were generic. The threat actors leverage the IBM cloud platform to spread the phishing emails. This allows the emails to exploit the good reputation associated with ‘appddomain.cloud’, which belongs to IBM cloud. Blocking or blacklisting this domain would cause disruption for end-users; as a result, the domain is seldom restricted. The same threat actor also used an Amazon S3 URL to make the phish appear legitimate.

Various Microsoft Outlook and Office 365-themed phishing campaigns were detected this week. One purports to be an ‘upgrade’ notification for Outlook; another requires the recipient to download a malicious Office 365 OAuth app; a third impersonates a notification from Zoom with the aim of stealing Microsoft Office 365 credentials.

Three similar phishing attacks are being distributed to targets in Portugal to steal credit card information. These impersonate media content and services provider SAPO, telecommunications company MEO, and Santander bank. The landing pages ask the user to enter their login credentials and full credit card details to 'verify' themselves. This information is exfiltrated to the attackers.

Vulnerabilities

Exploits for the critical vulnerability in F5 Network’s BIG-IP application delivery controller (ADC) have been added to the Metasploit penetration testing framework. Additional exploits for the vulnerability, designated CVE-2020-5902, are also publicly available on GitHub. Attackers could use these to acquire credentials and license keys, perform traffic interception and modification, pivot into the internal network, and acquire the private keys to any SSL/TLS certificates on the device. These developments elevate the severity of the threat. Those with affected systems should patch immediately. A total of 3,012 systems are exposed worldwide, mainly located in the US and China.

A recent study by Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) looked at 127 router models and found tens of unpatched and severe security flaws. The study examined 127 consumer-grade routers from ASUS, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel: nearly all were at risk of cyberattacks. It was found that even if the routers received updates, many known vulnerabilities had still been left unpatched by vendors. These issues are exacerbated by a severe lack of exploit mitigation protections across the industry.

The Purple Fox exploit kit (EK) has improved its arsenal by adding exploits for two more vulnerabilities. These target:

  • CVE-2020-0674 - a scripting engine memory corruption flaw in Internet Explorer. This was fixed as part of Microsoft's February 2020 Patch Tuesday.
  • CVE-2019-1458 - a local privilege escalation vulnerability. This was fixed as part of Microsoft's December 2019 Patch Tuesday.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule: 

  • Citrix has patched 11 vulnerabilities in its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products.
  • Multiple vulnerabilities in the Citrix Hypervisor. Successful exploitation can lead to increased privileges, denial of service, and providing misleading information via an existing account.
  • A critical remote code execution vulnerability in the Adning Advertising plugin for WordPress has been patched.
  • A reflected cross-site scripting (XSS) vulnerability, designated CVE-2020-15299, affecting the KingComposer WordPress plugin has been patched. Over 100,000 websites currently use KingComposer, a drag-and-drop page builder for WordPress-based domains.
  • High-risk vulnerability in the Samba Windows interoperability suite of programs for Linux and Unix. Successful exploitation can lead to denial of service.
  • Google has patched five critical remote code execution (RCE) vulnerabilities in Android with the release of its July 2020 security patches.
  • NVIDIA has patched a vulnerability, tracked as CVE-2020-5964, in the Windows NVIDIA GeForce Experience (GFE) software. This can allow local attackers to cause a variety of problems on unpatched systems.
  • Palo Alto Networks (PAN) has addressed a high-severity vulnerability, tracked as CVE-2020-2034, in its PAN-OS GlobalProtect portal. Threat actors with network access could exploit it without user interaction.
  • US CISA has issued a security advisory for two vulnerabilities in Grundfos water management products. Successful exploitation can lead to unauthorised access remotely via cleartext credential data.
  • US CISA has issued a security advisory regarding multiple vulnerabilities in Mitsubishi Electric ICS products. Successful exploitation can lead to denial of service (DoS) or remote code execution (RCE).
  • US CISA has issued a security advisory regarding multiple vulnerabilities in Phoenix Contact Automation and Rockwell Automation ICS products. Successful exploitation of Phoenix Contact gear can lead to executing arbitrary code under the privileges of the application.
  • Juniper Networks has published a list of security advisories to inform its customers of several high-severity vulnerabilities in its products.
  • Tencent has issued an alert over a security vulnerability recently disclosed in Kubernetes, the open-source container orchestration system. Successful exploitation can lead to allowing neighbouring hosts to bypass local host boundaries.


APT Activity and Malware Campaigns

APT activity

A new threat group, dubbed CosmicLynx, is targeting large companies around the globe. Researchers believe that the attackers have been active for at least a year. This group is based in Russia conducting business email compromise (BEC) scams. It is thought to be the first major Russian scam group of its kind. This campaign has targeted users in 46 countries, deploying lures relating to ongoing and current events, such as the coronavirus pandemic.

SanSec linked the mid-June Magecart attack on Claire's to North Korean threat group Lazarus. The group is believed to have been targeting retailers in the US and Europe since at least May 2019. These attacks were attributed to Lazarus through domains that had also served malware in spear-phishing attacks previously linked to the group. To obfuscate the attacks, Lazarus compromised the websites of legitimate businesses to dump the stolen card information, including an Italian model agency, a bookstore in New Jersey, and a music store in Tehran. Victims of this campaign – other than Claire's – include Wongs Jewellers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armour, Microbattery, and Realchems.

A financially motivated APT group, tracked as Evilnum, has been linked to a series of EVILNUM malware attacks. The group has been active since 2018 and targets financial technology companies worldwide. To date, little had been published about the group and how it operates. Evilnum has significantly improved its tools, techniques, and infrastructure since its first appearance. It uses a mix of malware built from scratch and those purchased from the Golden Chickens Malware-as-a-Service (MaaS) platform. Golden Chickens is known to provide services to other financially motivated APTs, such as FIN6 and Cobalt group. The APT’s targets are exclusively financial technology firms.

A new operation, dubbed Operation Honey Trap, is being carried out by Pakistani threat group APT36 (also known as TransparentTribe). The group is targeting defence and government organisations in India using honey trapping techniques such as fake profiles of attractive women to lure targets into opening emails or chatting on messaging platforms. Other email themes include CVs and job applications. Following a successful interaction, Crimson RAT is downloaded. TransparentTribe is believed to be a state-sponsored cyber-espionage group, known for several campaigns all of which have used Crimson RAT. The group has launched various attacks targeting the Indian military, air force academy, and most recently, some financial institutions.

Malware

This week has seen several detections of major campaigns distributing the Cerberus banking Trojan. In one, the malware targeted Android users in Spain by disguising itself as a legitimate application on the Google Play Store. The Trojan masqueraded as a Spanish currency converter called ‘Calculadora de Moneda’; the app stayed dormant on the device for several weeks to avoid raising suspicions. Users in Poland were also targeted with fake Facebook security updates, claiming that the recipient’s account had been compromised. The attack leverages a typosquatted domain and a convincing fake website that tries to reassure users by highlighting the importance of security. Cerberus is used to steal victims’ banking information.

Cyjax analysts uncovered a new AveMaria RAT campaign delivered in parcel delivery and invoice-themed malicious spam. The emails purport to be a message from TNT customer service regarding delivery and a Bill of Lading. Courier services, such as TNT and DHL, are often impersonated to deliver malware. Cyjax analysts also recently uncovered a similar AgentTesla campaign using parcel delivery notifications and Discord to host its .LZH payloads.

A new variant of the Joker Dropper and Premium Dialer spyware is being delivered in Trojanised apps on the Google Play Store. The updated Trojan now downloads additional malware to the device; users are then subscribed to premium services without their knowledge or consent. The malware uses a method of loading additional, encrypted, and obfuscated, payloads from the C&C – a tactic borrowed from traditional PC-based malware. This enables the Joker Trojan to be uploaded in seemingly harmless applications to the Play Store as the malware is dropped afterward.

Researchers have revealed a new Mirai variant that exploits nine vulnerabilities in routers and Internet of Things (IoT) devices that have not been observed in previous Mirai samples. The nine vulnerabilities used in this campaign affect specific versions of IP cameras, smart TVs, and routers. The most notable of these is CVE-2020-10173 in Comtrend VR-3033 routers. If exploited successfully it can lead to the compromise of the network managed by the router. The proof-of-concept exploit for CVE-2020-10173 is also publicly available.

There has been an uptick in activity from Gafgyt botnets infecting Linux devices to launch DDoS attacks. While Gafgyt has existed for some time, the researchers continue to see new variants with different TTPs. The Gafgyt botnets have an updated method of communication between the command and control (C&C) server and infected devices. New exploits and attack methods have also been observed. Interestingly, these new Gafgyt botnets are usually short-lived as the C&C servers go offline regularly. One variant was active between mid-April and mid-June. In total, 31 campaigns were launched, from which 572 samples were captured. These were from 19 different botnets.

Threat researchers have uncovered a new Android banking Trojan targeting financial apps, some located in Brazil. It abuses Android Accessibility features to collect credentials from other mobile banking applications. The apps targeted by this new Android Trojan include PayPal, Santander Business, and Banco Bradesco. The latter two apps are both Brazilian financial applications.

Darknet

New markets continue to spring up. This week, Neptune market was launched and whilst it has received little attention so far, its admins are attempting to rectify this by integrating both Jabber and Telegram notifications into the market. Other relatively new markets, such as ASEAN and Vice City, are also attempting to boost their popularity through vendor discounts.

It is not clear what is driving this frequent creation of new markets and it is also unlikely that all of them will last a significant amount of time. It is clear, however, that darknet market dynamics are slowly shifting. Monopoly, a relative stalwart of 2020, is rapidly declining in terms of popularity, while both DeepSea and Dark0de are slowly growing. However, both markets have some way to go before they are competitive with either White House or Empire.

Versus Market, a marketplace run by notorious ex-Dread moderators, has been attacked over the weekend. On 10 July 2020, the market administrator posted to Dread providing details of the attack and stating that their escrow funds had been stolen. Although it is common practice for darknet marketplace admins to use an attack as cover for an exit scam, many users believe this to be a genuine admission of an attack. As a result, some darknet users expect Versus to bounce back quickly.

The operators behind the LockBit ransomware have now ended their recruitment of new affiliates. This has coincided with the end of the competitions they were sponsoring. It is unknown whether these latest affiliates were drawn from the winners of this competition. LockBit is still relatively inactive in comparison to their ransomware peers, but this may change as recruiting more affiliates will increase available resources for targeting victims.


Geopolitical Threats and Impacts

Americas

The US Treasury Department imposed sanctions on three senior Chinese officials over alleged human rights abuses against ethnic minorities in Xinjiang. The US-based assets of the officials, all of whom are or have been intimately involved in the administration of the Xinjiang region, will be frozen and they will be denied US visas. A fourth individual’s assets were also frozen, but he will not be denied a visa to enter the US. The Treasury Department also imposed sanctions on the security bureau as an entity. These sanctions follow US President Donald Trump’s signing of the Uighur Human Rights Policy Act of 2020 into law on 17 June. That measure calls for US sanctions on Chinese officials over alleged repression of Uighurs. US firms with interests in China should assess how strategy and operations may be impacted by a further deterioration of bilateral relations, potentially eliciting diplomatic or commercial reprisals from Beijing.

On 9 July, the Supreme Court issued a 7-2 decision on a subpoena which will release President Donald Trump’s tax returns and business records to the grand jury in New York. A further subpoena submitted by three committees in the Democratic-controlled House of Representatives, on whether they can view the financial information, was sent back down to lower courts for further evaluation on the separation of powers issue. The verdict signals a defeat for Trump who has consistently refused to reveal his tax returns since entering office. However, despite a ruling that allows prosecution services in New York to see them, this information will legally remain confidential. There is a possibility that in order to divert attention from the verdict, the Trump administration could ramp up ongoing anti-Chinese rhetoric amid recent allegations of coercion and cyber-espionage. This could also be reflected in the coming weeks via a firmer stance on the Mexican border with possible deployment of troops.

According to a statement by Secretary of State Mike Pompeo on 6 July, the US is ‘looking at’ banning China-based social media applications, including short-form mobile video service TikTok. While TiKTok – which is owned by Beijing-based start-up ByteDance – has a strong presence in the US it has repeatedly come under criticism by US lawmakers who accuse the app of posing a security threat due to alleged ties with the Chinese government. TikTok has denied the claims, saying that it operates as a separate entity from ByteDance and stores US user data within the country with a backup in Singapore. Banning the company would signal yet another escalatory action in heightened US-China tensions. Companies that have commercial partnerships with Chinese social media firms, including for advertising purposes, should factor the impact a potential ban could have on existing marketing and outreach initiatives.

On 7 July, the director of the FBI, Christopher Wray, stated in a speech made at the Hudson Institute in Washington, that China is conducting a campaign against their diaspora known as Operation Fox Hunt. The programme targets Chinese-born citizens living in the US who are critical of the regime and aims to force them back to the country via methods of coercion. Wray appealed in his speech for potential Fox-Hunt victims to contact the FBI. Wray’s speech will likely further elevate tensions between US and China. While China has not responded to the FBI’s details of Fox Hunt, it is likely they will deny the operation’s targeting of Chinese people in the US and reference the programme's official use as a means of locating corrupt government and business officials.

A delegation of mayors from northern Chile has requested a halt to mining operations amid a rapid increase in coronavirus (COVID-19) cases in recent weeks. This comes as state-owned mining company Codelco suspended work on projects across the Antofagasta region and reduced operations at the Chuquicamata open pit copper mine due to COVID-19. Trade unions representing mining workers have also called for stoppages to mining in a bid to protect workers. According to an estimate by state copper agency Cochilco, COVID-19 would lead to a loss of 200,000 tonnes in copper production, though the actual figure will likely be much higher. Businesses with commercial interests in Chile should contact local partners and stakeholders to assess the impact a potential halt in operations will have on supply chains.

Asia-Pacific

In Singapore, the ruling People’s Action Party (PAP) won the general election on 10 July, but its share of the popular vote fell to near record lows as an opposition party won the most parliamentary seats since the country’s independence in 1965. The PAP secured 83 of parliament’s 93 seats while the opposition Workers’ Party (WP) took the remaining 10. Singapore’s economic success has long been attributed to the impact of the PAP’s often authoritarian governance on political and social stability. The 2020 election was called during the coronavirus (COVID-19) pandemic at a time when the country had registered around 40,000 cases, mainly among its huge migrant worker population, presumably in the expectation the government’s response to the crisis would ensure it received the maximum amount of support ahead of a period of economic hardship form many Singaporeans. While the PAP’s position in constitutional term remains unassailable, the unprecedented success of the WP is certain to lead the government to reassess some its policies – notably regarding immigration, foreign labour and the wealth gap – that appear to have created such a high level of voter dissatisfaction.

At least two major international European and US banks in Hong Kong are carrying out emergency audits of their clients to screen for Chinese and Hong Kong officials and businesses that could be subject to US sanctions over the new national security law, according to the Financial Times. US President Donald Trump is expected to sign the Hong Kong Autonomy Act into law as soon as next week, which would give Washington the ability to impose sanctions on officials alleged to have infringed on Hong Kong’s semi-autonomous status, as well as state entities and banks that conduct business with them. The audits underscore the adverse commercial implications of Hong Kong’s new national security law, which prohibits compliance with US sanctions against China and Hong Kong. US sanctions imposed under the autonomy act could compel financial institutions to decide between conducting business with China or the US. Financial institutions – including insurers and fund managers – should review their client base for exposure to sanctions and assess the impact of sanctions on strategy and operations. Monitor the US sanctions list for updates and ensure compliance.

As noted above, the Hong Kong administration last week published details of the new security law imposed by the Chinese government criminalising secession, subversion, terrorism and foreign interference. Under the new rules, the police now have the power to conduct searches without warrants and control the dissemination of information online, while government officials can order the assets of those suspected of breaching the law to be frozen. Another feature of the law is its claim to apply beyond Hong Kong or China in other legal jurisdictions. While this is clearly intended to restore what the local and central governments assess to represent stability in Hong Kong, it has already created friction with many other countries that can only further complicate the territory’s and China’s international diplomatic and commercial relations.

Facebook, for example, on Monday said it would not process Hong Kong government requests for user data until it assessed the law’s impact on human rights considerations, a position likely to result in retaliation by Beijing. Many foreign companies in Hong Kong are also certain to experience conflicting pressures from their home governments and the local and Chinese authorities that could compromise their ability to operate effectively in the territory and in the mainland. Some foreign staff may also be subject to increased administrative controls reflecting their nationality and the conduct and attitude of their respective governments towards Hong Kong and Beijing. These factors should be assessed as a matter of urgency in order to identify vulnerabilities and any means to mediate threats to operational or employment practises.

A prominent critic of Xi Jinping and Tsinghua University professor, Xu Zhangrun, was detained in Beijing on 6 July, according to media reports. The detention comes after Xu published an essay in February accusing the Chinese Communist Party (CCP) of mishandling the COVID-19 pandemic. Authorities placed Xu under house arrest earlier this year after the professor publicly criticised Chinese leadership several times, severing his internet connection and banning him from social media. The legal scholar is the fourth prominent Xi and CCP-critic to be detained since the unfolding of the COVID-19 pandemic. Since Xi became the leader of China in 2012, there has been a severe restriction of civil society, including universities and media organisations. Xu’s detention is likely to draw criticism from Western institutions and add pressure to Western universities co-operating with Chinese universities. Such pressure contrasts with Western universities’ considerable reliance on Chinese students for their income. The European Parliament in 2018 voiced concern over threats to academic freedom and called for measures to protect academic values in external relations.

Europe

According to a report by La Repubblica, the Italian government is considering excluding Chinese telecoms firm Huawei from developing 5G networks. The newspaper said that members of the 5 Star Movement, which is part of the ruling coalition and initially supported Huawei, were changing their approach. Foreign minister Luigi Di Maio reportedly met with the US ambassador in Rome last week for discussions that also covered the Huawei issue. This comes as a growing number of European countries are finalising their stance on Huawei or reviewing earlier decisions amid sustained US pressure to ban the company. Washington claims Huawei can be used to spy on allied countries, which the company has repeatedly rejected. The new impetus to re-evaluate the risks posed by allowing Huawei involvement in 5G networks illustrates an understanding that even if Democratic Party candidate Joe Biden wins the presidential election in November, the US approach vis-a-vis China is unlikely to significantly change. Telecommunications firms with operations in Italy should anticipate a government announcement on Huawei in the coming months and adjust strategic planning accordingly.

Liu Xiaoming, the Chinese ambassador to the UK, warned on 6 July that Britain will ‘bear the consequences’ if it reversed an earlier decision allowing telecommunications firm Huawei a limited role in 5G networks. The envoy added that a ban on Huawei would send ‘a very bad message to other Chinese businesses’ and damage the UK’s commitment to free trade. This comes as security officials warned that the UK may be unable to allow Huawei a role after the US announced new sanctions in May. A final decision is expected before parliament enters summer recess on 22 July. This illustrates the political tightrope Prime Minister Boris Johnson is walking. On the one hand, the UK wants to placate US national security concerns, while on the other London is seeking to strengthen trading relationships with foreign countries as part of a broader post-Brexit strategy. A decision banning Huawei would fuel already worsening China-UK relations over Hong Kong after the introduction of a divisive security law last week. Given that a sizable part of Chinese foreign direct investment is made by state-controlled firms, any shift that would damage Huawei’s commercial interests in the UK would likely trigger a counter-response. In practice, this will probably mean a rollback of planned UK investments by key Chinese firms, while UK-based firms seeking to establish or expand their presence in China may also face new regulatory and political barriers.

Guillaume Poupard, the head of France’s cybersecurity agency ANSSI, has said that while there would not be a total ban on using equipment manufactured by Huawei, the agency was encouraging firms to avoid relying on the Chinese technology firm. In an interview with the Les Echos newspaper, Poupard said companies already using Huawei would be given authorisations for durations between three and eight years. In a separate but related development, UK Prime Minister Boris Johnson and fellow officials are drawing up proposals for companies to stop installing equipment in domestic 5G networks as early as this year. According to The Daily Telegraph, this would also speed up the removal of existing technology amid new concerns raised by intelligence agency GCHQ. By refraining from imposing a blanket ban, France joins a number of European countries taking a moderate stance on Huawei despite US pressure on allies to block the company altogether. Both developments are indications of renewed scrutiny on Huawei as countries seek to bolster economic recovery after the coronavirus (COVID-19) pandemic. The use of technology with revolutionary potential, including 5G, is seen as pivotal in this respect. Overall, a decreased role by Huawei means that European telecommunications firms will face higher development costs for 5G due to decreased vendor availability.

On 6 July, the UK government announced economic sanctions targeting a total of 49 individuals and entities in Russia, Saudi Arabia, Myanmar, and North Korea under the country’s new sanction regime. UK Foreign Secretary Dominic Raab said the sanctions, which are effective immediately, were imposed against those responsible for ‘some of the notorious human rights violations in recent years. The sanctions will worsen already strained UK-Russia relations, which have been essentially frozen after the 2018 poisoning of former Russian spy Sergei Skripal. Notably, the new measures threaten to imperil relations with key economic partner and ally Saudi Arabia. The decision may affect UK arms exports to Saudi Arabia, a crucial export market. UK companies should factor the new sanctions into existing compliance programmes and ensure full adherence with any restrictive measures.

Middle East, North Africa and Central Asia

An explosion was reported in western Tehran on 10 July, with social media posts claiming to have heard the blast from nearby cities including Garmdareh and Qods. Electricity was temporarily cut in suburban areas surrounding the suspected blast site. Meanwhile on 7 July, an explosion took place at an industrial site in Baqershahr, 23km south of Tehran. The factory reportedly belongs to the Iranian automotive manufacturer SAIPA and cooperates with the Iranian Ministry of Defense and the Iranian Revolutionary Guards Corps. The incidents are the latest in a string of mysterious fires and explosions to have occurred in Iran since 26 July, many of which have hit sensitive sites. Security managers should monitor the situation for updates. Iran will almost certainly respond if authorities determine a cyberattack or other acts of sabotage caused the explosions.

On 8 July, Chief prosecutor, Muhammad Jamal Sultan of Bahrain’s High Criminal Court announced that five financial officials at Future Bank (BSC) had been convicted of money laundering. The court also charged three Iranian banks, including Bank Melli and Bank Sederat, in connection with the money laundering charges. The verdict comes after an investigation was held into money transfers involving Iranian entities with terrorist links or subject to international sanctions. Officials in BSC facilitated international transactions into Iranian banks that circumvented normal financial regulations by deliberately omitting basic details. BSC was established as part of a joint venture with the Iranian banks Melli and Sederat, which also control operations there. The case underlines the existence of well-established, illicit financial networks linked to Iran in the region, allowing the country to bypass international sanctions. This is the second time since June that the court has pursued money laundering charges against officials at BSC for their illegal links to Iranian banks, indicating that the country is moving to take a firmer stance on the issue. Investigations into the BSC’s practices are ongoing with further charges likely; there is a good chance that measures requiring a suspension of activity could be taken in the medium-term outlook. Businesses with any relations to these banks are advised to carry out due diligence procedures due to the heightened risk that association could implicate them and result in sanctions.

Libyan National Oil Corporation (NOC) Chairman Mustafa Sanallah said on 5 July that foreign forces entered the Sidra Oil Port, located between Benghazi and Sirte in the east, and that they are attempting to make it a military centre. The nationalities of the forces and exact date of their entry is not known. Sanallah also confirmed that foreign fighters from Russia’s paramilitary organisation the Wagner Group have occupied El Sharara oil field from 10 June. He called for the Wagner Group mercenaries to leave the country. The entry of more foreign forces into the Sidra Oil port highlights the increasing presence of foreign fighters in the country as Russia and Turkey have augmented their military footprints to support rival sides in the conflict. A heightened security presence is expected in the area over the coming three to six-week period, and clashes between rival forces are highly probable.

Sub-Saharan Africa

Tanzanian authorities suspended domestic media outlet Kwanza Media Broadcasting group after it republished a US advisory, relayed by the American embassy in Dar es Salaam on 1 July, warning about the elevated risks of contracting COVID-19 in the country. The suspension will be effective for 11 months, but the media group has pledged to appeal the decision. This is the second suspension of the outlet over the past year. This reflects Tanzania’s draconian media laws and the government’s crackdown on dissent under President John Magufuli, who took office in 2015. Tanzanian authorities have not published aggregate data on COVID-19 infections in the country since 29 April; President Magufuli claimed in early June that Tanzania was free of the disease. Treatment centres are also being closed. It is probable that other media networks conducting work in the country contradictory to the government’s approach could be targeted by similar moves in the three-month outlook, particularly as there are strong indications the outbreak is spreading rapidly in the country. Moves by the authorities could include revocations of or refusals to issue visas, and arrests. This risk should be factored into overall security threat assessments and travel plans.

The Special Investigation Unit (SIU) of the South African police has confirmed it has been tasked to investigate allegations of corruption, including embezzlement, of the country’s ZAR500 billion (USD29.6 billion) relief fund to combat the outbreak of COVID-19. The SIU’s main mandate is to investigate ‘serious malpractice and maladministration’ of state funds, including in state-owned enterprises. The investigation, which will still need to be signed off by President Cyril Ramaphosa, comes after at least 20 complaints of serious fraud have been lodged for malpractices, including in Gauteng and Eastern Province, over the past two months. The relief package is provided by international financial institutions, who are likely to increase their scrutiny of future disbursements. Companies that sub-contract on behalf of the government are likely to face an increased compliance burden during the timeframe.

The Mouvement du 5 juin-Rassemblement des forces patriotiques (M5-RFP) – a coalition of opposition groups led by influential Islamic cleric Mahmoud Dicko – has rejected Malian President Ibrahim Boubacar Keïta’s (IBK) attempt at holding talks to de-escalate growing animosity with the government and called for new mass protests on 10 July. This follows a meeting on 5 July between M5-RFP cadres and IBK at the presidential palace. The continued and apparently growing anger with the government is in line with our warnings following the poll, that the low turnout would fuel civil unrest. The collapse in talks is likely to galvanise M5-RFP supporters, indicating that mass protests will become increasingly well attended and regular over the coming two months in the absence of any constructive dialogue. Operations managers in the country should continue to monitor announcements by the government and the opposition closely during this timeframe, and instruct staff to minimise non-essential movements and avoid gatherings on the days of protests, which commonly occur on Fridays.

The Portuguese government has announced the nationalisation by decree of 72 per cent of the capital stock in power and engineering group EFACEC Power Solutions, which were indirectly held by Isabel dos Santos – the daughter of Angola’s former president Jose Eduardo dos Santos – through Malta-based company Winterfell 2. The government said the decision was intended to protect the company and about 2,500 jobs, as dos Santos has reportedly been struggling to honour some of her debt due to other asset seizures, which are part of investigations into allegations that she siphoned off more than USD1 billion from the Angola state-owned oil company SONANGOL. Dos Santos has denied wrongdoing and claims the allegations are politically motivated. Further seizures of assets owned or controlled by dos Santos are likely in the six-month outlook as she has interests in companies across the world; in January, Portuguese prosecutors seized her assets in telecommunications company NOS, following a similar move by Portuguese banks in January. The multiplying asset seizures present a growing political risk to companies that own shares in entities where dos Santos-linked organisations also have a stake. Investors and asset managers should continue to monitor further announcements and assess the likely impact on their holdings.