Geopolitical and Cybersecurity Risk Weekly Brief 15 June

15 June 2020

COVID-19 CYBERSECURITY UPDATE

The FBI has reported on the most common types of fraud during the pandemic. The Internet Crime Complaint Center (IC3) received nearly as many complaints in the first half of 2020 (about 320,000) as in the entirety of 2019 (about 400,000). Criminals continue to peddle counterfeit personal protective equipment (PPE) and fraudulent unemployment insurance claims. Other cybercriminals have targeted children continuing their education online from home.

The Guardian reported this week that Brussels had accused China of running disinformation campaigns against European Union states. There have reportedly been “huge waves” of coronavirus misinformation and false facts about the pandemic. In one case, an unnamed Chinese diplomat claimed 80 French lawmakers had used a racist slur against the head of the World Health Organization, Tedros Adhanom Ghebreyesus. The EU denied this. In the same week, the Chinese administration asked the international community to end disinformation surrounding COVID-19, particularly lies and rumours against China. Academics from the Australia Institute found that more than 5,000 Twitter accounts retweeted nearly 7,000 items of coronavirus-related information in a coordinated manner, promoting the conspiracy theory that China had created the virus as a bioweapon.

Twitter has removed a large volume of pro-China bot accounts that have been spreading misinformation about the coronavirus. 170,000 accounts were banned from the platform comprising “a core network” of 23,750 highly active accounts, supported by 150,000 “amplifier accounts”. This misinformation campaign was spreading a narrative favourable to the Communist Party of China while also spreading lies about the political dynamics in Hong Kong. Twitter also revealed it had shut down more than a thousand Russia-based misinformation accounts.

Several coronavirus-related scams have been circulating in the UK this week. In one of these. businesses received phishing messages about Small Business Grants Fund (SGF) relief payments from the UK government. Using automated Dropbox Transfer notifications, the emails are sent from a legitimate Dropbox email and evade Secure Email Gateway protections.

Fraudsters have been applying for Paycheck Protection Program (PPP) loans and targeted PPP funds after they have been disbursed. Nearly 100 investigations have been initiated since the inception of PPP, with over USD42 million in potential fraud identified. Other types of COVID-19-related fraud identified by the FBI promised free care and free COVID-19 testing to patients. These scams target personal and health insurance information, including victims’ dates of birth, Social Security numbers, and financial data.

Fake Android applications posing as government COVID-19 contact tracing apps are being distributed through third-party app stores. 12 malware-infected apps have been discovered at the time of reporting, targeting Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia, and Singapore. Elsewhere, various coronavirus-themed malware and spam campaigns have targeted Spain, Brazil, South Africa, and the US. Lures have generally focused on relief payments of some sort for coronavirus, but all delivered malware.

Websites impersonating the government of Spain and the country's Ministry of Health have begun distributing the Ginp Android banking Trojan. After installation, it requests Android Accessibility services to be activated and sends information about all launched apps to its C&C server.

A Google TAG analysis of millions of COVID-19-related cyber threats targeting India, Brazil, and the UK revealed that 18 million malware and phishing emails are being sent each day, and more than 240 million spam emails have been seen specifically using COVID-19 as a lure. In India, much of the spam references the Aarogya Setu contact tracing app and virus symptom tracing forms to push malware; in the UK, phishing emails offer government help with the COVID-19 crisis; Brazilians are receiving streaming service-themed phishing emails.

IBM X-Force recently uncovered a COVID-19 phishing campaign targeting a German multinational corporation, associated with a German government-private sector task force to procure PPE (Task Force Schutzausrüstung). The actors behind this campaign targeted more than 100 high ranking executives in management and procurement roles within that organisation and 40 others. CERT BUND has been notified and is assisting those targeted.

An SMS-based phishing (SMiShing) scam is targeting the personal and financial data of self-employed workers using the Self-Employment Income Support Scheme (SEISS) in the UK. The text messages offer a 'rebate from HMRC' and redirect recipients to a convincing copy of the HMRC website. Any data entered into the form is then stolen. According to Griffin Law, which uncovered the scam, some 100 self-employed workers have reported receiving these messages.

 

ATTACKS AND CYBERSECURITY NEWS

OTHER ATTACKS AND CYBERSECURITY NEWS

The FBI has warned users of mobile banking apps of an increase in attacks to steal credentials. Studies indicate that the use of mobile banking has doubled since the beginning of 2020. The increased use of these apps is believed to be a result of the coronavirus pandemic, and the FBI states that it could lead to increased exploitation attempts by attackers. These could come in various forms: from fake banking apps to banking Trojans. 

A new phishing campaign is delivering the Trickbot Trojan using the Black Lives Matter movement as a lure. The email purports to be from "Country administration" and asks people to leave a confidential "review" about Black Lives Matter. Recipients are asked to fill out a form, which requires them to "enable content", activating malicious macros. Trickbot is subsequently downloaded onto the compromised device.

Security researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan have identified multiple vulnerabilities in the OmniBallot online voting platform used in several US states. The US is currently preparing for the November 2020 Presidential Election cycle. Three states, New Jersey, Virginia, and Delaware have already announced that they plan to use OmniBallot for online voting, specifically for voters who are self-quarantining, disabled and overseas.

Both Florence, Alabama, and Knoxville, Tennessee, were hit by ransomware attacks. Knoxville’s systems were significantly impacted: court sessions were cancelled, and the website was offline at the time of reporting. The Florence council, however, decided to pay the ransom of USD300,000 in Bitcoin to preserve the information of city workers and customers, and to restore operations promptly. 

Australian beverages company, Lion, was hit by a cyberattack on 9 June which disrupted manufacturing and knocked out its internal IT systems. Staff lost remote access to Lion's internal network. Currently, Lion has had to stop beer manufacturing and its dairy production has also been impacted. It is now producing these items at a limited capacity.

The EKANS (sometimes known as Snake) ransomware operators have reportedly attacked car manufacturer Honda, disrupting its European operations. Honda confirmed an ongoing investigation into an issue with its IT network. It was also claimed that Italian multinational energy company, Enel, may have fallen victim to the malware.

Several days later, Honda confirmed that it had experienced a cyberattack but sought to reassure customers that "there is no information breach at this point in time." Edesur, one of the companies belonging to Enel Argentina which provides energy distribution in Buenos Aires, also confirmed a ransomware attack that was subsequently attributed to EKANS. In both cases, a Citrix NetScaler VPN server, vulnerable to CVE-2019-19781, exposed to the internet, is believed to have been the infiltration point. This vulnerability is often exploited by ransomware operators.

VPNs are being consistently targeted by cybercriminals as an initial breach vector. Scans for exposed Citrix and Pulse Secure virtual private network (VPN) gateways have increased. Organisations should patch Citrix NetScaler and Pulse Secure VPN vulnerabilities as soon as possible, including new installations. A steady stream of organisations has been reported as setting up new VPNs for employees to work remotely which are subsequently exposed to these attacks.

The operators of the Black Kingdom ransomware have been observed targeting organisations with unpatched Pulse Secure VPN software. These attacks are exploiting CVE-2019-11510, a critical arbitrary file read vulnerability in Pulse Connect Secure which could allow an unauthenticated remote attacker to access company data.

Austria’s largest telecommunications group, A1 Telekom, has been breached. The company's central PCs and servers were severely compromised. The attackers reportedly maintained backdoor access for over six months. In December 2019, A1-CERT detected malware beaconing from A1's systems and coordinated with the company to remove it. The CERT claimed that no data was deleted or encrypted, as would be the case in a typical ransomware attack. Instead, the type of behaviour exhibited by the attackers appears to indicate an advanced persistent threat (APT) actor.

Cyjax analysts have uncovered multiple fake Android package files (APK) masquerading as various postal services that contain malware. The attacks deliver fake courier notifications that require targets to download the APK to receive information about their post. The fake Post apps set permissions to enable the attackers to gather information from an infected device. In total, six apps masquerading as Swiss Post were uncovered, along with four hiding as La Poste (in France), and two as the Finnish Posti courier service. 

Over 100,000 indoor security cameras across the UK which use the CamHi application may contain critical flaws which leave them vulnerable to compromise, spying and data theft. 47 different brands worldwide have a critical flaw in their design and software. These include cameras from popular brands such as Accfly, ieGeek and SV3C. More than 3.5m cameras have been identified as being at risk of exploitation because they are associated with the CamHi app.

A novel phishing campaign is abusing a tool called StackBlitz to host credential harvesting pages. Some of the services targeted include Microsoft Office 365, OneDrive, Outlook Web App (OWA), Aol.com, GSuite, Yahoo, and Rackspace. The Australia-based Kirrae Health Service was also targeted. StackBlitz is an online integrated development environment (IDE) with which anyone can create Angular JavaScript and React TypeScript projects that are immediately posted online. 

So-called ‘search hijackers’ are now using an installer which changes a Google Chrome policy, informing device owners that the browser cannot be removed because it is managed externally. The extensions in question are CapitaSearch Space, and Mazy, which gave threat actors remote administrative privileges in the browser on which they are installed. It is currently unclear how these malicious extensions are being distributed.

  

DATA BREACHES, FRAUD, AND VULNERABILITIES

DATA BREACHES

As in previous weeks, there were tens of ransomware attacks that resulted in data theft. This is a serious issue and can be combatted, in part, with cybersecurity and phishing awareness training for employees. The Maze ransomware operators – the pioneers of this tactic of data removal prior to victim system encryption – hit 14 organisations in the US, Brazil, and the UAE. Data was leaked from each victim on the group’s darknet leaks blog to force them into paying the ransom. The operators of the Netwalker ransomware also claimed responsibility for attacking and stealing information from four companies, one of which was a US care home provider.

One of the more interesting developments came from the Sodinokibi group. The ransomware has been prolific in 2020, and this week saw a further eight businesses fall victim. However, the operators of the threat have added a new ‘Auction’ feature to their leaks site, where other people can bid on data within a certain time frame. They have also included a "blitz price" which allows users to buy the dataset outright without having to bid. The attackers want payment in Monero (XMR) and have provided links to sites where users can obtain the cryptocurrency.

Live event and experience solutions provider, TAIT, disclosed a data breach which led to the exposure of personal and financial information. Clients of the firm include NASA, Disney, Universal, Nike, Metallica, U2, Microsoft, MTV, The Olympics, Eurovision, The Rolling Stones, and AC/DC.

Fortune 500 insurance holding company, Genworth Financial, has disclosed a data breach in which an unauthorised third-party gained access to agents' online accounts using compromised credentials. Names, addresses, ages, genders, dates of birth, Social Security numbers, signatures, and financial information were all exposed. The type of financial data exposed has not been specified.

GP video consultation app manufactured by Babylon Health for use in the UK, has exposed confidential patient information to other users. The exposure was discovered after one of the app's users found they had access to video recordings of other patients' consultations. According to the Guardian, "Babylon later said a small number of UK users could see each other’s sessions and that the problem was a limited software error and not a “malicious attack”."

The Greenworks hardware tools website has been injected with a Magecart web skimmer that is stealing payment card data from customers. This malicious script is sophisticated, with self-cloaking capabilities and anti-tampering protection. This script is still active at the time of reporting.

Elsewhere, Magecart groups have been using misconfigured Amazon S3 Buckets to insert malicious code into websites and steal users' payment card details. RiskIQ observed Magecart code on three websites, each of which was related to the other, hosting content and chat forums for firefighters, police officers, and security professionals. The websites are as follows: officer[.]com, firehouse[.]com, and securityinfowatch[.]com.

FRAUD

Scammers have hijacked three YouTube channels to display Bitcoin scams, using imagery from the SpaceX channel. These scams have made the threat actors around USD150,000 in Bitcoin since 8 June. Three channels previously known as ‘Juice TV’, ‘Right Human,’ and ‘MaximSakulevich’ have been hijacked and renamed either to SpaceX Live or SpaceX. 

DarkBasin is a hack-for-hire group that has reportedly targeted thousands of individuals and hundreds of institutions. The targets include advocacy groups, journalists, and senior government officials, as well as hedge funds and other organisations in multiple sectors. This group appears to be low-skilled but with significant resources. It is used to gain an advantage in legal battles or to quell movements against customer's clients.

The HiddenShadow cryptocurrency mining gang based in China is distributing a cryptomining Trojan that spreads via the EternalBlue vulnerability (MS17-010) targeting end-of-life (EoL) systems, which are no longer being supported with updates from their manufacturers. Users should be aware that unpatched systems leave their business open to exploitation.

VULNERABILITIES

A recently released research paper has revealed a new attack, dubbed SGAxe, to which Intel processors are vulnerable. SGAxe specifically targets the Intel Software Guard eXtensions (SGX) enclaves and, by breaching their security guarantees, leaks data from the affected processors. 

While investigating SMBGhost, researchers discovered another vulnerability, tracked as CVE-2020-1206 (also known as SMBleed). SMBleed also permits pre-authentication, arbitrary code execution and remote kernel memory read. SMBGhost is one of the main threats on the landscape currently. New versions of an EternalBlue downloader Trojan have appeared in China that also check for the vulnerability (CVE-2020-0796). In a campaign dubbed Operation BlackBall, malware is scanning for unpatched SMBv3.1.1 signatures and attempting SSH brute-forcing against Redis Linux-based servers. Compromised systems are infected with Trojans and cryptominers. Nearly one-third of systems have still not applied the patch for CVE-2020-0796.

Patch Tuesday for June saw several major updates and a record number of vulnerabilities addressed by Microsoft:

  •  Intel released patches for 25 vulnerabilities. Only two of these are rated critical, with the rest rated between high and low.
  • Adobe released security updates for Adobe Flash Player, Adobe Experience Manager, and Adobe Framemaker. This is a small release in comparison to the company's previous Patch Tuesday outlays, with only 10 vulnerabilities patched across three products. Four of these are considered critical, the other six are classed as important.
  • Microsoft released security updates for 129 vulnerabilities. 11 were classed as critical, 109 as important, seven as moderate, and two as low. This is the largest Patch Tuesday update released by Microsoft to date.

A vulnerability, dubbed CallStranger and tracked as CVE-2020-12695, can allow an attacker to exfiltrate data, turn devices into bots, and scan internal networks. The bug is found in the Universal Plug and Play protocol (UPnP) used by millions of devices and affects all versions of Windows 10, as well as routers, access points, printers, gaming consoles, door phones, media applications and devices, cameras, and television sets.

The Indian government has addressed a critical vulnerability in its secure document wallet service Digilocker. The flaw could have allowed attackers to bypass a mobile's one-time password (OTP) and sign in as another user. DigiLocker has over 38 million registered users, and acts as a storage space and digital platform for online document processing.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule. 

  • 0day local privilege escalation (LPE) vulnerability in Apple macOS. All versions of macOS are affected.
  • Vulnerabilities disclosed in Advantech and Mitsubishi ICS products. Successful exploitation can lead to remote code execution, resource exhaustion, and denial of service. These products are used in manufacturing, energy, and water management systems.
  • Multiple vulnerabilities in Siemens ICS products with varying risk levels. These products are used in chemical, energy, food and agriculture, and water management industrial control systems. The products affected include: Siemens SIMATIC, SINAMICS, SINEC, SINEMA, SINUMERIK, LOGO!
  • IBM has patched two critical remote code execution (RCE) vulnerabilities in its WebSphere Application Server product.
  • Vulnerabilities in Medtronic healthcare equipment. Successful exploitation can lead to improper access control and cleartext transmission of sensitive information due to issues in the Conexus telemetry protocol.
  • Local privilege escalation (LPE) vulnerability has been publicly disclosed in VMware Horizon products.
  • D-Link has released a firmware update for the DIR-865L wireless router model to fix three security vulnerabilities, one of which is rated critical.

 

APT ACTIVITY AND MALWARE CAMPAIGNS

APT ACTIVITY

A recent COVID-19-themed lure has been linked to a South Korean APT known as Higaisa. The decoy document, an LNK file disguised as a PDF, contains a World Health Organization (WHO) situation report regarding the spread of COVID-19. Higaisa's main targets have been government, public, and trade organisations in North Korea; however, it has also carried out attacks in China, Japan, Russia, Poland, and other nations.

Further investigation revealed that many of the attacks targeted the Zeplin platform. Zeplin is a software that is used to connect teams for effective collaboration on projects: it has over three million users. Some of the decoy documents were disguised as Trojanised Zeplin files and contained a variant of Gh0st RAT that is operated by Higaisa. The group likely targeted Zeplin because of the current pandemic situation which has forced many to work from home. Some of Zeplin's most prominent customers include Starbucks, AirBnB, Slack, Dropbox, Pinterest, Shopify, Feedly, and MailChimp.

A new threat actor, dubbed TA410, has been identified as responsible for various spear-phishing attacks delivering the LookBack RAT to US energy providers in 2019. During research into the LookBack campaigns, another malware, dubbed FlowCloud, was also found being distributed to US utilities. LookBack and FlowCloud share attachment macros, malware installation techniques, and delivery infrastructure that allowed both to be attributed to the same threat group, TA410.

Similarities have also been found between TA410 and TA429 (also known as APT10 and StonePanda), a Chinese APT specialising in cyber-espionage, network reconnaissance, and data exfiltration.

An industrial espionage campaign against organisations in Italy is leveraging the advanced NetWire data-stealing malware. Weaponised Microsoft Office documents were detected targeting Italian manufacturing firms. The NetWire dropper was delivered after a complex infection chain involving embedded macros inside Word and Excel documents attached to phishing emails. 

A new variant of Lazarus malware, known as NukeSPED, has been updated for cross-platform compatibility for both Windows and macOS systems. Notably, both malware samples contact the same C&C server. The targeting of both Windows and macOS enables Lazarus to infiltrate almost any organisation globally. Cyjax analysis of the contacted IP addresses and C&C domains revealed seven more NukeSPED samples from the macOS variant of the malware.

New tools attributed to the Russian state-sponsored APT, Gamaredon, enable the attackers to spread malware to all contacts on a user’s Microsoft Outlook account. Malware spread in this way has included Gamaredon’s custom Pterodo backdoor and Pterodo downloader. The infection chain begins with a malicious document with macros that, if opened, forwards and distributes the malware to each email address on the user’s contact list. Compromising one email account, therefore, enables the threat actor to pivot through an entire organisation. This is a method that has not been publicly documented before: it is the first case of an attack group using an OTM file and Outlook macro in this way. 

A previously undocumented Android spyware, dubbed ActionSpy has been linked to a group called EarthEmpura (also known a @POISONCARP or @EvilEye). The group has targeted users in TibetTurkey, and Taiwan throughout Q1 2020. EarthEmpura’s attacks are focused on the Uyghur ethnic and religious minority and aim to compromise their Android and iOS devices. These campaigns are effective because there is a wide attack surface and many users run unpatched mobile devices. According to Apple’s own statistics, 43 per cent of iPads and 30 per cent of iPhones use iOS 12 or earlier. From Google’s own data, up to 42.1 per cent of Android users worldwide are on version 6.0 of its operating system or below. The latest versions are 13.5.1 for iOS and 10.0 for Android, respectively.

MALWARE

A new Qbot (QakBot) banking Trojan campaign has been targeting customers of 36 different banks in the US. Target institutions include JP Morgan, Citi Bank, US Bank, Bank of America, Capital One, Compass Bank, Wells Fargo, and PNC Bank. Customers of two banks in Canada and the Netherlands were also targeted, as well as seven financial institutions from other countries that were not named by the researchers. This campaign uses browser hijack, or redirection, as the main attack method when the machine is infected. Qbot then monitors the user's web traffic looking for specific financial institutions to harvest credentials from.

A new sample of the Anubis Android banking Trojan is reportedly leveraging Twitter accounts for C&C communication. Interestingly, the samples contact a Japanese user’s Twitter account (@qweqweqwe) that was last active in 2015.

Abuse.ch has shared new samples of the NanoCore RAT being delivered in malspam masquerading as the National Bank of Greece. The subject of the spam emails is ‘Data Transfer’ (Metafora Stoicheion) and the attachment contains a malicious executable file (EXE). If this is run by the user, NanoCore RAT is downloaded.

New research has revealed that the KingMiner cryptomining botnet operation can now gain root control over the underlying Windows server on which MSSQL databases are running.

Researchers have identified and helped remove from the Google Play Store 38 Android apps that were engaging in ad fraud. Collectively, the apps had more than 20 million downloads. Most were disguised as selfie apps or claimed to provide filters for enhancing the user's photos. Once downloaded, they displayed intrusive ads and were extremely difficult to remove.

Phorpiex attacks have recently targeted Chinese organisations. The researchers also found a connection between Phorpiex and Avaddon ransomware. The Phorpiex botnet has reportedly been scanning for vulnerable devices, compromising them, and opening backdoors for further post-exploitation activities.

The SANS Institute and others have shared more information regarding an ongoing ZLoader malspam campaign. The attacks are targeting Poland with job application-themed malicious spam emails pushing the malware.

APK Lab has disclosed two apps containing the Joker Dropper malware that were uploaded to the Google Play Store. The apps were called ‘Speed Message’ and ‘Botmatic Messages’, and currently have over 11,000 installs combined. Once downloaded and installed, the malware contacts the attacker’s C&C server and receives the malicious payload. ThaiCERT subsequently issued a security advisory regarding malicious Android apps appearing on the Google Play Store: the apps contain the Joker Trojan (also known as the Bread Trojan) that secretly charges users who download the fake apps. Joker is now spreading as an app called 'Free Doc Converter' which had over 1,000 installs before being removed from the Play Store.

Japan CERT has released new information regarding the evolution of the LODEINFO malware. It has received various upgrades, demonstrating new TTPs, and is being used against Japanese organisations in an ongoing campaign orchestrated by an APT group. LODEINFO is frequently updated with additional modules and functions. It is sent in phishing emails that use the coronavirus as a subject. Lures include forged Japanese and Russian diplomatic material, as well as fake resumes and job applications.

TroyStealer, a new malware, has been discovered targeting Portuguese users. Phishing emails claiming that there is a problem with a payment being sent to the recipient's bank account are used as a lure to spread this information stealer. TroyStealer has various functionalities but is mainly used for keylogging and to collect credentials from browsers and emails.

DARKNET

Envoy is the second most popular forum on the darknet. Its main goals are harm reduction and darknet market news. It also maintains a “New Markets” section that is a lot more relaxed than Dread’s d/DNM section. The forum itself has been under DDoS attack for well over a month and has experienced extended downtime as a result. The admins are also thought to have caught COVID-19, meaning maintenance was impossible.

The market has now reappeared after more than a month of downtime. It has a new CAPTCHA system to prevent fraud and new anti-DDoS capabilities. The site is not fully operational at this point but appears to be trying to set a new standard for darknet forums.

The darknet market, BitBazaar, has had two different controversies in the last seven days: both involving rumours of exit scamming. On 12 June, a number of posts appeared claiming that BitBazaar admins were in the process of an exit scam. The market had stopped accepting withdrawals, which is often a sign of nefarious behaviour. This was accompanied by rumours of the market having been hacked, however, with some in the community blaming the withdrawal issues on the attack rather than an exit scam. BitBazaar then promptly went offline for several hours before reappearing again, citing technical difficulties.

Subsequently, on 14 June, new posts were made on Dread forums, which claimed that withdrawals and market wallets on BitBazaar had been locked once again. As with most issues affecting darknet marketplaces, there is likely to be no transparency in the communications from the BitBazaar admins, nor is it likely to be clear what has happened until an exit scam is confirmed or the market starts running again.

 

GEOPOLITICAL THREATS AND IMPACTS 

AMERICAS

Protests took place in the USA on 13 June, with protesters blocking traffic on Interstate-75, a major highway in Atlanta, Georgia. Another small group set a Wendy’s fast food restaurant in the city on fire. At least 36 people were arrested. The unrest followed the 12 June killing of Rayshard Brooks, a black man shot by police at the restaurant as he was trying to escape arrest. The officer allegedly responsible for the shooting was dismissed, and another put on administrative leave. The incident, which comes amid heightened social tensions following the killing of George Floyd, also by law enforcement officers, will likely fuel further widespread protests in the coming days.

Speaking to reporters on 11 June, US Secretary of the Treasury Steven Mnuchin said that Washington is considering restricting US capital flows through Hong Kong as part of its response to China’s imposition of its national security laws on the territory. Mnuchin said that the treasury-led Working Group on Capital Markets would establish ‘a variety of recommendations’ to protect US investors from Chinese companies’ failure to comply with US accounting practices and disclosure rules, as per President Donald Trump’s order on 4 June. Mnuchin’s comments come approximately two weeks after Trump announced that the US would end Hong Kong’s preferential trading and travel status due to the new national security laws. Any move to restrict the flow of US capital through the territory would mark a significant blow to its status as a world-leading financial hub, potentially prompting some US companies to reduce their presence in Hong Kong. The US government has also publicly criticised banking giant HSBC for its support for the national security legislation, criticism which other multinationals will likely seek to avoid. More broadly, these developments form part of a growing economic, geopolitical, and military rivalry between the US and China.

On Thursday (11 June), the US government imposed new sanctions and visa restrictions on employees of the International Criminal Court (ICC) investigating whether US forces committed war crimes in the ongoing conflict in Afghanistan. The measures allow the US to block assets of designated ICC employees and prevent them and their families from travelling to the US. The US has not been a member of the Hague-based ICC since its foundation in 2002, and it refuses to recognise its jurisdiction over US citizens. The measure comes three months after the court allowed its prosecutor to investigate possible war crimes in the Afghanistan conflict committed by US forces and the CIA. There is a moderate-to-high likelihood of further US measures against ICC officials during the probe. Compliance managers, particularly of financial institutions, in the US and overseas should monitor Washington’s sanctions announcements and regularly update sanctions lists.

According to company data from Boeing released, the aerospace giant delivered just four aircraft in May, of which none were passenger jets. Orders for 14 737 MAX aircraft were cancelled, while a further 80 orders of 737 MAX jets were removed from Boeing’s official backlog after being deemed insufficient to meet US accounting standards. Boeing, however, did take in net new orders for five cargo aircraft. As of May, Boeing had delivered just 60 aircraft in 2020, significantly below the 160 figure of its main rival, European-based Airbus. The US aerospace company faces the dual challenges of the novel coronavirus (COVID-19) pandemic, which has collapsed demand for passenger flights and led many airlines to ground most of their fleet; and existing operational and financial difficulties posed by the fatal crashes of two 737 MAX aircraft. Despite widespread disruption to commercial passenger aviation, demand for air cargo has remained relatively strong. Companies in the aerospace sector should anticipate a continuation of relatively higher demand for cargo aircraft and services, and assess the impact this may have on commercial and financial performance and strategy.

On 8 June, Argentinian President Alberto Fernández announced that the government plans to expropriate bankrupt soy-crushing company Vicentin, Argentina’s largest exporter of processed soy. Fernández described the measure as a ‘strategic decision for the national economy’ and said that a bill allowing the expropriation would be sent to the legislature for its consideration. The decision to expropriate the company seeks to maintain the integrity of the country’s soy supply chain amid an economic crisis exacerbated by the coronavirus (COVID-19) pandemic. Furthermore, the decision aims to maintain Argentina’s position as a global leader in soy exports and protect a key source of foreign exchange. The expropriation is also ideologically in line with policies of Fernández’ ally and vice-president, Cristina Fernández de Kirchner, who in 2012 oversaw the renationalisation of YPF, the country’s largest energy company. Amid economic turmoil prompted by the country’s debt crisis and the COVID-19 pandemic, further government intervention in the economy is likely, particularly in sectors deemed strategic, such as agriculture and energy. Companies with interests in Argentina’s soybean industry should assess the impact of the measure on existing supply chains and future commercial prospects. 

US-based oil giant, Chevron, has confirmed that a tanker it has chartered and is currently travelling towards Asia is one of four vessels sanctioned by the US government on 2 June for transporting crude from Venezuela. A spokesman for Chevron said that the company is working with US government agencies to ensure compliance with relevant laws and regulations. This case highlights the ease with which companies operating in the oil sector can violate US-imposed sanctions on Venezuela, particularly on chartered vessels, as well as companies linked to sanctioned Venezuelan officials. Companies with interests in the oil and shipping sectors should monitor updates from OFAC and anticipate further sanctions. Sanctions lists should be regularly updated and reviewed to mitigate the risk of violating measures imposed by the US and other entities, including the EU.

APAC

The Organisation for Economic Cooperation and Development (OECD) has warned that Indonesia’s economy could contract by 3.9 per cent this year in the event the country experiences a second wave of COVID-19 infections. President Joko Widodo has warned of a second wave of infections as the number of new cases continues to soar following the loosening of large-scale social restrictions (referred to as PSBB in Indonesia) in several regions. Such a steep contraction, and the deep damage it would inflict across all sectors, would reverse many of the economic gains made by the country over the past two decades. While the increase in the number of cases detected may reflect improved testing, the government’s ‘new normal’ policy predicated on the virus remaining an endemic public health threat that cannot be permitted to cause any further economic harm is certain to lead to a large number of new infections and greatly reduce the country’s attraction for foreign investment and visitors.

The World Bank (WB) has warned that several Southeast Asian countries face steep falls in GDP growth in 2020 due to the coronavirus pandemic. The WB’s Global Economic Prospects report forecast Thailand’s economy would shrink to 5 per cent this year, Malaysia by 3.1 per cent and the Philippines by 1.6 per cent. However, the Bank said it expected growth to return quickly unless a more virulent second wave of the virus emerged in the next six months. To date there have been no overt or serious displays of public anger related to the economic impact of the virus. However, this could change as lockdown regimes are relaxed and the fear of infection is replaced by immediate and future financial concerns. Companies should prepare for an increased likelihood of popular unrest through much of the region in the six-month outlook. 

Lawmakers in Vietnam’s National Assembly ratified a free trade agreement with the EU, known as the EU-Vietnam Free Trade Agreement (EVFTA) on 8 June. The agreement will come into effect in July or August this year. Under the terms agreed, the EU will lift 85 per cent of tariffs currently applied on goods from Vietnam and gradually reduce other duties over a seven-year period. In exchange, Vietnam will cut 49 per cent of duties for EU exports, while a gradual phase out will occur over the next 10 years. Nearly 99 per cent of customs duties between the two are to be eliminated once the phasing out process is completed. The World Bank estimates that EVTFTA will help Vietnam lift hundreds of thousands from poverty and bolster GDP by 2.4 per cent in 2030. Firms with interests in EU-Vietnam trade should factor improved market access and more trade liberalisation into strategic planning.

A senior local politician warned that the rights of UK citizens to work in Hong Kong could be jeopardised if their government continued with its recently declared policy of permitting holders of British National (Overseas) passports limited residency. Britain has proposed allowing people with BN (O) status the right to live and work in the UK for renewable periods of up to a year if Beijing refuses to withdraw national security laws it plans to impose on the territory. The statement that “we have a visa waiver agreement with Britain and by giving 30 days' notice Hong Kong can change the agreement” is accurate, although foreign policy decisions are usually not within the responsibility of the Hong Kong administration. Her intervention, however, is significant as it closely matches a recent warning by a former Hong Kong chief executive that two British-based banks should support the national security laws if they wished to retain their privileges in the territory and China. Both did so. As the British government is unlikely to rescind its offer, companies with UK personnel in the territory should assess how their operations will be impacted if their visa rights are amended or withdrawn.

EUROPE

The UK government has scrapped plans to introduce full border checks on goods from the EU on 1 January, according to a report by the Financial Times. A temporary ‘light-touch regime’ will be introduced instead at entry ports such as Dover, regardless of the outcome of current talks aimed at reaching a trade agreement. UK goods arriving into the EU, however, could still face comprehensive checks after the Brexit transition period ends on 31 December. As the two sides have committed to intensifying trade talks following a lack of progress, the issue of checks at entry points has become especially relevant; talks are scheduled on 15 June between Prime Minister Boris Johnson and European Commission head Ursula von der Leyen. The limited progress made since February and recent comments by EU officials suggests that there are still key points separating the two sides. A no-deal Brexit, however, remains an unlikely scenario due to the severe economic impact this outcome would have on both sides of the Channel. 

On 9 June, Greek foreign minister Nikos Dendias and Italian counterpart Luigi Di Maio signed an agreement delimiting the exclusive economic zone (EEZ) between the two countries. The agreement is an extension of a 1977 accord and is based on the UN Convention on the Law of the Sea (UNCLOS). Greek government spokesman Stelios Petsas said the deal was ‘a development of historical significance.’ The deal will help both countries exploit maritime resources located within their respective EEZs. It will also facilitate Greek efforts to reach a similar accord with Albania. Turkey will perceive the agreement as a threat to its strategy of expanding influence in the region. In turn, this means that acts of aggression aimed at undermining the territorial integrity of both Greece and Cyprus are highly likely.

Hungary and Croatia are set to re-open their border from 12 June amid signs that national coronavirus (COVID-19) outbreaks have come under control. Hungarian foreign minister Peter Szijjarto said that previous border re-openings with Austria, Czech Republic, Slovakia, Serbia, and Slovenia had not led to a surge in new infections. This development comes as countries across the continent are re-opening their borders with neighbours as they seek to restore mobility close to pre-crisis levels. By and large, cross-border restrictions had exempted cargo transport, however, additional checks have frequently led to longer times when passing through frontiers. The re-opening of national boundaries with fellow EU countries indicates that member states are adhering to the European Commission’s call for countries to prioritise lifting restrictions within the bloc before re-opening to third nations. However, there are strong indications that this process will be unevenly applied in the coming weeks; Italy for instance removed a ban on international travel last week but neighbouring countries have failed to reciprocate. As a result, the restoration of economic activity will be slow and disproportionate. Travel managers should factor the latest announcements into planning, adapt pre-travel risk assessments accordingly, and ensure staff fully comply with any relevant conditions at destinations. 

According to a report by The Times, the UK government is examining legislation to increase scrutiny on foreign takeovers amid growing concern that Chinese firms will use the coronavirus (COVID-19) to acquire strategically important UK companies. Under the potential rules, UK firms will be forced to report any attempted takeovers that may pose security risks; failure to do so will carry the risk of criminal sanctions, with directors facing prison sentences, disqualification, or major fines. Proposed takeovers of 25 per cent in companies and the acquisition of ‘significant assets’ will be included. Prime Minister Boris Johnson also wants to include ‘academic partnerships’ between UK academic institutions and Chinese companies under the rules. The development comes in light of growing UK-China tensions over Hong Kong and Beijing’s moves to introduce a national security law in the former British colony. The UK has warned China against this, threatening to change the status of Hong Kong residents who currently hold a British National (Overseas) passport. As we have forecast, the escalation has spilled over into other areas of potential tension, including the role of Chinese technology firm Huawei in developing 5G networks in the UK. For UK firms seeking financing, new rules will likely complicate efforts to attract capital investment from foreign entities. If the legislation is adopted, companies should ensure full compliance to mitigate the risk of fines or potential legal sanctions against executive staff members.

MENA AND CENTRAL ASIA

A group of Republican lawmakers in the US on 11 June unveiled a legislative package that includes the ‘toughest sanctions’ to date on Iran. The plan, put together by the Republican Study Committee (RSC), the largest Republican caucus in Congress, calls for enhancing US President Donald Trump’s ‘maximum pressure’ campaign against Iran through various measures. More than 140 initiatives aimed at Iran and its allies, including Russia and China, are detailed and include recommendations such as enacting UN snapback sanctions on Iran; imposing further sanctions on Iran’s petrochemical, shipping, financial, construction and automotive sectors; and sanctioning the Instrument in Support of Trade Exchanges (INSTEX), a European mechanism that the United States has criticised as a way to evade US sanctions on Iran. The proposed RSC package is likely to have support from many Republican members of Congress, although its passage in current form is unlikely due to Democratic opposition to many of the aggressive recommendations and the desire to avoid increasing overseas tensions ahead of the US November election. However, even if it does not pass the proposal is likely to encourage the Trump administration to further increase pressure on Iran through sanctions. Indeed, the proposed bill comes as the Trump administration seeks to renew the UN arms embargo on Iran that will expire in October.

On 9 June, the Saudi Arabian Cabinet approved a new mining investment law aimed at encouraging more foreign investors. According to industry and mineral resources minister Bandar Alkhorayef, the new law is anticipated to boost the mining sector’s contribution to GDP by over USD64 billion. It is also expected to reduce imports by USD9.8 billion and create more than 200,000 direct and indirect jobs in the sector by 2030. The legislation also finances and supports geological surveys and exploration. The move is the latest aspect of Saudi Crown Prince Mohamed bin Salman’s Vision 2030 project, which aims to diversify the oil-dependent economy, and develop sectors such as health, education, infrastructure, recreation, and tourism. The mining sector currently contributes USD3 billion to GDP, and reaching the goal of USD64 billion will be challenging; the country will require numerous resources including mineral processing technology, equipment, and proven expertise to develop mineral-based manufacturing. Solid partnerships that bring industry expertise will be required.

The US-Iraq Strategic Dialogue took place virtually between 10 and 11 June, with Iraqi and US officials discussing a number of issues relating to their bilateral relations. Meanwhile, a rocket struck near the US embassy compound in Baghdad's International Zone on 10 June, with no injuries or damages reported. No group claimed responsibility for the attack. The talks come amid a period of elevated tensions between the US and Iran caused in part by Iran-backed militia attacks on US troops in Iraq and a US counterattack in January that killed Iranian General Qassem Suleimani in Baghdad. The future of US troops in the country, who have been stationed there since 2014 as part of a coalition battling Islamic State, is likely to be a main topic. The new prime minister, Mustafa al-Kadhimi, has good relations with Washington and is likely to push for an outcome that benefits both sides; it is unlikely a full troop withdrawal will be the end result as this would empower regional extremists as well as undermine the US’ influence in the Gulf as it focuses on its ‘maximum pressure’ campaign against Iran. Security managers should monitor the situation and note there is an elevated risk of attacks against US military and diplomatic interests in the country throughout the talks.

Dozens of protesters rallied in the southern Tunisian province of Tataouine on 9 June demanding jobs and more investment from the state. One demonstration took place at the provincial government headquarters. A second protest was planned for 11 June in the provincial capital Tataouine. Tataouine province is one of the country’s most marginalised regions, facing systemic poverty and lack of development projects. The government has not delivered on promises, made in 2017, for job creation and investment, prompting this new wave of mobilisations. It is unlikely that the protesters will quickly re-enter negotiations so long as the initial deal remains unfulfilled.

Libyan militias allied with the internationally recognised Government of National Accord (GNA) launched an operation on 8 June to retake the central city of Sirte from Field Marshal Khalifa Haftar’s Libyan National Army (LNA). GNA forces have reportedly entered and now control the western gates of Sirte, in addition to the Wadi al-Jarf neighbourhood in the south of Sirte. The GNA is taking advantage of momentum after recent battlefield gains and their rivals' withdrawal from around the capital Tripoli after they took control of the Tripoli International Airport on 3 June and the city of Tarhuna days later. Those victories have boosted the GNA forces, who now control the capital’s airport, all main entrance and exit points to the city and a string of nearby strategic towns.

The LNA has painted their recent defeats as a tactical measure aimed at giving the UN-backed peace progress a better chance. Indeed, Haftar accepted a unilateral ceasefire proposed on 6 June by Egypt, one of the LNA’s backers. The proposal, also accepted by LNA’s backer Russia, envisaged a ceasefire beginning on 8 June. However, the GNA’s interior minister, Fathi Bashagha, said the government would only engage in political talks after taking Sirte and the Jufra airbase, to the south. This suggests the GNA intends to take advantage of its current upper hand to push militarily so that it can enter into negotiations from a position of more leverage. 

Reuters news wire reported on 8 June that the Egyptian cement industry has come under greater pressure due to the COVID-19 pandemic. An unidentified senior company employee said that the pandemic has exacerbated an already poor economic situation, with closures likely to affect four out of five of the country’s roughly two dozen cement plants in the coming months. Demand for cement fell precipitously during April and May as construction activity slowed due to COVID-19-related movement restrictions in addition to general slower activity during the holy month of Ramadan, which took place from 23 April to 23 May. The industry had already been dealing with a supply glut of more than 40 per cent. This created difficulties for foreign firms who own cement factories, and the pandemic has further exacerbated the situation. An unidentified official at the trade and industry ministry suggested the government is carefully considering the possibility of offering support to faltering companies, although more information is not currently known. Companies with interests in Egypt’s cement industry should monitor developments and anticipate some disruption to regular supply-chain function in the coming three to six-week outlook.

Turkish President, Recep Tayyip Erdoğan, cancelled plans for the next round of lockdown measures, including a weekend-long lockdown in 15 cities, which was announced just the day prior. This is due to public backlash and concerns over ‘social and economic consequences.’ The move was made despite an increase in COVID-19 cases, with Erdoğan saying on 5 June that daily new COVID-19 cases rose from around 700 to nearly 1,000. The rapid U-turn suggests uncertainty within the government over balancing the health risks of reopening against the economic cost of aggressive lockdowns. Local newspaper Hürriyet reported on 5 June that authorities may extend a three-month ban on layoffs that was imposed in April to offset shuttered businesses and unemployment amid the pandemic. The government is also reportedly looking at ways to give incentives to companies that maintain employment or hire new people, highlighting the intention to provide support to workers. Security managers should monitor the situation for updates and prepare for the probable re-imposition of lockdown measures in areas that are badly affected by a new wave of cases.

Protests and rioting took place in Lebanon on 6 June, with at least 48 people injured in clashes with security forces during a rally at Martyrs’ Square in the capital Beirut. Security forces also used tear gas and rubber bullets to disperse protesters near Beirut’s Nejmeh Square after the protesters threw rocks and fireworks at police and attempted to force their way towards the parliament building. This was the largest mobilisation since the government in early May began easing restrictions to curb the spread of COVID-19. Protesters are denouncing what they see as the government’s poor performance and worsening macroeconomic conditions, with many calling for the five-month-old government of Prime Minister Hassan Diab to resign and for early parliamentary elections to be held. The unrest also took a sectarian turn, with some protesters issuing calls for the first time for the Shia militant and political group Hezbollah, which backs the government, to disarm. Protests are likely to continue in the coming weeks amid growing frustration. The government is currently negotiating an International Monetary Fund package it hopes will secure billions of US dollars in funding to prop up its collapsing economy; this process is likely to be delayed as major political parties are reluctant to implement reforms to a system that has given them vast access to resources and influence.

UAE flag carrier, Emirates, headquartered in Dubai, on 7 June extended 50 per cent salary cuts until 30 September, according to an internal memo. The wage cut was due to end in June. In April, Emirates reduced basic wages by 25 per cent to 50 per cent to combat its financial problems caused by the COVID-19 pandemic. The country’s second flag carrier, Etihad Airways, headquartered in Abu Dhabi, has also announced extended salary cuts of between 25 per cent to 50 per cent until September. Etihad said last week it had laid off some cabin crew but was not planning any further crew redundancies. Etihad and Emirates have operated limited, mostly outbound services since grounding passenger flights in March. They are due to begin operating transit flights from 10 and 15 June, respectively, after the UAE on 4 June lifted a suspension on services where passengers stop off in the country to change planes. Despite this, the most recent announcement of salary and in some cases job cuts underscores both companies’ dire outlooks. Companies partnering with Emirates and Etihad, as well as with other regional airlines, should engage with stakeholders to ascertain the impact of the situation on staffing, operations, and strategy.

Sub-Saharan Africa

The Coffee and Cocoa Council (CCC), a Cote d’Ivoire state agency, has announced three regulatory changes, including the reduction of fees paid by exporters. This comes after a CCC study, which was launched in February following growing complaints among local operators, concluded that some exporters are being charged twice for the same services, such as storage and security. This has meant that they are paying XOF40.6 (USD0.07) more per kilo. The changing rules are likely to force large operators to alter their operations and value chains to ensure compliance. Companies should take immediate steps to comply by contacting local stakeholders, including from the CCC, to seek more clarity about how the new rules may affect their operations.

Namibian flag carrier, Air Namibia, has discontinued charter flights with immediate effect, according to a report on 9 June by Chinese news outlet Xinhua. This comes as President Hage Geingob on 4 June called for the embattled and indebted airline to be liquidated due to the unprecedented looming macroeconomic crisis facing the country. The suspension of charter flights will limit the availability of repatriation flights, and possibly also cargo services over the coming month. Geingob’s call for liquidation of the airline also signals a likely end to the state-owned company and significant job cuts. Airlines across Southern Africa are scrapping for cash amid a virtually collapsed demand due to travel restrictions worldwide due to the COVID-19 pandemic.

On 7 June, Malawian President, Peter Mutharika, appointed Justice Chifundo Kachale as the new chairperson of the Malawi Electoral Commission (MEC), along with six new commissioners with immediate effect. This comes after embattled Jane Ansah resigned from the post on 22 May. Relatedly, local news sources expect the government to present three bills to parliament on Wednesday (10 June) to set the date for the re-run of the 21 May 2019 general elections, which the Constitutional Court on 3 February ruled null and void due to extensive irregularities. The date for the polls remains highly uncertain, in large part due to severe funding gaps, which have been made worse by the European Union reportedly cutting MWK6 billion (USD8.1 million) in funding and announcing it would not send any observers due to the COVID-19 pandemic. This suggests that the ability to hold free and credible elections over the coming month will be severely strained and will likely fuel anger against the government and increase the protest risk. Personnel in-country should monitor announcements by the MEC, the government, and opposition parties over the coming week, and avoid the planned HRDC protests.

On 5 June, a South Sudanese local businessman and philanthropist Kerbino Agok Wol announced the formation of a new rebel group called the October 7th Movement and vowed to launch a ‘citizen’s revolution’ against the South Sudanese government of President Salva Kiir and the ‘ruling elite’, which he deems corrupt. In the organisation’s manifesto, published on 12 April, calls are made for ‘armed self-defense of our communities and villages’, while advocating South Sudanese nationalism, as opposed to tribalism. Wol claimed in an interview with US state-owned news organisation Voice of America on 6 June that the group had about 1,000 members, predominantly dispossessed young men in rural areas, from where it was preparing to launch the insurgency from the countryside. Although the capabilities of the group remain unclear, the statement is likely to endanger state stability in the war-torn country.

Organisations with personnel and assets in South Sudan should monitor security incidents and announcements by the government and the 7th October Movement over the coming three to six months which will give a better indication of the threat to stability. Meanwhile, arms exporters should increase their due diligence efforts to mitigate the risk of their equipment being resold to third parties.