Geopolitical and Cybersecurity Risk Weekly Brief 19 May 2020

19 May 2020

COVID-19 Cybersecurity Update

The Financial Times reports that Chinese threat actors are targeting coronavirus research in the United States. This comes at a time of escalating tensions between Washington and Beijing over the pandemic. The FBI and CISA are investigating the “targeting and compromise” of US research groups by China and its affiliates and warned the illicit campaign could compromise the development of treatments for COVID-19. China has rejected the accusations.

Two UK companies involved in building emergency coronavirus hospitals were recently struck by cyberattacks. The two firms, Interserve and Bam Construct, have both reported incidents to the UK authorities. There is currently no evidence that the two attacks were linked. Bam Construct stated that the "significant" cyberattack against it "forms part of the wave of attacks on public and private organisations supporting the national effort on Covid-19". Its operations were not hindered by the incident. Interserve, however, stated that "some operational services may [have been] affected".

The new coronavirus contact-tracing app, which is due to be rolled out countrywide by the UK's NHS soon, has been put at risk after sensitive documents were leaked via a public Google Drive link. The misconfiguration of this database may cause users to lose confidence in both the privacy of this application - which is critical in the UK's fight against coronavirus - and the trustworthiness of the UK government.

Reuters reports that an Iranian APT has targeted US drugmaker, Gilead Sciences, as the firm works to develop a treatment for the coronavirus. The attackers deployed credential harvesting landing pages designed to collect the password from a top Gilead executive involved in legal and corporate affairs. “The Iranian government does not engage in cyber warfare,” said spokesman Alireza Miryousefi.

The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have issued an alert concerning APTs actively targeting health sector organisations and medical research facilities. Email servers belonging to health sector entities in Australia were compromised by adversaries via brute-forcing; these were then used to distribute COVID-19 phishing emails in an attempt to deploy malicious software, including ransomware, or to gain access to other targeted organisations.

Fake websites, associated with COVID-19 financial assistance, are being used to steal credentials. These have mimicked various brands, such as the World Health Organization (WHO), Internal Revenue Service (IRS), Centers for Disease Control (CDC), the UK government, the government of Canada, and the government of France.

Bitdefender has uncovered several phishing and website scams peddling fake COVID-19 cryptocurrencies and crypto-wallets that are used to steal data for phishing. Microsoft has discovered a new coronavirus-themed phishing campaign delivering the Lokibot malware. The lures are now claiming to be about business continuity plans for May 2020.

A Nigerian crime ring is exploiting the coronavirus pandemic by committing large-scale fraud against state unemployment insurance programmes in the US. The attackers have been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims.

 

Attacks and cybersecurity news

A cyberattack that hit ELEXON, a company that manages electricity supply and demand in the UK, impacted its internal IT network and employee laptops. The incident was announced on the company website on 14 May. The National Grid confirmed the issue but stated it had had no effect on the UK's electricity supply. The wording of the alert, coupled with the presence of CVE-2019-11510 as recently as March 2020, makes a ransomware attack a strong possibility.

Threat actor NamaTikure is claiming to have attacked and stolen data from the Spanish National Police in support of #OpCatalonia. The attacker has not yet leaked the data but has stated that the leak will be posted "soon". NamaTikure has been active since at least 2017 and appears to be a member of the Anonymous collective.

A successful business email compromise attack resulted in the theft of USD 10 million from Norfund, Norway’s state investment fund. The threat actors carefully monitored Norfund’s email system for several months before launching their attack.

Various ransomware attacks on major targets were announced this week. Fortune 500 healthcare company Magellan Health announced an incursion that led to the theft of employees’ personal data from one of its servers. The firm's customers include health plans and other managed care organisations, military and governmental agencies, and third-party administrators. The Texas court system was hit by a ransomware attack which caused the branch network, including websites and servers, to be disabled. Officials stated they would not be paying the ransom demand. And ATM manufacturer, Diebold Nixdorf, had services impacted for more than 100 customers after being hit by ProLock ransomware. The incident did not affect the actual ATM machines, customer networks, or the public.

Multiple supercomputers across Europe have had to shut down due to intrusions this week. The incidents occurred in the UK, Germany and Switzerland, with a similar incursion rumoured to have happened in Spain. The attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials to deploy a Monero cryptocurrency miner. The fact that the attacks happened in the same time period and used similar TTPs suggests they may be the work of the same group.

The New South Wales (NSW) government has confirmed that it was the target of a phishing attack. The attack was successful and resulted in the compromise of customer information held in employee emails. NSW is confident that the threat actors' access was limited to the content of the compromised email accounts.

Zscaler has uncovered a new malware campaign targeting the Indian government and financial sector. The Reserve Bank of India (RBI), IDBI Bank, and the Department of Refinance (DOR) within the National Bank for Agriculture and Rural Development (NABARD) in India were all targeted by email attachments containing malicious JavaScript and Java-based backdoors.

Iranian officials have announced that threat actors damaged a small number of computers in a failed cyberattack on the port of Bandar Abbas. Based in the Strait of Hormuz, Bandar Abbas is Iran's largest port.

The attempted cyberattacks on Israeli water facilities last month have now been attributed to Iran. Officials and analysts in Israel and abroad fear it could spike tensions between the two nations and may lead to an escalation in cyber-warfare. Iranian officials denied the allegations. Iran and Israel have been engaged in cyber-warfare for the last decade. To date, however, Iran has not successfully carried out a cyberattack against industrial equipment in any country.

Following the attack on its systems on 4 May, Toll has revealed the extent of the data loss it suffered. The threat actors infiltrated at least one corporate server containing information relating to past and present Toll employees, as well as details of commercial agreements with current and former enterprise customers. The group behind the Nefilim ransomware (responsible for the attack) is well known for publishing victim data if the ransom is not paid.

A new report appears to have confirmed that Russian state-sponsored threat actors were behind the intrusion campaign which targeted Germany’s parliament, the Bundestag, in 2015. This campaign resulted in around 16GB of data being exfiltrated from the Bundestag's network, including emails from Angela Merkel's own parliamentary account. Germany’s Federal Prosecutor has now officially issued an arrest warrant for Dmitry Badin, a Russian citizen who is the main suspect in the German parliamentary hack.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

The operators of the Maze ransomware have claimed responsibility for attacking and stealing data from Westech International - a provider of a wide range of IT services to the US government. Maze was also used in attacks against global tech company Pitney Bowes, and US companies South Western Wire, KollerCraft, Moseley Construction Group, and aVINC.

Maze was also used in an attack on HLB Belgium, a global network of independent advisory and accounting firms. Data was leaked relatively quickly, indicating that HLB Belgium decided early on not to pay the ransom demand.

The operators of the Clop ransomware have claimed responsibility for attacking and leaking data from Recreativos Franco, a Spanish gambling company, and TWL, a German municipal utility company.

A threat actor has begun selling multiple databases on a hacking forum, allegedly totalling around 550 million user records. The sale began on 7 May, with buyers allowed to purchase individual databases. It should be noted that most of these leaked databases are not new and have been leaked previously.

Fraud

A new phishing campaign impersonates a notification from Zoom to steal Microsoft credentials. The email and landing page in this campaign mimic meeting notifications and state that the user has missed a scheduled meeting. The link in the email leads to a fake Microsoft login page with the name of the user’s organisation and Zoom above the sign-in location.

Security researcher Max Kersten has compiled a list of 1,236 domains which have been injected with a Magecart web skimmer. Although these domains are two to three weeks old, the researcher believes that the number of infected websites should be approximately the same. Most of the affected shops were based in the USA, India, the UK, Germany, Australia, Brazil, France, Italy, the Netherlands, Canada, and Spain. The retail sector and food and hospitality were worst affected.

A previously unknown threat actor, dubbed Vendetta, is targeting users around the globe in sophisticated social engineering malware-distribution campaigns. The group sends phishing emails impersonating the police or a coronavirus detection notice. This group is believed to be based in Europe and delivers various backdoors: the final payload in its campaigns is often the NanoCore or Remcos RAT.

Abuse.ch has shared malware samples from a malicious spam campaign against the US Department of Treasury and the Supreme Court of the United States. The first spam email’s subject includes a ‘contract payment’ from the US Department of Treasury. The other mentions setting up a VPN for remote work.

Vulnerabilities

A new attack technique, dubbed ThunderSpy, could allow a threat actor to bypass the login screen of a sleeping or locked Windows or Linux device manufactured before 2019. ThunderSpy targets Thunderbolt-enabled devices and permits unauthorised physical access. If successfully exploited, an attacker can access files and information stored on the device, even if hard disk encryption is employed.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Two remote code execution vulnerabilities in Adobe Acrobat Reader
  • SAP May 2020 Patch Tuesday security updates – 22 vulnerabilities; six rated critical
  • Adobe May 2020 Patch Tuesday security updates for Adobe Acrobat, Reader, and Adobe DNG Software Development Kit – 36 vulnerabilities; sixteen classified as critical
  • Microsoft May 2020 Patch Tuesday security updates – 111 patches in total; 13 classified as critical
  • Two high severity vulnerabilities in the Page Builder WordPress plugin
  • vBulletin announced a patch but no details for a security vulnerability in its platform (CVE-2020-12720)
  • Two vulnerabilities impacting Oracle's iPlanet Web Server
  • US CISA issued a security advisory for multiple vulnerabilities in Advantech ICS products
  • AusCERT reported two vulnerabilities in VMware products
  • AusCERT also issued a security advisory for multiple vulnerabilities in McAfee antivirus software
  • Two vulnerabilities in Schneider Electric SoMachine and M221 PLC
  • Samsung has patched a critical vulnerability that impacts all Samsung smartphones sold since 2014
  • Critical vulnerability in Google's official WordPress plugin, Site Kit
  • Palo Alto patched over 20 vulnerabilities in its PAN-OS next-generation firewall software
  • vpnMentor revealed several vulnerabilities in cybersecurity devices developed by Cyberoam Technologies

APT Activity and Malware Campaigns

APT activity

A previously unreported cyber-espionage toolkit, dubbed Ramsay, is tailored for the collection and exfiltration of sensitive documents and capable of operating within air-gapped networks. Parts of the malware were linked to the Retro backdoor, a malware that is commonly associated with a cyber-espionage APT, DarkHotel; the group has targeted the Chinese government, international health organisations, and South Korea and Japan.

Some new IOCs are believed to be linked to a campaign by Iranian cyber-espionage group APT33. The IOCs have a "kill switch date" of 1 June 2020, indicating that the campaign is likely to continue until that date. The targets of the campaign are unclear.

An information-gathering intelligence operation coordinated by cyber-espionage APT TropicTrooper has been traced back to 2018. Targets include Taiwanese and Filipino military and navy agencies, government institutions, military hospitals, and a national bank. TropicTrooper initially focused its activities on India, Hong Kong, Tibet, Taiwan and the Philippines, but has also targeted western organisations for the purpose of corporate espionage. The group has targeted government, NGOs, healthcare, transportation, and technology sectors.

Researchers have identified a new unnamed RAT which is potentially linked to Turla, widely suspected of being a Russian state-sponsored threat group. European diplomatic entities have long been targeted by the group, presumably for their intelligence value to the Russian government. This latest campaign’s emphasis on stealth and self-propagation suggests building a persistent presence in the target network is the objective.

An APT group has been planting backdoors and spying on high profile networks in Central Asia. Targets have included a telecommunications company, a gas company, and a government institution. The backdoor used in this campaign has been dubbed Mikroceen; it has given the threat actors the ability to manipulate and delete files, take screenshots, manipulate processes, and execute commands. Similarities between the code from this campaign and the malware used in the attacks on the Mongolian public sector have led the researchers to believe this campaign may be attributed to ViciousPanda.

Malware

FireEye has examined all the attacks associated with the Maze Ransomware-as-a-service (RaaS) platform since the malware's first appearance in May 2019. The researchers identified multiple Russian-speaking actors who claimed to use Maze. Three separate groups, designated Group 1, Group 2, and Group 3, are involved in the distribution of the ransomware. Interestingly, Maze Group 3 has been connected to FIN6, a well-established and highly skilled Russian APT.

The SANS Institute has shared new malware samples that are part of the long-running Dridex banking Trojan campaign. Instead of using Excel spreadsheets with malicious macros, the attackers use malicious URLs to ZIP archives containing Dridex, usually hosted on compromised sites. When a Windows host infected with the current variant of Dridex is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.

A security researcher has reported considerable code overlap between the ZLoader and Dridex banking Trojans. The two malware families use a similar function naming convention that is hardcoded into them. This is the first time the two have been linked, but there is a possibility that the same Russian malware developers worked on both of the Trojans.

A series of MyKings malware attacks have hit China. Compromised devices are used in the MyKings DDoS-for-hire botnet and extensive cryptocurrency mining operation. This version of MyKings has been dubbed DarkCloud III and removes competing mining malware prior to establishing persistence.

The Lampion banking Trojan has returned and is now targeting users in Portugal. It is being distributed in phishing emails that resemble those from previous campaigns. The template emails are from the Portuguese Ministry of Finance and Energias de Portugal, one of the country's largest electric utilities.

Researchers report that the Astaroth Trojan continues to target Brazil with upgraded TTPs, a variety of lures, and new innovations. The Astaroth developers have now implemented further anti-analysis and evasion techniques - among the most thorough that the researchers have seen in recent times. The malware is geo-fenced to Brazil. Many of Astaroth’s phishing lures leverage COVID-19.

An in-depth report on the recently discovered Mandrake spying platform has revealed that the malware is unusual because it tries not to infect too many victims. It instead chooses a handful of devices on which to carry out further exploitation. Most Mandrake victims are in Australia. The total number of victims is believed to be in the hundreds of thousands.

Darknet

The darknet market, Avior, has officially exit scammed. The original market admin claims to have sold the market to one of their associates several months ago and blamed that associate for the market's exit. The original admin has yet to provide any evidence to support this claim, however, and it was met with derision from the darknet community. Overall, Avior was not a particularly large market, so its exit is unlikely to have a significant impact. Nonetheless, this underscores how small the current pool of reputable markets is.

A database containing potentially sensitive data from the now defunct forum WeLeakData is being sold on the darknet. WeLeakData was similar to Raid Forums, with both specialising in the trading of leaked data. Earlier this year, WeLeakData was taken offline – allegedly by the FBI. Recently, however, a database seemingly containing users' email addresses, usernames, passwords, private messages and IP addresses has appeared. It is unclear how this database was obtained, or if there is any connection to the forum being taken offline. That cybercriminals who were involved in the trading of stolen data are now victims of the same activity illustrates how ruthless operating on the darknet can be.

We have recently identified a site specialising in creating fake documents called JAYDOCS. Moreover, it appears Nerds, the threat actor behind plugged[.]to, is also responsible for this site. JAYDOCS sells a wide variety of fake documents. This includes digital copies of UK passports, both physical and digital payslips, and bank statements from a variety of UK banks, such as NatWest and Barclays. The site itself is linked directly to Nerds' primary site, plugged[.]to, demonstrating, once again, how central plugged[.]to and its creator, Nerds, are within the UK fraud community.

 

COVID-19 Geopolitical Threats and Impacts

Americas

On 12 May, Twitter announced that it will allow some employees to work from home permanently, following major changes to global working patterns driven by the coronavirus (COVID-19) pandemic and the need for social distancing. Twitter said that it will not re-open most offices before September, and employees can choose whether to work from the office or remotely. Twitter’s announcement comes amid rapidly evolving attitudes and practices related to remote working, particularly in office-based industries. Twitter’s decision is likely to lead to other companies, particularly in technology-based industries, expanding remote-working options in the short-to-medium term. This will have significant knock-on effects throughout the economy, including a reduced use of public and private transport, lower demand for office services, and a negative impact on the hospitality sector near office buildings.

Two semiconductor producers – US-based Intel and Taiwan-headquartered TSMC – last week confirmed that they are in discussions with the US government over building US-based ‘foundries’, or chip factories. Intel said it has been in discussions with the US Department of Defense (DoD) over improving domestic sources for microelectronics, while TSMC has been in talks with the US Department of Commerce over potentially building a US factory. The talks highlight the US government’s desire to improve its domestic manufacturing capacity in technology-based industries. This trend is likely to accelerate in the medium-to-long term as governments and companies aim to build supply chain security.

The Mexican government’s leading health advisory body, CSG, this week announced that it has re-classified the construction, mining, and automotive sectors as ‘essential activities’. As such, they may continue to operate during the coronavirus pandemic. No timeline, however, was given for the resumption of activities in those industries. The government has come under pressure to order the resumption of operations in the automotive sector amid the shutdown’s disruption to the industry’s heavily integrated North American supply chains. This has prompted disruption to auto sector operations across the US, where Detroit-based carmakers are aiming to resume operations on 18 May. Companies with interests in Mexico’s construction, mining, and automotive industries and supply chains should monitor López Obrador’s announcement and assess its impact on operations.

Colombian flag carrier Avianca has filed for Chapter 11 bankruptcy protection in a court in New York, amid financial difficulties exacerbated by the coronavirus pandemic and associated collapse in global passenger aviation. Avianca is the largest airline in Colombia and El Salvador, in addition to being the second largest carrier in Latin America. Companies who partner with Avianca should monitor updates on the Chapter 11 bankruptcy proceedings and adjust planning accordingly.

APAC

New Zealand’s Foreign Minister Winston Peters reiterated the country’s position on backing Taiwan’s presence at a World Health Organization (WHO) meeting this week, despite repeated warnings by Beijing that it could damage bilateral ties. New Zealand joined the US, UK, Australia, Canada, Germany, France and Japan to support Taiwan’s participation at a meeting of the World Health Assembly (WHA), the WHO’s decision-making body, to consider issues relating to the coronavirus (COVID-19) pandemic. In line with its consistent claim that Taiwan is an integral region of China, Beijing has condemned such moves as interference in its domestic affairs.

The top four exports to China in 2019 were meat, dairy and wood products and travel services. Despite Foreign Minister Peters’ effort to separate diplomatic from economic ties, all these sectors are now vulnerable to retaliatory measures by Beijing, not least because New Zealand’s high dependence on exports to China makes it a politically expedient target to signal disapproval of the growing efforts by many mainly western countries to erode past acceptance of the ‘one China’ policy.

China’s trade relations issues also continue with the USA. A Chinese newspaper with close links to the ruling communist party reported on 11 May that unidentified advisers were urging the Beijing government not to agree to the so-called ‘Phase 1’ trade deal with the US as it was too heavily weighted toward Washington’s interests. US President Donald Trump told a media briefing after the Global Times story appeared that he had no intention of reopening negotiations with Beijing over the terms of the trade pact signed in January 2020.

All stories that appear in China’s state-run media should be assumed to reflect the views of senior party leaders rather than a consensus. However, in this instance it is highly probable that most senior politicians agree relations with the US are now so poor that it is futile to debate the modalities of the Phase 1 trade pact and that they should instead be prepared to see it rescinded. Unnamed Chinese officials also appear to believe November’s US presidential elections and the country’s struggling economy may weaken Trump’s negotiating position. This is likely a miscalculation and the potential for a collapse of the Phase 1 deal now looks increasingly probable.

Efforts by the Australian government to delink its call for an inquiry into the source and causes of the coronavirus (COVID-19) pandemic from its key trading relationship with China appear to have stalled. Australia’s Trade Minister Simon Birmingham said on Wednesday (13 May) that he had not received any response from the Beijing government over why four large Australian beef exporters were suspended in recent days, soon after China imposed an 80 per cent tariff on the country’s barley shipments. The Beijing government and state-owned media have explicitly and repeatedly linked future trade relations between the two countries with Australia’s initiative to demand an international inquiry into the COVID-19 pandemic, a move Beijing views as ‘anti-Chinese.’ Any prolonged reduction of shipments to China would have a severe impact on Australia’s economy. However, conceding to China’s demands not to pursue an investigation into the COVID-19 pandemic, or any other issues that offend Beijing and the ruling communist party, would cause major domestic political turmoil for the Australian government.

Europe

On 11 May, the UK government published new guidance for companies to restart operations and ensure workplace safety during the COVID-19 pandemic. The guidelines contain 5 key points and the government ‘expects’ all businesses with over 50 employees to publish the results of their risk assessment on their website. The new guidelines will inform companies’ future courses of action to protect staff as well as ensure some level of operational resilience. Companies should adapt the new guidelines into business continuity plans and inform employees of any procedural changes.

During a televised address on 10 May, Prime Minister Boris Johnson unveiled plans to loosen coronavirus lockdown restrictions. Schools for some primary students could also re-open by 1 June at the earliest. In the next phase of the process, hospitality businesses may also re-open ‘if the numbers support it’ after 1 July. The government also outlined plans to introduce new rules requiring air passengers arriving at UK airports to self-isolate for 14 days. Those arriving from France and Ireland are exempt. It remains unclear when the new measure will come into effect.

While the message is designed to show that the government is pursuing a cautious approach in easing measures, it has come under intense criticism for lacking clarity and being inconsistent. Adding to the uncertainty, devolved administrations in Wales, Scotland, and Northern Ireland have indicated that they would stick to their ‘stay at home’ public messaging, opposing the UK government’s shift to the more moderate ‘stay alert’ message. Differing conditions across the UK will create challenging circumstances for companies to navigate.

The UK government is considering plans to cut tariffs on agricultural imports from the US in a bid to move closer towards reaching a comprehensive bilateral trade deal. However, some cabinet ministers and members of the ruling Conservative Party are opposed to any such concessions due to their impact on the UK farming sector. UK-US trade talks began last week. Access to US agriculture imports is seen as a key concession, which will increase the likelihood of a bilateral trade deal. This will also make any potential deal more palatable to the US Congress, particularly representatives from states with a thriving agriculture sector. However, UK-based agricultural producers are likely to pressure London against offering such concessions; less expensive products from the US threaten the interests of UK farmers, who may also face less access to the pivotal EU market post-Brexit.

A potential trade deal with the US would be a major political victory for Prime Minister Boris Johnson, currently faced with mounting criticism over his government’s handling of the coronavirus (COVID-19) crisis. UK negotiators will seek to ambitiously reach an agreement by November, when a presidential election in the US could lead to a change in administration, which might be less supportive of a deal. Johnson’s close personal relationship with US President Donald Trump will also be a key factor in the ongoing trade negotiations. Companies should assess how a potential tariff cut on US agriculture imports will impact operations and monitor the latest updates regarding US-UK future trade ties.

Under a bill voted into law on 13 May in the French Assemblée Nationale, social media companies and other firms hosting online content will be required to remove any paedophile and terrorism-related content within an hour of receiving such instructions from the authorities. The penalty for non-compliance will be a fine of up to 4 per cent of the company’s global revenue. The new legislation also forces companies, including Facebook, Twitter, YouTube, and Instagram, to remove other ‘manifestly illicit’ material within 24 hours of being notified. A new government unit to monitor hate speech online will also be established.

The law forms part of broader measures aimed at tackling online hate as well as radicalisation efforts by extreme groups. Significantly, it creates additional requirements for technology firms, which will need to ensure they have capacity to process and act on complaints within a very tight timeframe. Governments across the EU are likely to seek to introduce similar legislation and companies should plan for such an outcome in countries where they operate.

MENA and Central Asia

An Israeli soldier was killed on 12 May during a security operation in the village of Ya'bad, just west of Jenin in the West Bank. The 21-year-old soldier, identified as Staff Sgt. Amit Ben Ygal, was part of a team carrying out a series of four overnight arrests in the village when he was hit in the head by a large stone. Subsequently, there were clashes between Palestinians and Israeli security forces, and a Palestinian attempt to stab a soldier with a screwdriver at a checkpoint. Ben Ygal’s death marks the first combat fatality this year for the Israel Defense Forces (IDF). It comes amid elevated tensions with Palestinians over Israel’s proposed annexation of parts of the West Bank.

Israeli Prime Minister Benjamin Netanyahu has secured a new term in office with the unity deal with rival Benny Gantz, and his new coalition agreement allows him to present an annexation proposal to the government as early as 1 July. Secretary of State Mike Pompeo will visit Israel on 13 May to discuss the annexation plan, among other things, and there is a realistic probability his visit and the days following will see an increase in protest activity and/or low-level, lone wolf attacks.

Local media reports suggest that at least two anti-government protesters were killed in the southern Iraqi city of Basra during unrest on 10 May. The protesters were reportedly killed when pro-Iran militias used live ammunition to disperse a rally outside the Basra governorate building. The reports have not been independently confirmed. Anti-government demonstrations also took place in other cities across the country, including the capital Baghdad, Kut in the east, and Diwaniya and Nasiriyah in the south. In Baghdad, security forces reportedly used tear gas and water cannon to disperse gatherings including at the Al-Jumhuriya Bridge.

The resumption of unrest ends months of relative calm due to coronavirus restrictions and comes days after parliament approved Prime Minister Mustafa Kadhimi’s government. It highlights the fact that the protest movement, which began last October with rallies in Baghdad and Shia-majority southern cities to demand an end to corruption and unemployment and an overhaul of the ruling class, remains unsatisfied.

Saudi Arabia will increase its value-added tax (VAT) from 5 to 15 per cent in July, according to the finance ministry on Monday (11 May). From 1 June, the kingdom will also suspend its cost of living allowance of SAR1,000 (USD267) per month, which has been in place since 2018 for state and military employees. Riyadh also said it would cut about SAR100 billion (USD26.6 billion) in expenses, which will affect some operational and capital expenditure for government agencies as well as major projects for Vision 2030, the development plan championed by Crown Prince Mohammed bin Salman (MbS) to diversify the economy and reduce dependence on oil.

The Saudi government relies on a social contract involving generous subsidies in exchange for political support. As the situation persists with the poorer population likely to suffer the worst, there is a realistic probability that social unrest could develop in the coming three- to six-month period. Hotspots for unrest are likely to be Shia communities in the Eastern Provinces, which have long complained of marginalisation and suppression.

Sub-Saharan Africa

On 8 May, the labour court in Johannesburg ordered that the planned mass retrenchment of staff at flag carrier South African Airways must end with immediate effect, deeming the process unfair and ruling that the approximately 1,000 workers were entitled to an alternative arrangement. The ruling came three days after regional airline Comair announced it had entered voluntary business rescue proceedings and ended trading on the Johannesburg Stock Exchange, making it the third major domestic airline to do so since December 2019. The other two are flag carrier South African Airways and SA Express, both of which are owned by the state.

This marks a partial victory for the National Mineworkers Union South Africa and South African Cabin Crew Association, who represent the workers affected by the retrenchment plans, while SAA’s future remains highly uncertain. However, the government’s refusal to re-inject cash into the ailing company and the severe crisis the domestic aviation and tourism sectors are likely to experience over the coming 12 months suggest significant cuts to operations are likely during this timeframe. The struggles of the sector are also underscored by the decision made by Comair, which operates British Airways flights in-country, to enter into business administration, although the move could be thrown out by the labour court should it rule in favour of the Union Association of Southern African which is challenging the decision at the court.

In a statement on 12 May, the IMF raised Kenya’s risk of debt distress from Moderate to High due to the macroeconomic downturn caused by the COVID-19 pandemic and related restrictions on transport and economic activity. While the fund deems that the government’s debt burden remains sustainable, it flags deteriorating external debt-to-exports and external debt service-to-exports ratios, underscoring Kenya’s severely impacted trade. The latest statement also follows credit-rating agency Moody’s Investors Service on 8 May downgrading Kenya’s credit-rating outlook from Stable to Negative, also citing the impact of COVID-19. However, Moody’s maintained the country’s credit rating at B2.

Kenya’s debt-to-GDP surpassed 60 per cent by the end of 2020. That is above the IMF’s recommendations for developing countries of no more than 50 per cent of GDP. The revised credit outlooks highlight this trend, which is making the economy vulnerable to future financial shocks akin to the current pandemic. Moody’s outlook downgrade signals a likely investment-grade revision in the coming months, potentially exacerbating access to finance over the coming year.