Geopolitical and Cybersecurity Risk Weekly Brief 20 July 2020

20 July 2020

COVID-19 Cybersecurity Update

The US National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) have disclosed new information regarding Russian threat group APT29 targeting research organisations worldwide. The group is believed to operate on behalf of the Russian intelligence services. The campaign against organisations participating in coronavirus (COVID-19) vaccine development also targeted government agencies, diplomatic entities, think tanks, and the healthcare and energy sectors. As noted by the NCSC, this APT29 campaign is ongoing and likely to continue for some time. While it is unusual for the security agencies of the UK and US to be so firm in their attribution, the NCSC states that it has 95 per cent certainty in connecting Russia to this attack.

Google has warned the Australian Senate select committee on foreign interference through social media of a spike in COVID-related cyberattacks. Google detected 18 million COVID-19-related malware and phishing messages daily, alongside over 240 million virus-related spam messages. More than a dozen government-backed APT actors were identified using COVID-19 themes for phishing and malware attempts. Google also added that it is not seeing an overall rise in phishing attacks by government-backed groups, but it is “observing a change in tactics” during the pandemic.

A new phishing campaign is targeting HMRC credentials and sensitive personal information from those expecting COVID-19 relief grants. The email address incorporates "HMRC" to add legitimacy to the campaign. The message offers between GBP2,500 and GBP7,500 in grants and includes a link to a cloned HMRC sign-in page. The user is asked to enter their credentials and other sensitive data which is not usually needed to sign into the legitimate service. This phish could be modified to target various countries and governments, as many countries are currently offering similar grants.

The MassLogger infostealer and Nautilus Android banking Trojan are being distributed in two separate campaigns. MassLogger has been sent in emails with the subject “COVID-19 POST LOCKDOWN ACTION”, whereas Nautilus is being pushed in fake virus tracking apps called ‘V-LERT COVID-19’. Cyjax analysts also uncovered three fake Android apps called ‘corona virus checker’ on Koodous that aim to access the device's mobile calling capabilities.

 

Attacks and cybersecurity news

On 15 July, multiple high-profile Twitter accounts were hijacked to spread a cryptocurrency scam. Victims included cryptocurrency exchanges (such as Bitcoin, Coindesk, and Bitfinex), high-profile members of the cryptocurrency community, as well as Barack Obama, Elon Musk, Kim Kardashian and numerous others. Twitter appeared to have contained the issue by 16 July. The incident appears to have resulted from a coordinated social engineering attack targeting some Twitter employees with access to internal systems and tools. Once Twitter became aware of the issue, affected accounts were locked and unauthorised tweets removed. TechCrunch has reported that a threat actor called ‘Kirk’ was responsible for the attack. Kirk reportedly gained access to an internal Twitter tool that was used to reset the email addresses and passwords of high-profile accounts, before pushing the scam. Over USD100,000 was generated within a few hours. A statement from Twitter on 18 July indicated that the threat actors behind the attack are believed to have targeted 130 accounts; only a small number were compromised and used to send the scam tweets.

Kaspersky has analysed an ongoing Brazilian banking Trojan operation it has dubbed Operation Tetrade. The campaign comprises four banking Trojans that are being distributed to victims across South America and Europe. The Tetrade operation's controllers are benefiting from the fact that their targets operate both in Brazil and abroad, enabling a seamless shift to other geographies. Operation Tetrade also indicates that Brazilian cybercriminals are creating an ecosystem of affiliates from other countries by leveraging Malware-as-a-Service tactics. This professionalised approach is similar to the way in which banking Trojans such as Zeus evolved.

Belgian savings bank, Argenta, has fallen victim to two jackpotting attacks. As a result, the bank shut down 143 cash machines. One attack impacted the city of Roselare on 10 July; the other hit Ingelmunster on 11 July. The threat actors targeted the oldest machines in the bank's network, ATMs manufactured by Diebold that were scheduled to be replaced. Jackpotting attacks have been around for many years, but this is believed to be the first to hit Belgium. In June, Microsoft found vulnerabilities in the Windows drivers used in ATMs and PoS devices. Attackers could exploit these systems to gain additional privileges, access information, and steal money or customer data. These vulnerabilities were present in Diebold Nixdorf ATMs, underscoring the risks of unpatched ATM software.

Cloudflare DNS suffered an outage on 17 July that caused a short period of disruption to several services, including Discord, Riot, Gitlab, Patreon and Digital Ocean. Cloudflare promptly addressed the issue and stated that the downtime was a result of a bad router located in Atlanta. The affected data centres were situated in multiple cities in the US, Europe, and South America. While there has been some speculation that a DoS attack caused the outage, Cloudflare issued an email statement emphasising that the downtime “was not caused by an attack or breach of any kind”.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

Citrix has released a statement addressing allegations that the company's network was breached. It was reported that a threat actor was selling a database containing information on 2,000,000 Citrix customers on the darknet. Following an investigation, Citrix found no evidence that its network had been compromised. However, a threat actor had infiltrated the network of a third-party vendor. This third-party has since secured the Citrix data. Notably, the cybercriminal behind the alleged breach claims that the data was taken from Citrix's "main domain".

Bailey & Galyen, a Texan consumer law firm, is the latest victim of the Ragnar Locker ransomware. The leaked data appears to comprise significant amounts of sensitive information, including internal email correspondence and files relating to specific cases. Bailey & Galyen is one of many law firms targeted by ransomware recently. Others include Brian Philips P.A; Slater, Sgarlato & Cappello; Cowan, Liebowitz & Latman; and CBKLAW.

A threat actor called NightLion claims to have breached the backend servers of US cybersecurity firm Night Lion Security and stolen information from their "data leak detection" service, DataViper.

The attacker claims to have exfiltrated more than 8,200 databases, comprising billions of previously leaked records. Some companies that appear to have been impacted are Cloud154, MGM Grand Hotels (see below), ApexSMS, Fotolog, Avito.ru, Storybird.com, ClassPass.com, LocateFamily.com, Rocket-Text.com, and ROMWE.com.

The breach that hit MGM Resorts affected more than 142 million hotel guests, rather than the 10.6 million initially reported in February this year. This came to light after a threat actor known as NightLion put the hotel's data up for sale on darknet forum, Empire. MGM claims it was aware of the scope of the breach, and that all affected users have been notified despite not seeking to clarify the original figure of 10.6 million when it was reported. At the time, MGM claimed that all affected clients had been notified in July 2019 (when the breach took place), but some customers continued to experience fraudulent activity on their accounts in August 2019.

ShinyHunters leaked a database from Indonesian retailer Bhinneka on Raid Forums. The database includes 1.2 million user details, including emails, mobile phone numbers, addresses and more.

Stolen data from Wattpad, a social network and user-generated story publisher, is being sold on the darknet in private sales for over USD100,000. The database contains 270 million records, and while it was for sale at first, it is now being offered for free on underground forums. Bleeping Computer received an anonymous tip claiming that this database was being sold by the threat actor ShinyHunters but the attacker denied any involvement.

Ransomware operations such as REvil, Doppelpaymer, and Netwalker continue to cause disruption for their victims around the world. New victim companies are announced almost daily on the respective leak blogs and there is no indication of any respite. This is likely a response to at least some of the victims paying the ransom. As long as this proves an effective money-making enterprise for the cybercriminal operators, the data theft and subsequent encryption of servers will continue.

Fraud

British cryptocurrency exchange, Cashaa, has suspended all of its crypto-related transactions after a cybercriminal stole over 336 Bitcoin (around USD3 million). The company is still investigating the damage caused by the attack but has revealed that the theft occurred after a malicious actor compromised one of the exchange's digital wallets. Cryptocurrency exchanges are a prime target for attackers: once funds have been stolen, they are difficult to recover due to the intentionally anonymised nature of many cryptocurrencies.

Vulnerabilities

SAP has patched a critical vulnerability in the SAP NetWeaver AS JAVA (LM Configuration Wizard) affecting over 40,000 customers. The bug has been dubbed RECON and is tracked as CVE-2020-6287. This flaw can be remotely exploited by an unauthenticated threat actor to fully compromise unpatched SAP systems. This is a particularly serious issue because many of the affected systems are open to the internet. While this allows companies to connect more easily with other business partners, employees, and customers, it also increases the likelihood of remote attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory on this bug, highlighting its significance.

Twitter user Jonaslyk is threatening to release various vulnerabilities affecting Microsoft products. Jonaslyk claims they have not been paid for bug bounties in over 7 months. The vulnerabilities include Hyper-V system escapes, BitLocker encryption bypasses, login bypasses, total NTFS access control, and more.

Backdoors and vulnerabilities have been discovered in 29 Fiber-To-The-Home (FTTH) Optical Line Terminal (OLT) devices from Chinese vendor C-Data. These devices are sold under various brands, including BLIY, OptiLink, V-SOL CN, and C-Data. Backdoor credentials were found to differ between firmware versions and vendors but can still provide access to the affected devices. These vulnerabilities were identified in December 2019. The researchers disclosed their findings publicly this week, as they believe the vendor intentionally installed some of the backdoors. It is unclear if any of these flaws have been, or will be, patched.

VpnMentor has discovered multiple Hong Kong-based virtual private network (VPN) applications with exposed Elasticsearch instances. The unsecured data included the personally identifiable information (PII) of over 20 million users. Notably, each VPN application claimed to be a “no log” service, meaning that they do not record or store any user activity. The researchers discovered, however, that these VPNs stored internet activity logs in multiple instances which included a plethora of PII and technical information. The VPNs affected include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule: 

  • Microsoft released its July 2020 Patch Tuesday security updates, with 123 vulnerabilities patched in total. Of these, 18 are classed as critical. One of the most serious vulnerabilities is a critical remote code execution issue in the Windows DNS server.
  • Adobe released its July 2020 Patch Tuesday security updates for Adobe Download Manager, Adobe ColdFusion, Adobe Genuine Service, Adobe Media Encoder, and Adobe Creative Cloud Desktop Application. A total of 13 vulnerabilities were patched, four of which were rated critical.
  • Oracle has released a critical patch update that fixes multiple security vulnerabilities. This addresses 443 new security issues from a range of Oracle’s products. A large volume of these vulnerabilities can be used remotely without authentication, in that they can be exploited over the network without requiring user login information.
  • ACROS Security has issued a security advisory after a new remote code execution (RCE) 0day vulnerability was discovered in the Zoom Client for Windows. A micropatch for this issue has been added to the 0patch agent to minimise the risk of exploitation.
  • Cisco has issued a security patch for five critical vulnerabilities in several of its routers and firewalls (Small Business routers, RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, RV215W Wireless-N VPN Router, PLM Software).
  • Cisco Talos has issued a security advisory for multiple vulnerabilities disclosed in the RemoteFX feature of AMD and Intel chipsets. Successful exploitation can lead to attackers escaping a Hyper-V virtual machine to access the host.
  • US CISA issued security advisories for various high and critical risk vulnerabilities in Baxter, Moxa, Advantech, and Capsule Technologies ICS products. These ICS products are used by healthcare, manufacturing, energy, and water management systems.
  • US CISA issued security advisories regarding critical patch updates for multiple Siemens ICS products. Siemens ICS products are used in chemical, energy, food and agriculture, and water management systems.
  • Five vulnerabilities have been uncovered in Tenda router version AC15 AC1900, including one that allows threat actors to sign in as root.

 

APT Activity and Malware Campaigns

APT activity

Secure messaging mobile application, Welcome Chat, has been spying on its users in a suspected cyber-espionage campaign across the Middle East. The campaign appears to be linked to the GazaHackers group. Welcome Chat falsely claims it is a secure messaging app that is available on the Google Play Store. Instead, it is distributed on attacker-controlled domains and gives its operators access to the user’s communications and the ability to perform several other malicious actions. GazaHackers’ campaigns are primarily geared towards the gathering of intelligence on countries in the Middle East and North Africa (MENA). GazaHackers has previously targeted sectors including defence, aviation, finance, government, and media: in this case, its motives appear to be surveillance, communications interception, and signals intelligence (SIGINT).

An analysis of SideWinder activity has examined malware samples linked to the state-sponsored cyber-espionage group. Since the start of 2020, SideWinder has targeted multiple governments, militaries, and mineral and energy firms across South Asia, focusing predominantly on Pakistan. The attacks used spear-phishing for credential harvesting. Many of the spear-phishing emails leveraged COVID-19 and targeted educational institutions and government agencies in China and Pakistan. The group has leveraged exploits in older versions of software, highlighting the importance of installing security updates and replacing end-of-life (EoL) products. The use of CVE-2020-0674 is particularly interesting as it was also leveraged by the DarkHotel APT in attacks against China and Japan. The researchers predict that SideWinder may have been able to intercept these attacks or use the same supplier of 0day exploits as DarkHotel. Both groups knew about the 0day vulnerability before Microsoft and other major players in the security sphere.

The ongoing Patchwork APT campaign, first disclosed in mid-June, continues to target countries around the South Asia region. The researchers have found samples in daily spear-phishing emails that they have linked to Patchwork. The decoy documents imitate the "Federal Investigation Agency, Ministry Interior, Government of Pakistan"; one document also masqueraded as the "Ministry of National Health Services, Government of Pakistan" and leveraged COVID-19 guidelines. The precise targets of this campaign are unclear, although Patchwork is known to focus primarily on political or military personnel.

A new attack campaign, uncovered in June 2020, has been linked to Russian state-sponsored threat group Turla. In this campaign, the APT used a previously unknown implant called NewPass. It is suspected that the malware has been used to attack diplomatic or foreign affairs organisations in at least one EU country. The malware enables the threat actors to maintain persistence on infected devices. Turla is believed to be one of the most advanced threat groups in the world. It develops and implements advanced detection avoidance and persistence techniques in its malware. Its victims are often high-value targets in the government, defence, and education sectors worldwide.

Malware

REvil (Sodinokibi) was first observed in 2019 and quickly rose to prominence, taking a 12.5 per cent share of the ransomware market in Q2 2019. It is the improved version of the GandCrab malware, which earned its operators USD2 billion before they announced their retirement and its removal from the threat landscape in 2019. According to new research, the REvil operators have been cooperating with and recruiting threat actors on the darknet since August 2019. One of these, Kerberos, is a breach specialist with whom the REvil operators collaborated in a bid to maximise their profits. The REvil group also recently recruited a threat actor known as SHERIFF, a Russian cybercriminal known for targeting banks, financial institutions, and government agencies. It was also revealed that the group has previously been in contact with energydrinkkk, a threat actor who has targeted the energy sector in the past. energydrinkkk recently offered RDP access to a UAE and Canada-based energy company’s Microsoft Online workspace.

The SANS ICS has uncovered a new malicious spam campaign pushing the IcedID banking Trojan via Word documents. Interestingly, the same campaign previously pushed Valak and Ursnif, which both subsequently delivered IcedID as a follow-up payload. LunarSpider is the Eastern European operator and developer of Bokbot (IcedID). They have been observed distributing a custom variant of Trickbot – the banking malware operated by Russian threat group WizardSpider. CrowdStrike recently mapped LunarSpider and IcedID’s connection to the high-end cybercriminal ecosystem, demonstrating links to other malware such as Emotet, TrickBot, QakBot, and Dridex. IcedID mainly targets North American users, potentially for larger payouts per victim.

A backdoor malware named ServHelper, which has been linked to TA505 – a financially motivated Russian APT – is targeting the financial and retail sectors. ServHelper facilitates the installation of additional malware, such as information stealers and remote access Trojans. A new version was found in January 2020 that can install a cryptocurrency miner, tracked as LoudMiner. This is hidden in a spawned virtualised environment, which allows it to evade detection. TA505 has targeted the financial, retail, and hospitality sectors since at least 2014. It has remained active throughout 2020 and was most recently observed delivering the GraceWire malware in phishing emails.

A report on BlackRock, a new Android banking Trojan, has shown that the malware is derived from the same code as the Xerxes mobile banking malware, which was based on the LokiBot Android Trojan. Notably, BlackRock’s target list contains several social networking and dating applications that have never appeared in other banking Trojans’ target lists. The malware operators may be testing a new tactic to abuse the growth in apps used for socialising during the COVID-19 pandemic. The organisations targeted in the overlay attacks include Royal Bank of Scotland, N26, Westpac, and banks operating in Europe, Australia, and the US and Canada.

Darknet

Cyjax has identified a threat actor, sailormorgan32, selling access to the internal network of a bank on a darknet hacking forum. The name of the bank has not been disclosed. Based on the screenshots provided by sailormorgan32, the system settings are in Portuguese, significantly reducing the potential countries to Portugal, Brazil, and several in Africa (Angola, Cape Verde, Guinea-Bissau, Mozambique, São Tomé and Príncipe) and Asia (East Timor and Macau). Recent reports have found some evidence linking specific threat actors selling access to internal networks to the ransomware group REvil. While Cyjax is unable to independently confirm these reports, they fit with the broadly observed trend of ransomware operators collaborating with threat actors selling access.

Another new market has launched called Tor2Door. This market currently has around 200 listings. Notably, despite being relatively new, Tor2Door has already been listed on Dark[.]Fail, which is generally considered to be the most credible source for market links. Tor2Door is one of several markets to have been added to Dark[.]Fail in recent weeks: this will undoubtedly provide these markets with increased exposure and potentially boost their customer base.

FraudBay has shut down, having only been active for just over a week. It is unclear why the market suspended operations so quickly, but the admin claims it was due to the development process being “rushed”. They have also stated that FraudBay will return once these issues have been resolved, although no timeframe was provided. It should be noted that many markets have claimed a shutdown would be temporary, only to remain closed. As such, FraudBay is another example of how ephemeral the lifespan of small markets can be.

 

Geopolitical Threats and Impacts

Americas

On 16 July, Cuban economy minister Alejandro Gil Fernández announced that some retail stores are to be allowed to sell food, personal hygiene, and other consumer products in US dollars (USD). The minister also announced that a 10 per cent tax on the use of the USD would be eliminated from 20 July. The latest measures are in line with previous government efforts to cautiously expand the use of the USD, and further gradual steps to facilitate its use are likely in the medium-to-long term outlook. Organisations with interests in the Cuban economy, particularly in the large tourism sector, should assess the impact of the changes and the wider increasing acceptance of the USD on operations and strategy.

On 15 July, US Secretary of State Mike Pompeo announced that Washington will place travel restrictions on workers of Chinese companies deemed to assist authoritarian governments in cracking down on human rights. Pompeo listed telecoms giant Huawei as an example of a company affected by the action, saying it provides ‘material support’ to the Communist Party of China (CPC). The latest announcement will likely prohibit the entry to the US of some of the company’s 194,000 staff globally. Pompeo accused the CPC of censoring political dissidents and operating mass internment camps in its north-western territory of Xinjiang. The full details of the policy have yet to be announced, however it is likely to impact some workers of other major Chinese technology companies, including ZTE. Companies whose personnel will be affected by the new travel restrictions should assess how this impacts operations and staff travel plans.

US President Donald Trump signed an executive order ending Hong Kong’s preferential economic treatment under US law on 14 July. This follows Beijing’s introduction of new national security legislation on the territory. Trump also signed the Hong Kong Autonomy Act into law, giving US authorities the power to penalise banks which do business with Chinese officials implementing the new national security law. Responding to Trump’s actions, the Chinese foreign ministry warned that Beijing will impose retaliatory sanctions on relevant US individuals and entities. The announcements, which come in the broader context of worsening Sino-US ties, follow similar measures limiting Hong Kong’s access to US defence equipment and dual-use commercial-military technologies imposed due to the new national security law. Trump’s latest actions have wide-ranging implications for Hong Kong, not least for the territory’s long-term future as a world-leading financial hub. Companies with interests in Hong Kong and its legal, political, and trading status should assess the impact of the latest US measures on operations and strategy.

On 14 July, the US federal government dropped plans announced last week to deport foreign students whose courses move fully online amid the COVID-19 pandemic. The government has reportedly agreed to reinstate its policy introduced in March as the pandemic escalated rapidly, whereby students whose classes move online can legally remain within the US on student visas. The plans had prompted immediate rebukes and legal challenges from universities, including leading institutions and multiple state attorneys general. The administration’s U-turn marks a positive development for US educational institutions, many of which rely on attracting foreign students, both for revenue purposes and to enhance their international standing. Organisations dependent on foreign students studying in the US should alter planning to account for the policy reversal.

Chinese demand for Chilean salmon has fallen to ‘practically zero’ after Beijing linked an outbreak of the novel coronavirus to a chopping board used by a seller of imported fish, the head of industry body Salmon Chile said in an interview on 10 July. Most governments and health authorities have said that it is very unlikely that the novel coronavirus can be transmitted via the consumption of food. As Beijing has not placed any formal restrictions on imports of Chilean salmon, the sharp contraction is likely due to shifting consumer preferences amid heightened public concern over the possible spread of the virus.

Ford has warned that staffing restrictions in the northern Mexican state of Chihuahua, where it has an engine factory and multiple suppliers, risk disrupting the industry’s North American supply chain. The Chihuahua state government has limited staff attendance in vehicle plants to 50 per cent of capacity as part of efforts to tackle the COVID-19 pandemic. Kumar Galhotra, president of Ford’s Americas and International Markets Group, warned in an emailed statement last week that with the company’s US plants operating at 100 per cent capacity, disruption to operations in Chihuahua rendered the company’s US operations ‘not sustainable’. Companies in the automotive sector with supply chains dependent on operations in Chihuahua should monitor statements from the state government and scenario plan for potential supply-chain disruption.

Amid an ongoing dispute over the outcome of the 2 March Guyanese general election, last week the US government imposed travel restrictions on Guyanese officials it accuses of undermining democracy in the South American country. In a statement, US Secretary of State Mike Pompeo called on Guyanese president David Granger to stand down after a ruling from the Caribbean Court of Justice (CCJ) – Guyana’s highest appellate court – effectively confirmed that Granger had been defeated in the March poll. The supreme court is set to rule on 20 July on a lawsuit blocking the electoral commission from declaring the opposition PPP/C movement as the winners of the election. If Granger does not promptly step aside, there is a high likelihood of further US measures, potentially including sanctions targeting senior government officials. Such measures would hamper development of the country’s nascent oil sector, and potentially expose foreign companies to sanctioned individuals. Companies with interests in Guyana’s economy, particularly its oil industry, should monitor updates on the political dispute and its impact on operations and strategy.

Asia-Pacific

Washington is weighing a travel ban on Chinese Communist Party (CCP) members, according to US media reports. The ban would revoke visas of CCP members and their families, according to the New York Times, citing four people familiar with the matter. A draft of a presidential order has been circulating among senior US officials, but it has not yet been submitted to President Donald Trump, according to a source cited by Reuters. A potential barring of CCP members’ children from attendance at US universities is also being mulled, according to the source. Chinese Foreign Ministry spokeswoman Hua Chunying responded by saying that such a measure would be ‘pathetic.’ If implemented, such a ban would impact China’s approximately 92 million CCP members. It would also mark a further serious deterioration in Sino-US ties, which are already at a historic low amid escalating tensions over the national security law in Hong Kong, alleged human rights abuses in Xinjiang, the COVID-19 pandemic, and territorial disputes in the South China Sea. Further measures by Washington targeting China and retaliatory action by Beijing targeting US interests are likely ahead of Trump’s November 2020 re-election campaign.

Media on 16 July reported the findings of an Australia-China (AustCham) business chamber poll of almost 90 companies operating in Beijing and southern and western China that suggested that, for many companies, bilateral tensions are now a greater threat than economic factors. More than 70 per cent of the Australian companies surveyed reported being concerned about the deteriorating relationship, against 45 per cent in a similar 2018 survey. Although some Australian business groups express optimism over their long-term ties with China, there is little doubt the relationship at the diplomatic and commercial levels will remain tense and complex in the six- to 12-month outlook.

Beijing on 14 July announced it will be sanctioning US arms manufacturer Lockheed Martin over its role in Washington’s most recent arms sale to Taiwan. Lockheed is the primary contractor in a USD620m upgrade package for Taiwan’s Patriot surface-to-air missiles, which Washington approved on 9 July. The nature of the sanctions was not specified. The sanctions come in addition to previous sanctions Beijing has imposed on arms manufacturers involved in arms deals between the US and Taiwan, of which details are also unclear. Beijing has increased pressure on Taiwan since Taiwanese President Tsai Ing-wen, who rejects Beijing’s ‘one China’ stance, assumed power in 2016. Tsai was re-elected in January 2020 in what was widely viewed as a defiant move against Beijing’s increasingly aggressive rhetoric towards the island. Cross-strait tensions have recently flared over Beijing’s increasingly assertive measures, including the implementation of the national security law in Hong Kong.

The New York Times (NYT) has said it will be relocating some of its personnel to Seoul over concerns around the viability of Hong Kong as a centre for journalism in light of China’s imposition of a new national security law. This underscores the uncertainty for businesses in Hong Kong due to the encompassing and vague national security law. Expatriate personnel, particularly those viewed unfavourably by Beijing due to strained international relations or criticism of the Chinese government, are likely to be under increased risk of arbitrary detention under the new law. Risks for media organisations in mainland China have already escalated due to a row with the US that has involved China’s retaliatory expulsion of several foreign reporters. US tech firms Amazon Web Services, Google, and Microsoft have reportedly denied Hong Kong authorities access to customer banking records over privacy concerns and fears of exposure to US sanctions. Under the national security law, technology firm execs could be jailed and fined if they refuse to comply with data requests.

Beijing is drafting an amendment to China’s criminal code to include a new section on trade secrets theft by foreign entities. The amendment is one of a range of changes being made to China’s criminal code. A draft of the bill has been released for public review until 16 August. The amendment could give Beijing a method of enacting reprisals against the US over alleged economic espionage.  The ‘China Initiative’ of the US Department of Justice (DOJ) – launched in November 2018 to probe and prosecute Chinese firms over alleged economic espionage, trade secret theft, and other breaches – in a June report said that approximately 80 per cent of all economic espionage prosecutions brought by the DOJ would be profitable for China. In approximately 60 per cent of cases, there was some form of connection to China, according to the DOJ. In a June interview, FBI director Christopher Wray said the agency had over 2,000 active Beijing-linked probes, an approximately 1,300 per cent increase in China-linked economic espionage probes over the past decade. Foreign firms – particularly US technology companies – with interests in China should monitor the passage of the law and assess its impact on strategy and operations.

Beijing on 13 July imposed retaliatory sanctions on US envoy Sam Brownback and three senior Republican lawmakers – Chris Smith, Marco Rubio, and Ted Cruz – accusing Washington of damaging Chinese interests and meddling in China’s domestic affairs. Though mostly symbolic, the sanctions underscore the escalating tensions between the US and China. They come after Washington on 9 July imposed sanctions on three senior Chinese officials over alleged human rights abuses against ethnic minorities in Xinjiang. The US on 11 July also joined Australia in warning its citizens about the risk of arbitrary detention in China.

The Japanese Ministry of Economy, Trade and Industry announced that fifty-seven businesses will receive subsidies totalling JPY57.4 billion (USD536 million) to invest in production in Japan. Separately, a further 30 firms will receive unspecified subsidies to invest in Southeast Asian nations including Myanmar, Thailand, and Vietnam. Japan’s move marks the first explicit policy by a country to become less dependent on Chinese supply chains and manufacturing and signals a significant denting of bilateral trade amid heightened tensions between China and Japan over the COVID-19 pandemic, as well as long-standing territorial disputes.

Europe

On 15 July, the European Commission (EC) unveiled a series of new tax measures aimed at combating tax abuse and tackling unfair tax competition. The EC views the new Tax Package, which comprises three initiatives, as a complement to the EU’s road to economic recovery and long-term growth, with fair taxation forming a key priority. The EC has proposed actions simplifying tax rules and removing administrative burdens for taxpayers across several sectors. Moreover, tax transparency rules will be expanded to cover digital platforms. Improvements on the EU list of non-cooperative jurisdictions, which includes countries that fail to meet international standards on tax transparency, have also been proposed. The rules were announced in the wake of a ruling by the General Court of the European Union overturning an earlier decision ordering US-based Apple to pay almost USD15 billion in tax to the Irish state. The case was brought forward by the EC in 2016, which claimed that Apple had benefited from unfair tax breaks given to it by Ireland. By extending coverage to include digital firms, the new measures will translate into heightened scrutiny on the revenue and sales of platforms such as the App Store. Due to the cross-border model and nature of digital platforms, national tax authorities have struggled to detect the income generated and tax it effectively. For instance, under the current proposals, member states will be able to automatically exchange information on revenues of sellers via online platforms. This will help tax authorities better identify those firms earning revenues from digital platforms and ensure they pay appropriate amounts in taxes. Companies should assess how the new measures will impact strategic and tax planning.

The US has threatened to expand sanctions on the Nord Stream 2 pipeline, which once completed will transport natural gas from Russia to Germany. During a press conference on 15 July, US Secretary of State Mike Pompeo said ‘Get out now -- or risk the consequences’, after announcing new guidelines for sanctions targeting the pipeline, which could see individuals or companies involved in the project being sanctioned. Through removing language that excluded Nord Stream from the Countering America's Adversaries Through Sanctions Act (CAATSA), Washington is setting the groundwork for new sanctions if Russian companies move forward with plans to lay out the remaining pipes for completion. US legislation in December allowed sanctions for any vessel laying underwater pipes, forcing Swiss-based Allseas to withdraw from the project. Firms involved in Nord Stream 2 should factor the likely expansion of sanctions relating to the pipeline into risk planning and mitigation plans.

The UK government is making preparations to exclude Chinese telecommunications firm Huawei from its 5G telecommunications network, with no new equipment set to be installed from 2021, according to UK media on 14 July. The UK’s revised stance on Huawei is almost certain to draw the ire of China, which has threatened Britain with unspecified ‘consequences’. UK businesses with interests in China should assess the impact of potential diplomatic or commercial reprisals by Beijing on strategy and operations.

On 12 July, fashion retailer Primark announced that it would not accept a GBP30 million (USD37.8 million) bonus payment from the UK government for bringing staff furloughed during the COVID-19 pandemic back to work. On 8 July, finance minister Rishi Sunak announced that companies which bring employees back from furlough will be eligible to receive a one-off bonus of GBP1,000 (USD1,261) per worker. Primark, which placed around 30,000 members of staff on furlough at the beginning of the pandemic, said it has now brought them all back to work and would not claim the bonus. Primark’s announcement puts pressure on other companies to reject the taxpayer-funded bonus. Media reports indicate that department store chain John Lewis is considering joining Primark and also turning down a significant bonus payment. Primark’s announcement comes amid a trend of heightened corporate social awareness and activism globally, as well as perceived reputational risks to otherwise profitable companies benefiting from taxpayer-funded financial support during a period of extreme economic difficulty. Companies eligible for the government’s bonus scheme should carefully assess the financial, reputational, and operational implications it would have for the business.

The UK home secretary, Priti Patel, announced on 13 July new immigration rules that will be implemented from 1 January 2021 in a post-Brexit system. This includes the scrapping of freedom of movement, meaning residents of European Union countries will be treated the same as arrivals from the rest of the world. An Australian-style points-based immigration system will also be established with 70 points needed for all skilled EU and non-EU migrants and a minimum salary requirement of GBP20,480. The decision will most significantly impact sectors that currently employ a high number of EU nationals; this includes healthcare, food production, retail, construction, and hospitality. There is a risk that when implemented, the immigration system could result in severe disruption to these industries across the short- to medium-term with detrimental economic impact. Businesses with operations in the UK should ensure they are prepared to adapt and adjust models to the end of free movement, while also putting in place compliant systems and processes.

Middle East, North Africa and Central Asia

A fire damaged at least seven vessels at a shipyard in the southern Iranian port city of Bushehr on 15 July. The cause of the fire has not been confirmed; there were no reported casualties. The incident took place after another fire was reported on 14 July at the South Aluminum Corporation in Lamerd, in the southern Fars province. The facility reportedly sustained minor damages. Iranian officials said that the fire was caused by an ‘oil leak’. These fires are the latest in a string of some dozen incidents involving fires and explosions that have hit highly secure and sensitive sites since 26 June, including a fire on 2 July at the uranium enrichment facility at Natanz that caused a major setback to operations. Iran has claimed many of the incidents were caused by gas leaks or worker negligence. Iran’s infrastructure is indeed in poor shape and industrial accidents do happen. However, given the large number of incidents occurring in such a short period of time, the nature of the targeted sites, many of which have been linked to Iran’s nuclear and missile programmes, and the currently tense geopolitical climate, it is highly likely the incidents are part of a targeted state-sponsored campaign against Iran.

At least three Russian soldiers and an unspecified number of Turkish soldiers were injured when a joint military patrol was hit by an improvised explosive device (IED) in Syria on 14 July. Russia's defence ministry confirmed that three Russian soldiers were ‘lightly’ injured. No group immediately claimed responsibility. This is the first time a joint patrol has been directly attacked, marking a likely escalation of opposition. Security managers should note that further low-level militant attacks in addition to clashes and protests are probable in Idlib province and surrounding areas in the coming days and weeks. Professional security advice and support should be sought prior to any travel to Syria.

Yemen-based Houthi rebels claimed on 13 July to have hit a large oil facility in the southern Saudi city of Jizan with ballistic missiles and unmanned aerial vehicles (UAVs) overnight. No further information was given. State-oil company Saudi Aramco operates a 400,000-bpd refinery in Jizan, located some 60km from the Yemen border. Aramco did not comment on the alleged attack. Yahya Sarea, a Houthi military spokesman, also claimed that the strikes destroyed a number of military bases and installations of the Saudi military coalition in Jizan, Najran and Asir provinces near the border with Yemen, as well as Saudi aircraft and Patriot systems in Khamis Mushait, Asir province.

There has been an uptick in cross-border attacks coinciding with the expiration in late May of a unilateral ceasefire by the Saudi-led coalition in Yemen. Periodic cross-border attacks are likely to continue and primarily affect Saudi’s southern border provinces of Asir, Jizan, and Najran. Likely targets include key infrastructure such as airports, oil facilities, and military positions. The Saudi air defence systems are highly capable and intercept the majority of cross-border armed projectiles. As such, these are unlikely to cause significant disruption to the wider security environment, particularly as the Houthis are generally unable to hit intended targets consistently and accurately. However, the risk remains for rockets to periodically make contact or for debris from the aftermath of a projectile interception to pose incidental risks to those in the vicinity.

Turkish president, Recep Tayyip Erdoğan, issued a decree on 10 July ordering the historic Hagia Sophia museum to be opened for Muslim prayers. The decree came hours after a ruling from the Council of State, Turkey's highest administrative court, which revoked Hagia Sophia’s status as a museum, saying the building's conversion was illegal. The decision to convert the building into a mosque will create tensions between Turkey and the Christian community, particularly Russia and Greece who consider themselves stewards of Orthodox Christianity. The move comes at an especially sensitive time in Turkish-Russian geopolitical relations, as the countries back opposing sides in civil conflicts in Syria and Libya. It is also worth noting that Erdoğan is likely using the Hagia Sophia issue to draw support for the ruling Justice and Development Party, whose public approval has slipped amid economic hardship caused by COVID-19-linked restrictions in the country. There is a realistic probability that protests or celebratory gatherings take place in the vicinity of the building following the decision and ahead of the first prayers which are slated for 24 July.

Sub-Saharan Africa

The South African government-supported National Income Dynamics Study – Coronavirus Rapid Mobile Survey (NIDS-CRAM) indicated on 16 July that 3 million jobs were lost between February and April, and that 47 per cent of households ran out of money to buy food in April. Two-thirds of the job losses affected women, and black females with lower earnings and no higher education were the worst affected. The findings paint a dire outlook for the country, which has seen the number of COVID-19 cases rise rapidly since authorities began to ease the nationwide lockdown; South Africa now has the sixth highest number of confirmed infections in the world, according to Johns Hopkins University data. The lack of revenue and growing hunger among the poorest households could predict two parallel trends. Firstly, increasing hunger rates are likely to reduce health resilience among the population. This suggests that the death rate, which has remained low by global comparisons, may increase in the coming months, particularly as hospitals in some of the worst-affected areas, such as Eastern Cape, are reaching full capacity. Secondly, it signals a growing risk of civil unrest and criminality over the coming three months, when the country’s peak of infections is anticipated by several health experts. Companies with staff and assets in the country should prepare for a growing risk of robberies, burglaries, and insider threats that may result from job cuts.

London-based advocacy group Global Witness (GW) in a report on 16 July alleges serious flaws in supply-chain due diligence by gold traders based in Switzerland and the United Arab Emirates, and weak governance controls by a UK-based accreditation agency. GW alleges in its report that Valcambi of Switzerland and Kaloti of the UAE had likely purchased so-called ‘conflict gold’ in 2012 from Darfurian militias and probably continued to do so between 2013 and 2019. According to the report, Kaloti bought gold from the Central Bank of Sudan, which in turn sourced the precious metal from mines that were under the control of the Janjaweed militia (whose forces were subsequently incorporated into the paramilitary Rapid Support Forces) and Sudan Liberation Army-Abdul Wahid. The report also suggests that international accounting firms helped downplay due diligence concerns, which allowed the commodity to make it into legitimate supply chains through accreditation provided by the London Bullion Market Association (LBMA). Kaloti has denied the allegations, while Valcambi and the LBMA have not made public statements with regard to the report. Compliance managers of companies reliant on gold should ensure their due diligence programmes are in line with international standards and US legislation to mitigate legal risk.

In a report by Qatari news network Al Jazeera English on 15 July, City of Windhoek (COW) councillor Brunhilde Cornelius claims she was offered bribes by local officials who wanted her to drop her opposition to Chinese telecoms giant Huawei developing 5G mobile telephony in the country. According to Cornelius, who is a member of the Namibian opposition Rally for Democracy and Progress (RDP) party, fellow RDP member Nicanor Ndjoze and his cousin Reckliff Kandjiriomuini, who reportedly heads COW’s ICT division, attempted to pressure her into signing a memorandum of understanding with the company in exchange for money from a NAD40 million (USD2.6 million) ‘slush fund’. Kandjiriomuini has denied there is any recorded evidence against him, while Ndjoze has not responded to the media. Al Jazeera also reported there is no evidence that Huawei was aware of the events.

The allegations follow a series of corruption-related investigations, including bribery in exchange for fishing quotas which led to the arrest of two senior ministers in November 2019. The multiplication of corruption-related investigations and allegations signals growing corruption risks in the country. As the reporting suggests the Chinese company was unaware of the events, the case indicates a growing need for companies to strengthen their due diligence practices when investing in the country. Furthermore, the allegations come at a bad time for Huawei, which is facing growing hostility and suspicion from Western governments over its potential ties to the Chinese government, and are likely to damage its reputation in the country.

On 15 July, the International Maritime Bureau (IMB), part of the International Chamber of Commerce, published its piracy report for the first two quarters of 2020. The report indicates a year-on-year increase to 98 reported incidents linked to piracy, compared to 78 in 2019. Fifty-four of the incidents that involved violence against crew were kidnappings, with the Gulf of Guinea (GoG) accounting for 90 per cent (or 49) of those incidents. Furthermore, the rate of kidnappings has increased over the past three months, with 32 of the incidents occurring in this timeframe. The IMB report also says that pirates are attacking vessels further out at sea than in previous years.

The findings are consistent with those published by the IMB in January, and confirm a trend in the region over the past few years of an increased number of reported piracy incidents, despite global rates declining. While waters off Nigeria remain the biggest concern, our own reporting this year indicates that criminals are increasingly attacking vessels in nearby countries. This underscores the high flexibility of GoG pirates, most of whom are believed to be linked to Nigerian organised crime groups, who have demonstrated an ability to adapt their operational zones in response to campaigns by the littoral law enforcement agencies. The growing rate of attacks over the past months is concerning, but also reflects certain regional specificity in the piracy threat involving spikes in attacks during different periods of the year. Regardless, the findings of the report underscore the continued high exposure to piracy of shipping companies transiting the GoG. Such companies need to ensure their security measures are in line with the Best Management Practices West Africa guide that was published in April this year.

On 17 July, Zimbabwean police issued a search warrant against Econet Wireless, ordering the company to disclose all its customers’ details and transactions made between 2 January and 30 June 2020 within seven working days. The search warrant is part of an investigation into suspected money laundering by the company. The move reflects serious government concern over soaring consumer prices due to a depreciating Zimbabwe dollar and low foreign currency reserves, with year-on-year inflation reaching 785.55 per cent in May. The investigation into the country’s largest telecoms service provider underscores high political risks, and follows several erratic policy moves since the onset of COVID-19 in the country. Fuelling the uncertainty are calls by the ruling ZANU-PF party to delist South Africa-headquartered financial services group Old Mutual from the Zimbabwe Stock Exchange, or even ‘eject’ it from the country’s financial system. The party accuses Old Mutual of ‘externalising foreign currencies’ which it claims is depreciating the Zimbabwe dollar further. Further companies are likely to be targeted by similar claims and possible probes, as there are signs of intensifying accusations against foreign actors for the country’s current economic crisis, which has been exacerbated by the COVID-19 pandemic.