Geopolitical and Cybersecurity Risk Weekly Brief 22 June 2020

22 June 2020

COVID-19 CYBERSECURITY UPDATE

Citizens Advice in the UK has warned users not to fall for a new scam campaign that is sending fake messages purportedly from the UK government. The messages can come in the form of calls, text messages, or emails in relation to the new NHS test and trace service. Citizens Advice has reportedly received thousands of reports of this nature.

Microsoft Threat Intelligence Center has analysed the past several months of COVID-19-themed cyberattacks. The key findings include: 

  • Attackers started to actively deploy pandemic-related campaigns after 11 February, when the World Health Organization officially named the outbreak as a pandemic.
  • The week following that declaration saw these attacks increase eleven-fold.
  • COVID-19-themed attacks peaked in the first two weeks of March.
  • By the end of March, every country in the world had seen at least one COVID-19-themed attack.
  • Most COVID-19 themed attacks were repurposed attacks using existing infrastructure and malware with new lures. The overall number of malware detections worldwide did not vary significantly.
  • More phishing attacks are deploying localised social engineering lures. Attacks often exploit trending topics and news articles.
  • The number of attacks targeting the UK typically followed key headlines in the news, such as the announcement of the first COVID-19 death, the FTSE 100 stock crash, the US travel ban to Europe, the Queen’s speech, and Boris Johnson’s admission to hospital.
  • The level of COVID-19-themed attacks against the UK plateaued at about 3,500 daily attacks until roughly the end of April. Once the peak number of infections had subsided, attacks dropped to 2,000 per day.
  • The US saw roughly 20,000 to 30,000 COVID-19-themed daily attacks between April and May. The initial spike also came with the WHO announcement, with a second spike arriving after the US confirmed 100,000 deaths due to coronavirus.

Portugal and Spain are being targeted with COVID-19-themed spam. These messages are pushing malware in malicious documents. Elsewhere, Android Trojans were detected being delivered to victims in Brazil, the US, the UK, the UAE, Egypt, Turkey, Portugal, Russia, Saudi Arabia, and Myanmar. 268 victims have been infected so far.

 

Attacks and cybersecurity news

US-based T-Mobile customers experienced nationwide outages this week and could not make or receive phone calls or send text messages. DownDetector indicated a major outage. While there was some speculation saying that Level 3, a large fibre network operator on which many mobile providers rely, was experiencing a network failure, this was soon debunked. Various threat actors associated with the Anonymous collective claimed that this was a DDoS attack which took down Instagram, Facebook, T-Mobile, Verizon, and Twitch. These claims were conclusively disproven.

The NHS has announced that 113 internal email accounts have been compromised in a malicious phishing campaign. These accounts were then used to send phishing emails outside the health service. This incident is linked to a wider mass credential harvesting campaign which has been active in the UK since at least July 2018. The NCSC warned about this campaign in October 2019. The attacks appear to be indiscriminate in their targeting and have hit a wide range of business sectors.

Threat group LulzSecITA claimed responsibility for attacking and infiltrating an Italian government transparency portal. This attack may be linked to a recent attack on the Italian Chamber of Commerce by AnonymousItaly: both groups have worked together in the past.

Attacks continue in support of the #BlackLivesMatter movement. Threat actor NamaTikure claimed responsibility for a DDoS attack against the Atlanta Police Department website with that hashtag alongside #JusticeForGeorgeFloyd and #OpGeorgeFloyd. The attack followed a fatal shooting of an unarmed black man on 12 June. Another threat actor, S0u1, with the help of NamaTikure (also known as AnonOpUSA), claimed responsibility for a DDoS attack against the website of The Loyal White Knights of the Ku Klux Klan. They claim that they will keep taking down the site until it is "down for good", using the hashtag #destroyKKK. This attack was in support of #JusticeForGeorgeFloyd, #OpMinneapolis, and #RayshardBrooks.

Amazon Web Services (AWS) mitigated a 2.3 Tbps DDoS attack in February this year - the largest DDoS attack ever recorded. It was not specified who was targeted. However, the attack was carried out using hijacked CLDAP web servers. CLDAP is an alternative to Microsoft's LDAP protocol that is used to connect, search, and modify Internet-shared directories.

Prime Minister Scott Morrison warned that Australia is experiencing a massive cyberattack from a state-based actor. Morrison stated: "This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, central service providers, and operators of other critical infrastructure." It was not specified who was targeted, or which nation was responsible. Further, the activity is not new but has increased in frequency. Some commentators have suggested that China was the most likely culprit but, given that this was not one large-scale incident but an uptick in attacks, this attribution should be treated with caution.

It was reported this week that China had launched sustained DDoS attacks on Indian information and news sites, as well as against the country’s financial payments system. Most of the attacks were allegedly traced back to the city of Chengdu in Sichuan province which, according to sources, is known for “being the headquarters of the People’s Liberation Army’s Unit 61398, the Chinese military’s primary covert cyberwarfare section.” This alleged cyberattack came after clashes between Chinese and Indian troops in Ladakh's Galwan Valley, which resulted in the deaths of 20 Indian Army personnel.

Researchers exposed a long-running Russian disinformation operation that has been active since 2014. Known as “Secondary Infektion”, the operation was still active in early 2020. It predominantly targeted Europe and North America with forged documents to influence public opinion. The operation was most successful when established sources shared the content.

Multiple exposed remote desktop protocol (RDP) ports originating from various banks have been reported on Twitter. The financial institutions at risk are located in Venezuela, Bolivia, Spain, and France; these include Banco Caroni, Banco Bisa, Banco Pichincha, Bancamiga, and BNP Paribas - the world’s eighth-largest bank. RDP (TCP port 3389) is a favourite target of ransomware operators as a simple ingress point for attacks. Cryptocurrency mining botnets also scan for exposed RDP ports.

A newly disclosed spyware campaign has been uncovered after 32 million malicious extensions were downloaded by Google Chrome users. Most of the free extensions warned users about questionable websites or masqueraded as file conversion tools. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Google has removed 106 browser extensions following the original report.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

The operators of the Sodinokibi ransomware continue to add to their list of victims. This week hotel chains, hospitality businesses, healthcare equipment manufacturers, financial firms, and others were all added to the group’s leaks blog. Data from Canadian accountancy firm, Goodman Mintz, has now been put up for auction. The group claims there is roughly 100GB of data: pricing starts at USD150,000 and the data can be bought immediately for USD1 million.

Maze ransomware has added ten new victims to its list this week. The threat actors claimed to have attacked and stolen data from exclusively North American companies, including a publisher, a telecoms company, and a system-on-chip manufacturer.

Fraud

A new campaign is using fake CVs to deliver a multi-stage malware attack. The threat actors are using Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications in the final stage of the attack. The lure document was distributed in spear-phishing emails as a CV from a person named "Anadia Waleed". This campaign does not target Russia or the US, although researchers believe avoiding Russia may be misdirection and avoiding the US could be an attempt to prevent analysis by US malware analysts.

Threat actors are using fake data breach notifications to distribute malware and scams. Google Alerts is being used to spread these fake notifications. So far, notifications have purportedly been sent from various organisations including Chegg, EA, Canva, Dropbox, Hulu, Ceridian, Shein, PayPal, Target, Hautelook, Mojang, InterContinental Hotels Group, and Houzz.

South African financial institution, Postbank, is replacing 12 million bank cards after a large security breach exposed the personal data of millions of account holders. The breach was the result of the bank's encrypted master key being printed in plaintext and then stolen by employees. This key allows the holder to gain access to Postbank's systems, read and rewrite account balances, and change information and data on any of the bank's cards. Those affected include regular account holders, as well as between 8 and 10 million beneficiaries who receive social grants from the bank each month.

Threat actors are using a hijacked University of Oxford email server to deliver malicious emails designed to harvest Microsoft Office 365 credentials from European, Asian, and Middle Eastern targets. These emails pose as an Office 365 voicemail notification, claiming that an incoming voice message was waiting in the user's voice-portal. Most of the emails originated from multiple generated addresses belonging to legitimate subdomains from different departments in the University of Oxford. This meant that the messages bypassed security software and secure email gateways.

Vulnerabilities

New research has found that high-impact vulnerabilities in modern communication protocols can be exploited to steal user data, impersonate users, commit fraud and conduct denial of service (DoS) attacks. 28 telecommunication providers were tested across Europe, Asia, Africa, and South America. The vulnerabilities stem from the GPRS Tunnelling Protocol, an IP-based communications standard which defines a set of rules governing data traffic over 2G, 3G, and 4G networks. Vulnerabilities affecting this protocol can allow attackers to interfere with network equipment. 5G networks are equally vulnerable to spoofing and disclosure attacks due to their use of EPC as the core network for wireless communication.

Adobe has released an out-of-band security update addressing 18 critical vulnerabilities which could allow an attacker to execute arbitrary code. These patches address flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition on Windows and macOS devices.

The company has also released a patch for an important vulnerability in Campaign Classic, tracked as CVE-2020-9666, which could lead to information disclosure.

The operators of the Black Kingdom ransomware have been observed targeting organisations with unpatched Pulse Secure VPN software. These attacks are exploiting CVE-2019-11510, a critical arbitrary file read vulnerability in Pulse Connect Secure which could allow an unauthenticated remote attacker to send a specially crafted URI and read arbitrary files. The group establishes persistence by impersonating a legitimate scheduled task for Google Chrome.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Two high severity vulnerabilities in the Cisco WebEx Meeting Desktop App for Windows and macOS.
  • Several vulnerabilities in Oracle E-Business Suite (EBS) could allow attackers to alter an organisation’s financial records if left unpatched.
  • Multiple vulnerabilities in the Linux Kernel. Successful exploitation can lead to root compromise, arbitrary code and command execution, denial of service, and information disclosure.
  • A recent Google Chrome browser update addresses a critical vulnerability. If successfully exploited, it could lead to remote code execution on the targeted system.
  • VideoLan has patched a vulnerability in VLC Media Player which could allow attackers to remotely execute commands or crash the service on a vulnerable device.
  • Plex has patched and mitigated three vulnerabilities in its Plex Media Server for Windows. The vulnerabilities are tracked as CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742.
  • Drupal has patched multiple security vulnerabilities in its systems, including a critical flaw which could allow an attacker to execute arbitrary PHP code. They affect Drupal versions 7, 8, and 9.
  • A recent uptick in mass scanning for Office 365 SharePoint servers vulnerable to a remote code execution (RCE) vulnerability, tracked as CVE-2019-0604. A patch for this vulnerability has been available for over a year.

 

APT Activity and Malware Campaigns

APT activity

The North Korean threat group, Lazarus, has been targeting European and Middle Eastern aerospace and military companies in a phishing campaign for malware deployment. The campaign, dubbed Operation Interception, involved targeting aerospace engineers via LinkedIn with bogus job offers from Collins Aerospace and General Dynamics (GD), two US-based aerospace organisations. Lazarus then aims to infiltrate the target network and brute force any Active Directory admin accounts. Any data discovered would be exfiltrated to a Dropbox account.

Lazarus and Kimsuky, another North Korean threat group, have both been observed targeting the defence sector and aerospace organisations. Security researchers uncovered several Boeing and BAE Systems-themed phishing lures used to infiltrate organisations in these sectors. Recently, it was also reported that Kimsuky is repurposing Lazarus' malicious documents to target North Korean human rights defenders. A series of spear-phishing attacks were detected against the North Korean Human Rights Commission, the North American North Korea Commission, and other North Korea-related organisations based in Washington DC. The attacks aim to harvest credentials.

It was recently reported that Lazarus was planning a massive attack on the US, the UK, Japan, Singapore, India, and South Korea. This took the form of a mass phishing campaign masquerading as a COVID-19 relief effort targeting more than five million individuals. The phishing emails are designed to impersonate the Ministry of Manpower (MoM), using a spoofed email account, offering a one-time subsidy of USD750 for employees under the ‘Work Support Plan’. Apart from Singapore's Ministry of Manpower, other government agencies due to be targeted in the campaign include Japan's Ministry of Finance and the Bank of England. Amongst others, Lazarus reportedly has the details of 1.1 million individual email IDs in Japan, another 2 million in India, and 180,000 business contacts in the UK.

The InvisiMole spyware has been rediscovered in a new campaign targeting high-profile organisations in Eastern Europe. According to threat researchers at ESET, the InvisiMole group has updated its TTPs and heavily updated the toolset. InvisiMole is designed by state-sponsored attackers to stealthily gather as much information as possible from a compromised device.

A new campaign is being carried out by Indian APT, Patchwork, which uses National Network Security Incident Contingency Plans as a lure to entice victims. The final payload is a backdoor malware. Patchwork is believed to be an Indian APT which uses a combination of new and old exploits and tools in its attacks. The group was recently seen using coronavirus as a lure in its phishing emails, with one campaign targeting the Chinese government.

Malware

Cisco Talos’ Summer 2020 Incident Response Trends report has revealed that the Ryuk ransomware dominated the threat landscape for the fourth quarter in a row. Ryuk has reportedly shifted from relying on commodity Trojans to living-off-the-land tools. This led to a decrease in attacks from malware such as Trickbot and Emotet, both of which were involved in the typical Ryuk infection chain of the past few months. Email remained the primary method of compromise, along with the exploitation of remote desktop services (RDS) and attacks on Citrix and Pulse VPN products.

Suspicious emails masquerading as BOTAS International, Turkey’s state-owned oil and gas pipeline and trading company, have been observed delivering the AgentTesla infostealer. The emails are sent from ‘info@botas.gov.tr’ and contain a malicious RAR archive and ‘pdf.exe’ file that delivers AgentTesla. The infostealer was observed in two recent campaigns targeting the oil and gas industry in Malaysia, the USA, Iran, South Africa, Oman and Turkey, among others. It was also being distributed by a new threat from Iran, the BehnazGroup, to countries such as the UAE, Spain, Turkey, and South Korea.

A new malware, dubbed AcidBox, has been uncovered: it is a complex modular toolkit and part of a bigger toolset that is being used by an unknown APT actor. AcidBox contains a 0day exploit for a vulnerability in a signed VirtualBox driver (version 2.2.0). This demonstrates that the malware was most likely developed by advanced threat actors who were able to incorporate a 0day vulnerability into their creation. The choice of VirtualBox is significant because many organisations use it for virtualisation and essential IT work.

Google Play Store has once again accepted a Trojanised Android application that contains malware. The Trojan hides as an app called ‘Smart Call Screen’ that has been available for five weeks, has over 100,000 downloads from the Play Store and is Google Play Protect verified. The Android package files (APK) for this app are detected as malicious by many antivirus engines and are concealed as ‘smart.call.screen.tools-1.apk’ or ‘smart.call.screen.tools.apk’.

A new malware, dubbed TroyStealer, has been discovered targeting Portuguese users. Phishing emails claiming that there is a problem with a payment being sent to the recipient's bank account are used as a lure to spread this information stealer.

Cyjax analysts have uncovered several fake Android package files (APK) being distributed online and masquerading as McAfee antivirus software for Android phones. Further investigation found that the apps concealed an Android banking Trojan. Other security researchers uncovered the malicious website used to host the fake McAfee APKs that warns users their phones have been infected by malware.

Darknet

In recent weeks, the Cerberus operators announced they were suspending public sales, but that the malware would still be available privately to a select group of affiliates. The operators, however, have recently advertised multiple open affiliate positions on public forums. This recent recruitment drive for affiliates suggests Cerberus will continue to expand its operations, posing a significant threat to organisations, despite the suspension of public sales.

EncroChat, a company which sells customisable, privacy-focused Android operating systems, claims to have been compromised by law enforcement. EncroChat’s software has been repeatedly associated with criminal activities, including large scale drug operations across Europe and other forms of organised crime. Other privacy-focused Android operating systems, such as GrapheneOS, are also frequently discussed on the darknet in relation to criminal activities. Earlier this week, EncroChat allegedly messaged all customers claiming that its domain had been seized by “government entities” and that the security of EncroChat devices could no longer be guaranteed. All users were to dispose of EncroChat devices. Currently, law enforcement organisations have not commented on EncroChat’s claims.

Finally, a threat actor has begun to auction off access to a major European cloud service provider on a popular darknet forum. Currently, the name of the cloud service provider has not been disclosed. However, this threat actor has a history of auctioning off access to organisations' internal networks, so the threat should be considered credible.


Geopolitical Threats and Impacts

Americas

US President Donald Trump held a large campaign rally at the BOK Center arena in downtown Tulsa, Oklahoma on 20 June. The rally was Trump’s first major public campaign event since the rapid escalation of the spread of COVID-19 in the US in March. The choice of Tulsa as the venue and original date of 19 June, or Juneteenth, have drawn widespread criticism as being culturally insensitive amid widespread civil unrest over racism and police brutality. Several counter-protests were organised in the city. Staff and residents should exercise heightened vigilance during any campaign rallies and associated protests in the coming weeks.

In an update to its Mexico travel advisory on 17 June, the US government warned of armed criminal groups targeting commercial vessels, oil platforms, and offshore supply vessels in the southern Gulf of Mexico’s Bay of Campeche area. Despite this, the country’s overall risk level remained unchanged at ‘Level 2: Exercise Increased Caution’. The Bay of Campeche is home to many of Mexico’s oil fields. In the past year, multiple security incidents have been reported in the area. Companies with staff and operations in the southern Gulf of Mexico, particularly in the Bay of Campeche, should review security measures in light of the updated US travel advisory, and collaborate with law enforcement and industry colleagues on timely information sharing protocols.

The US Department of Commerce announced on 15 June a new rule allowing US companies to work with Chinese telecoms giant Huawei to develop standards for 5G and other emerging technologies. This is in spite of Huawei being listed on the US’s ‘entity list’ since May 2019, which restricts sales of US goods and technology to the company over national security concerns. While at first sight this announcement appears to mark a deliberate de-escalation in long-running Sino-US trade hostilities, it is more likely an attempt to prevent US companies from being marginalised in international standards organisations. US companies with interests in global telecoms standards should take note of the new rule and consider modifying their participation in standards bodies.

On 12 June, Brazil’s state-controlled oil giant Petrobras said it would not hire any tankers which have visited Venezuela in the past 12 months, in compliance with US sanctions against Caracas’ vital oil sector. The measure comes after the US has repeatedly imposed sanctions on vessels and their owners for trading in Venezuelan crude despite pre-existing US sanctions seeking to discourage commercial involvement in the crisis-hit South American country’s oil sector.

Several days later, the US Department of Transportation (DOT) fined Panamanian flag carrier Copa Airlines USD450,000 for unlawfully transporting passengers between Venezuela and the US via a stopover location. The DOT said that for several weeks after Washington issued a ban on passenger flights between the US and Venezuela in May 2019, Copa Airlines continued to sell tickets and transported more than 15,000 passengers between the two countries. The US imposed the ban amid widespread civil and political unrest in the oil-rich South American country. The measure, however, also served Washington’s broader foreign policy objectives towards Venezuela by further isolating the government of President Nicolás Maduro.

Foreign businesses with interests in Venezuela should carefully assess their exposure to current US sanctions and likely future measures, particularly targeting the country’s oil sector. Regarding the Petrobras decision, companies with interests in the shipping industry should carefully assess the legal implications of lifting Venezuelan crude prior to signing contracts.

APAC

US President Donald Trump on 17 June signed the Uighur Human Rights Policy Act of 2020 into law. The bill calls for sanctions on Chinese officials over the alleged repression of Uighurs. It demands that US companies operating in the Xinjiang region, home to most of China's Uighur population, ensure that they do not use parts created through forced labour involving Uighurs and other Muslim minority groups. Beijing, which claims that its actions in Xinjiang are countering violent extremism, accused the law of attacking China and Chinese interests and has threatened countermeasures. Trump’s signing of the bill and its seamless passage through Congress with near-unanimous bipartisan backing highlights the consensus among the US’s major parties over the treatment of ethnic Uighurs, signalling a protracted dispute over the issue regardless of the outcome of November’s presidential race. In the more immediate term, it marks another worsening of Sino-US relations, already marred by a trade war and mutual allegations of culpability for the novel coronavirus (COVID-19) pandemic. US companies with interests in China should assess how operations and strategy may be impacted by a further deterioration of bilateral relations, potentially prompting commercial or diplomatic retaliation from Beijing.

Demonstrations have taken place in various urban centres in India on 16 and 17 June in response to deadly clashes between Indian soldiers and Chinese forces in the Galwan Valley of the remote disputed region of Aksai Chin-Ladakh. Protesters rallied outside the Chinese embassy in the capital New Delhi, with a number of people detained by police. The rallies passed off mostly peacefully, although protesters burned or destroyed items such as Chinese flags, photos of the Chinese president, and Chinese products. Meanwhile, Prime Minister Narendra Modi issued a strongly worded statement on 17 June regarding the clash, saying ‘India wants peace, but if instigated, India at all costs is capable of giving an appropriate response’.

The situation remains tense, though Chinese foreign ministry spokesman Zhao Lijian said on 17 June the border situation is ‘stable and controllable’. In a sign of de-escalation, foreign ministers from both countries spoke via telephone and agreed to a diplomatic solution. Additional protests are likely to take place but will remain low-level and relatively localised. There is a moderate likelihood of protests erupting in violence, including clashes with security forces who may forcibly disperse gatherings due to ongoing COVID-19 related assembly restrictions. Security managers should monitor the situation for updates and anticipate an elevated security presence in the vicinity of protests.

North and South Korean military units were reported to be mobilising along the demilitarised zone (DMZ) separating the two countries on 17 June as tension on the divided peninsula rises. On 16 June, North Korean forces demolished a liaison office set up on the North’s side of the DMZ in 2018 during a period of relative stability, an action ostensibly linked to South Korea permitting the release of balloons carrying anti-North Korean propaganda from its territory. The building has been unoccupied for some time. Why it matters: The destruction of the liaison office within its own territory is likely to be followed by other acts by North Korea, presumably intended to force an advantageous response from South Korea and the US. Foreign companies in South Korea should ensure their contingency plans for any heightened alert status are current and crisis management teams are refreshed and rehearsed.

Cambodia’s Health Minister Mam Bunheng announced on Monday (15 June) that all foreign nationals barring diplomats entering the country with immediate effect are required to deposit USD3,000 in testing and quarantine fees. According to media reports, if any passenger on an aircraft arriving in Cambodia tests positive, all the other passengers will be required to enter a 14-day quarantine at a cost of up to USD1,276. If an individual tests positive, up to USD3,550 will be charged for 14 days’ treatment and quarantine. No timeframe has been given as to when the new measures will be reviewed. The new regulations, introduced with only a few days’ warning and open to abuse due to Cambodia’s endemic corruption levels, are certain to serve as a major disincentive for any business or leisure traveller to visit Cambodia until the financial and quarantine requirements end.

Europe

Several towns and local communities have imposed local lockdowns to combat a recent surge in coronavirus (COVID-19) cases. On 17 June, a spokesperson for the district of Gütersloh, located in Germany’s North Rhine-Westphalia state, announced that schools and day-care centres would be shut after an outbreak was reported at a local meat-packing plant. In the northern Greek community of Echinos, a strict quarantine is in place for a seven-day period after 73 new cases were recently reported there. This comes as Bulgaria reported a record high number of new cases, after 112 infections were confirmed in the last 24 hours. The developments provide an indication of how governments will manage future national outbreaks. In the first instance, local lockdowns – aimed at containing the spread to the wider community and other parts of the country – will be used. Restrictions for travel to and from affected areas will also be in place. Contact tracing apps, currently being rolled out across the continent, will complement efforts to contain outbreaks in the early stages. Key determinants for local lockdowns will be the profile of a location where a new outbreak has been detected, the number of cases recorded in a short period compared to other parts of the country, and capacity at healthcare centres.

The Russian government is considering changes to the fines levied against organisations found to have breached private data. Under the proposals, maximum fines for leaking private data would be raised from RUB50,000 (USD724) to RUB500,000 (USD7,240). Levies for individual businessmen, officials, and regular citizens found responsible for data breaches are also set to rise. The proposed changes follow a series of high-profile data leaks reported in recent months. Firms operating in Russia should expect further announcements regarding the fine proposals and ensure they comply with any relevant regulations.

On 16 June, the European Commission (EC) confirmed it was launching two antitrust probes into US-based technology firm Apple. One investigation is examining whether iPad and iPhone devices have been limited to installing applications from Apple’s App Store. Another probe centres on Apple Pay, a mobile payment service, and has been triggered by concerns that other services are unable to use the iPhone’s tap-and-pay function. The probes form part of the latest EC bid to exert more regulatory and political pressure on major technology firms to promote competition across the EU. This comes as Japanese online retailer Rakuten filed an antitrust complaint against Apple over its policies; Rakuten and other firms such as Netflix and Spotify are forced to pay a 30 per cent fee per purchase to the App Store, which is too high. Technology firms should regularly monitor regulatory and legislative developments, ensuring full compliance with current EU regulations.

On 14 June, the German government ‘noted with regret’ the approval a day earlier by US senators of sanctions targeting the Nord Stream 2 pipeline, which will transport natural gas from Russia to Germany. Germany’s foreign ministry said, ‘new sanctions would constitute a serious interference in European energy security and EU sovereignty’. Under existing sanctions, individuals and entities linked to the project may have their US visas revoked and face potential asset seizures in US jurisdiction. The expansion of sanctions is part of a bid to apply increased pressure aimed at delaying or preventing the completion of the pipeline, which Washington argues will mean Europe’s continued reliance on Russian energy exports. The US has promoted US-produced liquefied natural gas (LNG) as an alternative. Companies involved in the project should factor the likely introduction of new sanctions into risk planning and mitigation plans.

China has halted imports of European salmon over concerns that a coronavirus (COVID-19) cluster identified in Beijing may be linked to the fish. According to multiple local newspapers, the virus was discovered at Beijing’s Xinfadi market, specifically on chopping boards used for imported salmon. The spike in infections has led to fears of a potential surge in new COVID-19 cases. Major supermarket chains in the city have removed salmon from shelves. According to Norway’s Food Safety Authority there is no evidence to suggest that fish could be infected by the virus. Experts have also questioned the claims that contaminated fish was the direct source of infections. China accounts for around 5 per cent of global demand for salmon. Norway is the world’s main exporter of the fish, and the cost of a prolonged ban on European salmon imports would disproportionately harm Norwegian producers.

Besides Norway, other key exporters to China include Chile and the Faroe Islands. News of a new outbreak in China coincides with data published on 15 June by Eurostat, the EU’s statistics office, showing that EU exports fell by nearly 30 per cent in April, highlighting the global disruption in trade flows resulting from COVID-19. Exporters of salmon should assess the impact of the ban on sales strategies and operations, identify alternative export markets if possible, and adjust marketing strategies accordingly.

MENA and Central Asia

Turkish forces launched a military operation into northern Iraq on Wednesday (17 June). The operation, known as ‘Claw-Eagle’, hit targets suspected to belong to the Kurdistan Workers' Party (PKK) in several regions in Iraq's north, including Qandil, near the Iranian border, as well as the areas of Sinjar, Zap, Avasin-Basyan and Hakurk. Turkey's military claimed 81 PKK targets were hit, including shelters and caves. Turkish warplanes frequently target the PKK, which the government considers a terrorist organisation, in northern Iraq. The most recent operation, the first known airborne and land offensive, is in response to an increase in harassment and attempts to attack Turkish army bases near the border, according to Turkey’s defence ministry. Security managers should monitor the situation for updates and note that elevated security measures are commonly put in place following attacks and counter-terrorism operations.

Sanctions imposed by the United States under the Caesar Syria Civilian Protection Act come into effect on 17 June. The sanctions target the oil, construction, engineering, and military aircraft sectors and prevent any individuals, companies, or entities from doing business with Syrian officials or state institutions in addition to participating in any reconstruction efforts in the country. The US ambassador to the UN, Kelly Craft, told the Security Council on 16 June that the sanctions aim to push Syrian President Bashar al-Assad to implement Security Council Resolution 2254, which calls for a ceasefire, elections, and political transition along with long-stalled UN-led peace talks. The new sanctions will exacerbate Syria’s current economic crisis, which has already been affected by the COVID-19 pandemic and the near collapse of the banks in neighbouring Lebanon. Despite this, the impact on the regime is likely to be cushioned as Assad’s main ally, Russia, has sought to reopen the M4 international highway in northwest Syria with the intention of circumventing the sanctions in parts of the country connected by the strategic road.

The United States state department said on 12 June it will further reduce its troop levels in Iraq due to ‘significant progress’ towards eliminating the Islamic State (IS) threat there. The statement came after delegations from the US and Iraq met for the US-Iraq Strategic Dialogue, the first round of which took place on 10 and 11 June. Some 5,000 US troops remain in Iraq as part of the US-led military coalition against IS. Washington has already withdrawn some troops from Iraq as part of overall efforts to draw down its troop presence in the Middle East. A number of other coalition countries have also pulled troops due to concerns over the COVID-19 pandemic. The decision will relieve some pressure on new Prime Minister Mustafa Kadhimi amid criticism by pro-Iran groups over the US troop presence in the country. However, some pro-Iranian parliamentary blocs have reportedly expressed dissatisfaction with the absence of an agreed timeframe for the troop withdrawal.

Lebanese authorities have toughened their rhetoric toward anti-government protesters, with President Michel Aoun saying on 15 June security forces will arrest those who attempt to destroy public properties and attack security forces. On the same day, the Lebanese army said it had arrested dozens of suspects for ‘vandalism’. The announcements come after hundreds of protesters clashed with security forces throughout the weekend. The rallies were the latest in a series of protests denouncing Lebanon’s economic crisis, which has led to soaring unemployment and forced the country to default on its sovereign debt for the first time. Protesters are angry at a political elite they see as incompetent and nepotistic. Hotspots for unrest are Beirut’s Martyr’s Square, Tripoli’s Abdul Hamid Karami square, the central bank of Lebanon, and other financial institutions in the country. Security forces are likely to use heavy-handed tactics to disperse gatherings.

The Peoples’ Democratic Party (HDP), the main pro-Kurdish party in Turkey, called for a five-day intercity march toward Ankara starting on Monday (15 June). The marches, organised to denounce the arrest of two Kurdish politicians, will begin from the northwestern province of Edirne, where many HDP politicians are imprisoned, as well as the southeastern province of Hakkâri, an HDP stronghold. The government imposed a temporary ban on public gatherings and intercity travel in cities along the way to Ankara in an apparent effort to curb the march. The protests come amid a recent spate of arrests and detentions over the past three weeks, part of a wider purge of opposition elements that has been ongoing over the past four years, facilitated by state of emergency powers and sweeping anti-terrorism legislation. Additional protest activity by pro-Kurdish groups will take place in the 2 to 4-month outlook, especially if the proposed amendments progress into law.

Sub-Saharan Africa

Évariste Ndayishimiye was inaugurated as president of Burundi on 18 June, an event that attracted large crowds to the capital Gitega. This comes after the constitutional court on 12 June ruled the presidency vacant and urged an expedited installation of the new head of state in a bid to defuse concerns about instability. However, Burundi is entering a fragile transitional period after 15 years under Pierre Nkurunziza, who died on 8 June. Nkurunziza was a highly influential figure who had managed to keep ambitions among senior military and intelligence officers in check, but there have been divisions regarding Ndayishimiye’s nomination. Although he has repeatedly expressed strong support for the ruling CNDD-FDD party’s youth wing, the Imbonerakure, there are also indications he may want to disarm the group, which could be a cause for growing insecurity and instability in the six-month outlook.

Integrated petrochemicals and energy company Sasol on 18 June announced restructuring plans which will lead to an undisclosed number of job cuts and divestment from West Africa-based oil operations. In its press release, the company said its strategy will require a new operating model which it hopes to have finalised by 2021. Meanwhile, the company has contacted South African trade unions and will do the same in other countries where it has operations. The restructuring plans are due to the detrimental impact of the lockdowns imposed to slow the spread of COVID-19, in South Africa and elsewhere, as well as the severe drop in demand for crude oil earlier this year. Companies working with Sasol in other segments should assume their co-operation will be affected and should take steps to engage relevant stakeholders in consultations in a bid to assess the likely impact on their activity.

On 15 June, the International Monetary Fund (IMF) announced it was lowering Senegal’s GDP forecast for 2020 to 1.1 per cent. The IMF also forecasts that the public deficit will reach 6.6 per cent this year. In addition, sovereign credit-rating agency Moody’s Investors Service announced it was placing the government’s foreign and local currency issuer ratings, as well as its foreign-currency senior unsecured rating, under review. Moody’s explained that the government’s participation in the G20’s Debt Service Suspension Initiative (DSSI) raised the risk of default on private-sector debt obligations. The moves underscore the serious concerns about Senegal’s economic outlook and its consequent ability to meet its debt obligations. Private lenders should take steps to ascertain the ability of public institutions to honour their debt obligations and consider a multilateral approach, for instance through a delay in debt servicing, over the coming three years in a bid to limit their financial losses.

On 15 June, members of the National Association of Resident Doctors (NARD) embarked on a Nigeria-wide, indefinite strike over the lack of supply of personal protective equipment (PPE) and demanded a risk allowance for frontline workers treating patients who have contracted COVID-19. The union said resident doctors working in COVID-19 isolation centres will continue to work but would also join the strike if NARD’s demands are not met within two weeks. The strike comes amid proposals, currently under parliamentary review, to cut basic public healthcare spending by 43 per cent in a bid to reduce public expenditure due to the shortfall in government revenue because of the COVID-19 pandemic and low oil prices. The strike reflects serious concerns in the healthcare sector over the planned budget cuts and comes as the rate of infections is accelerating in the country. Other unions could take similar action over the coming weeks. Although the striking doctors are employed in the public sector, a reduced capacity at such institutions is likely to have knock-on effects on private hospitals and clinics as well.

On 14 June, Malian President Ibrahim Boubacar Keïta (commonly referred to as IBK) said he would engage the opposition in talks to form a unity government, pledged to increase salaries of public sector teachers who are currently on strike, and reiterated a promise made during a national dialogue in December 2019 to take initial steps towards reforming the constitution. His announcement comes amid growing anti-government sentiment over the past two months, which culminated on 5 June when tens of thousands of protesters gathered in the capital Bamako to call for IBK’s resignation. While legislative elections, which had been repeatedly delayed over the past two years, were held in April amid high security risks, a government has yet to be formed. It is unclear how the opposition and civil society will respond, although international actors such as the African Union and the Economic Community of West African States have reportedly urged influential cleric and political leader Mahmoud Dicko, who led the 5 June rally, to resume a dialogue. Organisations with personnel and assets in the country should monitor further announcements by IBK and other political leaders in the coming weeks which will give a better indication about the likely success of negotiations.