Geopolitical and Cybersecurity Risk Weekly Brief 24 August 2020
ATTACKS AND CYBERSECURITY NEWS
Japanese business technology organisation Konica Minolta was hit with a ransomware attack towards the end of July: its services were impacted for almost a week. Researchers obtained a copy of the ransom note and established that the attackers deployed RansomEXX. It is not believed that this malware steals user data before encrypting victim systems, as has become commonplace among ransomware in 2020. RansomEXX is a human-operated ransomware strain; threat actors must manually compromise a network and spread to other devices until they find administrative credentials to access the Windows domain controller. RansomEXX can prevent system restore and will delete logs to cover tracks. It also has an extended list of processes that it will terminate, including antivirus products, database services, cloud platforms, and backup systems.
All three Emotet Epochs are working at near full capacity and continued to deliver moderate-to-heavy amounts of malspam throughout the week. The operators appear to have moved from a hashbusting method of evading antivirus solutions, towards a code change that does not require hashbusting. Statistics based on a large data set of Emotet IOCs have revealed several things about the operation, not least that the C&C infrastructure has steadily grown since September 2018 and that the breaks between each Emotet run have been roughly four months each time. Cofense and security researchers from Japan uncovered a wordlist for Emotet’s naming conventions. This could be useful for filtering malspam. The latest round of Emotet attachments have been tailored for English-speaking users. Most of the email templates are generic, featuring the target’s username with a subject of “RE:”. In recent days, Emotet’s hashbusting has averaged 24,500 hashes on EXEs alone.
The US army has published a report on North Korean military tactics, including cyber operations. This report is being used to train US troops and military leaders and lists information about the Korean People’s Army’s (KPA) weapons arsenal, leadership structure, troop types, logistics, and electronic warfare capabilities. Cyber-warfare operations are said to take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121. The report claims that all of North Korea's hackers are linked to Bureau 121 and that the agency has grown in recent years as North Korea has expanded its cyber activity: from around 1,000 elite threat actors in 2010 to more than 6,000 members today. The US Army, however, does not believe this number is entirely accurate and claims that it is likely to be much higher now.
Korea CERT has issued a security advisory concerning DDoS attacks against Korean companies and educational institutions. The attacks leverage UDP Flooding to strain bandwidth and render services unavailable. Small and medium-sized organisations in Korea are advised to sign up to the CERT’s free DDoS defence service provided by the Korea Internet & Security Agency.Chinese threat actors have gained access to some 6,000 email accounts belonging to more than a dozen Taiwanese government agencies. The investigation into this cyberespionage campaign is still ongoing. However, government officials have already stated that the damage inflicted was “not small”. It is believed that two groups, BlackTech and Taidoor, are responsible for these attacks. They are known to have targeted government departments and information service providers since 2018.
COVID-19 Cybersecurity update
A new pharmacy-themed spam campaign involves injecting spam links into compromised sites. The domain found in one example belongs to a compromised third-party local government website. The pharmacy spam is targeting interest around the coronavirus and is explicitly advertising Aralen, the brand name for the drug chloroquine. Since the spammers are using domains that belong to local governments, users are more likely to trust the information as it is coming from an authority, rather than a typical pharmacy spam page.
A Canadian government online portal, known as GCKey, was breached in an attempted coronavirus relief payments theft. The threat actors used credential stuffing to access 9,041 GCKey accounts - this out of a total of 12 million accounts. GCKey is a single sign-on system used by the public to access multiple Canadian government services, including those for immigration, taxes, pension, and benefits. Over 30 federal services also use GCKey as an alternative access route for users signing-in to the Canadian Revenue Agency (CRA) systems. It is currently unclear how much (if anything) the attackers were able to steal.
Data Breaches, Fraud and Vulnerabilities
Credit service agency Experian South Africa confirmed a data breach that exposed the personal information of around 24 million South Africans and 793,749 business entities to a suspected threat actor. Experian SA has been working with the South African Banking Risk Centre (SABRIC) to identify affected customers. Experian claims that information was accessed on 13 August, but that no consumer credit or financial information was stolen. It also alleges that the suspect plans to use the stolen data to offer insurance and credit-related services. Its infrastructure and systems were not affected. This bears some resemblance to the 2017 Equifax data breach, which was described as "one of the largest data breaches in history". Threat actors stole sensitive PII from 145 million Americans.
Artificial intelligence company Cense exposed over 2.5 million records containing the medical and personal information of users. The records were labelled as 'staging data' and seemingly intended to be held temporarily before being loaded into the AI Bot or Cense’s management system. Medical data is highly sought after by cybercriminals, as it holds great resale value. The Cense data was open and publicly accessible, and could have been edited, downloaded, or deleted without authentication.
Cruise line operator Carnival Corporation disclosed a ransomware attack. The company claims that the ransomware encrypted a portion of the brand's IT systems, and gained unauthorised access to some company files, including the personal data of guests and employees. This is the second data breach announced by Carnival Corp this year. In March, the company disclosed that two of its subsidiaries, Holland America Line and Princess Cruises, suffered a cyberattack in May 2019 that resulted in a data breach. The investigation into the incident revealed that an unauthorised threat actor had accessed the personal information of some guests and employees.
Spanish photos and graphics service Freepik reported a data breach impacting 8.3 million users. Freepik is one of the most popular websites on the internet, currently ranked #97 on the Alexa Top 100 sites list. Using an SQL injection vulnerability, unknown actors gained unauthorised access to a database that stored user data. The threat actors are believed to have obtained usernames and passwords for users registered on the Freepik and Flaticon websites.
The operators of the DoppelPaymer ransomware announced their latest victims: three out of the four are based in Japan. This is noteworthy, because there is generally no discernible pattern in terms of ransomware victimology, with attacks occurring across a range of sectors and geographies. This small cluster of Japan-based victims, all of whom were likely to have been attacked recently, may indicate a more organised targeting approach by the DoppelPaymer operators. However, more consistency in terms of victim geographic location and a wider data sample is required before any conclusions can be drawn.
The University of Utah's College of Social and Behavioural Science (CSBS) was the victim of a ransomware attack. Content on the compromised CSBS servers was encrypted by an unnamed entity and was not accessible by the college. Attackers were also able to steal files before encrypting the servers. CSBS decided to pay a ransom of USD457,059.24 to protect student data and prevent it from being released to the public. It claims that their cyber insurance policy paid the ransom and that no tuition, grant, donation, state, or taxpayer funds were used.
The operators behind the Maze ransomware have added numerous victims to their leaks site this week. The threat actors show no sign of stopping. This is also the case with other major ransomware being widely disseminated in the threat landscape today, including REvil and Netwalker.
Customers of the Ritz hotel in London have become the target of an "extremely convincing" phishing attack that posed as hotel staff to steal payment card details. The attackers called clients of the hotel, asking them to confirm their restaurant booking and provide their payment card details because they had been declined. As all victims had been previous customers of the Ritz, and the attackers knew that each target had restaurant reservations, the hotel is now investigating a potential data breach. The Information Commissioner’s Office (ICO) has been informed. Victims of the attack claim that the call was even more convincing because it appeared to come from the hotel's real phone number, suggesting that caller ID spoofing was also deployed.
Cyjax analysts uncovered a new Office 365 credential harvesting campaign targeting the private and public sector. Over 80 phishing URLs were discovered targeting a wide range of organisations. The New York Federal Reserve, Hawaii Medical Service Association, the Bank of Montreal, the University of Idaho, and Deloitte, represent the diversity of sectors being targeted. This style of attack, in which the recipient's email address is pre-filled on the fake login page, is becoming more commonly leveraged by phishing groups. The campaign started on 17 August; we expect more organisations will be targeted.
A new phishing campaign has been targeting Portuguese users by impersonating the MultiBanco online payment service, MB WAY. Attacks started on 17 August and are being disseminated via email and SMS; the number of affected users is not yet known. The phishing landing page impersonates the MB WAY service, and is fully responsive, adapting to the target device depending on whether it is a smartphone or computer. Data collected by the phishing page includes sensitive information such as credit card details, victim's phone numbers, and SMS codes which are used to manage the MB WAY accounts.
The FBI and local police in the US have made multiple arrests as part of a crackdown against criminal gangs who exploited a software glitch in Santander ATMs to cash-out more money than was stored on the cards they were using. The glitch was caused by a bug which allowed fake debit cards or valid preloaded debit cards to be used to withdraw amounts of money from the ATMs above their stated threshold. Details of the glitch were initially kept private and shared or sold between members of the threat group; they were eventually leaked online and shared on Telegram chat rooms, Instagram, and other social networks this week, resulting in exploitation by multiple criminal groups. This resulted in a sudden spike of ATM cash-outs at Santander banks. To prevent further loss, Santander shut down all ATMs on 18 August. They were reopened a day later.
There has been an increase in phishing attacks targeting Facebook users: between 120-180 fake Facebook accounts, all using official-sounding names were discovered. However, the names contained Roman characters that appeared similar to English script, allowing attackers to create Facebook accounts which closely mimicked the names of genuine accounts. This is known as a homoglyph attack. In many cases, even after a victim had discovered that their account had been compromised, many chose to create a new account rather than attempting to regain control of their previous one. The attackers also appear to be increasing their attempts to gain control over the Facebook pages of high-profile celebrities. The precise motivation for this operation is currently unknown, though there are several possibilities: one possibility is that these accounts will be used to spread misinformation in the future.
Threat actors could hijack user accounts in dozens of fitness and gym mobile applications, even if two-factor authentication (2FA) is active, according to new research. All of the affected apps use Fizikal, an Israeli management platform for gyms and sports clubs allowing customers to control their subscription and register for classes. Around 80 applications rely on Fizikal's API, with close to 70 of them found in Google Play Store's health and fitness section. There are currently over 240,000 total active installations of these apps. Bleeping Computer believes that a threat actor could leverage these bugs to learn the schedule and details of high-profile individuals, with all the potentially malicious consequences that entails.
There has been a rise in targeted attacks attempting to exploit multiple security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin. The plugin allows users to manage product pricing and discount campaigns on WooCommerce online stores, and currently has more than 30,000 installations. If successfully exploited, the vulnerabilities could allow unauthenticated attackers to retrieve a list of all users and coupon codes, inject XSS into a site's header, footer, or admin page, and trigger remote code execution exploits. Despite the release of the version 2.1.0 patch, the latest update has only been downloaded 12,000 times. This suggests that at least 17,000 WordPress-based WooCommerce online stores with active Discount Rules plugin installations are still vulnerable to attacks.
Google has patched a critical security vulnerability affecting Gmail and G Suite that could allow attackers to send spoofed malicious emails as any other Google user or enterprise customer. The bug was caused by a lack of verification when configuring mail routes. To exploit this flaw, an attacker would need to send spoofed emails to an email gateway on the Gmail or G Suite backend. From there they could run a malicious email server to allow the email to progress. A second bug could then be chained to establish custom email routing rules that take an incoming email and forward it while spoofing the identity of any customer using a native Gmail/G Suite feature named "Change envelope recipient." This bug validates the spoofed email against SPF and DMARC security standards, providing authentication.
We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:
- Remote code evaluation vulnerability in the Concrete5 content management system (CMS) that can lead to a full compromise of the susceptible web application and the web server on which it is hosted. This vulnerability has now been addressed in updated versions of Concrete5.
- High-risk vulnerability in Apache Dubbo. Successful exploitation can lead to remote code execution. Upgrading Apache Dubbo to a secure version (Dubbo 2.7.8 and 3.2.9) as soon as possible is recommended.
- Critical vulnerability in Jenkins Jetty web server which could result in memory corruption and information disclosure. CVE-2019-17638 affects Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521. This has been addressed in the latest version by Jenkins.
- Tencent has issued a security advisory for a high-risk vulnerability in Apache Shiro. This has been patched in version 1.6.0.
- Hong Kong CERT has issued a security advisory over multiple vulnerabilities identified in ISC BIND. Successful exploitation can lead to a denial of service condition and data manipulation on the targeted system. Patches have been released.
- US CISA has issued a security advisory over multiple vulnerabilities disclosed in Phillips ICS products used in medical facilities. Successful exploitation can lead access to administrative controls and system configurations, which could allow changes to system configuration items causing patient data to be sent to a remote destination. Patches have been released.
- US CISA has issued a security advisory regarding several vulnerabilities in Cisco products. Successful exploitation could result in remote code execution, denial of service, or privilege escalation. Patches are available in the individual advisories.
- Microsoft has issued an emergency out-of-band software update to patch two security vulnerabilities, tracked as CVE-2020-1530 and CVE-2020-1537. Both vulnerabilities can allow a remote attacker to gain elevated privileges after successful exploitation.
- IBM has patched a vulnerability affecting the IBM Db2 relational database, tracked as CVE-2020-4414. IBM Db2 versions for Linux, UNIX, and Windows are affected.
- IBM has issued a security advisory concerning a new vulnerability in Thales products that affects many Internet of Things (IoT) devices. The vulnerability can be remotely exploited, and its impact varies based on the devices using the affected software. A patch was made available in February 2020.
- Multiple vulnerability notifications surrounding issues present in NCR SelfServ and Diebold Nixdorf ATMs. Diebold Nixdorf and NCR have released software updates that protect communications between the cash depot module and the host computer and prevent attackers from exploiting the vulnerabilities. If these flaws are successfully exploited, attackers can successfully carry out ‘deposit forgery’ attacks.
- CISA encourages users and administrators to apply the latest update for Google Chrome version 84.0.4147.135 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.
APT Activity and malware campaigns
Threat actors claiming to be well-known malicious groups such as FancyBear and ArmadaCollective are threatening organisations with distributed denial of service (DDoS) attacks of up to 2Tbps. Organisations in a variety of sectors, including finance and retail, have been targeted for attempted extortion. The attackers contact the target and warn them of an imminent DDoS attack on their infrastructure. They claim that this can be avoided if a ransom is paid quickly, whilst also warning that if the company tries to report the incident to the media, the attacks will begin immediately and last for a long time, destroying the company's reputation. Researchers believe that these extortion attempts are the work of copycat groups, and not actually FancyBear or ArmadaCollective. Using the reputation of these well-known groups is most likely to be an attempt to intimidate potential victims and force them into paying the ransom without considering that the attacks may not present a genuine threat.
New activity attributed to MustangPanda has been disclosed. The Chinese state-sponsored APT has been using a weaponised copy of a report titled “Tibet-Ladakh Relations” to target separatist groups. The group’s C&C server was uncovered, along with samples of the PlugX remote access Trojan (RAT). The malware uses a DLL-sideloading technique to infect a target’s device that must be using Microsoft Office 2007. One of the domains linked to the C&C server was also previously disclosed in a report called Operation RedDelta - a Chinese cyber-espionage campaign against the Vatican.
A new campaign is being orchestrated by TransparentTribe (also known as APT36, ProjectM, and MythicLeopard), a state-sponsored group from Pakistan. Over the past year, the APT has been developing its TTPs, increasing the frequency of its attacks, and using new tools. TransparentTribe is also increasing its focus on Afghanistan. The group continues to spread its Crimson RAT, infecting many victims in multiple countries, mainly India and Afghanistan. And the threat actors have also developed their USBWorm component further as part of Crimson RAT’s toolbox. TransparentTribe is a prolific group whose activities can be traced as far back as 2013. This APT group has never taken time off. It continues to hit its targets, which typically are Indian military and government personnel. Its TTPs have remained consistent over the years, mainly using malicious documents with embedded macros generated via a custom builder.
US CISA and the FBI have disclosed a new remote access Trojan (RAT) dubbed BLINDINGCAN. This malware has been attributed to a cyber-espionage campaign from the North Korean group HIDDENCOBRA (the name US authorities use for Lazarus). It was used to gather intelligence surrounding key military and energy technologies. The APT actors used malicious documents masquerading as job postings from leading defence contractors as lures and installed a data gathering implant on its victims’ systems. This campaign also leveraged compromised IT infrastructure across multiple geographies as command and control (C&C) systems. Based on CISA and FBI malware analysis results, the BLINDINGCAN malware can also remove itself from compromised systems and clean its traces to avoid detection.
Ukraine’s National Cyber Coordination Centre (NCCC) has disclosed a large cyberattack against the Ukrainian government attributed to a state-sponsored Russian APT group tracked as Gamaredon. The attack included a large, coordinated malware campaign against government agencies and critical infrastructure. The goal of this operation was to destabilise the region before Independence Day (24 August) celebrations and local elections (25 October). Cyjax analysts have investigated the IOCs linked to this campaign. The malicious documents used by Gamaredon group exploit a vulnerability tracked as CVE-2017-0199, which affects older versions of Microsoft Office, as well as Windows 7 and Windows 8.1 - all of which are End-of-Life (EoL) software, meaning that they no longer receive patches or updates from Microsoft.
Threat researchers have identified new SmokeLoader malware samples and C&C domain infrastructure. The attacks appear to masquerade as FedEx parcel delivery notifications using a typosquatting domain. SmokeLoader is developed by an organised cybercriminal group tracked by Crowd Strike as SmokySpider. These malware developers offer access to their downloader on underground forums for high-end cybercrime affiliate programmes such as DanaBot, DoppelDridex, REvil, and GandCrab. The latest malware to be dropped by SmokeLoader includes the recently disclosed WastedLocker ransomware, operated by EvilCorp.
PurpleWave, a new infostealer from Russia, has been disclosed by researchers. PurpleWave is a custom-built malware that aims to collect sensitive data, exfiltrate it to the attacker’s C&C server, and download additional malware. Commodity malware like PurpleWave represent an active threat as they are still available for purchase on underground forums. PurpleWave is in the early stages of its development, but already has many data-stealing features. It is highly likely that the author will continue to enhance its capabilities and add more features.
Threat researchers have uncovered the first cryptocurrency-mining worm that possesses the functionality to steal AWS credentials from infected servers. This new feature was first seen in malware used by TeamTNT, a threat group known for targeting Docker installs. Researchers claim that TeamTNT has now expanded its attacks to target Kubernetes installations. If the group infects a Docker or Kubernetes system running on top of AWS infrastructure, it can scan the underlying infrastructure for any Amazon Web Services (AWS) credentials. The researchers believe that the threat group has not yet used any of the stolen credentials.
Sucuri has disclosed a new version of a Magento credit card-stealing script that exfiltrates the stolen information to a malicious domain. The attacker-controlled domain masquerades as a legitimate service by using ‘cdn-filestore[.]com’. Credit card stealers have become a common threat. As consumers continue to rely heavily on online shopping, we expect to see a rise in attacks targeting e-commerce sites. Magento products are at high risk of being targeted by Magecart groups. The attackers often target online payment processes to inject web skimmers and steal customer payment card data, as well as other sensitive information. The primary mitigation against attacks of this sort is maintaining up-to-date software, so that known vulnerabilities cannot be exploited.
Tencent has issued a security advisory concerning an active Mirai botnet campaign carrying out SSH brute-forcing attacks on Linux-based devices in China. After successfully logging in, the attackers execute shellcode to download the Mirai Trojan for DDoS attacks. The attacks target Internet of Things (IoT) devices with Linux OS which are then connected to the attackers’ C&C servers and await instruction. This Mirai campaign is reported to have successfully compromised tens of thousands of devices, mainly located in Guangdong, Shanghai, and Beijing.
A sophisticated botnet campaign, dubbed FritzFrog, has been using brute force tactics to breach SSH servers and mine Monero cryptocurrency. FritzFrog is both a worm and a botnet that targets the government, education, and financial sectors worldwide; it has also attacked medical centres and telecoms companies. The attack compromised over 500 servers in the US and Europe, targeting various universities and a railway company.
A new phishing campaign delivering the IcedID banking Trojan is targeting business customers and using password protection, keyword obfuscation, and minimalist macros to avoid detection. This campaign also uses dynamic link library (DLL) as a second stage downloader, showing a new level of skill for the threat actors behind the Trojan. The latest version of IcedID is being distributed through compromised business accounts: the targets are customers of that same business.
Trend Micro has uncovered two Trojanised Docker images called “alpine” and “alpine2” to trick developers into using them, as Alpine Linux is widely used. If a developer ran Docker containers from these images, they would run the XMRig cryptomining program, used to mine Monero (XMR) as well as Masscan, a tool used to find other vulnerable servers. The Trojanised images were tactically placed on DockerHub waiting for unsuspecting developers to download and use them for Alpine Linux containers.
Several prominent darknet sites, including Empire market, Dread, and Dark[.]Fail, have come under sustained DDoS attacks. These began during the middle of last week and resulted in sustained downtime on many of the sites. Empire market has been hit particularly badly, with some users reporting that they are unable to withdraw any funds or even access the market over the weekend. The attacks also led to a significant number of phishing attacks against Empire users. DDoS attacks of this scale targeting darknet sites are not unprecedented. In January, DDoS attacks kept several high-profile darknet markets offline for an extended period. The origin of these latest attacks remains unknown.
The operators of the Raccoon infostealer have announced they are integrating ransomware functionality into their malware-as-a-service platform. They intend to achieve this by partnering with a ransomware group, although they are still in the process of selecting a partner. This represents a significant evolution in the threat posed by the Raccoon infostealer, which until now has only been used to steal data from victims. This announcement also underscores the high demand for ransomware-as-a-service (RaaS) platforms that currently exists on the darknet.
geopolitical threats and impact
On 20 August, the US Department of Justice (DOJ) charged Joseph Sullivan, a former chief security officer at ride-hailing giant Uber, with attempting to conceal a 2016 hack which exposed personal information of 57 million users and drivers. The DOJ said that Sullivan took ‘deliberate steps’ to keep the Federal Trade Commission from learning about the hack, and arranged for the hackers to be paid USD100,000 under the company’s cybersecurity ‘bounty’ programme. A spokesman for Sullivan said the charges were without merit, and that disclosure was the responsibility of the legal department. The case marks one of the first times that a corporate information security officer has been charged with concealing a major cyberattack. Organisations which experience breaches and data theft should promptly report these to the relevant legal authorities in their jurisdiction. Considering this case, companies may also wish to review their protocols when a cyber incident is detected.
US efforts to repatriate its citizens from Venezuela amid the COVID-19 pandemic have been repeatedly rejected by authorities in Caracas, US Department of State spokeswoman Morgan Ortagus said in an emailed statement on 20 August. It is not known precisely how many US citizens in Venezuela are seeking to return to the US, however they are likely to number at least several hundred. While Venezuela has offered to repatriate US citizens on flights operated by state-owned airline Conviasa, this is prohibited by US sanctions and should not be considered a genuine attempt at resolving the issue. In the immediate term, US citizens seeking to return to the country may wish to consider travelling via another country, potentially on repatriation flights bound for other countries in Latin America or Europe, before subsequently boarding an onward flight to the US.
In tweets published on 19 August, US President Donald Trump called for a boycott of tyres produced by Goodyear, based in Akron, Ohio, amid controversy over the company’s staff attire policies. Trump’s comments followed reports that Goodyear had deemed clothing bearing certain political stances as ‘unacceptable’, including hats with Trump’s ‘Make America Great Again’ (MAGA) slogan and t-shirts with the phrases ‘All Lives Matter’ and ‘Blue Lives Matter’, the latter in reference to police officers. In a statement, Goodyear said there had been ‘misconceptions’ around its policies, and that it supports equality and law enforcement. While Trump’s latest comments are likely to be well received by his supporters, any negative impact on Goodyear’s sales could affect jobs in Ohio, a key swing state that Trump is seeking to retain in November’s presidential election. More broadly, the incident highlights the potential difficulties facing corporates related to equality policies, particularly regarding employee support for political and social causes amid heightened civil society awareness of racism and discrimination. Organisations reviewing anti-discrimination policies should carefully consider the internal and external implications of rules on staff clothing and support for social causes.
On 18 August, Joe Biden was officially confirmed as the Democratic Party’s presidential nominee for November’s presidential election. Biden’s candidacy was confirmed after delegates from across the country participated in a roll call vote during the 2020 Democratic National Convention, which is being held virtually due to the COVID-19 pandemic. Centrist Biden routinely leads in national opinion polling and has established important leads in swing states won by Trump in 2016, including Florida, Michigan, and Pennsylvania. Importantly, many significant electoral developments are likely before the 3 November election, including debates between the major party candidates and the release of data on the economic impact of the COVID-19 pandemic. This means that while data suggest Biden is the current frontrunner, a victory of either major party’s candidate remains entirely plausible. Organisations with interests in November’s election should monitor electoral developments and scenario plan for either plausible outcome.
In comments to the press on 17 August, Mexican President Andrés Manuel López Obrador said that an ethane supply contract signed under one of his predecessors, Felipe Calderón, and backed by a Brazilian-Mexican consortium was ‘unfair’ and should be cancelled. Under the agreement, state-owned oil company Pemex provides a consortium of Brazil’s Braskem – controlled by scandal-tainted construction giant Odebrecht – and Mexico’s Grupo Idesa with ethane well below current market rates. The deal, signed in 2010 under the centre-right PAN administration of Calderón, is for a 20-year supply contract. Companies with interests in Mexico, particularly with agreements signed with former federal administrations, should monitor updates on potential reviews into existing business deals, and assess the impact on operations, investments, and financial planning.
On 19 August, the Central Crime Branch in Chennai, capital of the Indian state of Tamil Nadu, lodged three criminal cases against three businesspersons, including two from an agricultural export company and three officers from a private bank located on West Marret Street. This case revolves around allegations that the company and bank defrauded a US-based company of GBP94,000 worth of goods. The US company had placed an order for peas and legumes and paid in full; however, the goods were never delivered. A Mumbai-based trader was also defrauded by the same entities, and the Chennai police filed similar charges. As India becomes a more attractive market for foreign investors and companies, it is prudent to understand the myriad business and operational risks by conducting a pre-entry market study that will identify the risks as well as offer entry strategies to mitigate those risks, including fraud and corruption.
Bangladesh’s private sector is looking for the government to secure a free trade agreement (FTA) with the UK to boost trade volumes and ensure longer-term economic prosperity. The UK is already the country’s third largest exporter, shipping around USD3.5 billion worth of goods, mainly textiles, during FY2018-2019. There are also more than 200 UK-based businesses that have around USD2.5 billion worth of investments in the South Asian state. Though Bangladesh already receives preferential trade benefits as it is technically classified as a ‘least-developed’ state, there is a sense of urgency by the private sector to get an FTA in place after the current Brexit transition period ends in December 2020. Businesses are advised to monitor Bangladeshi-UK trade developments and consider carrying out new market entry studies prior to investment.
The US government on 19 August informed the Hong Kong authorities that it had suspended or terminated three bilateral legal agreements related to shipping industry taxation and the transfer and extradition of criminal suspects between the two judiciaries. The unilateral suspension or termination of the accords follows previous US measures intended to signal Washington’s opposition to Beijing’s recent decision to impose China’s national security law (NSL) on Hong Kong. While the termination of the extradition accord was seen as inevitable given China’s pretentions that the NSL applied globally, the end of the reciprocal tax agreement will have an immediate financial impact on Hong Kong-based international shipping companies that will now be liable for a higher tax rate when they deliver cargo to the US. The decision to remove the exemption is in line with earlier US sanctions or suspension of commercial and trade privileges, some explicitly intended to protect Hong Kong from direct interference by Beijing by placing an economic value on the maintenance of the post-colonial status quo. The imposition of the NSL has negated these advantages, and further US economic measures intended to emphasise Washington’s opposition to Beijing’s actions can be expected in the three-month period ahead of the US presidential elections.
US electric automobile manufacturer Tesla has entered a dispute against China-based e-commerce site Pinduoduo after the latter ran an advertising campaign offering Tesla’s Model 3 car with a promotional discount. This latest development highlights a significant problem in the market for foreign companies: transparency and better control of the supply chain. The foreign auto industry has grown rapidly in China, largely facilitated by the strength of the Chinese e-commerce culture. Pinduoduo, among many similar companies, largely operate in a very fast and loosely regulated environment, where the lack of transparency is pervasive and adherence to the terms and conditions of reseller agreements can be flouted. For foreign companies, it is notoriously difficult to have full oversight and control of the supply chain in China, posing risks to the brand and potential legal liabilities. In order to manage the risks, companies are advised to keep abreast of such developments and understand the legal recourse available to them. An end-to-end supply-chain audit and review is also advisable to identify any vulnerabilities.
On 18 August, the administration of US President Donald Trump announced an expansion of sanctions against Chinese technology company Huawei. According to the Commerce Department, 38 Huawei affiliates were added to the sanctions list, raising that total to 152 since May 2019. This latest round of sanctions targeted suppliers, particularly those foreign manufacturers of chips and related technologies that utilise US software and technology. Commerce Secretary Wilbur Ross said that those foreign suppliers and future others will be banned from using American software and technology without a license. A day after the announcement, stocks in several of these Asia-based suppliers, such as Taiwan-based MediaTek and Novatek Microelectronics, dropped significantly, underscoring specifically how this ongoing trade dispute is touching companies further down the supply chain. For foreign technology firms, they are advised to maintain constant monitoring of related developments, specifically sanctions-related announcements from the US and Chinese governments, due to their potential financial and operational impacts. It would be prudent to review and update contingency plans to minimise any operational disruption to the supply chain in the event of sudden changes on trade.
An incident in which a Vietnamese fisherman died after being shot by Malaysian coastguards has strained relations between the two countries and highlighted what may be a more assertive policy by Hanoi in the South China Sea. There have been numerous incidents of Vietnamese fishing boats being intercepted by Malaysian, Indonesian and Thai coastguard, and naval patrols in the past. However, the latest clash occurred less than a month after Vietnam’s Civil Defence Law (2019) came into effect in July. The new law appears to regulate and effectively encourage acts of self-defence against threats to Vietnam’s territorial interests. The ‘aggressive’ actions described by the Malaysian authorities may have been either a misinterpretation or a requirement of the new law. Until this is clarified by Vietnam and their fishing sector brought under greater control in terms of respecting the national sovereignty of other nations, such incidents are certain to reoccur, potentially with even more damaging consequences in terms of diplomatic and even economic relations between Vietnam and other countries. Foreign companies operating in Vietnam should factor such scenarios into their crisis management contingency planning.
Unconfirmed reports claim that North Korea’s leader Kim Jong Un is seriously ill and in a coma with his sister, Kim Yo-jong, preparing to assume power over the country. Kim’s health has been the subject of widespread speculation in recent months following unsubstantiated reports he underwent a failed heart operation in April and has been seriously ill ever since. South Korea’s Yonhap News Agency reported a South Korean National Intelligence Service assessment that a power vacuum appeared to have developed in North Korea either due to Kim Jong Un’s medical condition or other factors. Any instability within North Korea’s closely held leadership increases the threat of unpredictable action by the regime, potentially raising the overall threat level on the peninsula. However, there is no indication at present that the South Korean and US militaries have increased their defence posture or raised the country’s ‘Defcon’ status. Nevertheless, there are concerns that in the event Kim Jong Un’s incapacity or death are confirmed North Korea may conduct provocative actions, such as a nuclear test or missile firing, to emphasise the regime’s continuing control over the country. Foreign companies in South Korea should be aware of the potential for a heightened period of tension in the immediate outlook.
EU Industry Commissioner Thierry Breton said on 19 August that the European bloc will impose tighter sanctions on Belarus in response to that government’s handling of the current civil unrest and the disputed re-election of President Alexander Lukashenko. The EU is set to hold an extraordinary meeting in Brussels where they will discuss sanctions and other measures aimed at supporting economic and political reforms in the beleaguered state. Companies with ties to, or interests in Belarus, are advised to monitor the latest updates from the EU about upcoming sanctions and prepare contingency plans to minimise any operational disruption.
Polish health minister Lukasz Szumowski resigned from his position on 18 August, amid allegations surrounding the procurement of medical supplies during the COVID-19 pandemic. Some medical equipment procured by the government has been found to be ineffective or did not reach the country, while a company owned by Szumowski’s brother has received large quantities of money in government grants. Szumowski denied wrongdoing and said his resignation was unrelated to the allegations. Companies providing medical supplies to governments during the pandemic should account for the heightened risk of probes and anti-corruption investigations into such dealings.
Germany’s Federal Cartel Office (BKA), the country’s antitrust authority, has launched an investigation into whether US-technology firm Amazon is abusing its dominant market position. In particular, the probe will explore the way in which Amazon influences the setting of prices by third-party sellers on its marketplace platform. Amazon has also blocked out some sellers due to allegedly excessive prices. A company spokesperson denied the market abuse charges, saying that ‘systems are designed to take action against price gouging’. After the US, Germany represents Amazon’s second-largest market, with around 13,000 people employed at 13 distribution centres across the country. During the COVID-19 pandemic, Amazon experienced substantial growth in line with an industry-wide trend benefiting online shopping platforms. However, the company has faced multiple antitrust probes both on the national and EU-level amid claims that it is using its dominant market position to limit competition. If antitrust authorities find conclusive evidence confirming the market abuse claims, Amazon may be faced with a significant fine and ordered to modify its platform. In September 2019, a Paris-based commercial court fined Amazon EUR4 million after finding that new contract clauses with third-party vendors unlawfully disadvantaged sellers. Technology firms should assess their potential exposure to the ongoing probes and ensure full compliance with EU competition law.
MENA and Central Asia
On 20 August, the US initiated a process at the UN Security Council to trigger a ‘snapback’ in sanctions against Iran. These sanctions were previously lifted following the 2015 Joint Comprehensive Plan of Action (JCPOA), under which Iran agreed to limit its uranium enrichment programme. The US submitted a letter to the 15 members of the Security Council, underlining that Tehran has failed to comply with the agreement. The submission of a formal demand now means that other members have 30 days to adopt a resolution and stop the snapback; it is important to note that as a permanent member, the US holds veto power. Any attempt to permanently block the ‘snapback’ mechanism via a resolution could be blocked by the US, meaning the issue is likely to remain a point of serious contention between members, elevating geopolitical tensions across the medium term. As of 21 August, five remaining powers are upholding the JCPOA: Britain, China, Germany, France and Russia. These countries have notified the Security Council that they will not recognise the US' snapback. In a joint statement, Britain, France and Germany said that the US’ move was ‘incompatible’ with their efforts to maintain the nuclear deal.
The move comes amid a ramping up of US pressure against Iran in recent months, including through the implementation of sanctions against various companies and individuals affiliated to the regime. The UN Security Council, however, has been consistent in its opposition to re-imposing sanctions. On 14 August, the council overwhelmingly voted against a US proposal to extend an arms embargo on Iran. If triggered, the ‘snapback’ mechanism would reintroduce the idea of an arms embargo, including a ban on Iran developing ballistic missiles with nuclear capability. In a move that is likely to further escalate tensions between Iran and the US, the Atomic Energy Organization of Iran (AEOI) announced on 21 August that ‘big steps’ had been taken to expand its uranium enrichment capacity. The statement referenced the snapback mechanism, suggesting that the move was likely in response to US efforts against Iran. A resolution against the ‘snapback’ sanctions will likely be presented in the upcoming weeks by Security Council members, meaning there is a low likelihood of the implementation of pre-2015 sanctions against Iran in the short-term outlook.
Iran’s foreign ministry stated 20 August that a United Arab Emirates-registered ship was seized on 17 August after violating Iranian waters. The crew was detained, and the ship confined by coastguards. The foreign ministry also reported that on the same day the UAE’s coastguard force had shot dead two Iranian fishermen. Tensions between UAE and Iran will probably escalate further once an agreement between UAE and Israel is officially signed, likely in the upcoming month.
The UN-backed Special Tribunal for Lebanon (STL) on 18 August found one member of the group Hezbollah, Salim Ayyash, guilty in the 2005 assassination of former Lebanese Prime Minister Rafik al-Hariri. Three other Hezbollah members were cleared due to insufficient evidence proving they were accomplices. The Tribunal also exonerated Hezbollah leadership and the Syrian government, citing a lack of evidence. The STL, an international court based near The Hague in the Netherlands, has been in session for more than ten years. The four Hezbollah members were tried in absentia as Hezbollah has refused to disclose their whereabouts. It is not clear what the real consequences of the ruling will be. The verdict will be disappointing for those who wanted justice for the assassination and expected the revelation of new evidence. It will likely cause further strain on the delicate sectarian balance and increase tensions following the deadly 4 August Beirut port explosion which has resulted in increased demands for accountability and transparency and eventually led to the government’s resignation.
The Lebanese army is reportedly on high alert for possible demonstrations connected to the verdict. Security managers should monitor the situation for updates, especially in the coming weeks as focus shifts to forming a new government. A State of Emergency, initially declared on 5 August, has been extended for a month and will remain in place until 18 September, giving authorities the power to close spaces of assembly and impose curfews at short notice. Avoid all forms of public gathering for risk of exposure to incidental violence.
On 16 August, the Turkish government issued an international maritime alert, announcing that it would expand its hydrocarbon exploration programme from next week by commencing explorations along the southwestern coast of Cyprus. According to the state-run news outlet, Anadolu Agency, a drill ship, identified as Yavuz, will operate between 18 August and 15 September across this region, exploring along Ertuğrul Bey, Osman Bey and Orhan Bey. Turkey’s recently renewed efforts to conduct hydrocarbon activities in the disputed area of the eastern Mediterrean have provoked regional backlash and escalated tensions. The European Union issued a statement on 14 August underlining support for Cyprus and Greece where Turkey’s drilling is believed to be infringing on the countries’ exclusive economic zones. In a further sign of escalating tensions in the area, on 10 August France notably sent a small navy fleet and seismic vessels to bolster its presence in support of Greece. Continued acts of aggression by the Turkish navy could result in the imposition of sanctions from the EU, particularly given mounting pressure from Cyprus for the bloc to commit to a stronger position on Turkey’s actions. The elevated tensions carry operational constraints for international energy firms with interests in the region and will likely test their risk appetite.
In a statement on 15 August, Sami al-Amassi, president of the General Federation of the Palestinian Trade Union (PGFTU), said that the closure of Gaza’s Kerem Shalom crossing on 11 August, had paralysed the public transport and construction sectors, impacting 400 factories across the Gaza Strip. Kerem Shalom is Gaza’s main commercial trade route situated in the southern Gaza Strip on a juncture with Israel. The crossing was closed by Israeli Defense Minister Benny Gantz in response to the recent uptick of rocket fire and launching of incendiary balloons into Israel by Palestinians. All construction materials, fuels, and goods except for essential humanitarian aid are now banned from being shipped via the crossing.
The closure of the crossing is the latest sign of escalating security tensions amid recent breaches of a 2019 Egyptian brokered ceasefire agreement by both Israel defence forces and Hamas, who currently control the Gaza Strip. Further attacks on either side of the border are highly likely in the coming weeks, particularly as Hamas labelled the closure of Kerem Shalom an act of aggression and indicated that retaliatory attacks against Israel will increase as a result; Israel has equally stated they will respond with military force. The restrictions on construction materials are likely to have the most severe impact across the affected industries. The United Nations has previously recorded that around 50 per cent of all truckloads passing through Kerem Shalom into Gaza are carrying construction goods. Significant delays to production are likely in the short-medium term outlook. These restrictions are also likely to further exacerbate the territory’s economic decline caused by COVID-19. The World Bank estimated on 1 June that the Gazan economy is projected to contract by 7.6 per cent in 2020. If the closure is upheld by Israel for an extended period of time, a realistic possibility given the recent escalation in conflict activity, this figure will likely increase further given the significant cross-sector losses.
Israeli Prime Minister Benjamin Netanyahu said on 23 August that he had accepted a proposal to extend budget negotiations. The move will prevent the government from collapsing and forcing the country to hold what would have been the fourth parliamentary election in less than two years. Netanyahu and his rival and coalition partner, Benny Gantz, had faced a Monday night deadline to agree on a budget. The accepted compromise will give Netanyahu and Gantz’ camps an additional 100 days to reach a budget deal. Security managers should monitor further updates. A collapse of the government would result in political instability amid economic and public health crises and would be highly likely to see an increase in social unrest.
In comments to the press on 20 August, the Zambian central bank’s governor, Denny Kalyalya, said that it was considering holding some reserves in Chinese renminbi (commonly referred to as yuan). Kalyalya said that gold may also be held as part of the country’s obligations to meet Chinese-held debt. Zambia’s central bank, the Bank of Zambia, already holds reserves in US dollars, and smaller quantities in euros and British pound sterling. While Kalyalya’s comments have little immediate impact on operations, they point to the growing Chinese commercial and diplomatic influence both in Zambia and wider sub-Saharan Africa, together with the increasing international usage of the yuan currency, often at the expense of other commonly-traded currencies such as the US dollar. Zambia reportedly owes at least USD8 billion to Chinese creditors, while Chinese businesses have wide-ranging interests in the country’s mining, agriculture, and energy sectors. Organisations with interests in Zambia, and other countries in sub-Saharan Africa with significant Chinese investment, should assess how growing Chinese economic and diplomatic influence, together with the increasing usage of the yuan, impacts operations and strategy.
Demonstrations in the Sudanese capital, Khartoum, have taken place over the past three days, sparked by the anniversary of a transitional power-sharing agreement signed by the military and a pro-democracy movement on 17 August 2019. The constitutional agreement is scheduled to last 39 months under a joint military-civilian rule which will lead the country to elections at the end of this period. Prime Minister Abdallah Hamdok was appointed head of the transitional government following the agreement; however, since this time, the slow pace of reforms has generated anti-government resentment across the population, culminating in this week's widespread protests. Further social unrest is likely in the coming week with violent clashes between security forces and protesters. Staff are advised to avoid all demonstrations and exercise vigilance when travelling across Khartoum in addition to other urban centres such as Port Sudan and Omdurman where protests could also spread.
Malian President Ibrahim Boubacar Keïta resigned in a national TV broadcast around midnight on 19 August after being detained on Tuesday by mutinying soldiers at his residency in Bamako. In his address, Keïta announced the immediate dissolution of his government and the National Assembly. Prime Minister Boubou Cisse and several other senior government officials, including Finance Minister Abdoulaye Daffe and Chief of Staff of the National Guard Mahamane Touré, were also detained. A spokesman for soldiers behind the coup, who identify as the National Committee for the Salvation of the People, gave a televised address early Wednesday; the statement pledged to bring stability via general elections within a ‘reasonable time’. It also announced the closure of all Malian land and sea borders until further notice, while a daily curfew is now in place between 0900 and 1700. As of 19 August, opposition leaders have not commented on the coup. However, the coalition M5-RFP, which is largely responsible for organising the recent mass protests, have expressed support for the detentions. The coup will likely work to further destabilise the country’s fragile economic and political structures in a move that has been met with international and regional condemnation. Businesses should monitor local and international media for updates related to this latest development. Business personnel across the country should follow the advice of their embassy or consulate and make evacuation preparations in the event of further escalations.
According to sources quoted in Reuters, the World Bank is planning to postpone approval for a USD1.5 billion financing from multilateral investors due to concerns over Nigeria’s progress in adopting necessary economic reforms. A key focus point is reform relating to currency, with the World Bank ‘recommending’ a more flexible exchange rate and likely supporting reductions in fuel and electricity subsidies. The postponement of crucial funds needed to finance the budget could leave Africa’s largest economy with substantial gaps and amplify a fiscal crisis. Lack of clarity over when the loan will be approved – according to some sources this may be extended until October – will add further uncertainty to investors. For countries relying on oil exports for public revenue such as Nigeria, the coronavirus (COVID-19) pandemic and attendant price fall has been especially damaging. Companies with interests in the country should monitor updates on the loan and adapt the current economic situation as well as forecasts into strategic planning.