Geopolitical and Cybersecurity Risk Weekly Brief 27 April 2020

27 APRIL 2020

COVID-19 CYBERSECURITY UPDATES

In the face of the continuing coronavirus pandemic, individual cybercriminals and groups have re-geared their operations to use coronavirus lures. Recent research revealed a 148 per cent month-on-month increase in ransomware attacks from February to March, alongside a spike in attacks on financial institutions. Over a dozen state-sponsored threat groups have been identified using coronavirus phishing lures for malware delivery. This does not, however, indicate a rise in phishing attacks by government-backed groups. It merely demonstrates a change in tactics with a slight decrease in overall volumes of state-sponsored phishing attacks attributed to productivity lags and issues stemming from global lockdowns and quarantine efforts. 

The FBI has warned of ongoing coronavirus-themed phishing campaigns targeting US healthcare providers. More broadly, researchers reported a surge in coronavirus-themed phishing; one group of analysts observed a 656 per cent increase in daily coronavirus-related domain name registrations between February and March. In the same time frame, there was a 569 per cent growth in malicious registrations and a 788 per cent growth in “high-risk” registrations linked to scams, unauthorised cryptocurrency mining, and bulletproof hosting sites.

Phishing lures used in email subjects and malicious attachments tend to use either ‘COVID-19’ or ‘coronavirus’ in order to dupe victims. These include ‘covid19-classified-document.pdf’, ‘COVID-19-FAQ.xls’, ‘Medicare’, ‘RE: Invoice’, and ‘RE: Treatment’. While many of these have targeted regular users, governments have also been impacted. Both the Canadian and Chinese governments have experienced spear-phishing attacks in recent months. Elsewhere, a scam impersonating an employee of HMRC invites recipients to make a financial claim under the UK government's Coronavirus Job Retention Scheme. The victim is asked to provide their bank account details in order to receive payment: the data is then stolen.

Analysis from Microsoft suggests that Trickbot is the most prolific malware in operation using coronavirus-themed lures. HawkEye, Warzone RAT, Remcos RAT, NetSupport Manager RAT, and Lokibot have all also been seen in COVID-19-themed malspam attacks. These malware families can facilitate the theft of data, remote access to victims’ devices, or the encryption of infected machines.

Other malware detected this week includes numerous Trojanised apps masquerading as COVID-19 tracking maps or symptom checkers that are being distributed through a fake Google Play Store. Threat actors are also distributing a WiFi attack program which installs a coronavirus-themed malware, called 'CoronaLocker', which attempts to lock the user out of Windows.

The UK’s National Cyber Security Centre (NCSC) launched a cross-governmental ‘Cyber Aware’ campaign, which offers actionable advice for people to protect passwords, accounts, and devices from COVID-19 scams. This initiative aims to build on existing takedown services: over 2,000 online scams related to the coronavirus have been removed in the past month.

Various security vulnerabilities have been identified in a coronavirus tracking app developed by the Robert Koch Institute (RKI), a German federal government agency and research institute responsible for disease control and prevention. The issues in the app, which harvests data from ‘donors’, include problems with data retention and fitness trackers, inadequate pseudonymisation, inadequate protection of access data, and integrity issues surrounding the collection process which is prone to data manipulation.

A potentially severe data breach from the National Institute of Health (NIH), World Health Organization (WHO), Bill and Melinda Gates Foundation, and others, was widely reported this week. Lists of email addresses and passwords were published on hacker forums and made their way into far-right groups’ attack techniques. However, it was found that much of the data was duplicated, or was from older, previous breaches of other companies.

The personally identifiable information (PII) of thousands of people applying for federal disaster loans has been potentially exposed. The incident occurred during the rollout of a Small Business Administration (SBA) programme in the US, designed to help those currently affected by the coronavirus pandemic. It is estimated that nearly 8,000 applicants to the Economic Injury Disaster Loan program (EIDL) may have seen the PII of other applicants before the SBA fixed and relaunched the site.

Prague Airport and a regional hospital in the western city of Karlovy Vary, as well as several other hospitals across the Czech Republic, were hit in multiple cyberattacks. The incidents come after NUKIB, the country’s cybersecurity agency, warned on 16 April that attacks were expected. While it remains unclear who is responsible for the attacks, the nature of the incidents and the target profile indicate they are part of a broader effort to undermine the EU’s response to the global COVID-19 outbreak.

Zoom, Skype, and Video Conferencing Risks

Zoom's rise in popularity in the wake of the coronavirus outbreak is well-documented. This use has been accompanied by increased scrutiny from the security community and the discovery of numerous vulnerabilities. The platform has acted quickly and responsibly to try and address all security flaws, claiming to prioritise the safety of its users and readily acknowledging errors. Despite the fast patching of the flaws found in Zoom, however, many large organisations, including Google, SpaceX, and NASA, as well as the Taiwanese and German governments, have banned its use for official business.

Towards the end of the week, Zoom announced that it will release an upgraded version of its app within the next seven days. Zoom 5.0 features a range of new security features designed to protect users and their data, including 256-bit encryption, the ability to report disruptive and abusive users, as well as an expansion of the ‘waiting room’ feature and use of meeting passwords.

There has been an increase in video conferencing company-themed attacks which aim to steal credentials and deliver malware. These campaigns have included Cisco WebEx 'alerts', Zoom account 'verification', missed Zoom meetings and cancelled Zoom calls, and emails from the recipients' HR department or an outsourced HR contractor. Some of these push ServLoder/NetSupport RATs while others lead recipients to fake payroll or Zoom/WebEx login pages.

A malicious copy of the Zoom app is being distributed to unsuspecting users in China. Threat actors have repackaged the legitimate Zoom Android app with additional malware, adware, and spyware. This campaign has been running since July 2019 but has only now incorporated Zoom.

Threat actors have initiated a phishing campaign targeting remote workers using Skype. Fake notifications purporting to be from Skype are used as a lure. This attack managed to infiltrate the defences of some email protection services. The email initially links the user to an .APP generic top-level domain (gTLD) that is managed by Google. This gTLD is intended for app development by companies, support services, and professionals and requires an HTTPS connection, giving broader access than might otherwise be the case.

 

Attacks and cybersecurity news

Threat actors have stolen over $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform. Both ‘reentrancy attacks’ are believed to be related and carried out by the same group or individual. Uniswap is estimated to have lost between $300,000 and $1.1 million in funds; Lendf.me lost more than $24.5 million.

A new vulnerability has been disclosed in the Microsoft SMBv3 network communication protocol. Details surrounding the bug have not yet been disclosed as it is unpatched at this time. New SMB vulnerabilities are always a concern due to the history of attacks stemming from issues with SMBv1, also known as EternalBlue. Some of the costliest cyberattacks in history, such as WannaCry and NotPetya, leveraged this wormable vulnerability. While the researchers have developed an exploit, they have not made it publicly available.

A highly focused business email compromise (BEC) scam has targeted three UK and Israeli finance firms. The companies were tricked into wire-transferring a total of $1.3 million. By tracking the group's various domains, researchers uncovered an additional 39 lookalike domains registered between 2018 and 2020. All of these were linked to the attempted impersonation of legitimate businesses, making it likely that these companies were also targets of this group.

A cryptocurrency mining botnet, known as VictoryGate, which infected more than 35,000 computers, has been taken down by researchers. The botnet has been active since May 2019; 90 per cent of its victims are located in Peru. Between 2,000 and 2,500 computers are still connecting to the malware's C&C on a daily basis. ESET is working to notify owners of all devices that remain infected.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

The Maze ransomware group continues to announce data stolen from companies it infected, in some cases, many weeks ago. Over the last seven days the operators have posted data on their leaks blog from eight US insurance companies, as well as various other businesses in a variety of sectors around the world, including healthcare organisations, going against the group’s promise not to attack the medical sector during the coronavirus pandemic.

Most notably, on 19 April, Cognizant, one of the largest IT service providers in the world, was reportedly infected with ransomware. Though the Maze operators initially denied involvement, perhaps fearing reprisals from the cybersecurity sector, researchers subsequently connected the group to the attack through infrastructure used in previous incursions. After learning about the attack, Cognizant notified customers and warned about potential downtime.

Maze is not the only ransomware stealing data from victims. The operators of Sodinokibi (REvil), Nefilim, and DoppelPaymer, all released data pertaining to previous victims and new ones. Notable victims include the city of Torrance in California, Aban Offshore, India’s largest offshore drilling services provider, an Albanian bank, and a major video gaming software supplier, SeaChange.

Polish energy company Fortum exposed an internal cloud database containing the personally identifiable information (PII) of 3,376,912 customers. Security researcher Bob Diachenko believes that Fortum's complete customer base in Poland was exposed.

US healthcare provider Hartford Healthcare has reported a data breach. The incident took place between 13 and 14 February, when attackers gained access to two employee email accounts. Up to 2,651 patients may have been affected by the attack.

Nintendo confirmed that attackers have been abusing its NNID (Nintendo Network ID) legacy login system since the beginning of April to compromise accounts. Nintendo claims that approximately 160,000 accounts have been compromised leading to the exposure of customers’ personal information. In some cases, unauthorised in-game financial transactions were made via Fortnite.

Cyjax analysts discovered records, allegedly from a UniCredit employee database, posted on Raid Forums. The entire database is for sale for $1,000. The data exposed in the post belongs to five Romanian employees and contains work email addresses, phone numbers, hashed and salted passwords, and full names.

Also on Raid Forums, a full database belonging to a Chinese oil and energy firm, DAHAI group, was listed for sale. The data ranges from 2017 to April 2020, according to the vendor, who is asking 0.02 BTC (about $150) for the full database. Organisations in the oil and energy sector should exercise caution surrounding this data breach.

FRAUD

An unknown hacker group has been attacking ad servers for the past nine months in a campaign, dubbed Tag Barnakle, dedicated to injecting malicious ads into the usual stream. The attacks are believed to have started in August 2019 and target expired versions of Revive, an open-source ad server; these are used to deliver malicious adverts to a legitimate site. Malicious code redirects the visitor to a site created by the threat actors which offers malicious versions of well-known software, often Adobe Flash Player updates.

Two spear-phishing campaigns are pushing the AgentTesla information-stealing malware. The campaigns have targeted the oil and gas industry in various countries, including Malaysia, the USA, Iran, South Africa, Oman and Turkey. 

Vulnerabilities

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Microsoft has addressed six high-severity vulnerabilities in the Autodesk FBX software development kit (SDK) which could lead to code execution or denial of service conditions. 
  • Two 0day vulnerabilities in the Apple Mail application on current and older versions of iOS are being actively exploited: this can lead to remote code execution (RCE). As noted by the researchers, however, these bugs alone cannot cause harm to iOS users. The attackers would have to combine these with both an information leakage bug and a kernel bug for full control of the target device. 
  • A security update has been released to address a high-severity vulnerability in OpenSSL, tracked as CVE-2020-1967. This flaw can be used by attackers to cause a Denial-of-Service condition. 
  • IBM has issued a security advisory for a recent update surrounding its enterprise security information and event management (SIEM) product, QRadar. If successfully exploited, these vulnerabilities could lead to local privilege escalation, authentication bypass, information disclosure, web injection, XSS, CSRF, SSRF, and reduced security.
  • A security researcher has publicly disclosed four 0day vulnerabilities in IBM Data Risk Manager, an enterprise security appliance. Pedro Ribeiro, from AgileSecurity, claims that the vulnerabilities can achieve remote code execution (RCE) with root privileges and can allow an unauthenticated attacker to download arbitrary files from an affected system.
  • ZeroScience Lab has publicly disclosed a 0day vulnerability in the FNIP-8x16A 8 Channel Ethernet Relay Switch. The company has also made proof-of-concept (PoC) exploit code available for the switch, which is manufactured by P5.
  • Tenable has issued a security advisory for multiple vulnerabilities in the webserver used by Cisco IP phones. Successful exploitation can lead to buffer overflow and denial of service.
  • AusCERT has issued a security advisory for three new vulnerabilities found in Ansible, published by FreeBSD. If successfully exploited, the vulnerabilities could lead to the modification of arbitrary files and unauthorised access to confidential data.
  • WordPress has recently disclosed multiple vulnerabilities for two plugins which, if successfully exploited, could lead to remote code execution, and reflected cross-site scripting (XSS) attacks.
  • US CISA has issued multiple security warnings surrounding publicly disclosed vulnerabilities in Siemens industrial control systems. The most critical vulnerabilities can lead to remote code execution, remote denial of service, and the ability to locally execute code with system privileges. Manufacturing, water management, energy, and critical infrastructure sectors are affected.
  • Sophos has released an emergency security update to patch a 0day vulnerability in its XG enterprise firewall product. This product is being abused by threat actors in the wild.

 

APT Activity and Malware Campaigns

APT ACTIVITY

A new APT group has been found in the ShadowBrokers leak of classified NSA documents from 2017. Inside the leak was another file called “sigs.py”, believed to be a malware scanner that the NSA used to search for the presence of APTs. An attribution previously made to a Chinese APT known as IronTiger is now thought to belong to an Iranian group, dubbed Nazar.

The group’s activity dates to 2008, although it appears to have been more active between 2010 and 2013. Devices were discovered that are still currently infected with Nazar malware with victims still beaconing out of Iran, which may indicate Nazar is backed by the Iranian government.

QuoIntelligence has reported on recent activity related to the Chinese industrial espionage group known as Winnti (also known as APT41, Barium, and Blackfly). The report focuses on December 2019 to February 2020. Key findings include:

  • Previously unreported Winnti attacks on a German chemical company in January 2020.
  • The malware used in the attacks was believed to be created in 2015 and was used for the first time in 2020.
  • A new undisclosed C&C server communication technique was associated with Winnti but was never previously linked to other toolkits.
  • A previously unknown stolen digital certificate was used to digitally sign Winnti-related attack components.
  • New unreported malware attacks targeting South Korean video game company, Ragnarok Online.
  • Winnti continues to display sophisticated and innovative attack techniques to target a plethora of different industry sectors in Europe and South Asia.

A new APT, dubbed Chimera, recently targeted Taiwanese manufacturers of superconductors in Operation Skeleton Key, which took place in the twelve months to late 2019. The main objective of the attacks was the theft of intellectual property, including documents concerning integrated circuits (IC), software development kits, IC designs, and source code.

New analysis of the MMCore RAT, used by South Asian cyber-espionage APTs, has revealed attacks across China, Pakistan, Afghanistan, and Nepal. The African continent and the US also experienced incidents in which MMCore was detected. The main targets include the military, media, and universities. Several indicators from these attacks are linked to two Indian cyber-espionage APTs tracked as BITTER and DoNotTeam. The latest MMCore attacks were attributed to two other groups, called Confucius and WhiteElephants, both of which are also Indian cyber-espionage APT groups.

MALWARE

Security researchers have shared various Anubis Android banking Trojan samples being used in the wild. Some of the fake apps Anubis hides include free mobile data giveaways, Google updates, and social networks. Before the coronavirus pandemic, Anubis was upgraded to version 2.5. A Cyjax investigation found an offline C&C server for Anubis 2.5 that targeted several Japanese and UK banks. Another C&C target list included European financial institutions.

A new variant of the downloader used to deliver the Dridex banking Trojan has been reported. The malware is now active in the wild and was compiled on 16 April. Dridex was recently found leveraging VNC capabilities stolen from an older banking Trojan called Carberp. Using VNC, Dridex can take remote control of an infected device to bypass anti-fraud measures and login from the victim’s IP address.

A new phishing campaign is targeting employees with fake customer complaints from the company’s ‘Corporate Lawyer’. A link in the email leads to the installation of a previously unknown backdoor, dubbed bazaloader, which ultimately gives full access to the compromised device and facilitates the compromise of the rest of the network.

The Lockbit ransomware has begun infiltrating enterprise networks in China via RDP brute-forcing attacks. The malware has been fine-tuned to encrypt files as quickly as possible in an attempt to prevent interception from network defenders. Shadow copies and backups are also deleted, making it impossible to recover the disk.

A new Trojan is targeting Android devices with overlay attacks in an attempt to steal users’ banking credentials and accounts. The malware was distributed in messages targeting Spanish and Portuguese speakers in South America and Europe. The messages lead to a fake domain asking visitors to download the most recent version of a security app that is required for mobile banking.

Darknet

Much like the rest of the world, the darknet remains severely impacted by COVID-19. Users, however, are beginning to adapt to this new situation by purchasing from domestic vendors, simply because they are currently more reliable. There is also a broad acceptance that deliveries will likely take far longer due to postal service delays. Inevitably, there are vendors who have attempted to scam buyers, but this has not been as widespread as expected, suggesting that vendors understand this situation may last some time and ought to be used as an opportunity to grow their customer base. 

The Sodinokibi (REvil) ransomware operators are seeking three new partners to join them. This could be an indication that the group intends to ramp up its operation by increasing the number of victims targeted. See the ‘Data Breaches’ section for further information on the victims of this, and other, ransomware groups.

The threat actors behind a COVID-19 infection tracking map first distributed in mid-March have announced that they are selling copies of their malware. This version can be customised to include different themes beyond COVID-19. Given the heatmap’s original success, it is likely this threat will proliferate.


COVID-19 Geopolitical Threats and Impacts

Americas

This week saw an escalation in political tension in the US surrounding the coronavirus, with protesters gathering in state capitals across the country and two lawsuits filed against China for its alleged culpability for the pandemic.

On 19 April, approximately 2,500 people gathered in Olympia, Washington to call for a loosening of measures to counter COVID-19; protests were also held in the state capitals of Arizona, Colorado, and Montana. The day before, protesters had gathered in Indiana, Maryland, and Texas, among other states. There is a high likelihood of further protests across the US in the one-week outlook, mostly from residents demanding a re-opening of their state’s economy. Protesters have received encouragement from President Donald Trump, who has said restrictions for COVID-19 in some states are ‘too tough’ and has tweeted calling for the ‘liberation’ of several states.

China’s handling of the initial outbreak, and the effect that this is having on US citizens and the country’s politics, have raised the political temperature further. On 21 April, Missouri’s Attorney General filed a lawsuit against the Chinese government alleging, among other things, that the Chinese government had suppressed information and denied the contagious nature of the virus. The state of Mississippi announced that it, too, will file a similar lawsuit against China.

The lawsuits have almost no likelihood of being successfully argued in US courts due to the legal doctrine of sovereign immunity. Their filing is, however, a symbolic political action demonstrating anger among some US politicians, particularly in the Republican Party, over China’s response to the virus. The lawsuits further worsen Sino-US ties at a political and diplomatic level, following two years of a damaging trade war. In response to the filing, Chinese foreign ministry spokesman Geng Shuang labelled the claims ‘very absurd’.

President Donald Trump this week announced that applications for green cards, granting foreign nationals permanent residence in the US, will be suspended for 60 days as part of his pledge to ‘temporarily suspend’ immigration into the country amid the coronavirus (COVID-19) pandemic. Trump said that there could be some exemptions from the suspension, although he did not specify what these might be. The suspension was initially mooted in a tweet sent late at night on 20 April stating that the move was intended to protect American jobs. The policy measure is, however, significantly less wide-ranging than it appeared when first announced: it merely prevents foreign nationals in the US from converting their existing legal status to that of a permanent resident. Workers in speciality occupations (H-1B visas) and temporary agricultural workers (H-2A) are not affected.

Protests were held in major cities in Brazil and the Colombian capital, Bogotá, in the past week amid anger over governments’ responses to the coronavirus (COVID-19) pandemic. Protests have also taken place in the Chilean capital, Santiago, related to the protest movement which began there in October 2019. These protests echo those held in the US amid opposition to mandatory state-wide quarantines and the closure of businesses deemed non-essential. There is a high likelihood of further protests in major cities across Latin America in the one-week outlook, particularly in Brazil. Companies with staff and assets in major cities across Latin America should monitor local updates and instruct staff to continue to follow social distancing guidelines and other restrictions related to COVID-19.

The US government has banned US-based oil major Chevron from drilling, bartering, or selling oil or petroleum products under its joint ventures with Venezuelan state-owned oil company PDVSA as of 21 April. The measures also apply to four US-based oilfield services companies operating in Venezuela: Halliburton, Schlumberger, Baker Hughes, and Weatherford International. This latest measure seeks to further reduce oil output in Venezuela and build pressure on President Nicolás Maduro’s embattled administration – the US government ceased to recognise Maduro as Venezuela’s legitimate leader in January 2019.

In a blog post published on 16 April, the IMF’s director for the western hemisphere, Alejandro Werner, warned that the region faces another ‘lost decade’ of economic growth, exacerbated by COVID-19. Werner wrote that under current modelling of a sharp decline in economic activity in 2020 followed by a quick recovery, the GDP of Latin America and the Caribbean in 2025 would still be lower than in 2015.  

APAC

China’s National Bureau of Statistics reported the country’s economy had contracted by almost 7 per cent in the first quarter of 2020, due to the impact of COVID-19. This is the first time economic activity has declined since 1992 and growth was far below the 6 per cent recorded in the last quarter of 2019. Facilitating economic growth and raising living standards form the basis of the ruling communist party’s legitimacy for many of China’s citizens, with failure to do so reflected in a usually muted but often profound loss of trust and support for the leadership. The party and government are well aware of this and are likely to seek means, such as externalising the source of the crisis, while trying to resume economic activity at any cost in order to retain what they view as their mandate.

Underlining the political pressure that the Chinese administration will be under in 2020 are the ongoing pro-democracy protests in Hong Kong. On 18 April, the Hong Kong police arrested 15 prominent pro-democracy activists, charging them with organising and participating in anti-government protests in 2019. The arrests are viewed both locally and internationally as an indication of China’s desire to impose its own standards of political compliance on Hong Kong, regardless of the territory’s semi-autonomous status. The timing of the arrests is also viewed as using the coronavirus pandemic’s legal and social strictures of social distancing and self-isolation to prevent, or at least mute, protests over the police action. Many foreign and local companies will view China’s growing and overt interference in Hong Kong with mounting concern while assessing the implications for their future operations and interests in the territory.

Locally based economists forecast that Singapore faces a deep recession with high levels of unemployment following the government’s decision on 21 April to extend coronavirus control measures, referred to as the ‘circuit breaker,’ until 1 June. The forecasts, of between -4 per cent and -8.5 per cent growth for 2020, collectively point to an unprecedented period in Singapore’s experience as an independent nation and for a resident population that has almost exclusively experienced growing prosperity and rising living standards.

One forecast estimated the first four weeks of the circuit breaker could result in between 150,000 and 200,000 lost jobs for the whole of 2020, with no indication of how many would resume at pre-COVID levels of pay or conditions. Singapore’s high level of dependence on low-cost labour from neighbouring countries or South Asia is also likely to be challenged politically and economically as a result of the pandemic. Foreign companies operating in Singapore should expect the government to swiftly reassess its economic priorities as it seeks new strategies to ensure social and political stability.

Reports on 21 April that North Korea’s leader Kim Jong Un may be seriously ill or otherwise incapacitated have unsettled the region. The reports from South Korean sources followed the failure of Kim to attend a number of events where his presence would normally be considered essential. There is reason to believe that on this occasion there is a credible reason for concern over Kim’s absence in terms of regime stability in North Korea.

Virgin Australia Airlines has filed for voluntary administration due to the heavy impact coronavirus-related travel restrictions have had. Deloitte will assume control of the company as it seeks new investors. Virgin Australia had accumulated debt of more than USD3.2 billion even by the end of 2019, but with the onset of COVID-19 the airline’s debt crisis only accelerated. Other regional airlines are in dire need of financial assistance, including Air China, ANA, Asiana Airlines, Cathay Pacific, China Eastern, China Southern, Indigo, Juneyao Airlines, Korean Airlines, Shanghai Airlines, Shenzhen Airlines, Thai Airways and Xiamen Airlines. Broader shocks should be expected to the commercial aviation and aerospace sector as government-imposed restrictions effectively halt global travel.

Europe

Growing opposition towards allowing Chinese telecommunications firm Huawei a role in building 5G infrastructure in the UK threatens to imperil Prime Minister Boris Johnson’s approach. While a government spokesman said on 16 April that the country’s position remained unchanged, a leading member of the ruling Conservative party said that the ‘mood in the parliamentary party has hardened’. This indicates that the government will face a significant challenge in passing relevant legislation formalising its policy on Huawei. Moreover, growing division among Conservative Party lawmakers could lead to an effort towards explicitly banning Huawei from playing any role in developing 5G infrastructure for the UK. Such a scenario would have a considerable impact on major telecommunications firms currently relying on Huawei equipment.

UKE, Poland’s telecommunications regulator, has delayed the first auction for 5G frequencies due to the coronavirus (COVID-19) pandemic. The auction, covering spectrum in the 3480-3800 MHz band, was initially scheduled for 23 April. It is unclear when the auction will take place.

On 21 April, Greece condemned Turkey’s decision to continue drilling for hydrocarbons in Cyprus’ exclusive economic zone (EEZ), calling it a provocation and violation of international law. In response, a spokesman for Turkey’s foreign ministry said that the ‘maximalist and uncompromising attitude’ of Greece and Cyprus was a ‘threat to peace and stability in the Eastern Mediterranean’. Continued acts of aggression by the Turkish navy will carry operational constraints for international energy firms with interests in the region and test their risk appetite.

The European Commission (EC) is seeking to protect EU-based companies from foreign takeovers amid an economic downturn during the ongoing pandemic. In particular, the EU is concerned that foreign state-owned firms will take advantage of the devastating economic impact from COVID-19 to acquire companies in sectors such as defence and technology. New foreign direct investment screening regulations were adopted in March 2019 and will be fully applied from October 2020. EU member states could seek to formalise a mechanism, which includes more robust screening of proposed takeovers, through legislation. Limits on foreign ownership of firms in sensitive sectors will probably also come under review. Significantly, companies seeking new sources of financing from non-EU firms will see new regulation as an additional challenge to potential longer term expansion plans.

The EU is considering efforts to guard against a sudden influx of cheap steel that could flood into the bloc once the coronavirus (COVID-19) pandemic subsides. EU countries are legitimately concerned that key exporting countries, including China, are stockpiling unsold steel before selling it at cheap prices after trading conditions improve. Eurofer, a trade organisation representing European steel producers, has requested a reduction of 75 per cent in EU quotas for imported steel. Companies importing steel from abroad should anticipate a likely move to restrict imports and factor this into sourcing and strategic plans.

MENA and Central Asia

The UN has called for restraint at the Lebanon-Israel border following a series of incidents including the sabotage of parts of the border fence by Hezbollah fighters, and alleged Israeli airstrikes against a passenger car carrying Hezbollah members in a Syrian town near the border with Lebanon. Damascus’ air defence system also reportedly intercepted Israeli missiles allegedly targeting Iran’s Islamic Revolutionary Guard Corps (IRGC) personnel near Palmyra on 20 April. Tensions are likely to remain high in the coming days and weeks at the Israel-Lebanon border, though the likelihood for outright conflict is low.

Both sides are more focused on domestic issues including the COVID-19 pandemic, anti-government protests in Lebanon, and the recently agreed unity government deal in Israel. In Lebanon, hundreds of people protested on 17 April in the capital Beirut and the cities of Tripoli and Sidon to voice their discontent at what they perceive as economic mismanagement and government inefficiency. In Israel, meanwhile, Prime Minister Benjamin Netanyahu and his main rival Benny Gantz agreed to establish a unity government whereby Netanyahu will remain as prime minister for 18 months, after which Gantz will take the post in October 2021.

Iran has issued a warning that its Navy has increased patrols in response to US military activities in the Gulf. Tehran said it would ‘respond decisively’ to any US mistakes in the Gulf. The statement came after an incident on 15 April in which the US claims that 11 Iranian IRGC vessels conducted ‘harassing’ approaches towards six of its ships in international waters. In the latest statement, the IRGC Navy denied the claims and said the US had acted ‘unprofessionally’. It also accused American forces of blocking Iranian warships on 6 April and 7 April.

While the number and severity of incidents such as this have decreased in recent months, probably due to a shift in focus to the ongoing coronavirus pandemic, tensions remain high. It is highly unlikely that Iran intends to start an actual maritime conflict; rather, Tehran likely intends to remind Washington of its continued presence. Further low-level incidents in the Gulf are likely in the coming weeks and months.

In the Yemeni civil war, the Iran-backed Houthi rebels claim the Saudi-led coalition carried out dozens of airstrikes in violation of the ceasefire that was announced on 9 April. It was not immediately clear whether there were any casualties or damage in the strikes. The Saudi-led ceasefire has not been adhered to by either side, with both the Houthis and the Saudi-led coalition accusing the other of violations. Despite the continuation of fighting, the UN special envoy for Yemen, Martin Griffiths, said on 16 April that he expects the two sides to agree on a lasting ceasefire in the ‘immediate future’. A spokesman for the Houthis, however, noted that the current UN proposal rejects a key rebel demand to lift Saudi Arabia’s air-and-sea blockade. Without this demand being addressed, it is highly unlikely any new truce will be long lasting.

Sub-Saharan Africa

South African president, Cyril Ramaphosa, outlined a ZAR500 billion (USD26.5bn) stimulus package for spending on healthcare, keeping small and medium-sized businesses afloat and providing low-income households access to cash. The spending package likely reflects the government’s serious concerns about civil unrest during the nationwide lockdown which has been extended until 30 April. Violent protests and looting have already occurred across South Africa since the lockdown was imposed on 26 March. The rescue package could momentarily reduce the risk of violent unrest. However, such anger is likely to translate into isolated but violent service-delivery protests should the payment systems for some of the social grants included in the package face technical difficulties. Based on previous experiences in South Africa, that is very likely to occur.

Consumer-goods manufacturer Unilever South Africa said on 22 April that it had closed its plant in Boksburg, Gauteng province, after 30 of its staff and 12 contractors tested positive for COVID-19. The company said it had implemented the National Institute for Communicable Diseases’ (NICD) recommendations to conduct contact tracing, and that it has now been cleared by the authorities to resume operations, although it is unclear when this will take place. Further such factory closures are likely in the one- to two-week outlook as COVID-19 continues to spread across the country. We advise companies with a large workforce, such as Unilever, to outline clear codes of conduct for staff which are in line with the NICD’s recommendations. They should also ensure their production lines can respect social-distancing recommendations.

On 20 April, six police officers were granted bail after allegedly stealing ZAR37,900 (USD1,993) from a car they had stopped at a roadblock in Pretoria. The incident is in line with our repeated warnings about the security risks that stem from the formal security forces and that come with flouting lockdown rules. Authorities extended a three-week lockdown on 16 April by two weeks; restrictions on mobility will likely remain in place after the lockdown is lifted. This suggests that the risk of bribe-solicitation and extortion by police is likely to remain elevated in the one-month outlook at least.

On 21 April, France-headquartered free speech advocacy NGO, Reporters Without Borders, published its annual World Press Freedom Index, an international comparison of press freedoms by country. Ghana has dropped three places to 30 out of 180 countries, mainly due to a surge in attacks on, and attempts to intimidate, investigative journalists in the country. Although Ghana scores much higher than the regional average, this drop in its ranking reflects a deteriorating trend over the past two years, exemplified by the January 2019 murder of investigative journalist Ahmed Hussein-Suale. The pressure on journalists from key political leaders is unlikely to ease this year, with general elections due to be held by the end of 2020; it is possible that the polls will be delayed due to complications in completing the electoral register amid recent COVID-19 lockdowns.