Geopolitical and Cybersecurity Risk Weekly Brief 27 July 2020

27 July 2020

COVID-19 Cybersecurity Update

A study conducted by VMware Carbon Black has revealed that enterprises are reporting an increase in cyberattacks since restrictions on free movement have been implemented. There was a 92 per cent increase in COVID-19-inspired malware. Singapore saw a 43 per cent increase in the number of attacks; 67 per cent of them were more sophisticated than last year.

The SANS Internet Storm Center (ISC) also reported its latest statistics on coronavirus-related cyber-threats. In the US, there was a steady increase in Telnet and SSH exposure since the beginning of March 2020. There was also a significant fall in RDP at the beginning of the year that has remained constant since.

A new sample of the Cerberus Android banking Trojan is masquerading as a COVID-19 tracking map. The map targets English-speaking users and appears to have been reused from attacks that previously targeted Turkey. The malware is concealed in a file called ‘CovidTracker.apk’ and is distributed via watering hole sites.

The US Department of Justice (DoJ) has charged two Chinese threat actors with stealing trade secrets from technology and biotech companies, including firms working on COVID-19-related treatment, testing and vaccines. The accused were reportedly working with the Chinese Ministry of State Security (MSS), to whom they were also supplying information about Chinese dissidents. The hacking campaign allegedly spanned more than 10 years to July 2020 and included targets in the US, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the UK. Most recently, organisations developing COVID-19 vaccines, treatments, and testing technologies were targeted. The threat actors also previously attempted to extort cryptocurrency from victims, by threatening to leak stolen source code.


Attacks and cybersecurity news

On 18 July, Telecom Argentina, one of the country’s largest internet service providers (ISP), was hit by the REvil ransomware. This is one of the biggest cyberattacks in Argentinian history. A USD7.5 million ransom is being demanded in return for decryption keys to unlock the encrypted files. REvil’s point of entry is believed to have been a phishing email sent to a Telecom Argentina employee. Over 18,000 workstations have reportedly been locked but the incident did not cause internet connectivity outages for customers. While telephony and cable TV services were also unaffected, many of Telecom Argentina’s official websites have been offline since the attack.

Threat group GhostSquadHackers has claimed responsibility for attacking and defacing a European Space Agency (ESA) subdomain (space4rail[.]esa[.]int/sites/). This is the second GSH attack on the ESA in a week. As in the previous case, this defacement was claimed to be "for lulz nothing more". While these attackers often do minimal damage with their defacements, exposing an existing flaw in the ESA systems could allow more sophisticated attackers, such as ransomware operators or APTs, to gain access to the network.

Attacks against Israeli water facilities are continuing. The Israeli Water Authority recently confirmed that another cyberattack had targeted two Israeli water infrastructure facilities. These were aimed at agricultural water pumps in Upper Galilee and infrastructure in the centre of the country. The authorities claim that no damage was caused and that these attacks had "no real effect". The attack was not attributed to any specific threat actor or nation, but it is believed to be linked to previous attacks by Iran. Attacks like these were first reported in late-April.

The Emotet botnet has recently returned to spread malicious emails either with documents containing macros or URLs that drop the payload. As was the case previously, the Trickbot Trojan was the main payload being distributed by Emotet; within days, however, Trickbot had been replaced with the Qbot banking Trojan. TA542, the group behind the botnet, is targeting multiple verticals across the US and UK with malicious Word documents. Cyjax analysis of Emotet IOCs revealed some notable owners of compromised sites: the governments of Mongolia and Albania, as well as universities from Indonesia, Nigeria, Mexico, and Vietnam.

Latterly, an unknown vigilante has been actively sabotaging the Emotet botnet operations by replacing the malware payloads with GIFs and images to prevent victims from being infected. Because Emotet’s distribution relies on compromised websites to deliver malware, removing the payloads will cause significant disruption to their operations.

A new automated search and destroy attack, dubbed 'meow', is targeting unsecured databases exposed to the internet. Both Elasticsearch and MongoDB instances are being hit, with the attackers leaving no explanation or ransom note. Instead, the attack overwrites and deletes the data, replacing it with the word "meow" and a random string of numbers. The ZoomEye search index shows more than 6,000 Elasticsearch services that have been attacked by the meow bot. One security researcher claimed that it is not just Elasticsearch and MongoDB databases being "meowed", but that the attacks are also targeting Redis and Cassandra datasets. Bleeping Computer suggested this could be the work of a vigilante attempting to teach administrators a lesson in security by destroying their unsecured databases.


Data breaches, fraud, and vulnerabilities

Data Breaches

Over one million records containing the personal data of online students have been leaked after cloud misconfigurations in five e-learning platforms. Four of these were misconfigured and unencrypted AWS S3 buckets; one was an unsecured Elasticsearch server. The sites were two US companies - Playground Sessions and Square Panda; Brazilian site, Escola Digital; MyTopDog, a South African site; and the Kazakh, Okoo. Most of the data belongs to school-aged children. Predatory behaviour is a common online threat, but the exposure of children's contact details, as well as residence and school details, presents an offline risk to affected children.

DNA analysis site, GEDmatch, was taken offline on 19 July while its parent company, Verogen, investigated how users' DNA profile data had been made available to law enforcement. The police appear to have accessed and used the site's database without the company's knowledge. Following a similar incident in 2018, GEDmatch introduced security controls to allow users to opt-in for their DNA to be included in police searches. Despite this, these settings appeared to have been changed without users' permission and DNA profiles were available to law enforcement. GEDmatch has now confirmed that the permissions change on user profiles was caused by a breach.

Later in the week, a US tech company which manages the popular genealogy software, "Family Tree Maker", exposed tens of thousands of its users’ personal information online. A misconfigured Elasticsearch cloud server exposed 25GB of data, which has since been secured. As well as putting exposed users at risk of fraud, the leaking of technical details about the system's backend could aid the threat actor in conducting more sophisticated attacks against the company. If an attacker gained further access to the system, they could deploy malware or attempt to take control of parts of the network.

Confidential data from Western Australia's Department of Health was made publicly available online after being distributed via a third-party paging service operated by Vodafone. According to official reports, this data contained thousands of state government communications, including information about people suspected to have coronavirus infections, their phone numbers, and addresses. Also impacted were St John's Ambulance, the Department of Fire and Emergency Services, and Department of Justice. The department is investigating whether staff using the system knew that it was not encrypted. This may indicate that employees were not well trained - a serious issue, particularly for a government department that deals with highly sensitive data.

This week saw a significant uptick in the numbers of companies being reported on ransomware leaks blogs. The Netwalker operators revealed they had hit several major companies, including Regatta, a UK outdoor clothing manufacturer. Nefilim was also active. And both DoppelPaymer and REvil, two of the most dangerous ransomware threats of 2020, added victims from Europe and North America to their blogs.

The WastedLocker ransomware is steadily improving its capabilities and becoming more sophisticated. It is increasingly being used in attacks against high-value targets across numerous industries. WastedLocker is believed to have been developed and distributed by Russian threat group, EvilCorp, which is also connected to the notorious Dridex banking Trojan. WastedLocker has only been active since May 2020, but the ransomware has already targeted numerous high-profile organisations, including some in the US Fortune 500. The ransoms demanded of victims are in the millions of dollars, with some exceeding USD10 million. Most recently, WastedLocker was believed to have been the ransomware used in an attack on GPS technology manufacturer, Garmin.

Maze ransomware, however, remains the most serious threat. This week, at least 21 victims were added to the group’s ransomware leaks blog: among them were a US realtor, Japanese manufacturer, Canadian food technology company, a Norwegian technology company, and a plethora of other American firms. The group pioneered the theft of data prior to encrypting victims’ systems and looks set to continue in this vein. Elsewhere, an active attack server leveraged by a Maze affiliate known as SNOW was discovered this week. SNOW is known to specifically target law firms, distributors, and resellers.

Fraud

Security researchers have uncovered a Telegram group which provides credentials for online banking accounts for use in brute-forcing attacks. The threat actor is selling accounts from multiple banks including Hills Bank, Citadel Banking, Community First Credit Union, Firstmark Credit Union, LA Financial Credit Union, Campus Credit Union, Banner Bank, Bank of America, Citizens Bank, Fifth Third Bank, and Capital One Bank. The Telegram channel operator is selling the accounts for between USD15 and USD90 with account balances between USD500 and USD45,000. The tools used are reportedly able to compromise 200 accounts per minute.

A credential harvesting campaign has recently targeted a Cyjax member of staff. The emails arrive from SendGrid, an email marketing service, and masquerade as alerts stating "mail storage capacity is full" from the target’s employer. Our analysis of the domain revealed that nine organisations have been targeted already. Alongside Cyjax, the other firms are Trend Micro, Sophos, eFront, Yodel, Sandford Health, Eurosport, Noble Corporation, and DNV GL. This appears to be the start of a targeted phishing campaign with emails specifically tailored to each recipient.

The AgentTesla infostealer has been observed using an email address and C&C domain masquerading as The Pentagon, the headquarters of the US Department of Defense. The credentials AgentTesla steals are often sold on darknet marketplaces, such as Genesis, or reused in other targeted attack campaigns. If this campaign is targeting credentials from US DoD members, this attack veers away from typical cybercrime towards cyber-espionage. Military personnel are often targeted by cybercriminals and APT actors, alike. Recently, researchers uncovered several phishing websites targeting the information of US military personnel. The sites masquerade as a ‘US Military Welfare’ organisation that supposedly provides "healthcare, travelling, and communication". The website requests soldier ID, military documents, and other forms of identification.

Vulnerabilities

The 0patch platform has released a micropatch for the SIGRed vulnerability – a critical, wormable remote code execution (RCE) vulnerability in the Windows DNS Server – for its customers using Windows Server 2008. While patches for SIGRed have been released by Microsoft, Windows Server 2008 has reached end-of-life, meaning that it no longer receives support and did not get the official patch. The SIGRed flaw was so serious that days after its release the US CISA gave all federal executive branch departments 24 hours to patch their systems.

A security advisory and proof-of-concept (PoC) exploit for an RCE vulnerability in Microsoft SharePoint Server have been released. The issue was fixed after Microsoft's Patch Tuesday for July 2020. The vulnerability, tracked as CVE-2020-1147, has been rated with an “exploitability index of 1” meaning that it is highly likely to be exploited if it is not patched soon. The exploit could also be used against several applications built with the .NET framework: even if an organisation does not utilise SharePoint Server, it is still impacted by this bug.

Purdue University has released new research into a vulnerability affecting many Internet of Things (IoT) devices running on Bluetooth Low Energy, the most widely used communication protocol across all mobile and IoT devices. Successful exploitation can lead to injection of keystrokes and commands or provide malicious information. The vulnerability lies in the reconnection stages of previously paired BLE devices. This bug could affect more than one billion BLE devices and over 16,000 BLE apps.

Last week we reported on a 0day being sold on the darknet affecting various FortiMail and FortiVoiceEnterprise versions. The threat actor behind this, frankknox, is now selling direct access to email servers compromised using this 0day exploit. A list of compromised email servers available for purchase includes a UK utility company and a UK government email server related to a specific urban municipality.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Unit42 has issued a security advisory for three vulnerabilities in AvertX IP cameras running the latest firmware. Successful exploitation can lead to user enumeration, account compromise, unauthorised access, and information disclosure.
  • Apple has released patches for multiple vulnerabilities found in its macOS software. Some of these can lead to malware infections via remote code execution, or executing code with the highest possible privileges.
  • PenTestPartners uncovered a new remote command execution vulnerability in Citrix Workspace products. The issue lies in the automatic update service of the Citrix Workspace app for Windows.
  • Adobe has released out-of-band updates to address twelve critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge, all of which could allow attackers to execute arbitrary code on Windows devices.
  • D-Link has disclosed five severe vulnerabilities in its routers that could result in a severe network compromise. Some devices affected by these flaws have reached end-of-life and will, therefore, not be receiving patches.
  • ASUS has released patches for two vulnerabilities in the RT-AC1900P router firmware update functionality. These could allow a threat actor to completely compromise the router and capture the traffic passing through it.
  • US CISA has issued a security advisory for multiple vulnerabilities uncovered in Schneider Electric Triconex Tristation and Tricon ICS products. Successful exploitation can give access to clear text data on the network, trigger a denial of service condition, and allow unauthorised access.


APT Activity and Malware Campaigns

APT activity

A threat analyst has uncovered a malicious decoy document which they believe is being used by Indian state-sponsored threat group, SideWinder. The researcher suggests that the document is being deployed against targets in Pakistan. It is disguised as the 2020 "Hajj Policy & Plan" from the Government of Pakistan's Ministry of Religious Affairs and Interfaith Harmony. The researcher claims that other Indian APTs, such as Patchwork, have leveraged the same type of lure in the past, with fake "Hajj Policy and Plan" documents also being used to target Pakistan in 2017/18.

The Golden Chickens Malware-as-a-Service (MaaS) platform continues to offer a popular and lucrative affiliate program. Researchers have observed four attacks leveraging various tools from the MaaS throughout March and April 2020. BadBullzvenom, the Golden Chickens operator, has regularly pushed updates and improvements for malware offered through the MaaS. These latest attacks have been attributed to three groups, one of which is the notorious financially motivated Russian APT, FIN6. Golden Chickens will continue to serve the top-tier cybercriminal ecosystem in the short- to medium-term as it proves its success and profitability. Organisations in finance, retail, and chemical sectors need to remain vigilant for these targeted, sophisticated threats.

A new malware campaign has been linked to the Lazarus group, a well-known North Korean APT. The malware framework used in this campaign is dubbed MATA and features several components, such as a loader, an orchestrator, and plugins. MATA is cross-platform compatible and targets all three major operating systems: Windows, Linux, and macOS. It has been used to infiltrate enterprises around the world: victims were found in Poland, Germany, Turkey, South Korea, Japan and India. Organisations from various industries were compromised, including software development, eCommerce, and an internet service provider (ISP).

A malware campaign conducted by a previously unknown Chinese APT is targeting government agencies in India and residents of Hong Kong. The threat actors are targeting sensitive information. Malwarebytes analysis has revealed that the APT responsible for these attacks has been active since at least 2014. Spear-phishing emails are used to drop variants of Cobalt Strike and the MgBot malware. MgBot establishes a connection to a remote C&C server, recording keystrokes, taking screenshots, and managing files and processes.

Russian GRU threat group FancyBear (also known as APT28) has been attacking US networks. Targeted organisations include state and federal government agencies, critical infrastructure (US energy sector), and educational institutions, according to a breach notification sent to victims by the FBI in May. These attacks primarily attempted to compromise victims' mail servers, Microsoft O365 accounts, other email accounts, and VPN servers. They are thought to have been geared towards cyber-espionage, as has been the case with previous FancyBear attacks. The attackers gained access to target networks using spear-phishing tactics, password-spraying, and brute-force attacks.

Malware

Tencent has issued a security advisory concerning a new ransomware family called Tellyouthepass. The ransomware leverages a kernel privilege escalation vulnerability and the EternalBlue exploit to worm through vulnerable networks. It has targeted networks in China. EternalBlue is a well-known, high-risk vulnerability that was disclosed nearly three years ago and for which patches have been in circulation for some time. Despite this, many newly developed cryptocurrency-mining malware and ransomware still leverage it to spread laterally within networks, demonstrating that it is clearly still effective.

The SANS ISC reports that there has been an increase in scanning activity and exploitation of ZeroShell Linux routers in the wild. Several RCE vulnerabilities have been disclosed for these products; most recently, CVE-2019-12725 has been the main target. The attackers exploit the RCE vulnerability to download multiple shell scripts from their C&C server to establish persistence and control over the device. The malware installed on the devices is detected as a variant of Gafgyt, which is used by multiple botnets. An active Gafgyt botnet campaign is attempting to infect as many Linux devices as possible. These botnets are used to launch DDoS attacks. 31 other malware campaigns linked to Gafgyt botnets have also updated their TTPs recently. New exploits and attack methods continue to be detected in the wild.

A cryptocurrency mining campaign involving the WatchBogMiner Trojan has compromised tens of thousands of vulnerable Linux servers. The Trojan reportedly uses multiple remote code execution (RCE) exploits to attack servers running unpatched software. WatchBogMiner is an emerging threat that has compromised many devices by exploiting older vulnerabilities. By now, these exploits will be freely available and open source. Malware such as WatchBogMiner highlights the importance of keeping software up-to-date and replacing End-of-Life (EoL) software.

Prometei botnet, currently being used in a new cryptocurrency mining campaign, uses several techniques to evade detection and covertly mine Monero. The adversaries have been running the operation since March 2020. They have also implemented new custom tools to increase the number of systems participating in the Monero-mining pool. The threat actor behind Prometei is believed to be a professional software developer based in Eastern Europe. This is informed by the threat actor’s TTPs and their ability to integrate SMB exploits into existing open-source code, such as Mimikatz and FreeRDP. By collecting and changing administrator passwords the adversary can lock victims out of their own systems. Organisations that detect Prometei on their networks should act immediately to remove it and reset credentials in case they were exfiltrated to the C&C server prior to detection.

A new malicious campaign is spreading through apps on the Google Play Store. Twenty-nine malicious apps with a combined 3.5 million downloads were found: they were targeting users with out-of-context ads instead of functioning as advertised. The campaign has been dubbed "ChartreuseBlur", partly because most of the apps include the word blur in their package name. Many of them also pose as photo editors which allow users to blur parts of an image.

Darknet

The Empire market admins have announced the creation of a new independent forum, Empire Forum. The admins also recently announced they will no longer be responding to support tickets on the Empire subDread, so this new forum will now serve as the primary venue for resolving disputes. Currently, user activity on Empire Forum is low, but this will likely increase as more support tickets are opened.

A new Ransomware-as-a-Service (RaaS) has also appeared for sale on the darknet. The operators of the RaaS, known as Exorcist Ransomware, are currently attempting to recruit affiliates. This ransomware is being distributed via Pastebin. Currently, we are unaware of any publicly declared incidents involving the Exorcist Ransomware.

There has also been a further update on the DataViper breach: NightLion, the threat actor selling the data on the darknet, has offered to sell the entire DataViper dataset to one buyer for around €35,000. However, multiple databases linked to the DataViper breach, such as Verifications[.]io and Bitmax, are already being freely traded in multiple forums. More databases connected to the DataViper breach will likely emerge over time.


Geopolitical Threats and Impacts

Americas

Three Chinese researchers have been arrested in the US in the past three weeks and charged with visa fraud for allegedly lying about their links to China’s military, the People's Liberation Army (PLA). These arrests further heighten tensions between Washington and Beijing. US prosecutors have alleged that the Chinese government is seeking to ‘take advantage’ of the US’s open society and ‘exploit’ its academic institutions to advance its own interests. The arrests come shortly after Washington ordered the closure of China’s consulate in Houston, Texas, prompting Beijing to take reciprocal action and close the US consulate in Chengdu, Sichuan province. A Chinese foreign ministry spokesman said China was given 72 hours to close the diplomatic mission; this has not been confirmed by Washington.

The arrests and charges elevate the likelihood of similar action being taken against US and western researchers and visitors in China, particularly those with undeclared military affiliations or erroneous visa applications or documents. Retaliation for the closure of the Houston consulate was swift, with Beijing ordering the closure of the US consulate in Chengdu. Operations must cease at the consulate by 27 July: this is viewed as commensurate in severity with Washington’s action. Organisations with interests in Sino-US ties should monitor updates and potential retaliatory actions from Beijing, and adjust planning to account for worsening relations and travel risks to staff.

On Monday (20 July), Brazilian aerospace giant Embraer announced that it had delivered four commercial aircraft and 13 executive jets in the second quarter of this year. These figures were down year-on-year from 26 and 25, respectively, during the second quarter of 2019. Embraer’s announcement offers further evidence of the disruptive impact of the COVID-19 pandemic on the aviation industry. Airlines globally have cut routes, while US aerospace company Boeing and European rival Airbus have also seen their plane deliveries collapse. Companies with interests in Embraer’s performance and supply chain, as well as other companies in the aviation sector, should anticipate continued disruption throughout the industry in the short-to-medium term, particularly while passenger numbers remain depressed.

On Friday (24 July), Singaporean man Yeo Jun Wei, also known as Dickson Yeo, pleaded guilty in a US federal court to working as an illegal agent of the Chinese government between 2015 and 2019. Yeo established a political consultancy in the US in 2018 and recruited US officials with high levels of security clearance over social media networks, thought to include professional networking platform LinkedIn, to write reports for ostensibly private clients. The reports would then be provided to Chinese intelligence services, according to the US Department of Justice. On Monday (27 July), Chinese foreign ministry spokesman Wang Wenbin denied knowledge of Yeo’s prosecution and accused the US of reaching a ‘state of extreme suspicion’.

While espionage between superpowers such as the US and China is far from new, Yeo’s case is particularly noteworthy for two reasons. Firstly, his guilty plea comes amid tense and worsening Sino-US ties and a host of bilateral and international disputes, including over culpability for the novel coronavirus pandemic, Hong Kong’s political status, the treatment of China’s ethnic Uighur population, and China’s trading practices. Secondly, his case highlights the use of largely-public professional social media platforms such as LinkedIn for espionage activities masquerading as legitimate private business matters. Officials in the fields of intelligence, security, and foreign policy, as well as private individuals with prior government experience now operating in the private sector, are likely targets of such efforts. Organisations and individuals operating in such fields, particularly those with a background in government or the military, should exercise caution when contacted by unknown individuals on professional networking platforms. This includes carrying out due diligence checks on unknown individuals or organisations, including corroborating personal and professional information via other reliable sources.

Asia-Pacific

The US Department of Commerce has blacklisted 11 Chinese companies over alleged human rights violations against the Uighur ethnic minority in China’s Xinjiang region. The department accused the firms of involvement in using forced labour by Uighurs and other Muslim minorities. The blacklisted companies are unable to purchase parts from US firms without prior permission from Washington. This marks the third time the US government has taken such a move, adding to 37 businesses that are already impacted over alleged involvement in repression of minorities in Xinjiang. US businesses with interests in China should conduct rigorous due diligence before engaging with suppliers to avoid reputational, legal, and financial risks, and ensure sanctions compliance. 

A number of low-key and generally peaceful rallies were held on 21 July in the New Territories, Hong Kong, to mark the first anniversary of an incident in Yuen Long where the police were accused of colluding with organised criminal groups who attacked pro-democracy protesters at a mass transit rail (MTR) station. The low turnout for the 21 July anniversary is certain to reflect concern among the public and many activists over the consequences of protesting following the introduction of China’s national security law at the beginning of July. The anniversary, an iconic moment for the protest movement, was seen as representing a test of resolve and commitment by activists and an indication of how successful the new law is at suppressing dissent. In this instance the latter, reinforced by a large police presence at Yuen Long and other locations in the New Territories, appeared effective. A concern for many foreign companies is whether other forms of protest, including violent acts carried out by small groups against targets they identify as pro-local and central government, will replace mass demonstrations. This is likely to become evident within the three-month outlook.

Beijing issued draft regulations tightening oversight over foreign teachers. These teachers could be dismissed over violations including damaging the country’s sovereignty, as well as illegal preaching or engagement in religious education. The regulations have been submitted for public comments until 21 August before becoming official. Scrutiny over foreign teachers has been mounting as China has been conducting a patriotic education campaign aimed at expunging perceived immoral foreign influences, which has led to an increasing number of arrests of foreign teachers since 2019. The developments have likely been spurred on by an ideological clampdown linked to the destabilising impacts of the COVID-19 pandemic and related economic fallout, as well as tense international relations.

The Cyberspace Administration of China (CAC), the country’s internet regulator, on 23 July announced it is launching a crackdown on the social media accounts of independent news providers and strengthening monitoring over news applications. It will target misinformation, clickbait pieces, and other sensationalised content, according to the CAC. It will also target social media accounts and commercial websites that repost news items from non-compliant sources and that unlawfully write and edit news items. This underscores Beijing's efforts to increase oversight of sources of information on the internet deemed a threat to the stability and security of the state, particularly against the Chinese Communist Party. Companies should ensure compliance with local regulatory requirements to maintain their licence to operate in the country.

The Hong Kong authorities on Monday (27 July) announced new regulations intended to prevent merchant ships’ crew, who had previously been exempt from most movement controls, from spreading COVID-19 in the territory. With effect from Wednesday (29 July) only vessels with cargoes destined for Hong Kong will be able to change crews in the territory on condition the seamen either travel directly from their vessel to the airport or stay in a designated quarantine venue. The new regulations were anticipated due to a surge in new COVID-19 cases that some public health specialists have linked to exemptions granted by the government to what they identify as ‘essential personnel’ entering the territory without undergoing the 14-day quarantine period mandated for other arrivals. The exemptions related mainly to ship and air crew, as well as drivers of vehicles bringing key supplies into Hong Kong from China. It is now likely that drivers, who through necessity travel widely throughout Hong Kong delivering imported goods, may also be subject to greater scrutiny if the present surge in new virus cases continues to increase over the one-month period. Any disruption of imports from China, notably food and other basic goods, would greatly increase local concerns and heighten the sense of crisis, and would therefore only be imposed selectively and as a last resort.

Europe and Russia

On Tuesday (21 July), French finance minister Bruno Le Maire said that Chinese telecommunications giant Huawei will not face a ‘blanket ban’ from investing in the country’s 5G network. Le Maire noted, however, that sensitive locations and national security interests would be protected. Le Maire’s comments come exactly a week after the UK government ordered the removal of all Huawei equipment from its 5G network by 2027. London’s decision followed intense pressure from the US government, which has been calling on third countries to ban Huawei from their 5G networks due to potential espionage risks. Following the UK’s decision, the US is likely to increase pressure on other allies, particularly in regions of strategic importance such as Europe and Latin America, to ban Huawei equipment from their 5G networks. In this context, Le Maire’s comments signal that the US has yet to persuade France to enact a similar policy, potentially leading other European countries to adopt compromise positions comparable to that of Paris. Companies with interests in France’s telecoms sector should monitor government updates and assess the impact on procurement, operations, and investments.

German Chancellor Angela Merkel has called on Greece and Turkey to quickly de-escalate tensions after Turkey announced plans to conduct seismic research in areas that fall under Greece’s continental shelf. This comes after Turkey converted the former Orthodox cathedral Hagia Sophia into a mosque earlier this month, triggering condemnation from countries, including Greece and Russia. While tensions in the Aegean Sea are not particularly new, current circumstances suggest that there is an increased risk of accidental clashes, which will in turn escalate a fragile situation. Relations have steadily worsened since Ankara openly encouraged migrants to cross into Greece via the Evros border crossing in February. Turkish drilling for hydrocarbons off the coast of Cyprus aimed at undermining the island’s territorial integrity has also damaged ties.

It is within this broader context that the timing of the Hagia Sophia decision is especially important. Deflecting from domestic troubles by adopting an aggressive expansionist posture and nationalist rhetoric is a common political tactic. Facing a dire economic outlook and increasing unpopularity, President Recep Tayyip Erdoğan has sought to galvanise religious conservative sentiment. As we have previously noted, the prospect of a major conflict is presently unlikely, but accidental clashes will lead to significant military mobilisation on both sides. Moreover, a lack of diplomatic dialogue and political engagement will make further escalatory events more probable.

The Guardian newspaper warned on 21 July that the UK government could face a series of lawsuits after Parliamentary Under Secretary of State (Minister for Exports) John Stuart confirmed government plans to help finance the development of offshore natural gas projects in northern Mozambique’s Cabo Delgado province. While the report did not include any statement by any campaigner threatening lawsuits, nor did any of the links provided in the article provide any such threats, the claim is credible based on ongoing campaigns by advocacy groups, such as Friends of the Earth and Global Witness. Furthermore, attention surrounding the ongoing development of liquefied natural gas (LNG) operations in Cabo Delgado is also likely to fuel more opposition to such moves, due to increasing demand for fewer fossil fuel investments in the UK. In addition, intensified campaigning by more militant environmentalist groups, such as Extinction Rebellion, over the past two years indicates a growing security risk to companies taking part in the LNG projects, as well as financial institutions funding them. Corporate security managers and communications departments should factor this into their longer-term strategies, to mitigate reputational harm and possible attacks on their business facilities.

The offices of vehicle manufacturers Fiat Chrysler and Iveco in Germany, Switzerland, and Italy were searched on Wednesday (22 July) as part of a wider probe into allegations that diesel emissions have been illegally manipulated. The fallout from the 2015 ‘dieselgate’ scandal continues to impact carmakers. Thus far, German automaker Volkswagen (VW) has been faced with a cost of USD30 billion in refits, fines, and provisions after US regulators found that VW had installed illegal software on cars to deceive regulators. The latest probe focuses on engines used by the Alfa Romeo, Fiat, and Jeep brands. Iveco trucks, popular heavy goods transport vehicles, are also under examination. Companies supplying components to companies currently facing diesel emissions probes should assess the impact these may have on operations and client production volumes.

European aerospace company Airbus has reached an agreement with the French and Spanish governments to change some contracts to resolve a long-running dispute at the World Trade Organization (WTO). Airbus representatives said the move ‘removes any justification for US tariffs’, which were imposed amid US-EU trade tensions. In particular, A350 Repayable Launch Investment contracts will be changed to abide by parameters the WTO views as appropriate. As a result, interest rates on funds given to help develop the A350 long-haul jet will be raised. The move has renewed hopes that Washington will lift billions of euros worth of tariffs on a range of European products, including wine, cheese, olives, and aircraft. European firms affected by the tariffs should scenario-plan, accounting for the possibility of a prolongation of the tariffs or a removal of the duties altogether in the coming weeks.

Middle East, North Africa and Central Asia

On 20 July, Egyptian President Abdel-Fattah al-Sisi was authorised to move ahead with a possible military intervention in Libya after a unanimous parliamentary vote approved the deployment of armed forces abroad to ‘fight terrorist groups and militias’. The vote comes after Sisi asserted last week that Egypt would react with military force if a viable national security threat to the country emerged ‘on the strategic western front’. The deployment of Egyptian ground troops to Libya would mark a significant escalation of tensions in the region and could bring Turkey and Libya into direct confrontation. The decision likely comes as a result of Turkey’s ramped-up military support for the Government of National Accord (GNA) in recent months. It is likely that Sisi will now want to provide military backup to the LNA in defending against vulnerable strategic areas. The conflict risk between Turkish and Libyan forces in this region is now deviating upwards; however, Turkey will likely be reluctant for this to happen, underlined by an agreement on Wednesday 22 July with Russia to progress towards a ceasefire agreement in the country. Egypt has voiced support for ceasefire proposals in recent months, so there is a possibility that discussions could now be held between the three powers in the short-medium term outlook.

Algerian finance minister Aymen Benaderahmane stated on 18 July that losses across the public sector caused by the impact of COVID-19 and lockdown measures that have been in place since March are now totalling over USD1 billion. The civil aviation sector has been deeply affected. President Abdelmadjid Tebboune underlined on 18 July that all land, sea and air borders would remain closed until the end of the health crisis. The rate of infection continues to rise with record numbers in the past week; Algeria remains the worst affected country in North Africa. A combination of COVID-19 and the steep fall in oil prices following a breakdown in OPEC negotiations has significantly weakened the macroeconomic stability of Algeria. The budget deficit was already high entering into the recent crisis, sitting at around 10 per cent of the country’s GDP in 2019. This will likely significantly rise in 2020. While President Tebboune ruled out IMF assistance on 18 July on account of endangering national sovereignty, there is a strong possibility that financial aid will be sought in the medium-long term outlooks, particularly if the country witnesses a second COVID wave. A commission was established on 18 July to assess the impact of COVID-19. It is likely this commission will recommend further cuts to public spending and suspension of various investment projects. Businesses should continue to monitor developments and prepare for project delays and cancellations.

On Friday (17 July), Standard and Poor’s Global Ratings index changed its outlook on Kuwait from ‘stable’ to ‘negative’, highlighting that the general reserve fund was now too low an amount to cover deficits that have further risen due to the economic impact of COVID-19. This comes after the government submitted a public debt law to parliament on 12 July, which would allow the country to borrow USD65 billion across 30 years. Even if the public debt law is approved by parliament, it will likely take a further three to four months for a debt sale to be prepared for international markets. Further delays to the law’s approval are likely given the country’s resistance to extensive economic reform plans over the past decade.

The Lebanese government announced on 21 July that consultancy firm Alvarez & Marsal had been hired to carry out a financial audit of the country’s central bank, Banque du Liban. Confirmation was also given that further financial audits will be undertaken by KPMG and Oliver Wyman. Negotiations with bondholders over a debt restructuring have been ongoing since March after the government defaulted on a USD1.2 billion Eurobond on 9 March. This is a small but significant sign of progress towards establishing the amount of debt and losses that have been accumulated by Banque du Liban. The bank has repeatedly rejected an assessment in June from the IMF that it accumulated losses of USD49 billion, meaning negotiations for financial aid have stalled over recent months as divisions mount between the government and financial sector over the scale of financial losses. The results from the financial audits will likely take several months, meaning talks between Lebanon and the IMF will not be impacted by them in the short-term outlook. A member of the Lebanese negotiation team anonymously reported on 11 July that negotiations have been suspended altogether given the deadlock over reforms and disputes on financial losses. Widespread protests across the country will likely continue in the coming month with a growing possibility that Prime Minister Hassan Diab’s government will collapse due to rising anger over Diab’s failure to secure economic security via an agreement with the IMF.

The World Bank announced on 21 July a USD700 million finance package for the Tunisian government. The money will be provided from a number of international institutions and sent as a reform package, specifically aimed at supporting the Tunisian government as it responds to the economic fallout from the COVID-19 crisis. The announcement comes as the country’s economy struggles to stabilise itself following the combined impact of COVID-19 and drop in oil prices. The World Bank’s financial package could provide a means of buffering against further economic instability; however, the current political crisis means that any viable progress towards establishing a comprehensive reform programme to deal with the crisis is unlikely to take place in the short-term outlook. Given the level of political dispute, there is a high probability that agreement over a new head of government will not be reached. This will lead to another extended period of political paralysis as parliament will then be dissolved and new elections will be called.

On Wednesday (22 July), the Israeli Knesset passed a ‘Grand Corona Law’, further extending powers under the state of emergency declared on 7 July. The government will now be permitted to implement restrictions, including full scale lockdown measures immediately, with lawmakers able to review the decisions within 24 hours. The law also enables the cabinet to bypass the Knesset completely for ‘urgent’ anti-coronavirus measures. The criteria for what is considered ‘urgent’ were not specified. Under the law, the emergency protocols can be extended as many times as warranted by the cabinet until June 2021. The law comes amid a record surge in new COVID-19 infections, with 1,977 cases recorded on 22 July by the health ministry. Most lockdown measures were lifted in June after the daily number in cases dropped below 20. It is now highly likely that lockdown measures will be reimposed in the coming weeks. Growing suspicion over the lack of transparency surrounding COVID-19 policy amid rising public anger over Netanyahu’s handling of the crisis so far is only likely to increase. Staff based in the country should continue to closely monitor government updates, adhering to all restrictions.

Sub-Saharan Africa

Four West African heads of state are expected in the Malian capital Bamako on 23 July to mediate talks between embattled President Ibrahim Boubacar Keïta and the broad-based anti-government movement M5-RFP. This comes after Mahmoud Dicko, the leader of the M5-RFP movement, said he was still open for dialogue after receiving visits from ambassadors of France and the US, as well as representatives of the European Union. Meanwhile, about a dozen protests erupted in several suburbs of Bamako, with demonstrators setting up roadblocks with debris and burning tyres. The high-level meetings come after mediation talks led by former Nigerian president Goodluck Jonathan collapsed, when the M5-RFP rejected recommendations by the Economic Community of West African States. Operations managers should closely monitor announcements by the involved stakeholders and assess the likely impact on security and operations over the coming week.

On 22 July, police in Nigeria’s south-eastern Cross River state confirmed that four Chinese workers had been abducted by unidentified gunmen the night before. The incident follows a major abduction incident on 20 July, when unidentified gunmen stormed two communities in the north of Niger State, in the centre of the country, and abducted 16 people as well as livestock. Both incidents underscore the high kidnap-for-ransom risk in Nigeria, particularly in northern and south-eastern states. Operations managers with assets and personnel in those areas should ensure that security provisions are commensurate with the current threat profile. Staff should also be trained in anti-kidnap techniques as part of a course on operational and travel security awareness pre-deployment.

On Thursday (23 July), South African President Cyril Ramaphosa promised to tackle corruption in the healthcare sector and better oversee resources aimed at responding to the COVID-19 outbreak. Ramaphosa said that while social and economic assistance was given to affected communities, there was concern that funds were stolen or misused. This stems from allegations relating to fraudulent Unemployment Insurance Fund (UIF) claims, violations of procurement regulations, as well as possible collusion between officials and service providers. There have also been accusations that fake non-governmental organisations (NGOs) have been created to access relief funding. The government is also examining ways to prohibit unjustified price rises and ensure that essential goods are available.

The statement follows a report published by Corruption Watch, a South African anti-corruption NGO, which stated that corruption has been especially widespread in the healthcare sector during the pandemic. Ramaphosa said that since mid-March the country’s competition commission investigated over 800 complaints relating to excessive pricing, reaching settlements with 28 firms, while also imposing fines of over R16 million (around USD950,000). Corruption is a key risk facing businesses and NGOs in South Africa and by some estimates is responsible for billions of dollars being lost from state budgets every year. Companies operating in South Africa should ensure full compliance with domestic regulations and laws. Guidelines for accessing government assistance and relief should also be strictly followed.