Geopolitical and Cybersecurity Risk Weekly Brief 29 June 2020

29 June 2020

COVID-19 Cybersecurity Update

Coronavirus-themed attacks are decreasing, with a 24 per cent reduction in June compared to May. This is due to other news items gaining traction: Black Lives Matter is a case in point. It should be noted that these attack topics will not disappear as long as there is sufficient interest in the pandemic.

Malware such as banking Trojans and infostealers are being circulated in malspam. Subjects include ‘FMLA Instructions’ (referring to the Family and Medical Leave Act), World Health Organization COVID-19 information-themed documents, PPE, virus alerts, and one that masqueraded as the National Post Company of Iran. Many documents have contained exploits for well-known Microsoft Office vulnerabilities, such as CVE-2017-11882. Fake ‘free mobile data due to COVID-19’ Android package files (APK) have continued to be detected in Turkey. These are being used to deliver the Anubis or Cerberus Android banking Trojans.

TrickBot continues to target the US in malspam. This wave of phishing emails informs users they may be eligible for a ‘Standard Pandemic Paycheck’ and that they should open the attached file and fill out their details to claim the paycheck. If opened, the TrickBot banking Trojan is downloaded onto the device. Other TrickBot attacks leverage a fake COVID-19 tracking map that is attached to phishing emails. If a user opens the malicious file, the World Health Organization webpage is launched and TrickBot is executed in the background.

Threat researchers uncovered two fake COVID-19 contact tracing apps being distributed by separate sites masquerading as the Government of Canada. The apps, named ‘covid19tracer.apk’ and ‘tracershield.apk’, contain the Crydroid ransomware. Elsewhere, a new fake coronavirus-related Android app called ‘V-LERT’ was found to contain the Cerberus banking Trojan. The app has been downloaded 4,413 times.

Cyjax analysts uncovered a number of other ‘virus alerts’ and fake WHO-themed Android apps. The Android package files (APK) are called ‘covid-19 apps’, ‘v-lert’, and ‘v-alert covid-19’. All contain Android banking Trojans such as Nautilus, Anubis, and Cerberus.

The FBI has issued an alert to K-12 schools about a potential increase in ransomware attacks during the pandemic. Many of these schools have transitioned to distance learning, leading to the creation of RDP accounts on internal school systems. Since many ransomware groups use brute force attacks or RDP vulnerabilities to breach corporate networks, these school networks could be prime target for attacks.

 

Attacks and cybersecurity news

Akamai recently mitigated the largest packet per second DDoS attack ever recorded on its platform. The attack generated 809 million packets per second (Mpps) and targeted a large European bank (which has not been named). Threat researchers believe this is the largest DDoS attack in history and over double the size of the previous record observed by Akamai. It was reportedly engineered specifically to overwhelm the DDoS mitigation system.

Twitter recently informed its business customers that their information may have been compromised in a security incident. This affected advertisers, among others, rather than non-commercial Twitter account holders. Twitter states that business users’ billing information was inadvertently stored in the browser’s cache and that it was, therefore, technically possible that others could have accessed it. There is no indication that the information was accessed, however.

Amnesty International has revealed more attacks using NSO Group’s Pegasus spyware: a Moroccan journalist, Omar Radi, was targeted between January 2019 and the end of January 2020. Amnesty International found the spyware on Radi's phone: it was still active at the time. These findings are especially significant as the attacks were conducted just three days after NSO Group released its human rights policy.

Customers of multiple ConnectWise partners have been hit with ransomware due to a vulnerability revealed by the company last week in its Automate software. An MSP was successfully attacked via the same vulnerability in May, prompting the company to release a hotfix and notify its users. ConnectWise is working to determine the severity and impact of each attack with the "small number of partners" that were affected. The company is also instructing all on-premises partners on how to install the hotfix if they have not already done so.

A new malicious cryptocurrency mining campaign is leveraging Azure-themed Trojanised Docker images masquerading as the official Microsoft Docker Hub account. Researchers identified over two million pull requests from the related Docker Hub account. The wallet ID, that is currently still active, has received 525.38 XMR (worth around USD36,000) from the infected Docker images.

A series of web skimming attacks leveraging legitimate Google Analytics services are harvesting data from online shoppers. Once a site has been compromised, injected code collects information about visitors and exfiltrates it via Google Analytics. 24 sites are known to have been infected with this type of web skimmer. The victims were online stores selling a range of products dispersed across Europe and North and South America.

Adobe is beginning to prompt users to uninstall Flash Player as the application will be reaching end-of-life (EoL) on 31 December 2020. After this date, Adobe will stop updates for Flash Player, remove it from download links on its website, and block Flash-based content from running in Adobe Flash Player.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

The operators of many major ransomware families now steal data and use it as leverage to extort ransom payments from their victims. This was first introduced into the mainstream by Maze in late-2019 but has been adopted since by multiple threat actors. Many of these malware are sold as Ransomware-as-a-Service (RaaS), meaning that the ransomware is distributed by vendors from a central hub and then deployed by threat actors against targets of their choosing. As a result, victims are found across the globe.

This week saw organisations infected with Clop ransomware in India; Sodinokibi in Australia, USA, Colombia; Sekhmet in USA; Nefilim in Brazil; DoppelPaymer in Germany and Japan; and Maze in USA and South Korea. Many of these companies were subsequently listed on the various groups’ data leaks blogs and data uploaded to prove the compromise.

The most notable victim this week was South Korean electronics company, LG. The Maze operators claim that they stole 40GB of source code from the company which they will publish if LG fails to pay the ransom.

On 12 June, Magellan Health issued another notice regarding the cyberattack and data breach that occurred in mid-May. The company notified users that protected health information had been included in the breach. PII was accompanied by a combination of treatment information, health insurance account information, member ID, other health-related data, email addresses, phone numbers and physical addresses.

Threat actor KelvinSecTeam is selling a database comprising 384,319 customer records from BMW.com The data may have been stolen from an unsecured internet-facing server; however this has not been confirmed. It is unclear If anyone has bought the data. Earlier in the week KelvinSecTeam also listed a database from US business consulting firm Frost & Sullivan for sale. This was also on Raid Forums. The database reportedly contains information on 6,000 customers and 6,146 employees.

Over 1.3 million user records from around 136,000 players of popular MMO game, Stalker Online, are being sold on darknet forums. It appears that the threat actor compromised a Stalker Online web server and stole the user data, posting a link on the official website as proof.

Leaked information includes usernames, passwords, email addresses, phone numbers, and IP addresses. The passwords were MD5 hashed, one of the least secure hashing algorithms.

BlueKai, a subsidiary of Oracle, which amassed one of the largest caches of web tracking data outside the US federal government, recently exposed this data online. The data included names, home addresses, email addresses, and other personally identifiable data. It also revealed a user's web browsing activity, including purchases and subscriptions.

A collection of data, dubbed BlueLeaks, has been leaked online by Distributed Denial of Secrets (DDoSecrets). The 270GB database comprises hundreds of thousands of potentially sensitive police files from across the US. This data was stolen from Texan web design and hosting company, Netsential, which maintains multiple state law enforcement data-sharing portals. DDoSecrets claims that the leak contains ten years'-worth of data from over 200 different police departments but in its confirmation of the leak, the National Fusion Center Association (NFCA) noted that the files actually span more than 24 years, from August 1996 to June 2020.

Fraud

Threat actors are using a fake email from LinkedIn to steal user login credentials. The email pretends to be a notification from LinkedIn relating to a potential business partnership. The payload links in the emails all lead to a compromised section of a legitimate sporting goods website. This phishing domain looks like the login page for the LinkedIn platform.

Cyjax analysts recently uncovered a malicious IP address that hosted 16 different phishing pages masquerading as various banks from around the world. The countries targeted include Japan, Nigeria, Australia, the UK, the US, Malaysia, Switzerland, the UAE, Spain, France, and the Netherlands. Most of the phishing pages masqueraded as login pages for the banks; some included fake account registration forms; and others purported to be sign-up forms for mobile banking apps.

Twenty malicious Android package files (APK) masquerading as various Japanese parcel delivery services were uncovered by Cyjax analysts. The files are detected as Android banking Trojans and enable 25 malicious permissions to harvest information from the victim’s device. Brands impersonated by this campaign include Sagawa Express, Japan Post, Yamato Transport, and Japan Net Bank. Analysis of the TTPs shows that the apps are likely to be a part of an ongoing coordinated attack campaign against Japan, linked to the Roaming Mantis botnet.

Vulnerabilities

AMD has released patches fixing one high-severity vulnerability affecting its client and embedded processors. Two more remain which will be patched in late June. The flaws exist in AMD’s Accelerated Processing Unit (APU) microprocessors, which are designed to act as both a CPU and GPU.

Security researchers have found that nearly 300 executables in the Windows System32 folder are vulnerable to relative path DLL hijacking. A simple VBScript could allow someone to gain administrative privileges and bypass UAC on Windows 10.

GeoVision, a Taiwanese manufacturer of video surveillance systems and IP cameras, has patched three critical vulnerabilities in its systems. These impact its card and fingerprint scanners, which could have allowed attackers to intercept network traffic and stage man-in-the-middle attacks. These flaws affect at least six device families, with over 2,500 vulnerable devices discovered online. Most of these are in Brazil, the US, Germany, Taiwan and Japan.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Cross-site scripting (XSS) vulnerability in YTH WooCommerce AJAX Product Filter. There are reportedly over 100,000 sites that currently run the vulnerable software.
  • CISA issued an advisory for six vulnerable Baxter IoT medical devices. These vulnerabilities could provide access to patient data.
  • Bug in OSIsoft PI System (CVE-2020-12021) can facilitate phishing, privilege escalation, and other attacks on critical infrastructure facilities.
  • Mitsubishi Electric and its subsidiary ICONICS have patched five critical and high-severity flaws found in ICONICS. These impacted Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. The same vulnerabilities also impact Mitsubishi’s MC Works64 and MC Works32 SCADA software.
  • Bitdefender has fixed a vulnerability (CVE-2020-8102) in its Safepay browser component.
  • Multiple vulnerabilities in Tenda powerline extenders. Successful exploitation of these IoT devices can lead to denial of service, remote code or command execution, privilege escalation and unauthorised access.
  • Multiple vulnerabilities have been disclosed in QRadar, IBM’s threat intelligence platform.
  • Denial of service (DoS) vulnerability in NVIDIA drivers (CVE-2020-5965). Successful exploitation can disrupt processes for virtual machines running on VMware.
  • VMware has released a security update to patch multiple vulnerabilities in VMware ESXi, Workstation, and Fusion.
  • An exploit for a high-risk vulnerability in the Trend Micro Password Manager has been disclosed. Successful exploitation can lead to SYSTEM-level privileges on Windows devices.
  • Multiple vulnerabilities in various Cisco products. Successful exploitation can lead to remote code execution (RCE).
  • Multiple security issues in Cisco Systems involving a well-known Telnet vulnerability. Successful exploitation can lead to arbitrary code execution, denial of service, and unauthorised access.
  • Multiple high-risk vulnerabilities for Magento products. Successful exploitation could lead to arbitrary code execution and information disclosure.

 

APT Activity and Malware Campaigns

APT activity

Russian organised cybercrime gang, EvilCorp, has returned with a new ransomware family dubbed WastedLocker. While the malware is built on a new custom-made code base, it also shares a small amount of code with BitPaymer and has a visually similar ransom note. It has been active since May 2020. Reportedly, the WastedLocker ransoms are in the millions of dollars; more than USD10 million in some instances. Researchers have reported that the WastedLocker ransomware has been used against 31 organisations in the US to date, eight of which were Fortune 500 companies. The manufacturing sector was the most targeted, followed by IT, media and telecommunications.

EvilCorp is best known for its Dridex banking Trojan malware. The group has been active since 2007 when several members previously involved with the ZeuS banking Trojan created a splinter group. Dridex has since become one of the largest malware and spam botnets on the internet that generates millions of dollars for its operators.

FIN7 (also known as Carbanak) has been using a point-of-sale malware, known as Pillowmint, in its campaigns against the hospitality and restaurant industry for the past three years.

Pillowmint is installed using malicious shim databases, which can then be used to leverage the Windows Application Compatibility Framework and establish persistence on a device. Shim databases being used to maintain persistence is seen with malware, demonstrating FIN7’s creativity. Other sophisticated methods used by the group recently have involved targeting businesses with malicious USB devices which act as a keyboard with a set of preloaded keystrokes to download the Griffon malware.

A new cyber-espionage campaign is targeting diplomatic entities. It has been linked to an APT known as Microcin. The malware deployed in the campaign had been developed from scratch. Microcin specialises in targeting diplomatic entities and leverages steganography to deliver configuration data and additional modules from hosting services such as ‘cloudinary.com’. Interestingly, one of the images used for steganography was also related to GitLab’s hiring ban on Russian and Chinese citizens. The attackers dedicated significant development time to improving the anti-detection and anti-analysis capabilities of their malware.

Germany's Bundesamt fur Verfassungsschutz (BfV) has issued a security advisory regarding recent cyberattacks on German industrial and political institutions linked to the Ke3chang APT. The warning states that it is part of an ongoing campaign that has been targeting Germany for the past 10 years but has surged in activity since mid-2019. The BfV shared its Indicators of Compromise (IOCs) of recent attacks involving Ke3chang's Ketrican malware.

APT30 has reportedly returned with updated TTPs and new versions of its BACKSPACE and NETEAGLE backdoors. According to PT Security, APT30 (also known as Naikon) went unreported for over five years while still being active. This was until recently when researchers at Checkpoint and Kaspersky released their findings. This APT is a sophisticated Chinese cyber-espionage group that has targeted almost every country around the South China Sea.

A new cyber-espionage campaign has been uncovered that is targeting organisations based in Myanmar; it began in March 2020. Spear-phishing emails have been connected to a China-based APT group and targeted the Myanmar Police Force (MPF) and the Office of Chief of Military Security Affairs (OCMSA), among others. Chinese state-sponsored APT groups are known to target countries in which the Chinese government is investing as part of its Belt and Road Initiative. Myanmar has received significant Chinese funding, accounting for a quarter of all investment; China is also Myanmar’s largest export partner. In January 2020, President Xi Jinping visited Myanmar and State Counsellor Aung San Suu Kyi signed 33 agreements concerning projects as part of the Belt and Road Initiative.

A malware campaign is using military-themed malicious Microsoft Office documents to spread CobaltStrike malware. This gave full remote control and backdoor access to the threat actors behind the campaign. The malicious documents were distributed in malspam to multiple military and government organisations around South Asia. When one of these documents is opened a modular dropper, dubbed IndigoDrop, is deployed which delivers the final stage CobaltStrike payload.

Malware

A low-volume, email-based Hakbit ransomware campaign has been targeting organisations in Austria, Switzerland, and Germany. This campaign uses malicious Microsoft Excel attachments delivered from a free email provider (GMX) that primarily serves a European client base. Mid-level employees in the pharmaceutical, legal, financial, business service, retail, telecommunication, and healthcare sectors were targeted. German telecommunications company 1&1 was one of the organisations targeted in these campaigns.

Exposed Docker servers are being targeted in a Linux botnet malware campaign. The most prevalent samples are known as XORDDoS and Kaiji DDoS. The attackers are scanning for open ports such as Port 22 (SSH) and Port 23 (Telnet), as well as Docker-specific ports such as Port 2375. These attacks highlight the importance of making sure Docker servers are secured with a password or not directly exposed to the internet.

Researchers recently disclosed a Remote Access Trojan (RAT) dubbed DarkVision. This malware is highly modular and is sold on well-known cybercrime and hacking-related forums. It also has a dedicated website for its Malware-as-a-Service business model. DarkVision RAT is neatly packaged into a kit and sold at USD40 per user and reportedly marketed for its nice set of features, cost-effectiveness, and quick deployment. The malware developers also offer “lifetime support” and free or discounted upgrades to future versions on request.

A new malware family, dubbed GoldenSpy, has been observed embedded in tax payment software which companies are required to use by Chinese banks. The software is designed for facilitating payment of local taxes and conducting business operations in China. The malware was discovered after it infiltrated a UK-based technology company using this software. The name of the company has not been disclosed but is known to be a vendor for significant government businesses in the UK, US, Australia, and China. Several variations of the backdoor were discovered, dating back to at least 2016.

Lucifer, a previously undetected cryptomining malware, has been linked to the mass exploitation of CVE-2019-9081 in the wild. Lucifer is also capable of conducting DDoS attacks and is equipped with various Windows exploits. Once the malware has breached a system, it drops the XMRig Monero mining program, self-propagating through the exploitation of vulnerabilities and brute-forcing credentials. It will also drop and run EternalBlue, EternalRomance, and the DoublePulsar backdoor against vulnerable targets inside an intranet.

Darknet

The admin behind the now-defunct Evolution market have allegedly been doxed by a darknet user. Evolution was launched in early 2014 and became one of the most popular darknet markets. However, in March 2015, the market suddenly went offline. Soon afterwards, it was discovered that the Evolution admin had exit scammed – stealing an estimated USD12 million in Bitcoin. This latest dox allegedly contains the full name, country of residence and other personal details of the main Evolution admin, Verto. While the claims made in this dox cannot be confirmed, this information may potentially prove useful for both law enforcement and darknet users whose funds were stolen.

Three new darknet markets have been announced. The first, FraudBay, is intended to be a market devoted solely to fraud related products. This is noteworthy because darknet markets generally focus more on drugs. FraudBay is not yet online, and no timeframe has yet been provided by the admin as to when it would be active. The second new market is called Hyper and is now online. The market is still in its infancy, with fewer than 100 listings, but it received positive attention upon its launch. It is unclear if this will translate into a large customer base.

The third new market is Cartel Market, a classic market in terms of its offerings: drugs and fraud are the primary products. The market is very small at present, and admins are attempting to generate users through advertisement campaigns on Dread, as well as applying to link repositories such as Dark.Fail. New markets launching are now a regular occurrence on the darknet, but few last for any significant length of time. It remains to be seen whether any of these markets succeed in making a significant impact on the wider market landscape.

Finally, BlueLeaks has become of significant interest to darknet users. Many forum posts have cited BlueLeaks in recent days, showing police methods on the darknet including interaction between online agents. It has solidified what many users previously suspected to be true: that anyone they speak to could be a law enforcement officer. A lot of the interest has been placed on Europol and their past takedowns of markets, combined with their engagement policies on forums.


Geopolitical Threats and Impacts

Americas

On 27 June, a man was fatally shot during a ‘Black Lives Matter’ (BLM) protest at Jefferson Square Park, Louisville, Kentucky. There was a second shooting incident in the vicinity of the Hall of Justice, which is across the street from the park; that victim suffered non-life-threatening injuries and was taken to a hospital for treatment. Video posted on social media show an unidentified man dressed in civilian clothing firing into a crowd of protesters at the park. Jefferson Square Park has been the main focal point of protests in response to the police shooting death of a local area resident identified as Breonna Taylor. The situation is potentially volatile, especially if the gunman is identified as a white supremacist or having political leanings antithetical to that of the BLM’s.

Telecoms giant Verizon has announced that it will boycott advertising on Facebook until the latter creates an ‘acceptable solution’ to counter hate speech on its platform. Verizon is the first major telecoms company to join the #StopHateForProfit campaign, launched on 17 June, which calls for companies to boycott advertising on Facebook in July over hate speech on the social media giant’s platform. Other major companies to announce their participation include Ben and Jerry's, messaging service Viber, and outdoor clothing retailers Patagonia, REI, and The North Face. In the one-week outlook, there is a high likelihood that more companies join the boycott amid pressure from customers and civil society groups, particularly via social media. Companies, especially well-known retail brands, should anticipate calls to participate in the boycott.

On 25 June, the US Senate unanimously approved the Hong Kong Autonomy Act which, if it becomes law, would impose sanctions on businesses and individuals assessed to be helping China restrict Hong Kong’s present autonomy. The bill is a bipartisan effort to punish China for the imposition of new national security laws on Hong Kong. The proposed legislation – which was approved together with a condemnatory resolution – will now move to the House of Representatives for consideration. Given the bill’s bipartisan support in the Senate, it is highly likely to gain swift approval from the House and would then move to the desk of President Donald Trump for his signature. The legislation paves the way for potential US sanctions against financial institutions transacting with Chinese officials involved in the national security law. The US measures, in combination with the new national security law and ongoing unrest within Hong Kong, contribute to greater uncertainty surrounding the territory’s long-term future as a global financial hub. Companies providing financial services in the territory should monitor updates on the passage of the bill and assess its immediate and long-term impact on operations and strategy.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on 24 June imposed sanctions on five Iranian tanker captains for their role in transporting gasoline to Venezuela since April. All five men are captains of ships used by Iranian shipping companies – Islamic Republic of Iran Shipping Lines (IRISL) and National Iranian Tanker Company (NITC) – already facing US sanctions. These are the US government’s latest attempt to deter foreign involvement in Venezuela’s beleaguered oil industry, following similar measures against vessels which have lifted Venezuelan crude. Companies with interests in Venezuela’s oil industry should regularly monitor sanctions updates from OFAC and anticipate new measures against companies, vessels, and their crew involved in the oil trade.

In a televised speech on 24 June, Peruvian President Martín Vizcarra threatened to temporarily take over Peru’s private healthcare clinics if no agreement is reached within 48 hours over compensation for their treatment of COVID-19 patients. Vizcarra said that if no deal is struck, he will invoke Article 70 of the constitution which allows the expropriation of private property for national security purposes. Vizcarra’s government and private clinics have been negotiating over fees for treating COVID-19 patients for three weeks, however no deal has yet been reached. Companies with interests in Peru, particularly in the private healthcare sector, should monitor updates on negotiations and assess their impact on operations, finances and strategy.

A multinational group of 29 investment firms managing USD3.7 trillion worth of assets wrote to Brazilian embassies around the world to seek meetings with diplomats amid growing concern over deforestation of the Amazon rainforest. The letter, which was reported by multiple media outlets on 23 June, stated that deforestation and federal government environmental and human rights policies are creating ‘widespread uncertainty’ for investors. The group was led by Norway’s Storebrand Asset Management and includes the UK’s Legal & General Investment Management (LGIM), US’s Domini Impact Investment, and Japan’s Sumitomo Mitsui Trust Asset Management, among other signatories.  The letter highlights growing corporate awareness and activism over environmental issues globally, amid widespread calls from civil society groups for meaningful action to halt environmental degradation. Companies with interests in Brazil, particularly in the Amazon, should anticipate heightened scrutiny from shareholders and civil society groups over the federal government’s environmental record.

APAC

Vietnam’s Prime Minister Nguyen Xuan Phuc, current chair of the Association of Southeast Asian Nations (ASEAN), has warned that the coronavirus pandemic ‘has swept away the successes of recent years … threatening the lives of millions of people.’ Phuc, while opening ASEAN’s 36th annual summit he is virtually hosting from Hanoi, also indirectly accused China of taking advantage of the pandemic to further its territorial claims in the South China Sea. Phuc’s warning over the long-term impact of COVID-19 on Southeast Asian economies follows similar forecasts from the World Bank, Asian Development Bank, International Monetary Fund and credit rating agencies. However, ASEAN lacks the capability to address the issue as a bloc, leaving individual member countries to prioritise their own policies and interests. The emerging economic crisis will place the association under unprecedented stress while raising questions over the group’s purpose and future among the poorer or more exposed nations. The main beneficiary of any erosion of the bloc’s solidarity will primarily benefit China and its preference for bilateral diplomatic and economic relationships.

The Thai government announced on 24 June that around 50,000 foreign nationals from specific groups and sectors will be permitted to enter the country from 1 July as the number of coronavirus cases hold steady in the country. Priority will be given to business personnel from Japan, the largest single source of foreign investment in Thailand, with up to 100 individuals allowed to enter the country each day. The announcements were made the same day the central Bank of Thailand (BOT) warned the economy would contract by 8.1 per cent in 2020 due to the impact of the pandemic, the steepest decline in the country’s history. The six-month outlook is dominated by the impact of widespread loss of employment, growing anti-government sentiment and the possible intervention of the military. Foreign companies should assess their vulnerability to all these factors occurring singly and in combination.

Local media reported on 22 June that the Indian government had given troops deployed along the country’s Himalayan border with China permission to use firearms under new ‘rules of engagement.’ Under a 1996 agreement intended to reduce the potential for escalation in the event of a confrontation between Indian and Chinese troops, both sides agreed that their forces patrolling the disputed border would not carry military weapons. In a clash on 16 June in the Ladakh region at least 20 Indian soldiers were killed in close quarter combat with Chinese troops, who are also believed to have incurred numerous deaths and injuries. Permitting the use of firearms greatly increases the potential for a major clash between the two countries’ armed forces in the remote border region. The Indian government’s decision, which is certain to be matched by China, reflects the high degree of anger in the country over the clash, which was the most serious military confrontation between the two nations since the 1962 border war.

Also, on 22 June, officials in India’s western state of Maharashtra said that they are reviewing more than USD600 million in deals with Chinese companies following recent deadly border clashes between Indian and Chinese forces. Maharashtra’s industry minister, Subhash Desai, said that the state is awaiting guidance from the national government on the business climate and policies with regards to deals with Chinese firms. The announcement highlights the far-reaching commercial implications of the recent border clashes, and the very real impact of military and diplomatic disputes on planned investments and trade. It comes as some Chinese imports have reportedly been held up at Indian ports since 22 June, ostensibly due to the recurrence of novel coronavirus (COVID-19) cases in China. This is despite China’s infection rate being vastly lower than those in India. It also comes in the context of anti-Chinese protests and some Indian business organisations calling for a boycott of Chinese products. Companies with interests in Sino-India trade and investment should monitor updates and engage with local stakeholders to ascertain the impact of the border dispute on operations and planned investments. Staff of Chinese origin based in India should exercise elevated caution amid rising tensions and reports in the Chinese press of a spike in harassment.

North Korea’s state-run news agency announced on 22 June that 3,000 balloons carrying 12 million leaflets will be sent over the border into South Korea in retaliation for similar, if far smaller, propaganda efforts conducted by opponents of the North’s regime. The leaflets are reported to be critical of the South Korean government and form part of a retaliatory campaign closely linked with North Korean leader Kim Jong-un’s sister Kim Yo-jong, leading to speculation over her brother’s health or political status. The principal concern among the South Korean and US military forces stationed in the country over any attempt to launch thousands of balloons is their potential impact on air traffic, radar surveillance and power lines. The move will likely result in a major military mobilisation of South Korea and US forces, increasing the potential for miscalculation on both sides. Companies in South Korea should be aware of this threat and amend their contingency plans accordingly.

Hong Kong media reported that China is expected to impose new national security laws on Hong Kong on or before 1 July, the 23rd anniversary of the end of colonial rule and the territory’s reversion to Chinese sovereignty. According to the reports China will establish an office in Hong Kong to collect intelligence and deal with offences deemed as threats to national security. In another move, China’s state-run Xinhua news agency reported that Hong Kong’s Chief Executive Carrie Lam will appoint specific judges to hear national security cases. China’s manifest intention to impose its national security laws on Hong Kong, supported by its own personnel, is a fait accompli with only the formal announcement remaining to complete the process. Many companies and individuals in the territory are now assessing their response to the rapidly changing legal environment and its implications for their business interests, and in some cases their personal security. This process is certain to intensify in the immediate outlook as more information regarding the new laws, notably regarding extradition and retroactivity, becomes available.

Europe

President Alexander Lukashenko of Belarus has accused Russian and Polish forces of interfering in the upcoming presidential election due to be held on 9 August. Lukashenko said the claims were aimed at discrediting him and would be discussed with his Russian counterpart Vladimir Putin at an unspecified date. Russian government spokesman Dmitry Peskov denied the allegations. A series of rare and relatively well-attended protests have broken out across Belarus in recent weeks. Last week, Viktor Babariko, a leading opposition candidate, was arrested and questioned on money laundering and tax evasion allegations. The former banker has been denied access to his lawyers due to the coronavirus, and his detention has prompted a new series of protests.

The accusations against unspecified foreign actors may serve multiple purposes; on the one hand, they could be interpreted as an effort by Lukashenko to distance his government from Moscow and appeal to broader national sovereignty in Belarus. The relationship between traditionally close allies has slightly worsened after Russia reduced financial support for Belarus. The presidential election, usually a foregone conclusion due to a weak and divided opposition, is the most uncertain poll since Lukashenko assumed power in 1994. A further crackdown on political opposition is likely, while the tense political climate will signify a heightened risk of unrest ahead of the 9 August election.

The German cabinet has agreed to ban the sale of single-use plastics, including straws, cotton buds, and food containers from 3 July 2021. The move is in line with the EU ‘Single-Use Plastics Directive’, which was adopted in 2019 and calls on member states to reduce plastic waste. Under the EU directive, plastic bottles are required to contain at least 30 per cent recycled content by 2030 and 25 per cent by 2025. Major retailers currently relying on plastics for packaging should tailor products for more environmentally conscious consumers and factor this trend into marketing initiatives. More EU countries will likely implement similar bans on plastic products and companies should identify more environmentally sustainable alternatives.

Germany’s interior ministry has banned an allegedly neo-Nazi group called Nordadler (the Northern Eagles). The group operates mainly online, however, its alleged founder told public broadcaster NDR in 2018 that attacks against politicians were being considered. Nordadler was also planning a national socialist settlement project in rural areas. The designation marks the twentieth occasion that authorities enforced a ban on a right-wing extremist organisation. It is the third such ban this year. An increased state of alertness has likely led to increased online monitoring of far-right and extremist groups. Areas associated with ethnic or religious minorities, particularly Jewish and Muslim communities are at a higher risk of such incidents. Security managers responsible for client sites in such locations should regularly review existing measures considering the heightened risk.

On 23 June, the Karlsruhe Federal Court of Justice agreed with a 2019 decision by regulators that Facebook was abusing its dominant market position after overruling an earlier court decision. According to Bundeskartellamt, the federal cartel office, Facebook’s terms of use forces users to share data from other apps owned by the company such as WhatsApp and Instagram through the ‘Like’ and ‘Share’ functions. The body ordered Facebook to stop collecting data without user consent. Facebook had appealed that decision and a court in Düsseldorf ruled that the firm did not have to comply with the orders. The ruling effectively forces Facebook to comply with federal regulators and is a clear blow to the firm. Importantly, it demonstrates increased regulatory and political pressure on major technology firms over how user data is collected and processed as well as concerns over anti-competitive behaviours. In Germany, this is especially acute as the government views privacy protection as a key priority. Technology firms should ensure full compliance with national anti-competition rules to mitigate any potential regulatory and reputational risk.

MENA and Central Asia

On 25 June, the US treasury department unveiled sanctions against Iran’s metallurgical sector. As part of the move, the Office of Foreign Assets Control blacklisted a number of Iran-based metal companies, including South Aluminum Company, Sirjan Jahan Steel Complex and Iran Central Iron Ore Company. Five subsidiaries of Iran's Mobarakeh Steel Company, which Treasury said generates one percent of the country's GDP, were also blacklisted. The sanctions, which freeze any US assets held by the companies and generally prohibit Americans from dealing with them, are the latest manifestation of US President Donald Trump’s ‘maximum pressure’ campaign against Iran. Domestically, the sanctions are causing commodity prices to spike and deepening the Iran’s endemic poverty. Companies in the metallurgical sector or with interests in Iran should carry out due diligence on business and operational practices to ensure they are in compliance with US sanctions law.

On 19 June, Egypt asked the UN Security Council to prevent Ethiopia from starting to fill its large, newly built hydroelectric dam on the Blue Nile, a significant tributary of the Nile that contributes more than half of the river's streamflow. The news came after Ethiopian foreign minister Gedu Andargachew said the same day his country will proceed with filling the USD4.6 billion Grand Ethiopian Renaissance Dam when the rainy season begins in July, even without an agreement. Ethiopia intends the hydroelectric dam to make it Africa’s largest electricity exporter and increase the percentage of its population with access to electricity; Cairo, on the other hand, is concerned that the dam will threaten water supplies and affect the country’s agriculture and economy. Despite fear that the situation could escalate into military conflict, the Egyptian government has not threatened military action and will likely continue to seek a political solution, especially as more significant security matters in neighbouring Libya are prioritised. Companies with ties to the Grand Ethiopian Renaissance Dam project should monitor the situation for updates and factor potential delays into the timetable given the ongoing dispute.

Thousands of Palestinians protested in the West Bank town of Jericho on 21 June to denounce plans by the Israeli government to annex parts of the territory. Dozens of foreign diplomats attended the event, including the United Nations peace envoy for the Middle East, Nickolay Mladenov, and the European Union's representative, Sven Kühn von Burgsdorff. The rally passed without incident.

On 23 June, Palestinian attempted to drive his vehicle into a group of border police at the Wadi al-Nar checkpoint, on the road between Bethlehem and Abu Dis, lightly injuring one officer. The police opened fire, killing the assailant.

The protest and the alleged attack come amid elevated tensions as Israel’s new unity government can from 1 July initiate moves to implement US President Donald Trump’s controversial peace plan for the Israeli-Palestinian conflict. The plan, which has been rejected by the Palestinians, gives the green light from Washington for Israel to annex Jewish settlements and other territory in the West Bank. The Palestinian Authority (PA) has called for peaceful resistance to the move, and additional protest activity is likely in the coming three to six weeks by Palestinians and Israelis denouncing the plan. Additional low-level acts of militancy targeting Israeli military personnel and posts in addition to settlements are also likely during this period. There is a realistic probability that militants in the Gaza Strip will increase rocket fire into southern Israel in response to any confirmed annexation plans.

Authorities said on 22 June that this year’s annual Hajj pilgrimage, scheduled between 28 July and 2 August, will be limited to a small number of people of various nationalities already in the kingdom. The decision to limit the number of people attending the event comes amid ongoing concern over the novel coronavirus (COVID-19), with authorities dealing with a spike in infections after the country began a phased easing of stringent lockdown measures in late May. On 21 June, the Kingdom ended a nationwide curfew and lifted restrictions on businesses. Holding a reduced Hajj will appease many Muslims who had feared it would be cancelled for the first time in modern history, but it also means Saudi will experience a significant loss of revenue; together, Hajj and the Umrah (which can be performed at any time of the year) pilgrimages account for USD12 billion of annual revenue, or seven per cent of GDP. However, holding a reduced Hajj will represent a potential source of contagion due to the difficulties in enforcing social-distancing measures at congested religious sites. Security managers should monitor the situation and prepare for the potential re-imposition of lockdown measures should the spike in cases continue to increase.

Sub-Saharan Africa

Ghanaian President Nana Akufo-Addo reportedly apologised on 24 June to his Nigerian counterpart, Muhammadu Buhari, after the demolition of a building under construction belonging to the Nigerian High Commission in the Ghanaian capital, Accra. Akufo-Addo allegedly gave assurances that a full investigation was underway, and several arrests had been made. According to Ghanaian news reports, the rights to the land have been contested by the Osu Stool, a traditional council in the capital. In response to the incident, Nigerian senators have called on the government to reciprocate, while no specific action has been outlined. The case underscores issues over land rights in Ghana, where deeds need to be acquired in consultation with both formal and informal authorities, such as traditional and paramount chiefs. While it is likely that the diplomatic row will be given priority by both governments, anti-Ghana protests in Nigeria and vice versa are likely in the one-month outlook. Personnel in both countries should monitor protest activity and increase their vigilance around diplomatic missions.

On 18 June, Islamist militant group al Qaeda in the Islamic Maghreb (AQIM) recognised the death of its leader, Abdelmalek Droukdel who was killed by French special forces with support of US intelligence on 3 June. Three other senior AQIM commanders were also killed in the raid, including AQIM’s head of propaganda and co-ordination, Toufik Chaïb. AQIM pledged to continue its armed operations but did not name a new leader. Although AQIM’s recognition of Droukdel’s death is symbolic, the failure to announce a new leader suggests the group is weakened and could precede an internal power struggle over the coming months. To remain relevant, AQIM may indeed attempt more high-impact attacks on commercial centres in North Africa, including in Tunisia where the group has conducted several such attacks on targets frequented by foreign visitors. Attacks are also probable in West African littoral states, such as Côte d'Ivoire as well as Senegal; although the group has not carried out attacks in Senegal to date, it has explicitly threatened the country’s government due to its support of regional counter-intelligence operations.

Nigerien humanitarian NGO, Action et programme d’impact au Sahel (Action and Impact Programme in the Sahel, APIS), has confirmed that at least 10 of its workers had been abducted by unidentified gunmen. According to APIS, which is a partner organisation of the World Food Programme (WFP), the workers were distributing food aid at the time of the incident when several assailants entered the village on motorcycles. Two 4x4 vehicles used by APIS were also stolen. While kidnap for ransom remains a high risk to organisations working in this area, where Islamic State in the Greater Sahara has an established presence, the large number of victims in the most recent attack is unprecedented, which could signal a growing threat to such organisations. According to APIS, the organisation has worked in the area over the past year without any problem, which could also indicate a shift in tactics by ISGS. Indeed, the group has demonstrated increased kinetic capabilities over the past two years and has increased its K&R operations and targeted killings of traditional chiefs over the past year. The theft of vehicles used by humanitarian vehicles, which have then been used in attacks against civilians and security forces, also appears to be growing.