Geopolitical and Cybersecurity Risk Weekly Brief 3 August 2020

3 August 2020

Attacks and cybersecurity news 

A new vulnerability, dubbed BootHole, has recently been discovered in the GRUB2 bootloader. It impacts most Linux systems worldwide. Successful exploitation can lead to arbitrary code execution during the boot process, even when Secure Boot is enabled. This issue impacts every system using Secure Boot because almost all signed versions of GRUB2 are vulnerable. This means that most laptops, desktops, servers, and workstations are affected, alongside network appliances and other special-purpose equipment used in industrial, healthcare, financial and other industries. While BootHole is a major security concern, it requires attackers to achieve system administrator privileges before exploitation, making it a technically taxing vulnerability. Once administrator privileges have been achieved, however, due to the weakness in the way GRUB2 parses its configuration file, it can be exploited to execute arbitrary code that bypasses signature verification.

As we noted last week, a new automated search and destroy attack, dubbed 'meow', is targeting unsecured databases exposed to the public web. Both Elasticsearch and MongoDB instances are being hit, with the attackers leaving no explanation or ransom note. Instead, the attack overwrites and deletes the data, replacing it with the word ‘meow’ and a random string of numbers. Many victims appear to be concentrated in the educational sector. One large Elasticsearch cluster, destroyed with a meow attack, contained contact details for over 5 million students from various educational institutions including Oxford, Nirma, IIM, Hobsons, and Griffdom. Another, exposed student details from exposed from a QS Top Universities (Top Unis) repository, a QS matching tool.

Attacks continue from the Emotet botnet, one of the most potent threats of 2020. Early in the week, a wave of spam emails targeted English-, Italian-, and Polish-speaking users. In Italy, the domain belonging to the Ministry of Cultural Heritage was compromised and leveraged to distribute Emotet for over four days. Japanese and South Korean users were targeted with English language lures towards the middle of the week. The botnet’s TTPs were identified as having changed once again. Cofense Labs identified spam emails containing Emotet using not only stolen email bodies but also stolen attachments, making them more authentic and convincing. Large volumes of Emotet spam emails this week were directed towards Spanish-speaking countries, namely Mexico, Ecuador, Argentina, and Spain; the United Arab Emirates was also affected. The Qbot banking Trojan (also known as Qakbot) continues to be the main payload that is dropped following a successful Emotet infection. The botnet’s C&C domains - many of them WordPress sites – were hit by GIF replacement attacks and their numbers were reduced. It is unclear what the motivation for this attack is, or when it will end. 

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released a joint security alert about the QSnatch malware, which has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP. QSnatch attacks have intensified over the last year: the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in June 2020. CISA and NCSC are urging companies to patch QNAP NAS devices to the most recent update available. QNAP has disputed the number of infected devices and blamed ‘a misinterpretation of reports from different authorities.’

As a result of misconfigurations in their infrastructure, source code from the repositories of more than 50 companies across various verticals has been made publicly available. These verticals include technology, finance, retail, food, e-commerce, and manufacturing, with some large companies such as Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, and Disney being involved. The repositories were collected from various sources, and some contain ‘exconfidential’ or ‘confidential & proprietary’ information. While these exposures appear severe at first, the researcher actively complies with takedown requests, and has already removed the repositories for Lenovo, Daimler AG, and Mercedes-Benz. Additionally, many companies make these repositories public themselves, and others had not been updated for a long time, meaning that they would be of little use for any type of exploitation by threat actors.

A new variant of the Mirai botnet malware is exploiting devices vulnerable to the recently disclosed F5 BIG-IP vulnerability, tracked as CVE-2020-5902. Exposed BIG-IP devices are compromised and incorporated into a botnet. Threat actors have leveraged proof-of-exploit code made available soon after CVE-2020-5902 was disclosed in early July. This has been used against a large number of unpatched systems because administrators had not yet been able to apply the fix. F5 Networks’ products are used by many Fortune 500 enterprises. BIG-IP is one of the most popular products in use by governments and companies. The vulnerability in BIG-IP, therefore, is a severe risk to all organisations that have not yet applied the patch.

Mandiant Threat Intelligence has discovered several operations that they believe are part of a broader influence campaign which has been ongoing since at least March 2017. This campaign, which has been dubbed Ghostwriter, appears to be aligned with Russian security interests. The attacks have mainly targeted users in Lithuania, Latvia, and Poland with lures mainly relating to NATO's presence in Eastern Europe and occasionally leveraging other themes such as anti-US and coronavirus-related stories. The Ghostwriter operation has used compromised websites to publish false content including legitimate news and media sites, some of which included fabricated documents and falsified official correspondence.

 

COVID-19 Cybersecurity Update

Researchers have discovered another coronavirus-related lure being used in a phishing campaign promising the recipient a government-funded tax cut. The email claims to come from the UK ‘Government Digital Service Team’, and offers a tax rebate of GBP385.50. This rebate will supposedly be transferred directly to the recipient's credit or debit card. This scam is designed to steal recipients' personal and financial information.

Numerous victims have been reported of an aggressive business ID theft ring. A security researcher claims that these attackers have spent years targeting small businesses across the US and are now using coronavirus pandemic assistance loans and unemployment benefits as a lure. Since so many small enterprises are either going out of business or sitting dormant during the COVID-19 pandemic, organised fraud rings have seen it as an opportunity to find more targets. Data analytics company Dun & Bradstreet estimate an over 258 per cent spike in business identity theft crimes in 2020, with over 4,700 tips and leads where business identity theft or malfeasance is suspected.

 

 

Data breaches, fraud, and vulnerabilities

 

Data Breaches

A misconfigured cloud server at global cosmetics brand Avon has exposed 19 million records, including personal information and technical logs. The Elasticsearch database was found on an Azure server with no password protection or encryption - meaning it could be found by anyone in possession of the server's IP address. The database was exposed for nine days before being discovered on 12 June. It contains personally identifiable information about customers and, potentially, also employees. 

UnderTheBreach reports that a known threat actor is selling the database of Timehop which, it is claimed, contains 21.9 million users' data. The breach itself was announced in 2018 and contains personally identifiable information (PII) such as emails, phone numbers, passwords, social media profiles, geographic locations, genders, and dates of birth. The post referenced by UnderTheBreach has since been deleted from Raid Forums. The reason for this is unclear. As noted, the Timehop breach was announced in 2018 and the data had not surfaced publicly until this actor made the post. 

Cryptocurrency hardware wallet maker, Ledger, has announced that on 14 July it was notified that its eCommerce and marketing database was breached and leaked. Ledger immediately remediated the issue and identified that unauthorised access had been gained by a third party and the database contents exfiltrated. The data stolen in the breach included contact and order details. This includes email addresses, full names, phone numbers, and shipping addresses. Payment information, credentials or virtual funds were not impacted by the breach.

Cyjax has identified a new leak posted by ShinyHunters, allegedly taken from liveauctioneers[.]com, containing 2.9 million email addresses and plaintext passwords. Live Auctioneers is an online auction website, based in the US. Live Auctioneers was breached earlier this month by a different user on the RAID forums. Data that was released after that leak included 3.4 million credentials, with more data, such as phone numbers, emails, shipping addresses, and encrypted passwords. Not all the data was available in each entry. Currently, it is unclear whether the ShinyHunters post is the same breach as the previous one. It is interesting, however, that this company has been exposed twice in less than a month. 

The Vermont Department of Taxes has revealed that many of the state's taxpayers’ private information was exposed due to a security issue affecting the online filing portal. The breach occurred on 2 July 2020. All those registered in Vermont who filed their Property Transfer Tax returns electronically between February 2017 and July 2020 is at risk of exposure.

 Health officials in Argentina have exposed a database containing the personal information of 115,281 coronavirus quarantine exemption applicants. The database is believed to belong to the San Juan, Argentina government and the Ministry of Public Health. Exposed information in this database included full names, DNI numbers (Argentinian national ID numbers), CUIL numbers (Argentinian tax ID numbers), genders, dates of birth, photographs, phone numbers, and email addresses. 

This week there has been an uptick in the number of breaches listed by the operators of various ransomware. A breach at CWT Company (thought to be Carlson Wagonlit Travel in the US) is one of the best examples of how profitable these operations now are. Early in the week reports appeared illustrating that CWT’s internal network had been encrypted and data exfiltrated. The ransom note indicates that the stolen data includes customer billing information, insurance case details, financial reports, business audits, and bank account details, alongside details of CWT’s clients. Further investigation into the wallet address of the RagnarLocker gang revealed that nearly 414 Bitcoin (USD4.5 million) was received and transferred on 28 July 2020 indicating that the ransom had clearly been paid. Elsewhere, companies in Germany, Australia, India, France, the UK, Italy, and the USA, were all targeted. The size of the organisation does not appear to be a driving factor, with firms from SME to enterprise all falling victim to these attacks. 

Fraud

Sucuri has uncovered a new type of web skimmer that targets the WooCommerce plugin in the checkout pages of WordPress eCommerce sites. Instead of infecting the WooCommerce files directly, however, the attackers are using an alternative technique to infect other plugins unrelated to the checkout process to stealthily skim credit cards. It is recommended that WordPress users put their websites behind firewalls, disable file editing from ‘wp-admin’, enforce account security such as complex passwords and MFA. Most importantly, admins must keep plugins and themes updated with the most recent versions.

The Wall Street Journal reports that SEI Investments has fallen victim to a ransomware attack through a third-party vendor. The company is the fund administrator for Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group, Centerbridge Partners, and Pacific Investment Management Co. (Pimco). Some of SEI Investments’ clients alerted their investors of the breach earlier this month after SEI notified them. The attack itself happened in May and exposed the personal information of investors in roughly 100 of the fund administrator’s clients.

Cyjax analysts reported that the M.J. Brunner leak had been released on the Maze ransomware operators' site. However, the RagnarLocker ransomware operators have also claimed responsibility for the attack. The data was exposed on the group’s leaks site on 28 May 2020. This was in retaliation for M.J. Brunner refusing to pay the ransom to the attackers.

A new wave of phishing attacks is attempting to steal payment card information and credentials for the Netflix streaming service. This campaign uses a functioning CAPTCHA page to bypass email security controls. The danger here lies in the fact that the techniques used in this campaign can easily be adapted to target other streaming sites, such as Amazon Prime Video or Disney+, giving threat actors a larger attack surface. 

Vulnerabilities

On 24 July, Cisco issued a security advisory regarding a high-risk path traversal vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Successful exploitation can be achieved by accessing arbitrary files within the web services file system on the targeted device. Since the announcement of this vulnerability, and the public release of exploit code, more attacks have targeted vulnerable versions of the software. Rapid7 recently found 85,000 internet-accessible ASA/FTD devices. 398 of those were deployed in numerous Fortune 500 companies. Since the patch was issued, only 10 per cent of vulnerable internet-facing devices have been patched; only 27 of the 398 vulnerable devices in Fortune 500 organisations have been rebooted.

A vulnerability has been disclosed in the Dell EMC iDRAC remote access controller technology embedded within the latest versions of Dell PowerEdge servers. This flaw can allow remote attackers to take over control of server operations. Public search engines have already discovered several internet-accessible connections to iDRAC which could be exploited, as well as 500 controllers available for access using SNMP. This flaw was fixed in early July. It is only exploitable if iDRAC is connected to the internet, which is not recommended by Dell. By not connecting iDRAC to the internet, users can mitigate the chances of exploitation.

Vulnerabilities have been found in virtual private network (VPN) implementations used by industrial control systems (ICS). Threat actors could use these flaws to execute arbitrary code, breach the network environment, and cause damage by connecting to field devices and programmable logic controllers (PLCs).

After discovering and reporting a critical vulnerability (CVE-2020-14511) in Moxa EDR-G902 and EDR-G903 series routers, researchers discovered that products from Secomea and HMS Networks also had severe flaws that could be used to gain full access to the internal network without authentication. Another flaw was found in HMS eWon, CVE-2020-14498. This is a critical stack-buffer overflow issue which can be exploited for remote code execution with the highest privileges by visiting a malicious website or opening a malicious email containing specially crafted HTML code.

AusCERT has issued a security advisory for multiple vulnerabilities in Magento Commerce products. Successful exploitation can lead to executing arbitrary code and commands, cross-site scripting (XSS), and reduced account security. The critical vulnerability, tracked as CVE-2020-9689, is a path traversal bug which could allow attackers with administrative privileges to execute arbitrary code. There are currently no known exploits for these vulnerabilities

 

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  •  Unit 42 has issued a security advisory concerning a recently disclosed vulnerability in Kubernetes. Successful exploitation can lead to unauthenticated attackers gaining complete control over the cluster.
  • Tencent has issued a security advisory over an important update for the Elastic Stack. Successful exploitation of unpatched systems can lead to stored XSS, information disclosure, and denial of service via CPU exhaustion.
  • A critical vulnerability has been discovered in the wpDiscuz WordPress plugin installed on over 80,000 WordPress sites. This flaw can allow an attacker to remotely execute code after uploading arbitrary files to servers hosting vulnerable sites.
  • Cisco has released security updates to patch three critical vulnerabilities affecting Cisco Data Center Network Manager (DCNM) and multiple Cisco SD-WAN software products. Updates were also released for eight high and medium severity flaws.
  • Multiple vulnerabilities have been disclosed in Mitsubishi, Philips, and Inductive Automation ICS products, warns US CISA. Successful exploitation can lead to denial of service, arbitrary code execution, unauthorised access, information disclosure, and provide misleading information.

 

 

APT Activity and Malware Campaigns

 

APT activity

Researchers have reported four distinct malware families being used by North Korean APT Lazarus to target Apple's macOS platform. These included previously observed malware such as the DaclsRAT which is believed to be a part of the recently disclosed MATA framework, also used by Lazarus. Sentinel One claims that all of these samples have appeared in the last eight to ten weeks, which shows that Lazarus is still highly active.

MATA is cross-platform compatible and targets all three major operating systems: Windows, Linux, and macOS. Since its first detection in April 2018, MATA has been used to infiltrate enterprises around the world. Victims were found in Poland, Germany, Turkey, South Korea, Japan, and India. Organisations from various industries were compromised, including software development, eCommerce, and an internet service provider (ISP). 

Kaspersky has uncovered a new family of ransomware, dubbed VHD, that has been attributed to North Korea’s Lazarus group. The first detections involving VHD ransomware occurred in Europe and involved a spreading technique reminiscent of numerous other APT groups. The ransomware propagates laterally around networks via a list of administrative credentials and IP addresses specific to the victim. Once a system is compromised, VHD is copied and executed through Windows Management Instrumentation (WMI) calls. This tactic has been used in other high-profile attacks such as those against Sony Pictures Entertainment, Shamoon, and OlympicDestroyer. VHD ransomware and the MATA framework were both custom-built by the Lazarus group.

In more Lazarus-related news, the group was observed targeting the US aerospace and defence sector in a campaign dubbed Operation North Star. These attacks used common spear-phishing emails posing as a potential job opportunity. McAfee was not able to retrieve a copy of the emails, so the companies that were targeted in these attacks are unknown. These lures were used to install malware through malicious DLLs onto a target's device, with the attacks specifically focused on cyber-espionage and intelligence-gathering efforts. This campaign bears a striking resemblance to Operation Interception, also conducted by Lazarus, which targeted European and Middle Eastern aerospace and military companies. Both campaigns use similar bogus job offer lures. McAfee claims that these are definitely two distinct campaigns, however, due to the use of different implants and lure documents.

Kaspersky’s Q2 2020 APT trends report was published this week. One of the most interesting findings was the disclosure of a new group called the Deceptikons linked to a cyber-espionage campaign providing mercenary services for almost a decade. It is not particularly technically sophisticated and has not deployed 0day exploits to its knowledge. The Deceptikons repeatedly target commercial and non-governmental organisations. This includes spear-phishing European law firms and deploying PowerShell scripts. It is thought to be motivated by financial information, details of negotiations and the law firms’ clientele.

Malware 

A new Android SMS worm is circulating disguised as TikTok Pro. Once a user installs the app, it sends an SMS to all the contacts on the device with a link to the malicious app. When the app is launched, it requires the device owner to log into TikTok. Interestingly, however, these credentials are not stolen. The purpose of the Android SMS worm appears to be to make users watch monetised adverts while logging into a fake TikTok. Cybercriminals are seeking to exploit the current situation in India as the government recently banned TikTok, preventing users registered in the country from accessing their accounts. This is a common tactic. As soon as something is made unavailable in one country, threat actors quickly produce a fake version to lure unsuspecting users into downloading and installing their malware. 

Researchers detected a spike in activity linked to cryptocurrency mining attacks targeting vulnerable MS-SQL servers. After investigating the attacker’s HTTP File Server (HFS) it was found that tens of thousands of MS-SQL servers have been infected with a Monero mining Trojan.

MS-SQL servers are valuable targets to compromise: not only do they have significant CPU power that can be repurposed for cryptocurrency mining; they also contain databases with sensitive information such as credit card numbers, credentials, and other PII. Organisations can protect themselves by enforcing strong password protection policies and multi-factor authentication; it is also advised that database servers are put behind a firewall.

A previously unknown Linux malware is targeting Docker servers. This threat, dubbed Doki, went undetected on VirusTotal for nearly six months. Docker has been repeatedly targeted by cryptocurrency mining malware. In previous campaigns, threat actors have repeatedly exploited open ports, including those associated with Docker API, to deploy malware. Organisations running Docker should ensure their API ports are not exposed to the internet. They should also monitor for unexpected or excessive use of computing resources, which could potentially indicate the presence of cryptocurrency mining malware. 

Ensiko is a new webshell that targets various platforms such as Windows, Linux, and macOS or any other system with PHP installed. It is deployed via exploited vulnerabilities in web applications or by gaining access to one previously compromised. Ensiko also has a PHP ransomware module that encrypts files on an infected web server using the RIJNDAEL encryption algorithm. This threat is worth monitoring: it is sophisticated and appears to have been written from scratch by skilled malware developers.

The FBI has issued a security alert concerning the Netwalker (Mailto) ransomware. Its operators are targeting US and foreign government organisations and the FBI advises victims not to pay the ransom but report the incident to their local FBI field office instead. Netwalker began to be delivered to the target organisations in June 2020, according to the FBI, after successful attacks on an Australian transportation and logistics company and a US public health organisation. The threat actors behind Netwalker have used the ongoing coronavirus pandemic as a lure in their campaigns since March.

Researchers have identified the WastedLocker ransomware sample used in the attack on Garmin. WastedLocker samples are tailored for each target; the sample the researchers identified was found to generate the same ransom note and encrypted files as seen during the attack. As of 27 July, Garmin’s services appeared to be coming back online, having been down since late 22 July. Parts of the app are still reporting that server maintenance is underway. The BBC reports that the company has been asked to pay USD10 million (GBP7.79m) to get its systems back online. Garmin has yet to officially comment on those claims, or say what was behind the outage. However, subsequent reports asserted that Garmin had paid the ransom demands through a third party in order to avoid sanction under the US Treasury rules that ‘US persons are generally prohibited from engaging in transactions’ with the cybercriminals.

Darknet

The operators of Cerberus have announced that they are selling the entire project, including source code, servers, and customer base. This comes after the public representative of Cerberus claimed that they are the only member of the team left, and that running the malware on their own is not possible. Cerberus customers have been complaining, for some time, that the malware is no longer functioning as expected, so this latest development is possibly an attempt to avoid having to compensate customers. The Cerberus operators also previously sold the source code to Cerberus v1 to raise funds for the completion of Cerberus v2. This potentially indicates that the problems may have been present in the cybercriminal outfit for a while. There is currently no indication that Cerberus v2 has been sold.

Multiple 0day vulnerabilities for Tor have been disclosed by well-known computer forensics researcher, Dr Neal Krawetz. Dr Krawetz claims he first discovered some of these bugs as far back as 2012 and that, despite having reported them to the Tor Project, they all remain unptached. These vulnerabilities potentially enable the tracking and detection of any connection to Tor nodes. The Tor Project has not yet commented on the disclosure of these vulnerabilities.

 

 

Geopolitical Threats and Impacts

 

Americas

Senior lawmakers from the ruling Republican Party have dismissed President Donald Trump’s suggestion that November’s presidential election could be delayed. Trump has claimed, with little reliable evidence, that postal voting – of growing importance due to the novel coronavirus (COVID-19) pandemic – is susceptible to fraud. Trump does not have the constitutional authority to postpone November’s election, meaning such a move would need to pass both the Republican-controlled Senate and the Democratic Party-controlled House of Representatives. The likelihood of the election being delayed is therefore minimal, barring a significant worsening of the COVID-19 pandemic. Trump’s comments are therefore more likely aimed at undermining the integrity of November’s ballot, a tactic he used during the 2016 presidential election. Organisations with interests in the US economy should scenario plan for either plausible outcome of November’s poll.

US ambassador to Brazil, Todd Chapman, warned in an interview that Brazil would face ‘consequences’ if it allows Chinese telecoms giant Huawei’s involvement in its 5G network. Chapman also claimed that allowing Huawei’s participation in 5G may discourage future foreign investment in Brazil. Chapman’s comments come as the US seeks to persuade countries across the world to ban or restrict Huawei’s involvement in their respective 5G networks. Washington has previously offered to help finance Brazilian telecoms providers’ acquisition of non-Huawei 5G equipment, and Chapman’s unsubstantiated comments seek to increase pressure on President Jair Bolsonaro’s administration to ban Huawei’s 5G participation. Any decision to restrict Huawei’s involvement could have major commercial implications for Brazil, given that China is its largest trading partner and may seek commercial retaliation. Companies with interests in Brazil’s telecoms sector should monitor local updates related to Huawei’s legal status, and scenario plans for multiple outcomes, including a full or partial ban on Huawei equipment in the country’s 5G network.

In a statement released on 2 August, Microsoft announced that it is continuing talks on the purchase of popular Chinese-owned video-sharing app TikTok’s US operations. Microsoft said it would conclude discussions with TikTok’s parent company, ByteDance, by no later than mid-September. A preliminary proposal also includes Microsoft securing the rights to own and operate TikTok in Canada, Australia, and New Zealand. Microsoft’s statement came after a call between its CEO, Satya Nadella, and US President Donald Trump. On 31 July, Trump had told reporters that TikTok would be banned in the US, however the White House later stated that its policy towards TikTok had yet to be decided. TikTok, which is particularly popular among teens and young adults, has generated concern among some US lawmakers and national security officials as to whether users’ data could be accessed by Chinese officials if it remains under Chinese ownership, thereby potentially posing a national security risk to the US. It comes amid a broader intensifying rivalry between Washington and Beijing over openness towards each other’s businesses and technologies, and comes as the US encourages other countries to ban Chinese telecoms giant Huawei from their 5G networks over similar concerns. Were Microsoft to conclude the purchase, it would allow TikTok to continue operating in the US, therefore preventing backlash from its approximately 80 million US users, while addressing US officials’ security concerns. Companies with interests in the Sino-US relationship, particularly related to trade and technological openness, should monitor updates related to TikTok and assess how it may impact operations and strategy.

The trial of ex-CEO of Mexican state-owned oil company Pemex, Emilio Lozoya, began on 28 July, with the accused denying allegations of corruption and pledging to ‘denounce’ those responsible for the crimes of which he is accused. Lozoya’s trial is the most significant anti-corruption development since President Andrés Manuel López Obrador was elected on an anti-graft platform in 2018. The case is of particular significance given Lozoya’s previous relationship with ex-president Enrique Peña Nieto – he worked as a strategist to Peña Nieto during the 2012 election – and other high-ranking members of the former government. Companies with interests in Mexico, particularly those who bid for or won public contracts under the Peña Nieto administration, should monitor local updates, anticipate heightened public and judicial scrutiny, and cooperate fully with the relevant authorities.

APAC

Hong Kong Legislative Council elections due to be held on 6 September are expected to be postponed for up to a year, ostensibly due to concerns over the impact of COVID-19 on the territory. The elections are widely seen as a direct challenge to pro-China and ‘establishment’ legislators from voters opposed to Beijing’s overt influence in Hong Kong. The suspension of the elections will increase tension in the territory and test pro-democracy activists’ willingness to defy China’s imposed national security law (NSL) that came into effect a month ago. Foreign companies viewed as supportive of China’s greatly expanded overt influence in Hong Kong may also come under pressure from activists and their home governments, particularly in the event any renewed protests in the territory lead to mass arrests or clear indications of excessive force by the police. The one-month outlook is critical in this respect as any local reaction is likely to be manifested in this timeframe.

Tokyo is tightening rules over access to sensitive technology for foreign researchers and students at universities and is threatening to hold back financial support to institutions that encounter leaks of sensitive data, especially information with potential military use. Under the new proposed rules, visa applications from foreign citizens that want to study at Japanese universities will be more carefully vetted, and researchers will need to disclose their overseas sources of funding when applying to run studies. The new regulations are widely viewed as targeting China. Tertiary educational institutions are advised to periodically conduct detection operations for insider threats, including behavioural analysis to identify any patterns of suspicious activity, and remind personnel to practice good operational security at all times.

Media reports on 29 July said pilots for US-based air cargo carrier FedEx had called on the company to suspend flights to Hong Kong due to the territory’s enhanced coronavirus testing regime that came into force today. The Air Line Pilots Association call for a suspension of FedEx services follows three of the company’s pilots being quarantined in Hong Kong government isolation facilities after testing positive for COVID-19 on arrival in the territory. The International Air Transport Association (IATA) has said aircrew should not be tested for the virus as a prerequisite for working as they can be readily isolated from the general population, despite evidence individuals have breached existing strictures on movement. The implications of FedEx ceasing operations on the availability of overall cargo space is minimal as other airlines can add capacity to cover any shortfall, but may be high in terms of the movement of business documentation, e-commerce and general mail the company specialises in carrying. Companies should assess their options regarding such movements, bearing in mind any mail or documents sent through China will be delayed due for security and other forms of search.

Malaysia’s former prime minister Najib Razak was found guilty of corruption by the country’s High Court for his role in a multi-billion-dollar scandal at state fund 1Malaysia Development Bhd (1MDB). Najib faced seven charges of criminal breach of trust, money laundering and abuse of power for allegedly illegally receiving nearly USD10 million from a former 1MDB unit. Najib, who pleaded not guilty to the charges and said he would appeal the verdict, faces a further 42 criminal charges over allegations he misappropriated more USD1 billion from 1MDB. The verdict will help assure many local and foreign interests over immediate concerns regarding the independence of the Malaysian judiciary in such a high profile and politically sensitive case. However, concerns remain over the appeal process, how the other cases proceed and sentencing. The verdict also increases the potential for a new general election, which would add to already heightened political volatility. Companies should factor a period of growing tension, including street protests by Najib supporters and their opponents, into their six-month outlook.

Europe

Russia’s economic development minister, Maxim Reshetnikov, warned that EU plans to introduce a carbon border adjustment mechanism (referred to as a carbon border tax) by 2023 will violate World Trade Organisation (WTO) rules. The carbon border tool, which is still being developed, would see additional levies being applied on imported goods manufactured unsustainably. The tax will reflect the amount of carbon emissions generated during the production of imported goods. This is aimed at encouraging non-EU exporters to prioritise environmental protection as well as bolster production within the bloc. While the exact details of how the carbon adjustment mechanism would function have not yet been finalised, the proposal is likely to have wide-ranging implications for both major exporters into the EU and importing firms. Companies with significant carbon footprints in sectors such as energy and chemicals will be significantly disadvantaged. Exporters should conduct comprehensive internal assessments to identify operations that may be readjusted to lower emissions.

On 27 July, the Ukrainian military accused pro-Russia separatists of violating a ceasefire shortly after it was initiated at midnight. The separatists denied the allegations. Mutual accusations of ceasefire violations have become a common feature of the conflict in Eastern Ukraine. Despite expectation that the latest ceasefire agreement signalled concrete commitment to de-escalate tensions from both sides, renewed clashes indicate that efforts to pacify the region face significant challenges. The latest developments indicate that for any meaningful de-escalation to occur, tangible steps should be taken by armed personnel on both sides, including respecting ceasefire agreements and fulfilling withdrawal commitments, to avoid further violence. Critics of Ukrainian President Volodymyr Zelenskyi in the meantime will amplify their opposition to his diplomatic approach and view this as confirmation that Kiev has already given too many concessions.

A court in the city of Strasbourg rejected a bid by Chinese conglomerate Jingye Group to acquire the Hayange factory in northern France that belonged to British Steel. The UK-based steelmaker avoided bankruptcy after being bought by Jingye last year. Hayange was not part of the transaction. The court decision awarded UK-based industrial firm Liberty House permission to acquire the site, deemed as strategically important by the French government. France’s finance ministry is expected to approve the deal. The current context makes the decision particularly notable. As Europe seeks to recover from the COVID-19 pandemic, governments have sought to protect national assets from takeovers by non-EU entities. This trend of targeted protectionism will likely continue to accelerate across the EU. The case of Hayage makes this clear. Under current circumstances there is little political appetite to greenlight acquisitions that could leave non-EU companies in control of assets of national importance. Heightened scrutiny on foreign investments will complicate plans for companies seeking to attract capital investment from non-EU investors.

London-based European Bank for Reconstruction and Development (EBRD) claimed on 29 July that several of its Twitter accounts were hacked. No further details were given but an EBRD representative said the organisation’s Twitter account was ‘compromised’. The EBRD finances infrastructure projects and businesses across Europe, Central Asia and the Middle East. While the extent of the hack has not been disclosed, it underscores the vulnerability of social media platforms such as Twitter to cyberattacks and follows the recent hijacking of the accounts of multiple US public figures, including former president Barack Obama and Bill Gates. Companies frequently using social media for communications campaigns should anticipate the potential impact a hack may have on operations. Precautionary actions should be taken, including regularly changing passwords and instructing relevant staff to exercise heightened caution, to mitigate the elevated cybersecurity threat. 

Belarusian President Aleksandr Lukashenko last week called an urgent meeting of the country’s security council after 33 alleged mercenaries belonging to the Wagner Group, a Russian military contracting firm, were arrested in Minsk. Critics believe the arrest may be used as an excuse to crack down on growing opposition protests or potentially hold off a presidential election slated for 9 August on the grounds of foreign interference. In separate but related developments, the political opposition is planning mass strikes at prominent state-owned firms set to begin the day after the election is concluded. Opposition figures have also established a platform through which they call on voters to state how they voted by uploading a picture of their ballot. The presence of Wagner Group operatives in Belarus raised several questions about their motives and potential operations. Allegations of foreign interference are not new, and the timing and background of the arrests lends credibility to the view that this may be used as a pretext to further crack down on the growing opposition movement. 

The EU on 30 July imposed sanctions on several individuals and organisations believed to have been involved in a series of major cyberattacks. The measures include asset freezes and travel bans on members of Russian military intelligence, two Chinese firms, including Haitai Technology Development, and Chosun Expo, a North Korean export firm. In particular, the Main Center for Special Technologies – a unit of Russia’s GRU military intelligence agency – was accused of carrying out the 2017 NotPetya attacks in Ukraine. The other entities targeted are suspected of also being responsible or supporting the WannaCry and Cloud Hopper attacks. Moreover, four alleged GRU agents were also sanctioned over an attempted cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW). The measures represent the first-ever sanctions imposed by the EU relating to cyber security. Importantly, the sanctions also lend credibility to claims that Russian military intelligence are involved in a sophisticated campaign targeting Western commercial and national interests. Organisations should regularly reassess their threat profile and review existing cyber security protocols to detect any potential vulnerabilities. Update security patches on a regular basis and instruct staff on ways to report phishing emails. It is also prudent to understand how geopolitical developments influence the cyber-threat landscape to strategically plan risk management measures.

MENA and Central Asia

The US imposed a second round of sanctions under the Caesar Act ruling that came into effect on 17 June, which aims to maximise pressure on the Syrian government for alleged war crimes against its citizens. This marks a significant ramping up of Washington’s maximum pressure strategy against the Syrian regime. It enables the US treasury to sanction a wider range of sectors and the ability to freeze the assets of anyone believed to be cooperating with Syria. Companies should factor the new sanctions into existing compliance programmes and ensure full adherence with any restrictive measures.

The Turkish parliament passed a new social media law on 29 July that will enable government authorities to remove online content that fails to comply with regulations rather than blocking it – which was the previous practice. A comprehensive list of regulations has been included in the bill; notably, foreign social media companies with over 1 million users are now required to have a local representative and store all domestic user data in Turkey. Failure to do so could result in USD1.5 million fines, bandwidth restrictions and advertising bans. Erdoğan’s approval at this stage is a formality. As of 30 July, major social media companies such as Twitter and Facebook have not publicly reacted to the decision. While it is unlikely these companies will pull out of the Turkish market, there remains a possibility that they could refuse to comply with the new regulations, which would cause significant domestic disruption. Companies using social media platforms for businesses or communication should continue to monitor developments and prepare contingency plans for the possible suspension of these sites in the short-medium term.

US secretary of state Mike Pompeo stated that sanctions against Iranian metals producers and traders would be undergoing a ‘major expansion’ to include 22 other metals that are believed to be used in the country’s nuclear, ballistic or military programmes. Under these sanctions, any company or individual believed to be transferring these materials including graphite, aluminium powder or raw and semi-finished metals to Iran will be blacklisted from the US on account of contributing to the Iranian state’s construction sector and facilitating their nuclear programmes. The expansion of sanctions is part of the US’ strategic calculus aimed at applying maximum pressure on the Iranian government to undermine the latter’s nuclear ambitions. The latest round of sanctions will likely cause commodity prices to inflate and destabilise the market, with plausible impacts on the labour force. Anti-government protests have been increasing in recent weeks amid worsening socio-economic conditions impacted by COVID-19. Companies in the construction or metallurgical sector and with interests in Iran should carry out due diligence on business and operational practices to ensure they comply with US sanctions law. 

Shipping data and industry sources indicate that Iraq’s crude oil exports have increased in July, implying that Iraq is failing to fulfil its commitment to the OPEC+ cuts that were extended in February until the end of 2020 to support volatile crude prices. This likely underlines Iraq’s growing economic instability and a need to bolster this with oil exports, which usually comprise around 90 per cent of the government’s revenues. In the coming weeks, the state is due to pay the next two months of salaries for around 4 million state employees alongside state beneficiaries. It is likely that the government is hoping to avoid delaying these payments, which could result in exacerbating protests that are recurring following a period of calm due to COVID-19 restrictions. A lack of compliance with oil output cuts will likely raise tensions in the fragile OPEC+ agreement, particularly with Russia which has been continuously reluctant to adhere to the restrictions. While Iraq’s failure to comply is unlikely to jeopardise the entire deal, there remains a realistic chance that further instances of missing output cut targets could occur in the coming months given the country’s economic crisis, which will likely escalate tensions between OPEC+ members and disincentivise others from adhering to cuts. This would likely lead to another spate in global oil price volatility, further compounded by COVID-19 in the medium-term outlook.

The Emirates Nuclear Energy Corporation (ENEC) announced on 1 August that operations in Unit 1 of Barakah power plant, situated in Abu Dhabi, have commenced. The nuclear plant is the first of its kind in the Arab world and has been slated by ENEC to have enough capability to provide up to 25 per cent of the UAE’s electricity needs once it becomes fully operational. The announcement is likely to escalate ongoing tensions with regional rival Qatar, who complained about the nuclear plant to the International Atomic Energy Agency (IAEA) in March 2019, warning that it was a ‘flagrant threat to regional peace and environment’. Qatar’s grievances will likely be further compounded by regional concern over the lack of safety measures installed in the plant. This was underlined in a 2019 report by the Nuclear Consulting Group, which concluded there was a serious lack of key safety features such as a core-catcher in Barakah. By comparison, core-catchers are standard requirement in all nuclear reactors in Europe. Without one, there is a higher likelihood of radiation pollution being released in the event of an accidental incident or deliberate attack. Targeted strikes against strategic facilities in the Gulf are a concern, underlined by attacks over the past year by the Yemeni-based Houthi rebels against Saudi oil refineries, and Barakah could be a potential target by various threat actors. Businesses in the region should factor these developments as well as the likelihood that the plant will stoke geopolitical tensions into security contingency plans. 

Sub-Saharan Africa 

South African Investigators are looking into 102 suppliers of personal protective equipment (PPE) in Gauteng province, after it was revealed that politically connected businesses had won lucrative tenders related to COVID-19 pandemic containment efforts. An audit had showed that there were indications of overpricing and poor quality. Khusela Diko, who serves as a spokeswoman for President Cyril Ramaphosa, took a leave of absence earlier this week following reports that her husband won R125 million worth of PPE contracts – the couple deny any wrongdoing. While authorities do not suspect all 102 firms of wrongdoing, the probe indicates intentions to scrutinise all PPE contracts. On 23 July, Ramaphosa pledged to tackle corruption in the healthcare sector due to concerns that funds distributed were stolen or misused. Tough measures, including fines and contract abrogation, will likely be imposed on organisations found violating rules. Companies operating in South Africa should ensure full compliance with rules and cooperate with the relevant authorities.

 The Financial Times reported on 28 July that Anglo-Australian mining group Rio Tinto was in discussion with the UK’s Serious Fraud Office (SFO) to obtain a deferred prosecution agreement (DPA) over suspected bribery committed when securing a major iron ore contract in Guinea. Neither Rio Tino nor the SFO have confirmed the negotiations. However, the SFO on 24 July 2017 confirmed an investigation into payments the company made to a consultant with close ties to President Alpha Condé, a few months after he took office in December 2010. This payment allegedly helped the company secure part of the Simandou mine, one of the world’s largest and richest untapped iron ore deposits. In 2008, the company was stripped of two out of four concessions it held by the former government of then-president Lansana Conté who died the same year. Under a DPA, which must be approved by a judge, the charged company agrees to make full reparation (including paying fines) for criminal behaviour but without the consequences of a criminal conviction and under strict further conditions. The reported DPA signals a possible solution to the legal battle surrounding the Simandou project, although this may still take several months to resolve. Nevertheless, the case underscores Guinea’s high corruption risk and a need for companies investing there to develop strong compliance programmes and codes of conduct for all their partners, including consultants. They also need to carry out thorough due diligence on local partners, including developing a deepened understanding of their political affiliations and attendant contract risks that may emerge in the event of a government change.

The South African Social Security Agency (SASSA) is warning companies about a fraudulent email being circulated, announcing a new tender. This comes after SASSA in Free State province on 22 July warned about criminals defrauding service providers through the agency’s Social Relief of Distress (SRD) vouchers, which are used by poor households to buy food. Relatedly, on Friday (24 July) officers from the Directorate for Priority Crime Investigation (locally known as the ‘Hawks’) arrested three individuals they suspect of planning to hack into SASSA’s system and gain access to beneficiary accounts. The series of reported acts targeting SASSA signals an elevated cybercrime risk for sub-contractors, such as cash transfer businesses and non-governmental organisations, distributing SASSA grants amid the COVID-19 outbreak in the country.