Geopolitical and Cybersecurity Risk Weekly Brief 6 July 2020

6 July 2020

COVID-19 Cybersecurity Update

Cyjax analysts found three malicious documents named ‘CoVid_2019_Check_v9380.xls’ uploaded to the Any.Run malware submission site. These contain malicious macros that are reportedly similar to those used in previous TA505 campaigns. TA505 is a dangerous, financially motivated Russian cybercrime group. Cyjax analysts also uncovered malware, known as Qulab, masquerading as the Johns Hopkins COVID-19 map. Qulab focuses on stealing information from victims' machines and aims to replace clipboard content with its own, such as cryptocurrency wallet addresses.

A new variation of a COVID-19-related HMRC phishing scam is targeting the passport, personal and banking details of the self-employed. A text imitating HMRC is sent to the target, informing them that they are due a tax refund. The recipient is redirected to a fake, HMRC-branded site entitled ‘Coronavirus (COVID-19) guidance and support’. Information entered on this page is stolen.

The FBI has warned about potential fraud schemes related to antibody tests for COVID-19. Scammers are advertising fake or unapproved coronavirus antibody tests, as well as potentially providing false results. These schemes also look to gather personal information, such as names, dates of birth, Social Security numbers, personal health information, and health insurance information.

Malware such as the AgentTesla infostealer, AveMaria RAT, and LokiBot Trojan continues to spread via virus- or pandemic-themed spam emails. Subjects have included: ‘COVID-19-Order-june-29-06-20-Quote’, ‘COVID-19 DELAY PURCHASE ORDER’ and ‘RE: Payment Assistance Due To Covid-19 Pandemic’. COVID-19-themed XLS documents have also been used to deliver the TrickBot banking Trojan. According to IBM, TrickBot is the most prolific malware spread via coronavirus-related documents and phishing emails.

Recent analysis of Android Trojan trends during the COVID-19 pandemic has revealed a significant increase in the number of Trojanised apps containing banking Trojans. Some of these can evade security checks in the Google Play Store and make their way onto devices undetected. The top banking Trojans have been masquerading as a ‘Coronavirus Tracker’, a ‘CoronaFinder’, and a ‘Coronavirus Statistics’ app. These all aim to steal personal information.


Attacks and cybersecurity news

The number of attacks against RDP clients has increased since February 2020. The rise in attacks is a result of cybercriminals targeting organisations that are working remotely due to coronavirus. The highest number of attacks originated from the United States, China, Russia, Germany, and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil, and Hungary. The problem stems from organisations rapidly transitioning to remote working without implementing adequate security controls. Employees may use weak passwords with no additional layers of protection. This leaves their credentials open to brute-force attacks and account compromise. Consequently, RDP has become the most popular infection vector for ransomware operators.

The Brazilian federal police have reported that they are investigating AnonymousBrazil for exposing personal details of senior government officials including President Jair Bolsonaro. The leak reportedly contained information about Bolsonaro, his sons, assistants, and various ministers. Information such as assets owned by the individuals was leaked to a Twitter profile, but this was quickly deleted by moderators. The investigation found that the group obtained the data of over 200,000 members of the military, as well as government officials, allegedly with the aim of intimidation and embarrassment. There is also evidence of additional crimes perpetrated by the group, such as fraudulent online purchases. The investigation is still ongoing.

The Economic Times reports that the Jammu and Kashmir Power Development Department (JKPDD) in India recently experienced a cyber-related incident that led to four servers being compromised and denial of service conditions. No information regarding the type of attack has been released at this time. The statements provided could indicate a ransomware or wiper malware attack. Several cyberattacks were also reported by ZScaler and Indian media sources as a result of clashes between India and China in Ladakh's Galwan Valley. There is no evidence to suggest that the attack against the JKPDD is related.

Researchers have revealed four new Android tools used for the surveillance of ethnic minorities in China: the tools are dubbed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. Uyghur Muslims in Xinjiang province, China, were the primary group being targeted by this campaign; Tibetans were also surveilled to a lesser extent. The four tools are connected to a mobile surveillance campaign conducted by a Chinese state-backed ‘mobile advanced persistent threat’ (mAPT) group. Activity linked to these apps has been traced back as far as 2013: this is when the campaign is believed to have started.

The US Attorney's Office of Alaska has announced that one of the operators of the Satori botnet, Kenneth Currin Schuchman, has been sentenced to 13 months in prison. This was for his role in the development of distributed denial-of-service (DDoS) botnets. The Satori botnet, and later iterations of it, caused significant damage: over 800,000 devices in total were infected. It was based on the source code for the Mirai botnet, with added features. Schuchman pleaded guilty to one count of fraud and related activity in connection with computers. Schuchman and his associates, Aaron Sterritt and Logan Shwydiuk, were all caught and charged previously.

Iran’s Atomic Energy Organization has confirmed that a fire and possible explosion took place at the country’s Natanz nuclear plant on 2 July. While further details have not yet been revealed, some officials have told Reuters that the facility may have been targeted in a cyberattack. Natanz was the location of the highly damaging Stuxnet attack launched by the US and Israel in 2010.


Data breaches, fraud, and vulnerabilities

Data Breaches

YourAnonNews has reported that Equifax Chile has allegedly been breached. The tweet claims that 10GB of internal transactions were released on the DDoSecrets website; this claim was accompanied by the tags #Anonymous and #OpChile. This data appears to comprise Equifax Chile e-invoices sent to various clients in Q3 and Q4 2019. There is 9.5GB of uncompressed data, with 115,633 files in total.

The largest bubble tea supplier in the US, Lollicupstore, has exposed over 112 million records of customer information and payment references online. These contain names, shipping information, email addresses, references to payment data, internal records, logs, emails, password tokens, IP addresses, ports, pathways, and storage information. The data also contained Magento eCommerce production logs. Security researchers sent three responsible disclosure notification emails, all of which were ignored by the organisation. The data was, however, secured.

American online learning platform, OneClass, has exposed a database containing 27GB of data – 8.9 million records, affecting over one million students. While OneClass quickly secured the database after disclosure, it claimed that the exposed server was a test instance that did not relate to any real individuals. vpnMentor, however, has disproved this. The researchers found the social media profiles of lecturers and other users on various platforms that matched the records in OneClass’s database. When disclosing this to the company, vpnMentor received no response.

A threat actor has left ransom notes on 22,900 MongoDB databases that are exposed online without a password. This constitutes around 47 per cent of all MongoDB databases currently accessible online. The attacker is using an automated script to scan for misconfigured databases and then wiping their content. A ransom note is left in its place asking for 0.015 Bitcoin (roughly USD140) for the return of the data. This campaign has been ongoing since at least April 2020.

Notable databases continue to be offered on Raid Forums. This week saw 17,000 entries from Northwestern Medicine's customer database, 980,000 entries from the trudoc24x7.com user database (a patient-doctor facilitator in partnership with the Dubai Health Authority), and databases containing user records from 68 different companies. All the vendors in these cases had solid reputations on the Forums, meaning that the provenance of the leaks is likely to be genuine.

As has been the case for the entirety of 2020, ransomware operators continue to steal data from victim companies prior to encrypting their databases and demanding a ransom. This technique has proved successful at forcing more ransom payments, as the malicious actors threaten to release data publicly if no money is received.

The operators of the Maze ransomware claimed responsibility this week for attacking and stealing data from four more companies, including an insurer in Canada. The threat actors in control of the Netwalker ransomware also claimed two more victims, one of which is a transportation service operating in Fort Worth, Texas. And the REvil (Sodinokibi) ransomware operators have finally announced the auction prices for 756GB of legal documents stolen from international entertainment and media law firm Grubman Shire Meiselas & Sacks (GSMLaw.com). GSMLaw is based in New York and represents several A-list celebrities that include Madonna, Lady Gaga, Elton John, Robert de Niro, and Nicki Minaj. Prices start at USD60,000 for an individual celebrity’s data and the full archive (750GB) has also been put up for auction with a minimum deposit of USD2,100,000, starting price of USD21,000,000, and Blitz price of USD42,000,000.

Fraud

Cyjax analysts recently uncovered an ongoing Microsoft Office 365 credential harvesting campaign targeting a number of public and private sector organisations. The messages claim that the user has a ‘New Voice Message’ and must click a 'Play Voice Message' button to hear it. Cyjax analysis revealed that over 1,100 users have entered data into the form so far. The UK government health service (NHS) and police, the Australian government, Boeing, and Oracle have all been targeted.

Researchers have uncovered a new Cerberus Android banking malware campaign masquerading as a ‘vehicle inspection service’ that distributes Trojanised Android package files (APK). The attackers have set up a fake website that is likely to be distributed as phishing and SMiShing links in malicious spam campaigns. Cerberus, Anubis, and the Ginp mobile banking Trojans are all currently focusing on Turkish users. Interestingly, the C&C server in this campaign mimics the Turkey CERT website.

A new spam campaign purports to have been sent from WordPress. The fraudulent message claims that DNS security features will soon be added to the domain owned by the target. The recipient is instructed to visit an ‘update page’ to receive this upgrade. This update page constitutes a fake WordPress login site: any credentials entered into this page are sent to the attacker. 98 other brands are also being exploited in this campaign, including Akamai and Zen Cart.

An ongoing phishing campaign is pushing Ursnif malware to users and organisations in Italy. The phishing emails masquerade as the Agenzia delle Entrate (Italian Revenue Agency), the government department that enforces taxation. Threat actors continue to take advantage of the current employment crisis caused by coronavirus. Attackers have frequently targeted social security services and other employment programs. SmokeLoader masqueraded as the Spanish Tax Agency; TrickBot began sending spam emails to Americans, masquerading as the US Department of Labour. This is a trend that is likely to continue.

A multi-stage Bitcoin fraud campaign is using text messages that claim a celebrity has an investment secret which they used to increase their wealth. A URL is provided which, if clicked, opens a site imitating a trustworthy local news source. The URL to the dubious platform also includes the target's personal information, which is used to populate fields for setting up an account. It is currently unclear how this information is obtained but the scam exposed phone numbers, names, and email addresses. Researchers identified 248,926 unique URLs, each containing a specific set of PII. There are currently six active domains featuring the same suspicious Bitcoin investment platform, but operating under different names: Crypto Cash, Bitcoin Rejoin, Bitcoin Supreme and Banking on Blockchain. Most of the victims are from the UK and Australia, with others in South Africa, the US, Singapore, Malaysia, and Spain.

Abuse.ch has shared new samples of the NanoCore RAT being delivered in malspam masquerading as the Philippine Overseas Employment Administration (POEA). The subject of the spam emails is ‘POEA MEMORANDUM’ and comes from a ‘@poea.gov.ph’ email address.

Cyjax analysts have uncovered new samples of the LokiBot Trojan masquerading as shipping documents reportedly sent from Maersk’s head office in Shanghai. The attackers use a spoofed email, ‘[email protected]’, pretending to be from ‘A.P. Moller - Maersk (Shanghai, Head Office)’. Maersk is a popular target for threat actors due to its international recognition and reach. It can be leveraged in phishing and spear-phishing campaigns as a trusted third party that often sends emails to its partners.

Vulnerabilities

F5 Networks has patched a critical vulnerability in its BIG-IP application delivery controller (ADC) which could allow a remote attacker to take complete control of the targeted system. The vulnerability, tracked as CVE-2020-5902, could result in remote code execution. BIG-IP is used by some of the world's biggest companies, including 48 firms from the Fortune 50, power cell carriers, banks, Fortune 500 companies, and governments. Threat actors soon started to launch attacks against F5 BIG-IP networking devices to steal administrator passwords from them. Exploits for CVE-2020-5902 have now been added to the Metasploit penetration testing framework and additional exploits are also now publicly available on GitHub. These latest developments elevate the severity of the threat. Clients with affected systems should patch as soon as possible.

Vulnerabilities have been discovered in the Windows drivers used in ATMs and PoS devices. Attackers could exploit these vulnerabilities to gain additional privileges, access information, and steal money or customer data. The example provided by the researchers is a flaw in a driver present on Diebold Nixdorf ATMs, but many others are believed to be at risk. Vulnerable drivers are a serious issue for many Windows-based devices, especially ATMs and PoS systems, as they run much older software and are seldom replaced. Attackers who gain access to this information can jackpot the ATM device or steal cardholder information.

The US Cybersecurity and Infrastructure Security Agency (CISA) has detailed an authentication bypass vulnerability (CVE-2020-14477) affecting Philips Ultrasound medical systems. An attacker could view or modify sensitive information from vulnerable devices. Models affected are Ultrasound ClearVue, Ultrasound CX, Ultrasound EPIQ/Affiniti, Ultrasound Sparq and Ultrasound Xperius devices.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • High severity vulnerability, tracked as CVE-2020-6463, in Google Chrome. This flaw was patched by Google in April 2020. Users are recommended to upgrade to Chrome version 81.0.4044.122 or later. There is no indication that this vulnerability has been exploited in the wild.
  • Multiple CERTs have issued a security advisory regarding a denial of service vulnerability in Apache Tomcat web servers. Successful exploitation can lead to denial of service (Apache Tomcat 10.0.0-M1~10.0.0-M5; Apache Tomcat 9.0.0.M1~9.0.35; Apache Tomcat 8.5.0 ~ 8.5.55)
  • Multiple vulnerabilities in Fortinet products. Successful exploitation can lead to privilege escalation, arbitrary code or command execution, and unauthorised access. (FortiGuard FortiOS versions 6.2.0 to 6.2.2, 6.0.9 and below; FortiGuard FortiAnalyser, FortiManager versions 6.2.0 to 6.2.3, 6.0.8 and below)
  • US CISA has issued a security advisory for high-risk vulnerabilities in Rockwell Automation FactoryTalk products.
  • Critical vulnerability in Palo Alto Networks (PAN) products. This issue has been addressed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.
  • Multiple vulnerabilities in Mitsubishi Electric Factory Automation Engineering Software products. Successful exploitation can allow a local attacker to send files outside the system, as well as cause a denial-of-service condition.
  • Multiple vulnerabilities in Delta Industrial Automation software. Successful exploitation can allow an attacker to read and modify information, execute arbitrary code, or crash the application.
  • Critical arbitrary code execution vulnerability in the FreeBSD operating system.
  • Information disclosure vulnerability in Mozilla Firefox web browsers.
  • Remote code execution vulnerability in LEADTOOLS toolkits.  


APT Activity and Malware Campaigns

APT activity

The PROMETHIUM APT (also known as StrongPity) has launched another global attack campaign, despite its operations having been exposed multiple times over the past four years. Researchers uncovered around 30 new C&C server domains that correspond to five peaks of activity. PROMETHIUM has reportedly expanded its StrongPity3 malware campaign to infect new targets across several countries including Colombia, India, Canada, and Vietnam. The initial infection vector is not known but is suspected to be watering-hole attacks. BitDefender Labs also recently analysed a similar StrongPity malware campaign targeting victims in Syria and Turkey. In these attacks, the group did use watering-hole tactics, as well as Trojanised apps, supporting the theory that they were also deployed in this latest campaign.

Threat researchers have uncovered new malicious typosquatting domains created by TA505 for its ongoing malware campaign. The domains masquerade as service providers such as Microsoft, Google, and other CDNs. The domains were recently weaponised to deliver malware and continue to leverage CAPTCHAs to prevent security researchers from easily collecting the payloads for analysis. The attacks are predominantly targeting the UK and Germany. The malware delivered includes Get2 Downloader and SDBbot RAT.

Security researchers have found new phishing lure samples which they have attributed to GazaCyberGang (also known as Molerats). The decoy document appears to be targeting the Palestinian territories: it is entitled ‘Urgent and important Hamas messages and actions’. In the past few years, GazaCyberGang has targeted Palestine in various campaigns, often using lures relating to current geopolitical tensions. GazaCyberGang is known to carry out cyber-espionage, meaning that the targets in this campaign may well be government, military or other high-ranking officials in Palestine. The group's continued focus on intelligence gathering in Palestine could indicate that it is working in the interests of a government entity in the Middle East, or another country with an interest in the region.

Malware

The Trickbot Trojan now checks a target's screen resolution to detect if it is being run on a virtual machine. If the screen resolution is found to be 800x600 or 1024x768, the malware will terminate in order to avoid analysis. These are the resolutions most often configured for malware analysis on virtual machines (VM). Abuse.ch has also discovered a new campaign which impersonates the US Department of Justice. A malicious email attachment claims to contain details of a subpoena; opening this document delivers Trickbot. This new detection evasion technique indicates that the malware is still being actively updated, with new campaigns appearing regularly. Consequently, Trickbot is likely to remain a critical threat to all organisations in the near term at least.

A new commodity remote access Trojan (RAT) has been uncovered. Dubbed Venom RAT, the malware is used to infect and control user machines for credential harvesting and other types of cybercrime. Venom RAT is currently being advertised on underground forums for USD150 and has its own Malware-as-a-Service website. Like most commodity malware, Venom RAT is built on top of pre-existing open-source malware that is simple to repackage and rebrand for quick sales. The main security issue stemming from Malware-as-a-Service platforms is that any aspiring cybercriminal can purchase access to, and deploy, the RAT at any time.

Threat researchers have uncovered a variant of the Ginp Android banking Trojan masquerading as Kaspersky security software. The attackers also hosted a typosquatting website to distribute the fake Kaspersky mobile antivirus APKs.

The Thanatos cryptomining Trojan is spreading via the BlueKeep vulnerability (CVE-2019-0708) in a number of incidents. The activity was detected after an increase in scans for vulnerable remote desktop services (RDS). The BlueKeep vulnerability affects devices running Microsoft Windows RDP (Remote Desktop Protocol) and was patched in mid-2019 by Microsoft. The first example of attackers weaponising the vulnerability came in November 2019. Unpatched products affected by the BlueKeep vulnerability include:

  • Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003, and Windows XP.
  • Windows 8 and Windows 10 and later versions are not affected

Security researcher Dinesh Devadoss has uncovered a new macOS ransomware impersonating a Google software update with zero detection ratings from all antivirus systems on VirusTotal. The malware has been dubbed OSX.EvilQuest. Ex-NSA reverse engineer, Patrick Wardle, noted that macOS ransomware is uncommon. OSX.EvilQuest's method of infection includes distribution inside well-known macOS software through popular torrent sites.

The GuLoader downloader Trojan continues to be distributed in malspam with archived attachments containing malware. It is one of the most prevalent downloaders of 2020 and frequently leverages cloud services to host its encrypted shellcode payloads. Both Google Drive and Microsoft OneDrive accounts, as well as attacker-controlled websites, are exploited by GuLoader. Organisations must remain vigilant for this threat as it is capable of bypassing corporate detection systems and delivers a wide array of malware such as RATs, infostealers, banking Trojans, and ransomware.

A Windows Point-of-Sale (PoS) malware, known as Alina, has added the ability to use the encoded Domain Name System (DNS) protocol to exfiltrate stolen credit cards to a remote server. Four domains are being used by the malware to talk to the attacker's C&C server, three of which impersonate Akamai with typosquatted domains. The use of the encoded DNS protocol to exfiltrate data would make it easier to transfer data to the threat actors without the need for web services. The introduction of these new techniques is indicative of the constant evolution of PoS malware and is highly likely to be picked up by other threat groups in the short to medium term.
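
A defender-side sketch of how DNS-based exfiltration of the kind described for Alina can surface in resolver logs, added here as an example that is not part of the original brief: it counts distinct long, high-entropy subdomain labels per client and parent domain. The log lines, the `cdn-updates.example` domain, the thresholds and all function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: (client IP, queried name). Not real traffic.
# 10.0.5.21 stands in for a PoS terminal; cdn-updates.example is a placeholder.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "k3v9x2q7m1z8p4w6t0r5y2u8b7n3c1d9.cdn-updates.example"),
    ("10.0.5.21", "9d1c3n7b8u2y5r0t6w4p8z1m7q2x9v3k.cdn-updates.example"),
    ("10.0.5.21", "t0r5y2u8b7n3c1d9k3v9x2q7m1z8p4w6.cdn-updates.example"),
    ("10.0.5.21", "m1z8p4w6k3v9x2q7b7n3c1d9t0r5y2u8.cdn-updates.example"),
    # The same encoded name queried twice still counts as one distinct label.
    ("10.0.5.21", "k3v9x2q7m1z8p4w6t0r5y2u8b7n3c1d9.cdn-updates.example"),
    # A long but legitimate hostname, resolved repeatedly by a workstation.
    ("10.0.5.30", "static-assets-eu-west-production.example.net"),
    ("10.0.5.30", "static-assets-eu-west-production.example.net"),
    ("10.0.5.30", "static-assets-eu-west-production.example.net"),
    ("10.0.5.30", "mail.example.org"),
]


def shannon_entropy(text):
    """Bits of entropy per character of a string (0 for an empty string)."""
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def split_name(qname):
    """Split a query name into (subdomain labels, parent domain).

    Assumption: the parent domain is the last two labels. Production code
    should use the Public Suffix List to handle suffixes such as co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def looks_encoded(label, min_len=20, min_entropy=3.0):
    """True for labels long and varied enough to plausibly carry encoded data."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_exfil_candidates(queries, min_distinct=3):
    """Return (client, parent domain, distinct encoded labels) worth triaging.

    A single long hostname is common and benign; many different encoded
    labels from one host under one parent domain is the exfiltration signal.
    """
    seen = defaultdict(set)
    for client, qname in queries:
        sub_labels, domain = split_name(qname)
        for label in sub_labels:
            if looks_encoded(label):
                seen[(client, domain)].add(label)
    return sorted(
        (client, domain, len(labels))
        for (client, domain), labels in seen.items()
        if len(labels) >= min_distinct
    )


if __name__ == "__main__":
    for client, domain, count in find_exfil_candidates(SAMPLE_QUERIES):
        print(f"{client} sent {count} distinct encoded labels to {domain}")
```

On PoS network segments, which normally resolve a small and stable set of names, the distinct-label threshold can be set low without generating much noise.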

Darknet

This week has seen a number of developments in the darknet market landscape. FraudBay has now officially been launched. Most darknet markets focus on drugs, whereas FraudBay is seeking to differentiate itself by focusing solely on fraud-related products.

The DeepSea, Torrez and Televend marketplaces have all been added to Dark.Fail, one of the most credible onion link providers on the darknet. Of these markets, Televend is particularly interesting because it specialises in the creation of Telegram vendor bots. These vendor bots are automated Telegram accounts which buyers can message to receive a full list of products offered by each vendor. Buyers can then select and purchase products via an automated process on Telegram. The growing popularity of Telegram vendor bots is part of a broader trend of darknet criminals moving towards instant messaging apps.

This week also saw multiple arrests as part of a law enforcement operation targeting EncroChat users. EncroChat was a company selling customisable Android devices, with a strong focus on privacy and encryption. Consequently, EncroChat’s services made it exceptionally popular among organised crime. However, law enforcement successfully compromised EncroChat several months ago and were able to gather critical intelligence by intercepting messages. Despite EncroChat informing its customers that the platform had been compromised by law enforcement, the damage had been done and numerous high-profile organised crime figures were able to be arrested across Europe. There were over 100 arrests in the UK alone.


Geopolitical Threats and Impacts

Americas

On 2 June, social media giant Twitter announced that it will replace multiple programming terms, including ‘master’, ‘slave’, ‘blacklist’ and ‘whitelist’, with more inclusive language. Examples of proposed changes include replacing ‘whitelist’ with ‘allowlist’, and ‘master/slave’ with ‘leader/follower’. The announcement follows similar moves in the past month from investment bank JPMorgan and Microsoft-owned software development platform GitHub and comes in the context of heightened corporate social awareness and activism, particularly regarding racism and other forms of discrimination. Companies, particularly those in the IT industry, should monitor updates on the changes and consider modifying their use of language.

On 1 July, the US House of Representatives unanimously approved legislation imposing sanctions on banks which do business with Chinese officials involved in cracking down on pro-democracy protesters in Hong Kong. The Hong Kong Autonomy Act will be discussed in the Senate – its passing is likely to be a formality – before almost certainly being signed into law by President Donald Trump. The new measures will increase banks’ compliance burdens and are likely to prompt commercial or diplomatic retaliation from Beijing. Banks and other financial services companies set to be impacted by the legislation should monitor legislative updates and assess the law’s likely impact on the legality of operations, and medium-to-long term strategy.

These sanctions mark the latest measures by the US to penalise China for the imposition of new national security laws on Hong Kong. On 29 June, the US government had previously announced an end to exports of defence equipment and dual-use commercial-military technologies to Hong Kong over new national security laws imposed by Beijing. The suspensions took effect immediately.

Several multinationals have announced that they will halt paid advertising on Facebook and some other social media platforms, joining calls for action to tackle hate speech on social media. On 26 June, Coca-Cola announced that it will suspend advertising on social media globally for at least 30 days, demanding ‘greater accountability and transparency’ from social media platforms. Starbucks, Unilever, Levi’s, Diageo and Pepsi Co have announced similar measures. As of 2 July, Canada’s biggest banks – Scotiabank, RBC, CIBC, BMO, and TD – also announced that they will halt paid advertising on Facebook throughout July. The companies’ decisions highlight the snowballing international impact of the #StopHateForProfit movement, a US-based campaign calling on companies to halt marketing activity on Facebook in July over the social media giant’s perceived failure to address hate speech on its platform. More than 400 companies and brands have joined the campaign or enacted their own boycott.

On 1 July, the United States-Mexico-Canada Agreement (USMCA) formally came into force. The new regional trade pact replaces NAFTA. The agreement imposes new rules on the multiple sectors reliant on tariff-free trade across the bloc’s member countries. The automotive industry is particularly affected, and the pact also has significant implications for trade in agricultural products. In turn, these changes have significant consequences for operations, investments, and strategy for companies with integrated North American supply chains, while increasing their compliance burden. To avoid immediate disruption to supply chains, automakers have until the end of 2020 to certify their operations can comply with the new rules. Companies trading across North America, particularly those with international supply chains, should ensure compliance with the new rules.

On 2 July, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) revoked sanctions on four foreign shipping companies after they committed to cease involvement in the Venezuelan oil industry while President Nicolás Maduro remains in power. Sanctions were also lifted on four tankers owned by the companies. The companies and their vessels were designated by OFAC last month for transporting Venezuelan oil in violation of US sanctions. OFAC’s swift action highlights how companies which pledge to adhere to the US measures will have sanctions lifted promptly. Foreign companies operating in Venezuela’s oil industry, particularly foreign firms lifting Venezuelan crude, should anticipate further US sanctions and assess the wide-ranging legal, financial, and reputational implications of operations in Venezuela.

Venezuelan state-owned oil giant PDVSA has abruptly rescinded the concessions of dozens of privately-operated fuel stations across the country without compensation, according to multiple press reports on 27 June. While PDVSA has not revealed why it has taken control of these fuel stations, their move is likely related to the government’s wider overhaul of the oil industry and attempts to increase state control over revenues generated by fuel sales. Private companies with interests in Venezuela’s oil industry should monitor updates and assess the impact of PDVSA’s decision on current operations and medium-to-long term strategy.

APAC

China’s national security laws became enforceable in Hong Kong on 30 June. The new laws cover four categories of offences – secession, subversion, terrorism and collusion with a foreign country or external elements that endanger national security. The maximum penalty for each crime is life imprisonment, with some undefined cases likely to be tried under China’s legal system. Further, Beijing’s law enforcement and related agencies are now permitted to operate in Hong Kong without any reference to the local police. While the new laws are in line with expectations, their imposition on the 23rd anniversary of Hong Kong’s return to Chinese sovereignty is viewed by many as signalling Beijing’s virtually full resumption of control 27 years prior to the official 2047 deadline agreed with the UK. The likelihood this will lead to the emergence of extremist groups willing to use violence to promote their cause is low. The South China Morning Post provided a link to the full English-language text of the new laws.

Taiwan on 1 July opened an office to aid people fleeing Hong Kong after China imposed a national security law on the territory. The law – which has been broadly criticised in Taiwan – penalises crimes of collusion with foreign forces, terrorism, subversion, and secession, with up to life in prison. Taiwan is also reviewing its rules in order to accommodate the movement of multinational firms’ headquarters to the island. Beijing has said that the new law would prevent Taiwan’s alleged interference in Hong Kong and has condemned Taiwan’s measures to assist those fleeing to the island. Businesses considering investment in Taiwan should factor these developments into their strategic planning.

On 1 July, China’s foreign ministry notified Associated Press, National Public Radio, CBS and United Press International that they had seven days to provide details on their staff members, finances, and property holdings in China. This follows the US government’s decision in June to declare four major Chinese state- or communist party-owned media outlets – China Central Television, China News Service, People’s Daily and Global Times – de facto foreign missions. While this move may accelerate the continuing escalation of measures and counter-measures between Beijing and a growing number of foreign powers and blocs, its impact is likely to be negligible as the US news organisations will have assumed their operations and personnel are well known to the Chinese authorities. Companies operating in China should update their contingency plans regarding the security of staff and commercially sensitive data in order to identify any vulnerabilities that may be compromised in the event details of corporate activities are demanded by the authorities.

On 29 June, Beijing had threatened visa restrictions on US citizens who had ‘behaved egregiously’ over Hong Kong. The announcement was made two days before Chinese lawmakers’ expected approval of a national security law for the territory that includes punitive measures for subversion and other violations (see above).

Indian authorities on 29 June banned 59 Chinese apps, most of them from Chinese firms, accusing the programs of threatening India’s security and sovereignty. The blacklisted apps include social media app WeChat, UC Browser developed by e-commerce company Alibaba, and ByteDance’s video-sharing platform TikTok. The ban is effective on all devices with internet access. Ministry of Information officials said they had received a number of reports alleging that some apps were ‘stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India.’ The move is likely in response to recent border clashes between India and China in the disputed Aksai Chin-Ladakh region. The ban also follows calls for boycotts of Chinese products and anti-Chinese protests across the country. Businesses with interests in India should factor increased regulatory scrutiny and further potential measures targeting Chinese businesses into their strategic planning.

Europe

China said on 2 July it would take ‘corresponding measures’ after the UK Prime Minister pledged to fulfil a promise to offer around 3 million Hong Kong residents, who have British National (Overseas) status (BNO), the right to settle in the UK. The UK move was prompted by the adoption of a new national security law for Hong Kong on 30 June; nearly 400 people were arrested in the former British colony during protests against the law. China’s ambassador to the UK, Liu Xiaoming, said the move would be a violation of bilateral agreements and called UK criticism of the national security law ‘irresponsible and unwarranted’. The UK’s decision is aimed at sending a strong message emphasizing its opposition to the new security law and showing solidarity with supporters of the pro-democracy movement. As we pointed out on 29 May, the change in status for BNO passport holders could be limited as it does not appear to apply to young Hong Kong residents, the instrumental group behind the pro-democracy protests. Ultimately, it underlines the limited set of options London has to pressure Beijing into reversing its action and easing efforts to tighten control over Hong Kong. China will interpret the move as interference in its domestic affairs and will likely retaliate. Government entities could also seek to make it more difficult for UK firms to establish a presence or operate in the country.

On 29 June, the EU extended economic sanctions against Russia until 31 January 2021 over lack of progress in implementing a peace agreement with Ukraine. The economic measures target financial, energy, and defence sectors in Russia, while goods that could be used for civilian and military purposes are also included. The decision effectively limits the access Russian banks and firms have to EU capital markets. For Russia-based energy firms, access to ‘sensitive’ technology that can be used in oil production is limited as well. With the sanctions remaining in place, firms with commercial interests in Russia will continue to face a heightened compliance burden. Companies with operations in Russia should factor the extension of the sanctions into internal compliance programs.

Zurich-based reinsurance company Swiss Re called on firms to produce ‘cyber resilience’ reports for customers, suppliers, and investors, outlining their preparedness against potential attacks. Information included in reports could include summaries of cyber incidents, how cyber security is governed internally, and an outline of what protective measures are in place. An increasingly challenging cyber security landscape will translate into more investor pressure for firms to adopt new requirements. This may help firms leverage industry best practice and take concrete moves to strengthen cyber defences. Companies should monitor industry responses to calls for cyber resilience reporting and factor this into strategic planning.

MENA and Central Asia

A spokesman for the Atomic Energy Organization of Iran (AEOI) confirmed on 2 July that an incident took place at Iran’s Natanz nuclear enrichment facility, located some 250km south of the capital Tehran. Local officials have described the incident, which affected an industrial shed that was under construction, as a ‘fire’. There were no fatalities or reports of contamination. A previously unknown group calling itself the ‘Homeland Cheetahs’ claimed responsibility. The self-declared dissident group said its members were part of an underground opposition within Iran's military and security apparatus. This is the third suspicious incident in Iran in a week. On 26 June, a large explosion occurred near the Parchin military complex 20km east of Tehran. While Iran claimed it was a gas tank explosion, there has been speculation the incident was caused by an Israeli cyberattack. On 30 June, a gas explosion at a private medical clinic killed 19 people.

Natanz is Iran's largest uranium enrichment facility. The building that was damaged is working on advanced centrifuges that allow for more rapid uranium enrichment. While Iran has insisted its operations are for civilian purposes, the US is concerned Tehran is trying to develop nuclear weapons. Given the strategic importance of the site, there is a high likelihood that an act of sabotage took place rather than an industrial incident and that it was supported by a foreign backer with the aim of setting back Iran’s ambitions. Security managers should monitor the situation for updates, while staff should take measures to avoid the area for the next 24 to 48 hours until the situation has stabilised.

Israel’s regional cooperation manager, Ofir Akunis, confirmed that annexation plans scheduled to be officially announced by Prime Minister Benjamin Netanyahu on 2 July were now delayed until later this month. Israel intends to annex areas across the West Bank, declaring sovereignty over parts of the territory. The confirmation follows growing speculation that postponement was likely. The move to declare sovereignty over the territory has been met with international condemnation that has significantly accelerated in the lead-up to the annexation deadline. This has likely served to delay the willingness of US President Donald Trump’s administration to officially commit itself to the annexation plans. Israel will heavily rely on coordination with the US to implement the process and protect its actions against charges of violating international law. On 2 July, the UK Prime Minister, Boris Johnson, stated his opposition to the annexation in an article published in a mass market Israeli newspaper, Yedioth Ahronoth. The move from a world leader who has previously been closely allied to both Trump and Netanyahu underlines the increasingly hostile environment toward the annexation plan.

On 29 June, Iran issued an arrest warrant for US President Donald Trump and 35 others whom Tehran accuses of helping to orchestrate the US drone strike that killed a top Iranian general in Baghdad in January. Tehran prosecutor Ali Alqasimehr said those sought face ‘murder and terrorism’ charges. Only Trump was identified by name, however. Iran asked for help from Interpol, the worldwide police co-operation organisation, requesting the body put out a notification for the warrant to be internationally enforced. The latter said it would not consider Iran’s request, saying its guidelines for notices forbid it from ‘any intervention or activities of a political nature’. Alqasimehr said Iran would continue to pursue Trump’s prosecution even after his presidency ends. The request underscores the ongoing tensions between Iran and the US that have been steadily growing since the US pulled out of the 2015 Iran nuclear deal in May 2018.

The immediate impact of the warrant will be most profoundly felt in Iraq. Tehran probably intends the warrant to act as propaganda and project power, likely with the aim of encouraging more attacks against US interests in Iraq. This is especially probable as Iraq’s newly appointed Prime Minister, Mustafa Al-Kadhimi, is expected to visit Washington in July for the second round of talks on the gradual withdrawal of US troops; Shiite militias backed by Iran are almost certain to continue to stage rocket attacks against US military and diplomatic interests to push for an accelerated withdrawal.

Libyan Interior Minister Fathi Bashagha on 27 June denounced the presence of foreign mercenaries in the El Sharara oilfield, located in the southwestern Wadi Al-Hayaa district. According to Libya's National Oil Corporation (NOC), which is based in the capital Tripoli, the seat of the internationally recognised Government of National Accord (GNA), mercenaries from the Russian Wagner Group and the Sudanese Rapid Support Forces militia forcibly entered the oilfield. The groups are thought to be trying to prevent the resumption of oil production after a months-long blockade by forces loyal to General Khalifa Haftar and his eastern-based Libyan National Army (LNA). Oilfields and export facilities are mostly located in Libya’s east, which is controlled by the LNA. An international agreement says that oil can only be exported by the NOC, with payments going to the Central Bank of Libya, located in Tripoli. However, the distribution of oil revenue has been an issue, with Haftar’s eastern faction accusing the Central Bank of failing to hand over its fair share. A heightened security presence is expected in the area over the coming one- to two-week period, and clashes between rival forces are highly probable.

Sub-Saharan Africa

Anti-corruption advocacy groups Global Witness and Platform to Protect Whistleblowers in Africa (PPLAAF) on 1 July alleged in a new report that Israeli mining magnate Dan Gertler has evaded US sanctions through a complex money-laundering network of front companies and individuals, including allies of former president Joseph Kabila and the state-owned mining company Générale des Carrières et des Mines (Gécamines). While ERG, Sicomines, and Glencore have all denied doing business with Gertler, the latter company confirmed on 19 June it was under criminal investigation by the Office of the Attorney General of Switzerland on suspicion it failed to prevent alleged corruption in the DR Congo (DRC). The allegations, if confirmed, are in line with our corruption risk score for the DRC. The publication is likely to prompt further scrutiny and potential formal investigations in several jurisdictions where the allegedly implicated parties are based. In turn, this may lead to an expanding sanctions regime and a suspension of correspondent banking relationships with some of the named organisations. Compliance officers of companies involved in international value chains which may have been compromised should study the new report, conduct internal investigations, and self-report any potential impropriety to the relevant authorities.

The Gabon foreign ministry on 1 July reportedly instructed diplomatic missions to deny EU citizens tourist and business visas. This is in response to the EU’s ban the previous day on inward travel for most non-EU Schengen area nationals, including those of the US, amid the COVID-19 pandemic. Algeria, Morocco, Rwanda, and Tunisia are currently the only African countries whose citizens are allowed to travel to the EU. Gabon’s move is likely to be replicated by other African countries, raising the travel risk to nationals of EU countries over the coming month at least. Travel managers should increase their monitoring of similar announcements and anticipate a greater risk of travel disruption as countries across the region try to resume international flights over the coming two months. Against this backdrop, we are raising Gabon’s Aviation risk outlook from Positive to Negative.

According to Jeune Afrique, Benin authorities foiled a coup d’état which took place overnight on 25-26 June and arrested over a dozen soldiers, including Colonel Montan Kérékou, who is the son of former president Mathieu Kérékou. This is the second coup attempt which authorities have reportedly foiled this year. In March, Jeune Afrique reported that about 20 soldiers had been arrested. While the reports of the latest coup cannot be independently verified, the alleged attempts come ahead of planned presidential elections in February 2021. The incidents come against the backdrop of growing opposition toward President Patrice Talon, with critics accusing him of an authoritarian turn through legislative changes and the arrest of opposition activists, including former president Thomas Boni Yayi, in a bid to limit the opposition. Security managers of staff and assets in the country should anticipate an increased security presence in major cities over the coming week and a growing risk of violent unrest, particularly in opposition strongholds such as the central town of Tchaourou and the Cadjehoun area in the commercial hub Cotonou.

South Africa-headquartered petrochemicals group Sasol has hired South African financial services group Nedbank and global accounting group Deloitte to sell two major assets in Mozambique, according to Reuters news wire on 26 June. The first is a 50 per cent stake in Republic of Mozambique Pipeline Company; the second is a 49 per cent stake in the Central Termica de Ressano Garcia geothermal power plant. The reports come after the company on 18 June announced a restructuring of its operations to save costs. However, the Mozambican assets were not included in the initial announcement. The omission may indeed give rise to speculation about the company’s financial health as it tries to reduce debt obligations and avoid a rights issue worth up to USD2 billion.