Geopolitical and Cybersecurity Risk Weekly Brief 8 June 2020

6 JUNE 2020

COVID-19 Cybersecurity Update

A recent interview with a member of the US Cybersecurity and Infrastructure Security Agency (CISA) revealed that state-sponsored groups have focused on exploiting COVID-19 fears to deliver malware and steal data. Before the lockdown, aviation was the main priority for CISA, but healthcare and the supply chain for food are now facing the greatest cyber risks. The main threats CISA has been monitoring include destructive ransomware attacks against hospitals and information-gathering spear-phishing attacks targeting vaccine research institutions - the latter mainly coming from Chinese APT actors.

Throughout the coronavirus pandemic, threat actors have been leveraging SMS phishing attacks using COVID-19 as bait. These campaigns preyed on people's fears of the virus and potential financial hardship. The latest notifications impersonated Scotiabank, TD Bank, and the UK government, offering COVID-19 benefits, an update on the bank situation, and informing the recipient of a payment of GBP458 to help with financial difficulties brought about by the pandemic.

CISO Mag reports that coronavirus-themed malware and ransomware have increased in volume recently. Dharma ransomware (also known as CrySis) has been delivered in spam emails as an attachment called ‘1covid.exe’. Other prominent RaaS services such as Maze, REvil, and NetWalker have also taken full advantage of the pandemic to lure targets into clicking links to COVID-19 related content.

Other malware exploiting the pandemic includes CoronaLock ransomware, which displays a biohazard image with a contact email address for the data recovery process; an Android banking Trojan targeting Malaysia with COVID-19 lockdown-themed lures; and new samples of GuLoader Trojan found in COVID-19-themed emails, masquerading as the Institute of Health of Serbia (Institut za zdravstvo Srbije).


Attacks and cybersecurity news

#JusticeForGeorgeFloyd

The killing of George Floyd by a Minneapolis police officer has sparked protests around the world. Cyber threat actors and hacktivists have also rallied around this cause. Early last week, the notorious – and nebulous – threat group Anonymous announced operation #JusticeForGeorgeFloyd (also referred to as #OpGeorgeFloyd), which is intended to target law enforcement and related officials. Alongside an initiation video, the claim was made that Anonymous had already attacked the Minneapolis Police Department (MPD) website. Other Twitter users stated that the group had returned after three years to "shut down minneapolis pd’s website and expose donald trump for engaging in child sex trafficking and ordering the hit on jeffrey epstein". A large batch of email addresses and passwords supposedly belonging to the Minneapolis police were then ‘leaked’ by Anonymous. These were found to be a collection of previously leaked and widely available credentials and were unlikely to be associated with the MPD.

Despite the debatable claims of an Anonymous return, other threat actors have carried out attacks in support of this cause. One of the most prominent has been NamaTikure who, over the course of the last seven days, has reported DDoS attacks against the city of Minneapolis website, the Minnesota government and state portal, the Buffalo, New York government website, the Minnesota Bank & Trust (mnbankandtrust.com) and United Minnesota Bank in support of #OpGeorgeFloyd. He is also distributing a DDoS tool to encourage others to get involved in #OpMinneapolis.

The US Department of Labor, the University of Washington, and the official website of Sara Winter, a Brazilian politician, were also targeted in DDoS attacks in support of #OpGeorgeFloyd.

Threat actors have attempted to silence anti-racist organisations following the killing of George Floyd. Cloudflare detected a significant uptick in numbers of DDoS attacks targeting the websites of organisations whose role is to spread awareness and fight prejudice. In May, attacks on government, police and emergency services websites increased 1.8-fold; attacks on military websites saw a near four times increase. Advocacy groups, however, were by far the most targeted, with attacks increasing 1,120 times.


Other attacks and cybersecurity news

An internal report drafted by the European Council’s security committee has claimed most cyber-espionage operations targeting top EU institutions are state-sponsored. The report states that “the majority of discovered, successful compromises of information in the GSC are from threat source level Very High”. While the report does not cite specific examples, it does claim the most common intrusion method is phishing emails. Aside from the risk posed by foreign espionage operations, it is noteworthy that this report also acknowledges the significant risk from a potential insider. Targeting insiders who have privileged information or access is a staple of both cybercrime and more conventional espionage operations. 

Kent County Council (KCC) released a statement that foreign threat actors had successfully attacked Kent Commercial Services (KCS), wholly owned by KCC. Kent-based Commercial Services Group's (CSG) IT systems suffered a major failure on 2 April. The threat actors reportedly circumvented “3 levels of professional IT security” and managed to infect all of KCS’ systems. KCC is working with the Kent Police Cyber Crime Unit and the Eastern Regional Special Operations Unit (ERSOU) on the incident. The NCSC and ICO were informed at the time of the breach.

The operators of the Sekhmet ransomware have claimed responsibility for attacking and stealing data from Excis, a UK company which provides outsourcing to enterprise and medium-sized businesses. The group also claims that data from the company's clients, such as Mylan, Nissan, Philips, Mondelez, Fujitsu, and Avon, was compromised in this attack. Passwords for the leaked archive files were released by the group, indicating that Excis refused to pay the ransom.

Sky News has reported that some of the files stolen in a Maze ransomware attack on Westech International are likely to contain classified military information from Northrop Grumman, a US defence contractor which provides engineering and maintenance support for the Minuteman III intercontinental ballistic missiles. The files currently leaked include payroll information and emails, and could also contain sensitive correspondence. Westech confirmed the breach.

Threat actors have taken control of the local domain registrar for Japanese cryptocurrency exchange, Coincheck. They have also hijacked one of its domain names. Using this, the attackers subsequently contacted some of the exchange's customers. Around 200 customers are thought to have engaged with the attackers believing this was legitimate correspondence. While there is currently no evidence that this information has been used by the attackers, these details can be used later to log into accounts and steal funds.


Data breaches, fraud, and vulnerabilities

Data Breaches

The operators of the Maze ransomware are now teaming up with other ransomware operators to form a "cartel of ransomware operations to share resources and extort their victims." The group added files from numerous companies to its data leak site this week, including two management consulting companies, a US energy company, a Hong Kong-based sports retailer, a South American transport organisation, and Smith Group, a US architectural firm. The latter leak was different from other Maze leaks, however, as the victim had actually been attacked by the operators of the LockBit ransomware. Based on past success, this new collaborative technique may become a popular tactic adopted by other ransomware groups as well.

Sodinokibi added a new "Auction" feature to their leaks site, where other people can bid on data within a certain time frame. They have also included a "blitz price" which allows users to buy the dataset outright without having to bid. The operators of the ransomware claimed responsibility for attacking and leaking data from a UK high street fashion chain, a US law firm, and a South African ICT provider, among others.

Both the Netwalker and DoppelPaymer ransomware groups also continued releasing data from victims. The former hit three US universities in the last week, with one, Columbia College of Chicago, having now paid the ransom to retrieve its data. DoppelPaymer was used to steal data from Digital Management, an American IT and cybersecurity service provider, and one of NASA's IT contractors. This organisation is used by several Fortune 100 companies and government agencies, as well as NASA.

The French Civic Services (Agence du Service Civique) exposed a 5GB database containing the details of 1.4 million users, including personally identifiable information (PII) of 19 to 25-year-old volunteers. No malicious intrusions were detected on the database.

The San Francisco Employees’ Retirement System (SFERS) announced a data breach in which a database containing around 74,000 members' information was accessed. The data is believed to date from 2018 and before.

Millions of financial records connected to India’s mobile payment app, Bharat Interface for Money (BHIM), are believed to have been exposed due to a marketing campaign that aimed to sign up users and business merchants to the app from communities across India. The number of records in the breach is estimated at 7.26 million.

Fraud

Microsoft Office 365 customers are being targeted in a phishing campaign. These emails purport to be from the recipient's employer's IT department telling them that the VPN configuration they are using while working from home needs to be updated. The phish spoofs the sender's email address. To date, 15,000 such emails have been observed in the wild.

New malware samples are being distributed from a sender masquerading as PricewaterhouseCoopers (PwC) - specifically as the multinational firm’s Bangladesh headquarters. A Word document attached to the email contains the MassLogger malware which aims to compromise the target system and log keystrokes from the user’s account.

A new report has highlighted the increase in phishing attacks targeting smartphones. There was a 37% increase in mobile phishing attacks worldwide between the last 3 months of 2019 and the first few months of 2020. In many cases, these attacks are designed to obtain an individual’s credentials for their employee accounts, so the attackers can then gain access to corporate networks.

Vulnerabilities

A proof-of-concept (PoC) for a wormable remote code execution (RCE) vulnerability in SMBv3.1.1, also known as SMBGhost, has been released. If a vulnerable Windows client or server is successfully exploited, it can lead to a remote and unauthenticated attacker executing arbitrary code. It is nearly three months since the disclosure of SMBGhost. According to Tencent’s monitoring, nearly one-third of affected systems worldwide have still not patched the vulnerability. It is a serious security risk that impacts government agencies, enterprises, and personal computers.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule.

  • High-risk vulnerability disclosed in IBM’s threat intelligence platform, QRadar.
  • Multiple security warnings regarding various vulnerabilities in ABB industrial control system products.
  • SAP has released patches for multiple vulnerabilities in its Adaptive Server Enterprise (ASE) product for Windows and Linux-based devices.
  • Two remote code execution (RCE) vulnerabilities in the Zoom video-conferencing application. These will have been updated on restart.
  • Cisco has patched a high severity vulnerability in its NX-OS software, the network operating system used by its Nexus-series Ethernet switches.
  • Multiple security issues found in various VMware products.
  • Unpatched 0day vulnerabilities for Cayin and Secure Computer products.


APT Activity and Malware Campaigns

APT activity

Two separate phishing campaigns have been observed targeting the campaign staff of the US 2020 presidential candidates Donald Trump and Joe Biden. A Chinese threat group, APT31 (also known as Zirconium), targeted Biden's campaign staff and an Iranian group, APT35 (also known as CharmingKitten), was targeting Trump staffers. Google has warned those working on campaigns in this election cycle that their personal accounts may have been targeted by these malicious actors. Specific details about the attacks have not been disclosed.

A new TA505 campaign uses ‘-downloads’ domains to push GraceWire malware. Interestingly, it was found that the email address used to register the attacker’s C&C domains had previously been used to register a large number of Office 365 phishing domains. TA505 is a Russian-speaking threat group that has targeted the financial, retail, and hospitality sectors since at least 2014. It has remained active throughout 2020.

Chinese threat group MustangPanda has been using DLL side-loading techniques with legitimate binaries to install the PlugX Trojan. MustangPanda is a cyber-espionage group, known to target organisations using politically themed lures. The group has recently exploited the ongoing coronavirus pandemic to deliver malware.

Sandworm, a Russian malware, is using two other vulnerabilities affecting unpatched Exim servers in its attacks: CVE-2019-15846 and CVE-2019-16928. There are over 900,000 servers still vulnerable to these Exim flaws. There is currently no indication of the target other than that it may have been in Ukraine and Bulgaria. The large number of Google, Twitter, and Facebook subdomains suggests that the activity involves spoofing these services.

Kimsuky has been observed attacking South Korea in a new malspam campaign that used a variety of malicious attachments. North Korean threat actors, such as Kimsuky and Lazarus, have recently launched a spear-phishing campaign leveraging lure documents from several defence sector firms such as BAE Systems and Boeing. Both groups are targeting the defence sector worldwide. Firms in Israel, the US and UK, Russia, Turkey, India, South Korea, Ukraine, and Slovakia have all been referenced in spear-phishing attacks.

A new Lazarus campaign is targeting cryptocurrency traders with fake virtual currency exchanges to deliver malware. Further investigation by Cyjax analysts found that the samples share similarities with the NukeSPED RAT. This malware delivered the wiper used in the Lazarus attacks against Sony Pictures Entertainment in 2014.

Malware

Cyjax recently discovered that the threat actors behind the LockBit ransomware are seeking to expand their operations. The threat actors behind the malware have been announced as the sponsor of a competition on a popular Russian hacking forum. These competitions require users to write ‘articles’ showcasing their skills on relevant topics. While there is a cash prize for the winning articles, these competitions serve a more nefarious purpose by giving users a chance to pitch themselves to the cybercriminal sponsors. In December 2019, the operators of REvil hosted a similar operation, with the winners later being invited to join their team.

The IcedID banking Trojan is now using a steganography downloader to evade detection by security products. The malware usually only targets US banks but its target list has now evolved to encompass additional sectors including telecoms and retail. IcedID is now targeting Amazon, American Express, AT&T, Bank of America, Capital One, Chase, eBay, Halifax UK, JP Morgan, Lloyds Bank, PNC, RBC, T-Mobile, US Bank, Verizon Wireless, and Wells Fargo, among others.

A new Metamorfo banking Trojan campaign is using legitimate software components and trusted applications to run malware and compromise computers. Metamorfo has exploited software components from legitimate and respected manufacturers such as Avira, AVG and Avast, Daemon Tools, Steam, and NVIDIA.

Two apps containing the Joker Dropper malware were recently uploaded to the Google Play Store. The apps, ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined. Various other apps, also available through the Play Store, were found by Cyjax researchers.

The operators of eCh0raix ransomware have launched a new campaign targeting users of QNAP storage devices. Access is gained to the target QNAP devices either via known vulnerabilities or by brute-forcing weak passwords. In August 2019, a free decryptor for this ransomware was released. Since then, however, the developers have fixed the flaws in the code, and the decryptor no longer works with newer versions of the ransomware.

A new campaign is using an aggressive brute-forcing tool, known as Stealthworker, to create a botnet which then targets popular web services and platforms. This version of the malware targets cPanel/WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP. These types of attack are easily preventable: if users choose unique credentials, attackers would not be able to brute-force the password.

Darknet

The operators behind Cerberus have announced that they were “leaving in private”, and that the Trojan would no longer be publicly available to purchase. This announcement comes only weeks after Cerberus v2 was made fully available to purchase. While no reason was provided, the Cerberus operators have had difficulties with affiliates in recent weeks, including one who threatened to provide cybersecurity researchers with access to Cerberus v2. It is important to note that Cerberus is still continuing operations, with the operators simply limiting the number of affiliates. Therefore, Cerberus will likely continue to be a prominent threat.

This week also saw the launch of a new ransomware-as-a-service (RaaS) known as Avaddon. The operators made multiple posts advertising their service on well-known darknet Russian hacking forums. Cyjax has managed to locate the victim panel hosted on the darknet, which includes multiple language options and a Bitcoin address for the ransom. We are not currently aware of any publicly disclosed incidents involving this ransomware.


Geopolitical Threats and Impacts

Americas

Peaceful demonstrations linked to the ‘Black Lives Matter’ movement continued in major cities including Washington, DC, New York, and Los Angeles on 7 June. In Seattle, however, at least one person was injured when a man drove a car into anti-racism protesters before shooting and injuring one demonstrator. The perpetrator has been taken into police custody. Similar protests are likely in the coming days. While most marches are likely to remain peaceful, there is an elevated risk of localised fighting between hard-line activists and police. The risk of violence is likely to grow closer to the evening, when curfews across the country come into effect, but protesters have defied them over the past few days. It is possible other local government officials will follow suit over the coming week as officials take sides against President Donald Trump in a sign of growing division among local, state, and federal government officials on how to respond to the unrest.

The US Department of Transportation (DOT) granted final approval on 3 June to 15 US airlines to halt services to 75 domestic airports amid declining demand for passenger travel during the novel coronavirus (COVID-19) pandemic. Major carriers halting routes include Delta, United, Allegiant Air, and JetBlue. The DOT said that all of the impacted airports would continue to be served by at least one airline. While the announcement will allow US airlines to reduce their operational costs amid collapsed demand for commercial air travel, the decision is set to significantly hamper transport to and from many of the destinations impacted. These include Flint, Michigan; Chattanooga, Tennessee; and Bangor, Maine. Companies whose staff regularly use regional airports should anticipate reduced flight availability and assess the impact on staff mobility and operations.

Chinese state-owned firms bought at least three cargoes of US soybeans, despite the Chinese government reportedly instructing its state-owned businesses to halt large purchases of US soybeans, pork, corn, and cotton. Private Chinese importers, however, have not received a similar order to halt purchases. The purchases on 1 June were approximately five times smaller than recent purchases, indicating that state-owned firms will continue to buy US produce on a small scale despite this new order. Beijing’s instruction shortly followed the US government’s decision to begin eliminating Hong Kong’s trade privileges over new national security legislation it says erodes the territory’s autonomy. Potential beneficiaries from the Sino-US trade dispute are other major soybean and meat exporters, such as Argentina and Brazil.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on four shipping companies and vessels for transporting oil from Venezuela. The US’s measures build on a raft of previous sanctions imposed by Washington on the Venezuelan oil industry and officials in the government of President Nicolás Maduro in the past 18 months. While these have contributed to the worsening performance of state-owned oil company PDVSA, Washington’s actions have failed to remove Maduro or significantly alter the country’s internal political deadlock. Companies with interests in Venezuela’s oil sector should anticipate further US sanctions in the short-to-medium term. In a separate development this week, export data revealed that Venezuelan oil exports fell to 451,935 barrels per day (bpd) in May, a 17-year low.

Bolivia’s supreme electoral tribunal (TSE) announced on 2 June that the general election delayed by COVID-19 will be rescheduled for 6 September, pending parliamentary approval. Providing September’s poll is not further delayed by the evolving COVID-19 pandemic, there is a high likelihood that the presidential election will become a two-way contest between leftist Evo Morales’s MAS party, and a moderate or centre-right unity candidate – potentially interim president Jeanine Añez. Companies with staff and assets in Bolivia should anticipate another closely fought presidential race and plan for the potential for a repeat of violent unrest in its aftermath.

APAC

Thousands of people attended a banned vigil in Hong Kong island’s Victoria Park on 4 June to mark the 31st anniversary of the Chinese government’s actions to clear activists from Beijing’s Tiananmen Square. The police, who had earlier warned they would prevent the gathering on health grounds, did not intervene except in a few isolated cases and the event was peaceful apart from a brief confrontation in Kowloon’s Mong Kok district. The forbearance of the police likely reflected a political decision not to create imagery that would undermine China’s use of unrest in the US in its political narrative rather than indicating any acceptance of the vigil. The rally came hours after the territory’s local legislative assembly passed a bill into law criminalising actions deemed to insult China’s national anthem. A series of other laws imposed by Beijing that will define the penalties for security-related offences involving sedition, subversion, treason, and foreign interference are expected to be enacted by mid-August. It is now likely that further protests attracting small numbers of activists will occur in the coming weeks to mark anniversaries on 12 June and 22 June of key events linked to last year’s demonstrations. Such events have the potential for violent confrontations between the police and activists, and foreign companies and their staff should be aware of this threat.

India’s Home Ministry announced on 3 June that foreign businesspeople, engineers, and healthcare professionals can re-enter the country, provided that they receive new visas or their existing ones are re-validated at an overseas diplomatic mission, and that they enter the country on chartered flights. India suspended most visas in March in an effort to contain the transmission of COVID-19. While this is unlikely to prompt the immediate return of many foreign visitors – particularly as regular commercial flights to and from the country remain prohibited – this does mark the first step in the gradual resumption of international travel between India and the rest of the world.

More than 10,000 workers are reported to have staged a five-day strike at a Taiwan-owned shoe factory to the north of Ho Chi Minh City, Vietnam. The unrest, which has now ended, at a plant that makes footwear for adidas, was apparently triggered by the company warning in late May that a lack of orders resulting from the coronavirus pandemic meant it would close the factory on 1 June and pay the workers’ wages until the end of the month. According to workers interviewed by the media, other companies had pledged to support their employees until orders resumed, which is unlikely until August at the earliest.

This dispute is indicative of how the COVID-19 pandemic can create potentially dangerous and lasting friction for foreign companies operating in low-cost countries. Vietnam may be an exception due to the willingness of some of its workers to defy the authorities and risk detention, as they have shown in the past. Nevertheless, foreign companies either with operations in such countries or who source products from them should be aware of the potential reputational harm that can be done to a brand through a failure to support employees in often difficult times and under potentially hazardous conditions.

Europe

Tens of thousands of protesters gathered in central London on 7 June for a second consecutive day of ‘Black Lives Matter’ protests in commemoration of George Floyd and to denounce abuses by police.

In an opinion article for the South China Morning Post published on 3 June, UK Prime Minister Boris Johnson said that if China moves ahead with imposing a national security law on Hong Kong, the UK will respond by changing its immigration rules. Johnson said the law threatens to ‘curtail [Hong Kong’s] freedoms and dramatically erode its autonomy’. Under the changes, the UK will allow British National (Overseas) – (BNO) passport holders, issued for some Hong Kong residents, to remain in the country ‘for extendable periods of 12 months’. Around 350,000 people in the former UK colony hold a BNO, while an estimated 2.5 million are eligible to apply. As we indicated on 29 May, such a move by the UK will dramatically escalate bilateral tensions. Worsening diplomatic relations, accompanied by potentially aggressive rhetoric may fuel greater antipathy against UK commercial interests and trigger consumer boycotts of well-known British brands in mainland China.

The European Commission (EC) has proposed increasing scrutiny on foreign investments in member states to cover proposed projects in satellite communications, nuclear energy, and defence. The legal act will be adopted unless EU governments block it by 15 June. From 11 October, upon announcing foreign takeovers, EU states will need to share details with the EC in areas such as media, transport, and communications. Reviews will be expanded if the new proposal is adopted. The new proposal reflects growing anxiety among EU policymakers that firms owned by or with close links to the Chinese government will seek to acquire companies in sensitive sectors and obtain valuable intellectual property amid the coronavirus (COVID-19) crisis. Several EU governments have sought to enhance their powers and lowered thresholds to trigger wider scrutiny of proposed acquisitions relating to domestic firms. This includes France, Germany, and Poland. More political and regulatory scrutiny will likely complicate efforts by companies seeking investors and attracting capital investment from non-EU entities.

Czech Prime Minister Andrej Babiš said his country will re-open its borders with Austria and Germany, while also allowing travel to and from Hungary. The border with Slovakia was opened on 4 June and unrestricted entry from over 20 European states will be allowed from 15 June. Arrivals from countries with high coronavirus (COVID-19) infection rates will be required to provide negative tests or undergo quarantines. Meanwhile, in an attempt to revive its economy, Italy also opened its borders to international visitors on 3 June. But neighbouring countries have not reciprocated despite signs that the country’s outbreak is under control. For instance, Austria has re-opened its borders with Germany, Liechtenstein, Switzerland, Slovakia, and Slovenia but retains controls with Italy.

While developments this week indicate that cross-border mobility will improve, the return of travel to pre-crisis levels is still a long way ahead. The uneven re-opening of borders also creates scope for political and diplomatic tensions. Managers responsible for staff travel should assess whether host destinations have any specific conditions for travel and ensure travellers comply with relevant requirements.

Belarusian President Aleksandr Lukashenko has pledged to prevent widespread unrest similar to Ukraine’s 2013-2014 Euromaidan protests ahead of a presidential election on 9 August. This comes as prominent opposition figure Nikolai Statkevich was arrested on 1 June and handed a 15-day prison term for participating in a protest a day earlier in Minsk. In May, Lukashenko confirmed that the election would take place as planned despite the coronavirus (COVID-19) outbreak. The upcoming election is one of the most unpredictable in Belarus’ modern history. Recent protests underscore simmering public anger that has grown since the 29 May arrest of Sergei Tsikhanovski, a popular blogger who is critical of the authorities. The situation has become accentuated by a widespread COVID-19 outbreak. Political tensions will continue to grow ahead of the August election and further protests are highly likely.

The outgoing Kosovan government, led by Albin Kurti, has set new conditions for imported goods from Serbia, prompting criticism from Belgrade which considers them unacceptable. On 31 March, the reciprocal trade measures replaced the 100 per cent tax imposed on Serbian goods in November 2018. The move clearly undermines efforts to improve bilateral relations, which have been further complicated by political instability in Kosovo. The incoming prime minister has indicated that recent government decisions will be reversed under his administration. Logistics operators should ensure compliance with the new measures to ensure a reasonable level of business continuity. Regularly monitor government announcements for any new developments that may impact cross-border trade.

The Spanish government is to sue 17 airlines for failing to inform customers about their right to refunds for flights cancelled due to the coronavirus (COVID-19) pandemic. Firms named in the lawsuit include Air France, EasyJet, Eurowings, Iberia, Jet 2, KLM, Latam Airlines, Lufthansa, Ryanair, Scandinavian Airlines, and United Airlines. The legal action against a considerable number of airlines carries both reputational and financial implications. The widespread impact of COVID-19 on air travel has meant that airlines are struggling to offer refunds promptly, with many offering vouchers instead. The UK’s Civil Aviation Authority is also reviewing how firms are handling the refund issue. Further legal action by consumer protection bodies in other European countries is highly likely, adding further pressure on the aviation industry.

MENA and Central Asia

According to a report in The Times of Israel on 3 June, the US administration is ‘highly unlikely’ to back the Israeli plan to unilaterally annex parts of the West Bank by 1 July, as promised by Prime Minister Benjamin Netanyahu. The White House said the joint US-Israel mapping committee must conclude its work determining which parts of the region would fall under Israeli sovereignty before the US gives its support, something that may take several months. This suggests Washington is attempting to downplay enthusiasm for the deal amid a number of domestic concerns, including the COVID-19 pandemic and the ongoing protests surrounding police brutality and the death of George Floyd. US support for the deal is important: the coalition deal that Netanyahu signed with Benny Gantz’s Blue and White party on 20 April allows him to pursue his annexation plan only in full coordination with the White House. However, Netanyahu has reportedly said he intends to begin his plan on 1 July anyway, which would mark a significant break with the US.

Meanwhile, the Palestinian Authority (PA) has rejected the May tax payments, amounting to around USD190 million, collected on its behalf by Israel. A PA spokesperson said the decision was taken to ‘stop all forms of co-ordination with Israel’ to protest the annexation plan. The PA’s refusal of the taxes is its latest attempt to push Israel to reverse course on its annexation decisions.

Troops loyal to the UN-backed Libyan Government of National Accord (GNA) took control of Tripoli International Airport (TIP) from Field Marshal Khalifa Haftar on Wednesday (3 June). This followed days of clashes between forces loyal to the GNA and those from Haftar’s self-declared Libyan National Army (LNA) in the Qasr bin Ghashir area, where the airport is located. There has been recent hope of a ceasefire, with several senior Libyan officials, including the GNA’s Deputy Prime Minister Ahmed Maetig, arriving in Moscow on 3 June for new ceasefire talks, although it is worth noting that previous agreements have collapsed, sometimes within weeks. For now, the loss of TIP will seriously compromise the LNA’s supply routes and Haftar’s remaining positions in Tripoli, and there is a realistic probability LNA troops will be forced to withdraw southwards.

According to a report in the International Business Times on 31 May, Turkey has signed an agreement with the UN-backed government in Tripoli that will allow Ankara to build its own airbase in al-Watiya, located in Libya’s north-western Nuqat al-Khams district. This comes as Turkey is building up its military presence in Libya. The deployment of both Turkish and Russian military aircraft suggests that neither foreign backer has any intention of withdrawing from the region. Indeed, the likely aim is to gain future influence and access to Libya’s vast energy reserves. At present, both sides are likely counting on military deterrence to avoid a wider outbreak of conflict, and this could dictate a fresh negotiation process led by Turkey and Russia in the coming one to two months.

Iranian Ministry of Health officials warned on 2 June of a spike in infections from the novel coronavirus (COVID-19). The death rate has also risen. Health minister Saeed Namaki also warned of a ‘second wave’ hitting the country. Authorities have been under intense public pressure to lift COVID-19-related movement restrictions and reopen the economy. Iran started easing its lockdown in April after a decrease in deaths. Government employees went back to work, shops and gyms re-opened, and mosques resumed daily prayers on 30 May as part of the relaxation of the lockdown. The spike in cases suggests this level of relaxation may have been too much too soon. This could have regional implications, especially as Iran reopened two border crossings with Iraq and the Kurdistan Region (KRI) on 4 May to both goods and people. Indeed, both Iraq and the KRI have reported increases in cases in recent days.

According to a report in Afrique Latribune on 1 June, Mohamed Ali Toumi, the Tunisian tourism and transport minister, has said the government has no plans to inject funds into struggling flag carrier Tunisair. The airline, on the verge of bankruptcy, has reportedly requested a rescue package of DT100 million (USD35 million). Companies with interests in Tunisia’s aviation sector should assess the impact of reduced flight availability on operations and strategy. Struggles in aviation could also have a knock-on effect on other key sectors such as tourism.

In Yemen, the rebel Houthi militias stated that they had received a medical shipment dispatched by the UN Children's Fund (UNICEF) to help curb the spread of the coronavirus (COVID-19) in the country. The UNICEF plane landed in the capital Sana’a and was carrying a range of medical supplies, including Personal Protective Equipment (PPE) items such as aprons, boots, face masks and gloves for frontline health workers. There is increasing concern over the rapid spread of COVID-19 in Yemen and the impact the virus will have on the war-torn country. As of 1 June, Yemen has only confirmed 323 cases and 80 deaths; however, the true number of cases is thought to be much higher. Experts from the World Health Organization (WHO) have said that Yemenis are dying from corona-like symptoms by the hundreds.

Sub-Saharan Africa

Uganda’s minister of trade and transport, Katumba Wamala, has reportedly written to his Kenyan counterpart, stating that the use of Naivasha Inland Container Depot (ICD) should be optional. The statement comes as a directive came into effect on 1 June mandating that truck drivers use the Naivasha ICD when transporting goods between Kenya’s port of Mombasa and Uganda. His remarks follow growing opposition from freight forwarders and other companies reliant on transport operations, including warehouse owners, to the requirement, which they deem damaging to their bottom lines and anti-competitive. This uncertainty is compounded by friction between countries in the region, including Kenya and Uganda, but also Rwanda and Tanzania, who are at odds over their respective responses to the COVID-19 pandemic.

The head of the Democratic Republic of Congo’s military prosecutor’s office in the central Kasaï Central province, Lieutenant-Colonel Jean-Blaise Bwamulundu Kuzola, confirmed on 30 May that authorities had arrested Trésor Mputu Kankonde, a local militia leader and key suspect in the murders of two UN experts in 2017. This is the most significant arrest since investigations were launched three years ago, underscoring the case’s slow progress, which has fuelled accusations that some officials were involved in the experts’ killing and have tried to cover it up. The case has dealt a serious reputational blow to the Congolese law enforcement and judiciaries, placing doubt on their ability or willingness to conduct investigations to a minimum international standard. In the longer term, this lack of progress in the case is likely to concern companies considering market entry, as political interference in legal proceedings cannot be discounted.

On 1 June, Zimbabwe’s government summoned the US ambassador to the country, Brian Nichols, after US National Security Adviser Robert O'Brien accused Zimbabwe of using the killing by police of unarmed African-American man George Floyd to interfere in US internal affairs, while describing Harare as a ‘foreign adversary’ along with other countries. In addition, several national governments and the African Union have issued statements condemning the killing in unusually strong words. The summoning of Nichols and the statement by O’Brien, in parallel to several national governments upping their rhetoric towards the US, are likely to fuel grassroots anti-US sentiment across Sub-Saharan Africa. This is particularly so in countries with an established anti-colonial or anti-Western activist base, including Ghana, Kenya, Namibia, Nigeria, South Africa, as well as Zimbabwe.

In turn, such public moods are likely to generate demonstrations outside US diplomatic missions and organisations over the coming weeks, despite authorities attempting to enforce restrictions related to the COVID-19 pandemic. Such attempts raise the risk of violence in relation to such gatherings, which are likely to be relatively small, attracting up to a few hundred. Nevertheless, mobilisation could grow in response to inflammatory statements made by the US president or diplomatic officials stationed across the region. In-country staff in the aforementioned countries, especially those moving close to US diplomatic missions, should monitor protest announcements by local civil society organisations and adjust travel plans accordingly.

Local media have reported that queues of trucks are growing on the Tanzanian side of the Namanga border post, after Kenyan officials on 4 June allegedly refused to recognise certificates claiming the Tanzanian truck drivers had tested negative for COVID-19 at local facilities in Arusha. According to reports, the trucks number up to 100 or more. Kenyan officials demanded that the Tanzanian drivers be re-tested, which they refused to do. The incident comes despite an agreement between the countries’ transport ministers on 22 May that mutually recognised test results in either country. The commissioner for Longido District in Tanzania has said authorities would reciprocate and refuse entry to Kenyan drivers looking to enter Tanzania.

The growing bilateral tensions and the disruption at the border underscore the high risk of transport disruption in the sub-region during the pandemic; similar friction has been reported between Rwanda and Uganda, as well as Kenya and Uganda since authorities began restricting non-essential transport in March and April.