Geopolitics and Cybersecurity Weekly – 1 September 2020

Attacks and cybersecurity news

The OSINT search engine Shodan now shows that 13,571 hacked Elasticsearch databases and 7,566 MongoDB databases have been struck by the Meow database wiper, which first came to light in late July this year. The remaining results are divided among systems running other database software such as Jenkins, Cassandra and more. In total, more than 25,000 exposed databases have been wiped. The motivation for the Meow wiper remains unclear: there are no obvious correlations between the organisations hit by the attacker(s) other than that they all had misconfigured databases exposed to the internet.

Business at the NZX, New Zealand’s Wellington-based stock market, was interrupted for two days in a row due to what is believed to be a cyberattack. The NZX reported “network connectivity issues” had stopped trading on the NZX main board, NZX debt market, and Fonterra shareholders market. The first shutdown occurred on the afternoon of 25 August, stemming from a DDoS attack targeted at the NZX from abroad. Then, at 11:24 am on 26 August, the NZX went offline once again. This could have serious reputational and financial ramifications for NZX. The exchange reopened on 28 August after the bourse operator put in place measures to maintain system connectivity. “NZX has been continuing to work with its network service provider Spark SPK.NZ, and national and international cyber security partners … to address the recent cyber-attacks,” it said in a brief statement on Friday. Despite these reassurances, at 07:58 AEST the NZX Debt Market was placed into a halt with trading due to resume at 11:00 AEST.

After a slow start to the week, the Emotet botnet returned to full spamming capacity by Wednesday. Emotet’s spam emails now use new malicious document templates tagged “red_dawn”. These templates target Office 365 users and state that “previewing is not available for protected documents”, so users must enable macros to “view the content”. These maldocs were first seen in Italy, then Vietnam and Japan. Users in New Zealand received Emotet malspam from a compromised mailbox belonging to thefrontstore[.]co[.]nz, a local engineering supplies shop. The botnet operators have been alternating packing and obfuscation techniques to bypass detection systems. If the operators move to encrypted command-and-control communications, it will be harder to spot the malicious traffic on monitoring systems. The number of spam emails coming from the Emotet botnet slowed as the week drew to an end. The latest emails were mainly written in Japanese and Norwegian.

Brazil has seen a dramatic increase in brute-force attacks over the past six months. Fortinet researchers believe that this was driven by the increase in working from home due to the COVID-19 pandemic, which led to the proliferation of imperfect and misconfigured remote working solutions. Fortinet specifically cites misconfigured Remote Desktop Protocol (RDP) servers as a key point of initial access for attackers.

A group of low-skilled Iranian threat actors has been targeting businesses in Russia, Japan, China, and India using a version of the Dharma ransomware. The group employed publicly available tools such as Masscan, NLBrute, Advanced Port Scanner, Defender Control, and Your Uninstaller to launch unsophisticated attacks. The source code of the Dharma ransomware itself is widely accessible for free. The main attack vector is the Remote Desktop Protocol (RDP), whose endpoints have increasingly become a preferred target of ransomware operators. The attackers are trying to keep a low profile and ensure they are paid by demanding a relatively small ransom payment of around 1 to 5 Bitcoin (USD10,000 to USD50,000).

An unknown ransomware group attempted to target Tesla by bribing an employee to install malware onto Tesla’s internal network. A Russian national met with a current Tesla employee and offered them USD500,000 to install malware either via a USB drive or by opening a malicious email attachment. While the bribe was later increased to USD1 million, the employee chose to alert Tesla, which informed the authorities.

A new report has linked three separate campaigns through the deployment of various JavaScript-sniffer (JS-sniffer) families used to steal bank card data. Each campaign had previously been attributed to the Magecart group; the report, however, illustrates that all were related to an independent threat group dubbed UltraRank. The group also used its own way of monetising the data it had stolen: using the card shop ValidCC, the threat actors made more than USD5,000 every day. A total of 691 individual websites were hit by UltraRank, alongside 12 third-party service providers, including various advertising and browser notification services, web design agencies, marketing agencies, and website developers around the world.

Luminate Education Group (LEG), a company which oversees several further education colleges in the north of the UK, was recently hit by a cyberattack that caused “operational disruption” to LEG’s IT infrastructure. The group has 2,000 staff and around 29,000 students. The attack took place on 11 August and affected Leeds City College (LCC), Keighley College, Harrogate College, Leeds Sixth Form College and University Centre Leeds. Some students at LCC were unable to receive their exam results due to what was described as a “major server issue” at the time.

Email service provider SendGrid is reportedly experiencing an unusually high number of compromised customer accounts being used to distribute malware and phishing campaigns.

Compounding the issue, SendGrid obfuscates links in emails for tracking purposes, increasing the likelihood of a recipient inadvertently clicking on a malicious link. Parent company Twilio says it is planning to enforce multi-factor authentication across all accounts; however, it is not clear when this will be rolled out.

COVID-19 Cybersecurity Update

During the height of the COVID-19 pandemic, many US states set up centres to which citizens could report any violations of COVID-19 lockdown guidance. However, details including the names, email addresses, and contact details of the individuals who submitted reports, as well as the nature of the alleged breach, have been leaked. Databases containing reports made in the states of Washington and Missouri have been leaked on Raid Forums. The user who posted these, Omnipotent, is encouraging other users to share similar databases.

Data breaches, fraud, and vulnerabilities

Data Breaches

RailYatri, India’s government-backed travel marketplace, has reportedly exposed 43GB of customer and corporate data. The data was held in an unsecured Elasticsearch database, and most of it was deleted by the Meow database wiper before the database was secured: the wiper removed 42GB of data, leaving just 1GB. The database is now secured after India’s national CERT (CERT-In) successfully contacted RailYatri.

Security researcher Bob Diachenko has reported the exposure of more than 50,000 scanned driver’s licenses and toll charge notifications in a misconfigured S3 bucket believed to belong to the Roads and Maritime Services of New South Wales, Australia. Diachenko has attempted to contact the owners of the data but has received no response at the time of publication. Nonetheless, the data has now been secured.

Ransomware

Following in the steps of other ransomware groups, the operators of the SunCrypt ransomware have now created a data leaks blog on which victims will be named and their data leaked. Given the current trend of ransomware groups creating sites to name victims and leak their data, it was almost inevitable that SunCrypt would also adopt this approach. Notably, unlike other ransomware groups, the operators of SunCrypt leak large amounts of victim data, often several hundred gigabytes, when victims are first named.

Researchers have now revealed that the threat actors behind SunCrypt appear to be a part of the Maze ‘cartel’, created in June this year to facilitate the sharing of information and techniques between ransomware operators. The cartel initially only included Maze and LockBit; RagnarLocker was added soon after. As well as taking on some of the operational burden, the SunCrypt operators informed Bleeping Computer that they also “share revenue from the successful operation.” It seems that Maze may have provided compromised network access to the members of its cartel in return for a share of the revenues. Further analysis of a public IP address used by Maze ransomware during attacks showed that either “Maze is sharing their infrastructure or white-labelling their ransomware technology to other groups.” SunCrypt is currently being analysed; it is not yet clear if data encrypted by the ransomware can be recovered for free.

Fraud

Cyjax analysts uncovered a Zoom meeting-themed phishing attack targeting one of our members of staff. If the ‘review invitation’ button is clicked, the user is taken to a CAPTCHA page and then to an Outlook-themed fake login page. In this phishing attack, we noticed that the scheduled Zoom meeting is set for the same day as when the phishing email was sent. This could be to add pressure to the target and entice them to check if they have missed a business meeting notification.

Threat actors behind Business Email Compromise (BEC) scams are increasingly turning their focus towards employees in the finance department and away from C-suite executives. The COVID-19 pandemic led to a surge in the volume of BEC attacks observed by Bitdefender, presumably due to an increase in remote working and a lack of face-to-face communication between employees. Notably, these attacks are now increasingly targeting employees in the finance department, with invoice fraud proving particularly popular.

Malicious actors have been sending emails purporting to be from Bitcoin trading platform BTC Era to lure users of the exchange into paying for a fake investment. The aim of the attacks is to infect users of the online currency with malware.

The FBI and CISA have issued a security advisory concerning an ongoing voice phishing (vishing) campaign targeting corporate VPN users. The campaign reportedly began in mid-July and involved cybercriminals gaining access to employee tools at multiple companies, with indiscriminate targeting. The campaign’s main goal is reportedly to sell VPN access to large corporations. Using vished credentials, attackers infiltrated multiple private enterprises and exfiltrated data from victim company databases.

The Grandoreiro banking Trojan is being distributed in a new campaign targeting Spain. The malware is being pushed in phishing emails masquerading as the Spanish Tax Agency (Agencia Tributaria). Grandoreiro is traditionally a Latin American banking Trojan that has since made the move from Brazil and Mexico to targeting users in Spain and Portugal.

Cyjax analysts uncovered an Office 365 credential harvesting campaign targeting several large enterprises in the UK, the US, and Australia. The attacks start with a phishing email containing a link that abuses an open redirect in the National Trust’s email marketing platform. Further investigation revealed this campaign’s tactics and targeting. The URLs currently being abused are from the National Trust, as well as Blackbaud Hosting.

A new attack campaign is targeting users and companies in Italy. The campaign includes sending a large number of spam emails masquerading as communication from the Istituto Nazionale della Previdenza Sociale (INPS). Attached to the spam emails are malicious XLS documents with embedded macros. If a user enables these macros their device is connected to the attacker’s C&C server and sensitive information is collected and exfiltrated.

Vulnerabilities

A vulnerability in the “manage versions” function of Google Drive could allow malware distribution through legitimate files. The bug stems from a flaw in the way in which files are updated on Google Drive. An attacker could update a file at any point and change the file extension to one of their choosing, including malicious executables. This can be done to files already shared among a group.

A recently disclosed vulnerability in Apple’s Safari browser could be abused to leak or steal files from user devices. The bug is related to Safari’s implementation of Web Share API, which allows users to share links from the browser to third-party software, such as email clients or instant messaging apps. This vulnerability was initially reported to Apple in April. However, the researcher decided to disclose it after Apple delayed patching the vulnerability until Spring 2021.

A high-severity memory exhaustion vulnerability has been disclosed in Cisco IOS XR software, which runs on carrier-grade routers. Patches will be released but are not yet available. There are no workarounds; however, multiple mitigations are available depending on the user’s needs.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • US CISA has issued several security advisories regarding critical vulnerabilities in Advantech, Emerson, and WECON ICS products. Successful exploitation can lead to path traversal, unauthorised modification of data, remote code execution, or a denial of service condition. The ICS products affected are used worldwide in the manufacturing, healthcare, chemical, energy, and water management sectors.
  • Apache has recently patched multiple major vulnerabilities in its web server software that could have allowed remote code execution (RCE) and denial of service.
  • Two vulnerabilities in IBM Security Guardium Insights. Successful exploitation can lead to information disclosure or a remote attacker hijacking the victim’s click actions to launch further attacks.
  • High-risk vulnerabilities in Microsoft Azure Sphere. Successful exploitation can lead to remote code execution and privilege escalation.
  • CCCS has issued a security advisory for a Microsoft out-of-band security update to address vulnerabilities in Windows. Successful exploitation can lead to privilege escalation.
  • Multiple vulnerabilities disclosed in IBM Cloud Private. Successful exploitation can lead to arbitrary code or command execution, denial of service, and unauthorised access.
  • US CISA has issued an advisory pertaining to the Cisco August security update. Organisations using this equipment are recommended to apply the fixes as soon as possible.
  • US CISA has issued two security advisories for security updates in Google Chrome and Mozilla Firefox. If successfully exploited, some of these vulnerabilities can be used to take control of an affected system.
  • Multiple vulnerabilities discovered in Red Lion ICS products. Red Lion ICS products are used in commercial facilities, energy, transportation, and water management.

APT Activity and Malware Campaigns

APT activity

A new report has revealed the existence of a group of ‘hackers-for-hire’ with a toolset that contained powerful espionage capabilities and also exploited a previously unknown vulnerability in Autodesk 3ds Max, popular software widely used in 3D computer graphics. The target is known to have been collaborating in billion-dollar real estate projects in New York, London, Australia, and Oman. The investigation into this group and its tools revealed that the threat actors had used a C&C server in South Korea. Interestingly, further analysis of other samples showed that these also communicated with the same C&C server, indicating the group was developing multiple samples. These additional malware samples initiated connections to the C&C server from countries including South Korea, the US, Japan, and South Africa, suggesting that this APT may also have compromised victims in these countries that have yet to be confirmed.

Kaspersky has disclosed more information surrounding a group it has dubbed DeathStalker (formerly known as the Deceptikons). The group primarily focuses on law firms and companies in the financial sector to gather sensitive business information. This tactic leads the researchers to believe DeathStalker is a mercenary group that may offer hacking-for-hire services or act as an information broker in financial circles. The group’s victims are spread across the UK, Switzerland, the UAE, India, Turkey, Israel, Lebanon, Jordan, Cyprus, China, Taiwan, and Argentina.

A new malicious Excel sheet, with low detection by antivirus engines, leverages a VBA macro that, if enabled, will download a payload from a typosquatting domain (windowsupdate[.]me). Cyjax analysis of the C&C server used in this infection chain revealed a malicious XLS document called “MofaVPN.xls” that was detected as a dropper for the Valyria Trojan (also known as POWERSTATS). We suspect that MofaVPN could stand for “Ministry of Foreign Affairs”. Further investigation found that the name of the VBScript “komisova.vbs” had also been used in an OilRig campaign detected by Unit42 in 2016. POWERSTATS has been used by Iranian APTs such as MuddyWater and OilRig for multiple cyber-espionage campaigns. It is a backdoor written in PowerShell and can disable Microsoft Office Protected View, fingerprint the victim, and receive commands.

A number of attacks on cryptocurrency exchanges have been linked to the Lazarus group. The attacks targeted cryptocurrency organisations from North America, Europe, and Asia. The attacks reportedly begin with a phishing email for malware deployment that leverages fake LinkedIn job offers, each tailored to the recipient’s profile. The campaign was traced back to January 2018; at least 14 countries have been targeted including the US, China, the UK, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.

New research has revealed that Iranian threat actors, believed to be part of APT35 (also known as CharmingKitten or Phosphorus), have been impersonating journalists and directly contacting targets via LinkedIn and WhatsApp. This activity was observed in July and August. This campaign targeted academics, human rights activists, and journalists. Although the malware used was not specified, the researchers did note that it was capable of stealing victim credentials. This would be consistent with the Iranian government’s broader surveillance efforts targeting dissidents and other critics of the regime.

The Thinmon backdoor, a new malware framework used in a cyber-espionage campaign earlier this year, has been linked to the DarkHotel APT group. DarkHotel leveraged VPN software vulnerabilities against Chinese organisations to deploy the Thinmon backdoor. Analysis of the malware revealed that it has been deployed by DarkHotel since 2017 for monitoring infected devices and stealing confidential documents. DarkHotel created a South Korean pornographic website that delivered a fake QuickTime installation package loaded with the Thinmon Trojan backdoor. DarkHotel has been active since at least 2007 and is possibly state sponsored; its members appear to be native Koreans or Korean speakers.

US authorities have issued a joint advisory concerning a global campaign against financial institutions orchestrated by North Korean attackers dubbed the BeagleBoyz. These attackers have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions. This activity includes using anti-digital-forensic tools and wiper malware to destroy thousands of computers, distracting from efforts to send fraudulent messages from the bank’s compromised SWIFT terminal. Fraudulent ATM cashouts have affected upwards of 30 countries in a single incident. The cybercriminals withdrew cash from ATMs operated by various banks in multiple countries, including in the United States.

New research has revealed that Iranian threat actors believed to be part of APT35 have been impersonating journalists and directly contacting targets via LinkedIn and WhatsApp. This activity was observed in July and August. The Iranian threat actors, posing as journalists from either Deutsche Welle or Jewish Journal, would first message a target on LinkedIn. From there, they would attempt to set up a WhatsApp call with the target under the pretence of discussing Iranian affairs. After building this cover and developing a relationship with the target, the Iranian threat actors would then share links to phishing pages and malicious files. This campaign targeted academics, human rights activists, and journalists.

Malware

Sophos reports that a cryptocurrency mining campaign, dubbed Lemon_Duck, has compromised a high number of exposed Linux systems. Lemon_Duck is an advanced cryptomining malware that is regularly updated with new code and obfuscation techniques. Some of the attacks that deliver Lemon_Duck have included COVID-19-themed malspam, end-of-year holiday shopping, tax season, and other current events to entice users into infecting their systems. The most common email subjects recently include: “The Truth of COVID-19,” “COVID-19 nCov Special info WHO,” and “HALTH ADVISORY: CORONA VIRUS”. Computers infected with Lemon_Duck can then be used to spread the malware further. The cryptominer steals users’ Outlook contact list and sends spam emails to friends and co-workers.

Several Android Trojans are targeting users in Turkey with mobile data and COVID-19-themed ‘giveaways’. The malware that has been detected most is the Anubis banking Trojan. The attackers created a site that masquerades as the Turkish government and delivers apps from a domain whose name means “social support pre-application”.

Researchers have reported on the latest versions of the Quaverse Remote Access Trojan (QRAT) being spread in malspam. These new variants use a subscription service called QHub that allows QRAT affiliates to control all infected machines from a single interface. The spam campaigns use multi-stage downloaders. While all current samples of QRAT exclusively target Windows, they are nonetheless written in Node.js which is cross-platform compatible. This suggests that, should the threat actors operating QRAT wish to do so, the malware’s targeting could be expanded to encompass macOS and Linux.

Further analysis of the Qbot banking Trojan, one of 2020’s most prolific malware families, seen in a spam campaign in March and currently deployed in Emotet-driven malspam, has shown that its key features include stealing information from infected machines, including passwords, emails, credit card details and more. The malware can hijack users’ legitimate email threads from their Outlook client and use those threads to try to infect other users’ PCs. Most of Qbot’s attacks have targeted the United States and Europe. Other targets include Canada, India, Israel, Turkey, and Taiwan.

A new cryptojacking worm, dubbed Cetus, is targeting Docker daemons to mine Monero. It disguises itself as a legitimate binary called Portainer – a tool that is used to manage multiple Docker environments. Cetus uses the same Monero wallet address as another cryptojacking worm discovered earlier in August. In that instance, the threat group TeamTNT was linked to Monero-mining malware that could steal AWS credentials from infected servers. Cetus is therefore the third cryptojacking worm identified that targets Docker hosts, following Graboid and the TeamTNT strain.

Google has removed 57 apps from the Play Store after they were discovered to be part of the Terracotta ad fraud botnet. The apps had collectively been downloaded nearly 95,000 times since late 2019 when the botnet emerged. In most instances, the apps offered free footwear, tickets, and coupons, if the app was installed and left on the device for two weeks. Instead, a modified version of WebView was downloaded to load ads and generate revenue from fake ad impressions.

Darknet

Empire market has gone offline in an apparent exit scam. The DDoS attacks which began last week initially caused the market to be taken offline; however, Empire did not return after these attacks subsided. One of Empire’s head moderators posted on Dread stating the market admin had not been online for over two days. Soon after, this moderator deleted their account, leading to rampant speculation that Empire had exit scammed. Over a week later, Empire has still not returned and virtually all darknet users are treating it as having exit scammed.

Empire was the dominant market for a long period of time and its sudden disappearance will have significant ramifications on the darknet market landscape. Many vendors are already moving to White House and Monopoly, which were second and third respectively behind Empire in terms of size. Both markets will likely experience significant growth in the coming weeks. Icarus and DeepBlue are two lesser-known markets who also appear to be experiencing growth considering Empire’s disappearance, but neither of these markets is well-established and user trust remains low.

The operators behind the CryLock ransomware have announced they are adopting the Ransomware-as-a-Service (RaaS) model and are currently recruiting affiliates. Previously known as Cryaki, the CryLock ransomware has been active for many years. However, there has recently been a surge in publicly detected samples, suggesting the group is ramping up its activity. This is consistent with adopting the RaaS model, as the recruiting of affiliates enables ransomware groups to scale up their operations.

The Cerberus Android malware operators have now publicly released the source code for Cerberus v2. It is unclear what impact this will have on the malware development industry, but we expect elements of this remote-access Trojan to be used in other malware very soon.

Finally, a user on a darknet hacking forum is claiming to sell access to a French banking cooperative which Cyjax deduced as Group Credit Agricole. The user was also offering access to a US company with a revenue of USD1 billion. Cyjax has not been able to find out which company this is.


Geopolitical Threats and Impacts

In partnership with A2 Global Risk

Americas

Salesforce, the San Francisco-based customer relationship management (CRM) giant, announced last week that staff would be offered a work-from-home option until at least August 2021 due to the ongoing COVID-19 pandemic and attendant restrictions on travel, assembly, and schools. Salesforce also announced an expansion of parental leave and financial support of USD250 for employees’ office supplies. Salesforce is San Francisco’s largest private employer, occupying several buildings in the city’s Transbay district. Their announcement follows similar moves from other California-based tech companies, including Facebook, Google, and Uber, each of which will allow staff to work remotely until at least July 2021. Salesforce’s decision comes as non-essential workers remain barred from offices in San Francisco due to the spread of COVID-19, and reflects much of the tech industry’s openness to remote working. The announcements are likely to encourage other employers to expand their work-from-home policies well into 2021.

On 26 August, professional sports teams from the NBA, WNBA, MLB, and MLS postponed scheduled fixtures in protest at the shooting of Jacob Blake, a 29-year-old black man, by police in Kenosha, Wisconsin. Tennis player Naomi Osaka also pulled out of a WTA match, prompting the organisers of the Western & Southern Open to cancel play on 27 August. In the US, sportspeople have often taken the lead on highlighting racial injustice and other forms of discrimination in wider society. This week’s actions are likely to lead other commercial organisations to review their anti-racism and anti-discrimination policies. This is particularly likely in organisations partnering with sports teams, such as sports clothing manufacturers, television networks, and companies sponsoring sports franchises. Companies with interests in the US, particularly in industries linked to sport, should monitor updates and assess how growing societal awareness and condemnation of racism and discrimination impacts operations, policies and strategy.

On 26 August, the US Department of Commerce imposed sanctions on 24 Chinese companies and an unspecified number of individuals over Beijing’s construction and military activities in the disputed South China Sea. The targeted companies were added to Washington’s so-called ‘entity list’, limiting their access to US products, while visa restrictions were imposed on individuals ‘responsible for, or complicit in’ China’s actions. In a separate development on 27 August, Taiwanese President Tsai Ing-wen used a speech to an Australian think tank to warn of the potential for accidental conflict in the South China Sea. Tsai called on all parties to ‘maintain open lines and communications’ to mitigate the risk of miscalculations.

The sanctions are Washington’s first such measure against companies and individuals involved in Chinese construction and military activities in the South China Sea. The region hosts a strategically-critical waterway and significant quantities of energy resources, which are disputed between China and other nearby countries, including Vietnam, the Philippines, and Malaysia. Washington’s latest actions highlight the tense and volatile nature of Sino-US ties, and come just one day after the two sides reaffirmed their commitment to an earlier trade pact. While the risk of immediate-term military conflict in the South China Sea is assessed as low, the region is an increasingly significant point of contention between Beijing and Washington, among a host of bilateral and international disputes. Organisations with interests in China, particularly in the construction sector, should immediately adjust operational planning to account for the imposition of US sanctions, and assess their legal and reputational exposure.

On 26 August, Argentina formally requested talks with the IMF on a new lending programme to replace its USD57 billion stand-by agreement penned in 2018. In tweets sent shortly after the request was made, economy minister Martín Guzmán described the 2018 deal as ‘unsustainable’ and said that a new agreement should include rescheduling of debt maturities with the IMF. The fund’s chief, Kristalina Georgieva, said that the IMF was ready to ‘support Argentina in these challenging times.’ Argentina is suffering a profound economic crisis, fuelled by high levels of debt, shrinking output, rising unemployment, and the steady depreciation of the Argentine peso. This economic malaise has been exacerbated by the COVID-19 pandemic, which has led to the imposition of restrictions on travel and assembly, further harming economic activity. The decision to request new talks with the IMF, almost certainly to delay maturities on existing debt, forms part of leftist President Alberto Fernández’s broader economic strategy, which includes the renegotiation of outstanding debt and halting the immediate loss of further jobs. This has been evidenced by his government’s restructuring of USD65 billion in sovereign debt. Organisations with interests in the Argentine economy should monitor updates on the IMF talks and assess their impact on operations and strategy.

On 31 August, the Office of the US Trade Representative (USTR) announced a tightening of restrictions on steel imports from Brazil and Mexico, in a bid to protect US producers facing slumping demand and low prices, largely triggered by the coronavirus (COVID-19) crisis. Brazil’s remaining 2020 quota for semi-finished steel imports was reduced from 350,000 metric tons to a mere 60,000 tons. Mexico, meanwhile, agreed to establish a strict monitoring regime to address increasing exports of steel pipe, mechanical steel tubing and semi-finished steel to the US. Mexico will also strengthen efforts to prevent the transhipment of steel products from other countries through Mexico to the US, announcing that exporters would require a permit for such transactions.

In a separate trade development on 31 August, Brazil reimposed a 20 per cent levy on US ethanol imports, despite US calls for continued tariff exemption.

The latest measures are likely to have a significant impact on Brazilian and Mexican companies exporting certain steel products to the US. The global economic slump triggered by the COVID-19 pandemic has reduced demand for steel products, leading to declining prices for producers, some of whom have cut output. The measures also exemplify President Donald Trump’s pledges to defend the interests of US steel producers. Trump’s actions to protect the steel industry and jobs in associated manufacturing industries are likely to form a core part of his campaign for re-election, particularly focused on industrial battleground states such as Ohio, Pennsylvania and Michigan. Organisations with interests in the US steel and ethanol industries should assess how the new quota and tariff measures affect operations, finances, and planned investments.

A 12,800-km long underwater data cable linking Los Angeles with several Asian countries and territories will no longer land in Hong Kong, it was announced last week, amid US national security concerns of potential data theft from China. The Pacific Light Cable Network (PLCN), which was launched in 2016 and is backed by US tech firms including Google and Facebook, will now only dock in Taiwan and the Philippines. While the cable has already been laid, its landing in Hong Kong will not be activated. The project was originally intended to enhance Hong Kong’s internet connectivity and boost US tech firms’ commercial interests in the territory. These plans, however, have been overshadowed and ultimately dashed by worsening diplomatic and commercial ties between China and the US, particularly related to Hong Kong’s evolving political status. Moreover, in the past two years, Washington has expressed increasing concern over the potential for espionage from Chinese or China-linked technology firms, including Huawei and ZTE. This has led to calls for bans on Huawei and recently prompted the US government to order the sale of the US operations of popular Chinese-owned video-sharing app, TikTok. Organisations with interests in Hong Kong’s tech sector, particularly related to internet connectivity, should assess how its removal from the PLCN impacts operations and strategy.

APAC

The Australian government on 27 August said it expects to use a new law preventing individual states and institutions from entering into agreements with foreign countries to bar investments linked to China’s ‘Belt and Road Initiative’ (BRI). The new law, expected to be introduced next week and passed by the federal government later this year, will authorise the country’s foreign minister to bar and rescind new and previously signed agreements between overseas governments and Australia’s eight states and territories, local authorities and universities. Sectors covered by the new law will include infrastructure, trade cooperation, tourism, science, health, and education. The new law will further strain diplomatic and economic ties between Australia and China, the former country’s largest single trading partner. The law is expected to directly affect a BRI-linked infrastructure deal between the state of Victoria and Chinese companies while also likely resulting in a review of tentative agreements related to investment, scientific cooperation and access to the Antarctic between Beijing and the state governments of Western Australia, South Australia and Tasmania. A further 130 agreements between Australian states and institutions with at least 30 foreign countries could also be affected by the new law. Companies should assess whether their operations will be affected by the legislation while also recognising China, and potentially other countries, may retaliate with countermeasures or sanctions against Australian interests.

India is gradually removing Chinese vendors, including Huawei Technologies, from its telecommunications networks, according to a Financial Times (FT) report. While the Indian telecommunications department has already banned 5G testing with Chinese vendors, New Delhi is opting for a gradual phasing out of Huawei rather than an explicit ban, and Prime Minister Narendra Modi is very cautious about investment from China into sensitive infrastructure, according to the report. The Indian government is unlikely to officially prohibit Huawei or other Chinese firms to avoid retaliation by China, according to a senior government official cited by the FT. The report is assessed as credible, as such a measure would follow a trend of measures by the Indian government against Chinese businesses amid increasingly strained bilateral relations and against the backdrop of growing Hindu nationalism. Businesses with ties to Chinese vendors in India should assess the impact of a likely removal of such firms on their operations and factor this into their strategic planning.

On 28 August Japanese Prime Minister Shinzo Abe announced his resignation from his role due to poor health. Abe suffers from a non-curable inflammatory bowel disease called colitis, which also led him to resign as prime minister after approximately a year’s tenure in 2007. Abe is almost certain to be succeeded by a member of his conservative Liberal Democratic Party (LDP). The consensus among experts appears to be that the Japanese government is likely to maintain current policy, particularly as the country remains under the duress of the COVID-19 pandemic and attendant economic fallout.

During a speech in Taiwan’s parliament on Tuesday (1 September), the head of the Czech Republic’s Senate, Milos Vystrcil, declared himself Taiwanese in a demonstration of solidarity. Beijing said the Czech representative would pay a ‘heavy price’ for visiting Taiwan, a country with which the Czech Republic has no formal ties. Prague did not support the visit but condemned China’s strong response and summoned the Chinese ambassador. The statement bears similarities with former US President John F. Kennedy’s 1963 ‘Ich bin ein Berliner’ speech in West Berlin, a famous declaration of solidarity with Berliners in favour of freedom against communism. Seen in the wider context of Czech-China relations, the latest diplomatic incident will further fuel bilateral tensions. Deteriorating political relations will likely translate into growing antipathy towards Czech commercial interests in mainland China. Similarly, Chinese firms seeking to invest in the Czech Republic may face heightened political and regulatory scrutiny, which is consistent with a Europe-wide trend of targeted protectionism.

Europe

A large leak of confidential Cypriot government documents called The Cyprus Papers, obtained by news outlet Al Jazeera’s Investigative Unit, on 24 August revealed that numerous high-level officials and their families purchased so-called ‘golden passports’ from Cyprus between late 2017 and late 2019.

The development highlights the corruption and money laundering risks associated with the Cyprus Investment Programme. It follows shortly after a previous Cyprus Papers report published on 23 August by Al Jazeera showed that Cyprus granted golden passports to convicted fraudsters, money launderers, and allegedly corrupt political figures from over 70 countries. The Cypriot government responded by saying that it is reviewing the information. Since its inception in 2013, Cyprus’s investment scheme has attracted significant criticism from the European Union, forcing the island nation to modify its rules in 2019. In July 2020 Cyprus also introduced a rule allowing it to remove the golden passports of anyone perceived to be harming the country’s national interest. The leaks are almost certain to increase pressure on the Cypriot government to rescind the citizenships of Politically Exposed Persons (PEPs), a category for those thought to be at higher risk of corruption because they or their close associates hold a government role, and to raise scrutiny of the Cyprus Investment Programme overall. Businesses with interests in Cyprus’s real estate industry should monitor the situation for updates and factor these into their strategic planning.

The UK’s Department for Environment, Food and Rural Affairs (DEFRA) launched a six-week consultation over a proposed law that would require large, UK-based companies to ensure that their international supply chains do not contribute to deforestation or violate local laws. So far, DEFRA has included soy, palm oil, cocoa, beef, rubber and leather, as well as forestry products like wood and paper, in its proposed list of agri-products whose origin companies will need to disclose under the new law. While the proposed legislation already enjoys support from several large companies, such as US fast-food chain McDonald’s and UK retailer Tesco, which have advocated for legally binding targets by 2030, non-governmental organisation Greenpeace has lambasted the proposal, calling it ‘significantly flawed’. Nevertheless, the legislation is likely to be passed in the one-year outlook. Security managers should monitor protest plans and activity by such groups and review their early warning systems and access-and-egress procedures at business premises.

The German motor vehicle authority KBA announced a probe into Volkswagen’s (VW) luxury sports vehicles unit Porsche AG over suspected manipulation of petrol engines to falsify emissions data. Porsche confirmed a news report published on 23 August that it had notified authorities after an internal probe had identified suspected irregularities. There is no indication that current vehicles are impacted. Audi, VW’s premium division, said there were no signs that the issues identified at Porsche also affected its division. This comes after authorities fined Porsche EUR535 million (USD632m) in 2019 over irregularities that enabled the firm to fake diesel emissions tests, though such actions have not yet been proven for petrol engines. It also forms part of a series of probes in the long-standing ‘dieselgate’ scandal around VW since 2015. The focus on petrol engines could indicate a widening of investigations into such engines in the medium-term. Businesses should assess their exposure to the ongoing investigations, maintain regulatory compliance, ensure that potential interactions with authorities are above board, and self-report any wrongdoing to authorities.

On 26 August, the French foreign ministry announced the deployment of several military aircraft and a frigate for the Eunomia joint naval exercise in co-operation with Cyprus, Greece, and Italy. The military drill, which is taking place south of Cyprus and the Greek island of Crete, ended on 29 August. In parallel, Turkey issued a ‘Navtex’ on 27 August, announcing its intention to hold live-fire exercises in the same area on 1 and 2 September. Both exercises follow similar drills by both Turkey and Greece, in collaboration with US forces on Monday and Tuesday this week. The military drills mark a further escalation in tensions between Ankara and NATO members, including Greece, France, and the United States, due to Turkey’s persistence in pursuing oil exploration in contested waters with Greece. Ship masters should take note of the Navtex announcements and re-route operations accordingly, while communicating with the relevant authorities when transiting the area.

The EU’s trade commissioner, Phil Hogan, resigned from his position on 26 August, following his apparent breach of COVID-19 guidelines at a golf society dinner in his native Ireland on 19 August. In his resignation statement, Hogan said he had not broken any law but regretted the ‘concern, unease and upset’ his trip had caused. Hogan’s departure marks a significant blow for Ireland’s immediate-term influence in the EU, and poses questions about the future direction of EU trade policy. Organisations with interests in EU trade policy, particularly related to negotiations with the UK, US, and other markets such as Mercosur, should monitor news on Hogan’s replacement and assess the likely impact on operations and strategy.

In a television interview on 27 August, Russian President Vladimir Putin said that Moscow has assembled a police reserve force which could be sent to Belarus in the event of violent unrest over this month’s disputed presidential elections. Putin said that the force’s assembly came at the request of Belarusian President Alexander Lukashenko, whose official victory in the 9 August election has triggered widespread protests within Belarus and been condemned as fraudulent by multiple countries. While the EU and other western powers have condemned the election’s outcome, they also recognise Belarus’ extremely close ties to Russia and have purposefully avoided statements and actions which Moscow may deem as antagonistic. Organisations with interests in Belarus, particularly in major cities such as Minsk, should monitor updates on demonstrations and assess the impact a potential Russian police intervention could have on operations and strategy.

On 27 August the Greek parliament ratified an accord, first tabled on 6 August, laying out maritime boundaries that demarcate exclusive economic zones (EEZs) with Egypt. The pact, which has already been ratified by Egypt’s parliament, was given approval in a majority vote by Greek lawmakers. Under the accord, Greece and Egypt are permitted to access the maximum resources available in the EEZ, including oil and gas reserves. The accord comes amid rising tensions with Turkey, which escalated in July after Ankara announced plans to conduct seismic research in areas that fall under Greece’s continental shelf. Greece and Turkey remain in a stand-off over the rights to hydrocarbon resources in the disputed area. It should be noted that conflict remains a low-likelihood scenario given the current shared reluctance of the disputing states to engage in such activity. Energy firms with interests in the region are advised to continue monitoring all updates and prepare contingency plans for the chance of conflict occurring.

MENA and Central Asia

On 24 August Tunisian prime minister-designate Hichem Mechichi said that a cabinet of independent technocrats had been successfully formed. The statement comes nearly two weeks after Mechichi announced his intention to form a technocratic government on 12 August. A key focus for Mechichi is addressing economic stagnation, which has caused a significant uptick in protest activity over recent months. His cabinet notably includes Ali Kooli, CEO of Arab Banking Corporation (ABC Bank), who will lead a newly merged department overseeing the country’s economy. This will be the second new government in six months. Mechichi’s decision not to include political figures in his cabinet has been met with backlash, particularly from Ennahda, which has demanded a political government. A vote of confidence must now be held, which will likely take place in the next ten days. While criticism of the technocratic cabinet exists, it is likely that leading parties such as Ennahda will give their support given the alternative of an early election, which would further elevate economic and political instability. A failure to secure a vote of confidence would detrimentally impact Tunisia’s stability and result in an uptick in nationwide protest activity.

On 25 August the US Justice Department charged Teva Pharmaceutical Industries Ltd, an American-Israeli company headquartered in both the US and Israel, with coordinating with its competitors to inflate the prices of widely used drugs. Teva is charged with conspiring with the following companies: Glenmark Pharmaceuticals, Apotex Corp, Taro Pharmaceutical Industries and Sandoz Inc. The widely used medications whose prices have allegedly been inflated include drugs to treat brain cancer, cystic fibrosis, arthritis, blood clots and seizures. The indictment brought against Teva, which is the world’s largest generic drug-maker by market value, makes it the most high-profile company targeted by the US Justice Department under its ongoing investigations into companies conspiring with one another to inflate the prices of widely used drugs. Businesses with ties to the company are advised to prepare contingency plans for the realistic chance of a criminal conviction, which would likely have a detrimental impact on Teva, which is already struggling with a USD26 billion debt load.

The Southern Transitional Council (STC) said on 25 August that it had suspended its participation in talks over a Saudi-sponsored power-sharing deal for the south of Yemen, known as the Riyadh Agreement. STC Vice President Hani Ben Brik said in a tweet that the decision was made in protest at ‘irresponsible behaviour’ toward the agreement. In a statement, the STC listed several other factors in the decision, including accusing the internationally recognised government of military escalation in Abyan, ceasefire violations, and underfunding the region, leading to a collapse of public services in the south. It is worth noting that some southern forces have rejected the agreement altogether, calling instead for the restoration of the southern Yemeni state. A 30-day mechanism put forth by Saudi Arabia to accelerate the implementation of the Riyadh Agreement (struck in November 2019) was due to expire on 29 August, and the STC’s announcement will effectively end this effort. The dispute will further delay UN efforts to negotiate a ceasefire in the wider conflict with the Houthis and could lead to a revival of STC ambitions for self-rule. Security managers should monitor the situation for updates and anticipate an uptick in violence in the south, with likely flashpoints being Aden and Abyan.

On 26 August, a joint statement released by the International Atomic Energy Agency (IAEA) Director-General Rafael Grossi and Iran’s nuclear agency chief, Ali Akbar Salehi, confirmed that Iran would grant the IAEA access to two sites suspected of conducting covert nuclear activity. The sites, which remain unnamed, are situated near Karaj city in the western Alborz Province and near Isfahan city in central Iran. Evidence collected by the IAEA indicates that undeclared nuclear activity likely took place prior to the 2015 JCPOA agreement and involved activities ‘relevant to the development of a nuclear explosive device’. The move signals a notable de-escalation in tensions between Iran and the United Nations-controlled IAEA following a standoff that has been ongoing since January 2020 when Iran refused UN inspectors access to the sites. As Iran softens its resistant position against the UN, further acts of cooperation are possible in the one-month outlook.

Reuters reported on 26 August that a two-page ‘concept paper’ outlining a roadmap with reforms necessary for the release of foreign aid was sent by French President Emmanuel Macron to Lebanese politicians. The measures detailed in the paper notably included an audit of the central bank and the ‘rapid formation’ of a government to ‘avoid a power vacuum’. Four areas were identified as requiring urgent attention; these include humanitarian aid amid the COVID-19 crisis, Beirut’s reconstruction after the explosions on 4 August, substantive political and financial reforms, and early parliamentary elections. Calls were also made for the reinstatement of negotiations between the IMF and the Lebanese government, which were suspended in early July amid significant political discord.

The paper signals a notable development in France’s involvement in Lebanese domestic affairs. Macron has played an increasingly active role in the country since the explosions at the Beirut port, having visited the city on 8 August and reportedly held multiple phone calls with political leaders from across the sectarian system. If followed, the roadmap, which indicates that France would play a considerable role in stabilising Lebanon with financial support, resources and guidance, will signify a new period of French influence in the region. Talks between political leaders on the appointment of a new prime minister following the resignation of Hassan Diab and his government on 10 August continue to stall. Macron’s efforts to resolve the political crisis are likely to be met with significant backlash from Hezbollah, which has previously stated its objection to Western interference in the country. Opposition such as this is likely to significantly impede any form of progress in the short to medium term, raising the risk of Lebanon falling further into extreme economic and political instability. Widespread violent protests are likely to continue in the coming weeks.

On 31 August, Mustapha Adib was nominated to become the new prime minister-designate of Lebanon. The selection came after President Michel Aoun held binding consultations with MPs from across the political blocs to ascertain the candidate. This included an influential group of former prime ministers who picked Adib; they represent the largest number of Sunni MPs in Parliament. Their support is viewed as crucial to the success of a new prime minister, who under Lebanon’s political power-sharing pact, must always be Sunni. Adib, previously an ambassador to Germany, successfully secured 90 out of 128 parliamentary votes, thereby permitting him to form a government.

In a televised speech, Adib announced his intention to quickly form a government and begin implementing reforms ‘immediately’. The process of forming a cabinet will likely take between two and four weeks but could be longer if disputes between political blocs take control of the selection process. Delays to the formation of a government would further hinder the chances of any reforms taking place within the next month. It is worth noting that Adib’s support from a large majority of Sunni MPs contrasts significantly with the comparably weaker support shown towards previous prime minister Hassan Diab, who secured votes from just a small handful of parliament’s 27 Sunni MPs. A larger support base could offer Adib important leverage in the months to come as he works to take control of the country’s dire economic situation. Despite the selection, widespread anti-government suspicion is likely to prevail until reforms are successfully implemented. Until then, protests and social unrest will likely continue, particularly across urban centres including Beirut and Tripoli.

Israeli aircraft hit Hamas facilities in the Gaza Strip overnight on 28 August. The Israeli Defence Forces (IDF) said it hit underground infrastructure and a military post belonging to Hamas, Gaza’s rulers, in response to incendiary balloons that were launched from the coastal enclave and burned Israeli farmland in recent days. In response to the Israeli strikes, militants in Gaza launched six rockets toward Israel, none of which were intercepted by the Iron Dome system. It is unclear where the rockets landed. Israel then fired a second round of strikes, hitting a Hamas armed training camp. There were no immediate reports of casualties on either side.

Tensions between the two sides are currently high: mediators from the UN, Egypt and Qatar are working to negotiate a truce, with Qatari envoy Mohammad Al-Emadi having been in Gaza since 25 August holding talks with Hamas. Efforts at securing calm will be complicated by Israel’s halting of fuel imports into Gaza, which led to its only power plant shutting down on 18 August. Gazan hospitals and homes are now solely reliant on their generators for power, which will put pressure especially on the medical sector, as Gaza has faced an uptick in COVID-19 cases and a renewed lockdown. This situation is likely to further fuel local grievances. Operations managers should monitor the situation for updates. Follow all directives issued by the emergency services and civil authorities in the event of rocket fire. Staff based in southern Israel should familiarise themselves with the immediate actions to take on hearing air raid warnings, and the location of the nearest air-raid shelter. Travel to Israel within 40km of the border with Gaza should be for essential purposes only.

On 25 August, the Kuwait supreme judicial council moved to suspend seven judges from work and referred them for investigation. The move stemmed from the discovery of their possible dealings with a money-laundering ring known as the ‘Bneider network’, run by an Iranian citizen, Fuad Salehi, who is currently imprisoned on charges of money laundering, alcohol trade and bribery. According to an anonymous source referenced by the Al-Qabas newspaper, the names of the judges were found on Salehi’s phone during investigations. This underlines the risk of corruption among high-ranking government officials in Kuwait. Over the past year, this has caused increasing tensions between the government and the public and resulted in large anti-corruption demonstrations in November 2019. Further demonstrations of this kind are possible in the short-term outlook following the suspension of the judges. These would most likely be carried out in Kuwait City, with key protest sites notably including outside the National Assembly in Jibla district.

Sub-Saharan Africa

The London High Court has rejected UAE-based ship-building company Privinvest’s appeal to delay proceedings and allow for arbitration in Swiss courts, according to Mozambican television channel STV on 25 August. The court reportedly set a new date for hearings in January 2021 in the so-called ‘hidden debt’ scandal, which saw the government agree to guarantee USD2 billion in undisclosed loans in 2013 and 2014 from Swiss bank Credit Suisse and Russia’s VTB. The uncovering of the loans caused a sovereign debt default in 2017. Mozambique filed a lawsuit against Credit Suisse and VTB, as well as Privinvest and its CEO, Iskander Safa, in February 2019, accusing them of being at the centre of a scheme in which the company signed million-dollar contracts to supply equipment at seriously inflated prices with three special purpose vehicles set up by the Mozambican state. Former president Armando Guebuza has also been listed as a defendant in the case.

The rejection of the appeals application is likely to deal another reputational blow to the shipbuilder and other companies involved, signalling probable sanctions in the coming year or two. However, while the former president has been implicated in the case, corruption risks remain high in Mozambique given the dominance of the ruling FRELIMO party and despite moves under the current administration to tighten anti-money-laundering controls. Companies with interests in the country or considering market entry should factor this into their compliance programmes and ensure their internal controls meet extraterritorial anti-bribery legislation, such as the FCPA and the UK’s Bribery Act.

South Africa’s ruling African National Congress (ANC) on 23 August launched a countrywide internal investigation into allegations of corruption by its representatives and officials at the provincial level. As part of the probe, all provincial officials are required to draw up a list of ANC representatives accused of wrongdoing or facing criminal charges and submit this to ANC Secretary-General Ace Magashule. In a letter to party members on Sunday, President Cyril Ramaphosa made several calls for action, including lifestyle audits of all ANC officials, regular wealth declarations by ANC members, and for the party to distance itself from individuals who fail to give acceptable explanations for allegations of wrongdoing. The letter and probe mark an escalation in rhetoric by the ANC leadership, which is facing stark criticism from opposition parties and business leaders amid a raft of corruption allegations. The Serious Investigating Unit of the police is currently investigating a series of corruption allegations relating to government contracts and public tenders worth ZAR5 billion (USD297 million), many of which have emerged in relation to emergency responses to combat the COVID-19 pandemic. The probe also underscores South Africa’s elevated corruption risks, which suggests that exporters of goods, including PPE, need to increase their due diligence controls on local partners to mitigate the risk of being implicated in corrupt practices in South Africa.

In Mali, the ruling military junta on 27 August announced that former President Ibrahim Boubacar Keïta, who was detained during the nation’s coup on 18 August, has been released. This coincides with a meeting of the regional political and trade bloc Economic Community of West African States (ECOWAS), which was postponed to Friday (28 August). The meeting is set to include a discussion on whether to tighten sanctions against Mali. The tightening of existing sanctions, which include a trade ban and border closures, would further exacerbate Mali’s already poor socio-economic climate. Keïta’s release, and that of other senior officials, was a crucial demand of France, international organisations, and Mali’s neighbours. Keïta was likely released as a concession to ECOWAS’ demands, and this will probably factor into the bloc’s deliberations regarding sanctions. Nonetheless, outstanding issues persist, including ECOWAS’ demand for an interim government against the junta’s plan to rule for a three-year period. Businesses with interests in Mali should monitor the ECOWAS meeting and potential announcements regarding the tightening of sanctions and factor outcomes into strategic and operational planning.

Ruling party RPG-Arc en ciel on 31 August announced that Guinea President Alpha Condé would seek re-election on 18 October. The announcement also confirmed that the CDCC coalition, which was announced in May, was also backing Condé’s bid. The opposition and civil society coalition, FNDC, on Tuesday (1 September) said the move was unsurprising and called for a broad-based mobilisation of opposition forces to stage imminent protests against his third-term bid. The FNDC said it would announce further details by 5 September. The FNDC and many opposition groups consider the president’s re-election plan as unconstitutional, due to a two-term limit on presidents. The RPG-Arc en ciel and its allies argue the adoption of a new constitution earlier this year means he can run again. Despite ostensible divisions, which emerged in August, among FNDC allies over the intention of opposition UFDG party leader Cellou Dalein Diallo to run in the polls, which some argue is allowing Condé to run, the anti-government coalition remains a powerful political force and will likely mobilise thousands of protesters onto the streets of Conakry and other cities in the one-month outlook. A flashpoint date for protests is likely to be 8 September, the deadline for presidential candidate applications.
