Geopolitics and Cybersecurity Weekly Brief – 12 October 2020

Executive Summary

Cyber threat actors are expected to increase their attacks as the 2020 US Presidential Election approaches. In its first HTA annual report, the US Department of Homeland Security (DHS) disclosed that unknown threat actors targeted the US Census network throughout 2019. The DHS expects state-sponsored attackers from China, Russia, Iran and North Korea to continue attacks against the US Census’ infrastructure to influence voters.

Further to this, the United States Department of Justice announced that American authorities have seized and shut down 92 domain names that were leveraged by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign. This connects with Microsoft’s assertion on 11 September that APT groups from Russia, China, and Iran had ‘stepped up their efforts targeting the 2020 election as had been anticipated and is consistent with what the U.S. government and others have reported.’

In the geopolitical sphere, US Vice President Mike Pence and Kamala Harris, a California senator and the Democratic Party’s nominee for the vice-presidency, clashed over coronavirus (COVID-19) and other policy issues in a televised debate in Salt Lake City, Utah on 7 October. In Kyrgyzstan, the President agreed to resign after the government was overthrown following highly criticised 4 October elections. US President Donald Trump on 7 October called for the remaining US troops currently deployed in Afghanistan to be withdrawn by Christmas.

The UK government’s defence committee said on 8 October it found clear evidence supporting claims that China-based technology company Huawei had colluded with the Chinese government.

The banking and commercial sector continues to be a primary target for cyberattacks. The local Ugandan subsidiaries of South Africa-headquartered Stanbic Bank and telecommunications company MTN, as well as India’s Airtel, said they had suffered a data breach through an unnamed third-party service provider on 3 October. This comes in the same week that Verizon issued a data breach notification. Meanwhile, the COVID-19 pandemic has been another outlet for cybercriminals, with Europol saying hackers are specifically exploiting the pandemic by targeting staff that work from home.

Also this week, the US Financial Industry Regulatory Authority (FINRA) issued a notice to brokerage firms warning of widespread phishing campaigns attempting to use surveys to harvest user information. This is the third such warning that FINRA has had to issue in 2020. Using the name of a well-known professional organisation makes it more likely for potential victims to fall for a phish.

Microsoft Threat Intelligence Centre (MSTIC) has revealed that an Iranian state-sponsored APT known as Mercury (more commonly referred to as MuddyWater) has been exploiting the ZeroLogon vulnerability in active campaigns. Since the vulnerability was disclosed in mid-September, multiple publicly available proof-of-concept (PoC) exploits have been developed and used in active campaigns. Patching, as ever, is a critical part of protecting business.

 

Attacks and cybersecurity news

US payment processor VISA this week published a security alert revealing that two North American organisations in the hospitality sector were compromised and infected with point-of-sale (POS) malware in May and June 2020. VISA did not name either of the victims. Point-of-sale systems are regularly targeted by skilled financial attackers. These systems are often outdated and seldom replaced, meaning that publicly known flaws can be targeted for exploitation long after they have been patched. Recently, other financial threats such as ransomware and web skimming have had more media attention: these attacks, however, show that POS systems are still an attractive target for attackers and should be protected accordingly.

The New York Times reported the recent disclosure of a cyberattack on eResearchTechnology (ERT), a Philadelphia-based firm that sells software used in hundreds of clinical trials; ransomware brought operations to a halt for a fortnight. Among the victims were IQVIA, a contract research organisation that helps manage AstraZeneca’s Covid-19 vaccine trial, and Bristol Myers Squibb, a drug maker leading a consortium of companies in developing a quick test for the virus. Companies and research labs involved in the pandemic have been frequent targets of foreign threat actors over the past seven months, as the search for a vaccine has become increasingly important.

In its first HTA annual report, the US Department of Homeland Security (DHS) disclosed that unknown threat actors targeted the US Census network throughout 2019. Attacks against the US Census’ public-facing network included attempts to access census-gathered bulk data, alter census registration information, compromise the infrastructure supply chain, or cause a denial of service (DoS) condition. The DHS expects state-sponsored attackers from China, Russia, Iran and North Korea to continue attacks against the US Census’ infrastructure to influence US voters in the upcoming 2020 presidential election.

Threat actors targeted and compromised the accounting systems of several Swiss universities to divert staff wage payments. At least three universities were affected, including the University of Basel. The attackers gained access to the internal university systems through a phishing attack, allowing them to steal tens of thousands of francs, some of which was immediately transferred abroad. The University of Zurich managed to avoid being compromised when an employee recognised the email as a phish.

The operators of the SunCrypt ransomware have begun to launch Distributed-Denial-of-Service (DDoS) attacks against victims who refuse to pay the ransom. It remains unclear how many ransomware groups are currently utilising this tactic, but SunCrypt appear to be the first to publicly confirm it. DDoS attacks are the latest extortion tactic used by ransomware operators to pressure victims into paying the ransom. The SunCrypt operators claim these attacks were launched after victims abandoned negotiations.

 

Data breaches, fraud, and vulnerabilities

Data Breaches

Verizon, a North American Internet Service Provider (ISP), has issued a data breach notification concerning the exposure of an undisclosed number of users’ account credentials. Twitter users, who are Wireless customers of Verizon, shared their personal letters sent by the ISP disclosing details of the breach. Technical details have not been disclosed. Verizon is still investigating the incident and has not stated whether its systems were specifically breached, or a large list of Verizon customers’ accounts was compromised via a third party.

Security researcher Bob Diachenko found an exposed database belonging to an Indian finance company, Free Loan. Exposed information includes names, email addresses, phone numbers, Aadhar numbers, and IP addresses. The database was quickly destroyed in a ‘meow’ attack. These types of aggressive incursions have presented a significant threat to unsecured databases since late summer. So-called ‘meow’ attacks delete all the data on the database, leaving only the word ‘meow’ in its place. Thousands of datasets have been wiped since these attacks began.

The operators of the Clop ransomware have announced Software AG as their latest victim. Software AG, based in Germany, is Europe’s seventh-largest software provider. The Clop operators were demanding USD23.6 million (or 2,095 BTC) for decrypting all encrypted devices on the company’s network. Bleeping Computer also gained access to the chat on the leaks site between Clop and Software AG, where the ransomware operators claim to have stolen around 1TB of data, including passports, health bills, contracts, contact lists, certificates and emails.

On 5 October, the local subsidiaries of South Africa-headquartered Stanbic Bank and telecommunications company MTN, as well as India’s Airtel, confirmed they had suffered a data breach through an unnamed third-party service provider on 3 October. The data breach reportedly began on 1 October, but was only discovered over the weekend. The company in question is Kampala-based Pegasus Technologies, which integrates mobile money transactions between telecoms, banks, and other mobile money transfer businesses. Pegasus has refused to confirm the incident. The incident is significant given that Airtel and MTN account for about 90 per cent of Uganda’s mobile money market. Pegasus also handles up to UGX1.7 trillion each year as well as Stanbic’s so-called FlexiPay service which allows customers to use mobile money to pay for goods and services.

Fraud

A new Business Email Compromise (BEC) campaign has targeted at least 73 French firms. The majority of these were in the manufacturing sector, followed by healthcare, energy, real estate, and FMCG organisations, among others. The email address used to register the initial malicious domain was also deployed in the creation of several others since September 2019. All were very similar to other legitimate French companies’ domains. According to the FBI’s 2019 IC3 report, BEC scams resulted in USD26 billion in total losses worldwide between June 2016 and July 2019.

The researchers also believe that this type of fraud is more widespread than is currently being reported.

A new phishing campaign targeting Canada is harvesting banking credentials and other personal information from 12 different banks. Employees who were expecting a COVID-19 relief grant (CERB – Canada Emergency Response Benefit) were targeted. The emails imitate a notification from Interac’s e-transfer service, which distributes the CERB, indicating that a payment has been sent. The malicious link takes the user to one of 12 phishing pages. Impersonated banks include ATB Financial, Bank of Montreal, Canadian Imperial Bank of Commerce, Desjardins, Laurentian Bank, Meridian, National Bank of Canada, Royal Bank of Canada, Scotiabank, Simplii Financial, Tangerine, and TD Canada Trust.

A phishing campaign is using the lure of coronavirus tax relief to scam users into submitting sensitive personal information. The emails take advantage of the fact that the US Internal Revenue Service (IRS) deadlines are approaching for people who have not received an Economic Impact Payment. This phishing page was hosted on a compromised SharePoint account, adding to the legitimacy of the campaign. The email aims to convey a sense of urgency, suggesting that the recipient has a limited amount of time to complete the task.

The US Financial Industry Regulatory Authority (FINRA) has issued a notice to brokerage firms warning of widespread phishing campaigns attempting to use surveys to harvest user information. These messages are being sent from fake FINRA domains and have been made to look as though they are legitimate FINRA surveys. In August 2020, FINRA warned of another phishing campaign in which a fake site mimicked the FINRA website but had an extra letter in its domain name. This site included a registration form to steal information from FINRA users. The organisation issued another alert in May, this time warning of a phishing campaign impersonating FINRA officers. Using the name of a well-known professional organisation makes it more likely for potential victims to fall for a phish.

Vulnerabilities

Microsoft Threat Intelligence Centre (MSTIC) has revealed that an Iranian state-sponsored APT known as Mercury (more commonly referred to as MuddyWater – see below) has been exploiting the ZeroLogon vulnerability in active campaigns. MSTIC strongly recommends that any organisations still affected by ZeroLogon, tracked as CVE-2020-1472, patch their systems as soon as possible. The ZeroLogon vulnerability takes advantage of the weak cryptographic algorithm used in the NetLogon Remote Protocol (MS-NRPC) authentication process. Since the vulnerability was disclosed in mid-September, multiple publicly available proof-of-concept (PoC) exploits have been developed and used in active campaigns.

MuddyWater (also known as Mercury, SeedWorm, Temp.Zagros) is a state-sponsored APT group that first appeared in 2017. It is responsible for many cyber-espionage campaigns and intelligence-gathering operations on behalf of the Iranian government. It has targeted organisations in the telecommunications, government, and energy sectors in the Middle East, Turkey and various countries in Asia. A day after that first warning, MSTIC reported that it was also seeing exploitation of ZeroLogon in the wild by the Russian group, TA505.

The Canadian Centre for Cyber Security (CCCS) has issued an advisory over the IBM Security Updates for October 2020. IBM has published patches to address several vulnerabilities in products including IBM App Connect Enterprise Certified Container, IBM Maximo Asset Management, and IBM Resilient SOAR.

Multiple vulnerabilities have been found in Pepperl+Fuchs Comtrol’s RocketLinx industrial switches. Some of these can be exploited to take complete control of devices, or be used to gain access to switches, execute commands, and obtain information. A total of five flaws were discovered: three are rated critical and two high severity. Exploitation of these bugs requires network access to the targeted switch, but no permissions are needed on the device itself.

Multiple security bugs have been disclosed in anti-malware software that allow Local Privilege Escalation (LPE) on a compromised device. The main cause of the bugs stems from the default discretionary access control list (DACL) of the C:\ProgramData directory in which Windows stores application data by default. Products from Kaspersky, Trend Micro, McAfee, Symantec, Avast, and Microsoft are all affected.

Cisco has issued patches for three high-severity vulnerabilities in its WebEx video-conferencing system, video surveillance IP cameras, and Identity Services Engine network administration portal. 11 medium-severity flaws were also patched. There is no indication that any of these flaws have been exploited in the wild. Users are urged to update to the most recent versions of each service to avoid potential compromise.

 

APT Activity and Malware Campaigns

APT activity

A new Waterbear campaign has been observed that targets Taiwanese government agencies. These sophisticated attacks took place in April 2020, but the threat group leveraged malware already present on the system from a previous attack – unrelated to the group – to deploy Waterbear. This campaign used a decade-old antivirus evasion technique known as ‘Heaven’s Gate’ to trick Microsoft Windows operating systems into executing 64-bit code, even when declared as a 32-bit process. This allows the malware to bypass security engines and inject shellcode without detection. Waterbear has previously been linked to the BlackTech threat group, an advanced APT known for attacking technology companies and government organisations in Taiwan, Japan, and Hong Kong with the PLEAD backdoor, TSCookie, and IconDown. The Waterbear malware is used for lateral movement, decrypting, and triggering other payloads with its loader component.

Kaspersky has uncovered a new industrial espionage APT group leveraging a previously undisclosed toolset. The malware authors called their tools ‘MT3’ and Kaspersky has subsequently named the group MontysThree for tracking purposes. The researchers have not observed any similarities or overlap with other publicly disclosed campaigns in terms of TTPs, infrastructure, or malware code. It is believed, therefore, that MontysThree is a new APT group. MontysThree is a Russian-speaking group targeting Russian-speaking targets: this is unusual as groups from Russia tend to operate exclusively outside the country and the 11 CIS members. The highly customised malware, unique infrastructure, and TTPs used in this type of campaign are typically reserved for the types of state-sponsored espionage campaigns against government entities and critical national infrastructure. These tactics are much less common for industrial espionage groups, making MontysThree relatively unique and worth monitoring.

The United States Department of Justice has announced that American authorities have seized and shut down 92 domain names that were leveraged by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign. As the 2020 US Presidential Election approaches, US authorities are cracking down on attempts to disrupt and undermine the democratic process. The FBI and CISA released a joint advisory regarding the dissemination of disinformation regarding 2020 election night results. The US believes that state-sponsored influence operations will aim to sow doubt regarding many other things besides the results, including compromised voting systems and hacked voter registration databases. On 11 September, Microsoft also revealed APT groups from Russia, China, and Iran ‘have stepped up their efforts targeting the 2020 election as had been anticipated and is consistent with what the U.S. government and others have reported.’

Malware

360 NetLab has shared details of a new Peer2Peer (P2P) IoT botnet dubbed HEH. It is targeting unsecure Telnet services. HEH is spreading malware via brute-forcing Telnet passwords on ports 22 and 23. As noted by the researchers, the HEH botnet is relatively new and still under development. The HEH botnet could become a significant threat in the future due to its ability to target multiple CPU architectures and an embedded self-destruction technique.

All spamming from the Emotet botnet has ceased. No new documents, URLs, EXEs, or changes to the C&C servers have been observed since last week. In the past, the operators have ceased distribution when they intend to modify their botnet malware. This may be the case this week, but this is unconfirmed.

Abuse.ch has shared samples of the QNodeService remote access Trojan (RAT) distributed in politically themed spam emails. The email subject is ‘USA President Donald Trump health is very serious!!!! We have the evidence here’ with an archive attached called ‘VideoCCTV.zip’. This contains a malicious .jar with the same name. The sender masquerades as the ‘REUTERS NEWS NETWORK’ and the body of the email is written in English and Arabic, suggesting the operators are targeting Five Eyes countries, those in the Middle East, and potentially others further afield.

Several new malware campaigns are leveraging a Pastebin-like service called paste.nrecom.net. This service has been active since May 2014 and has similar functions to Pastebin, as well as an API that allows for scripting, making it popular among cybercriminals. Researchers highlighted a specific AgentTesla campaign, targeting multiple industries related to shipping, supply chains, and banks, that used paste.nrecom.net to host its malware. AgentTesla is the most common malware that uses this service in its attacks. The Redline Stealer has also used the service against other sectors, including healthcare and manufacturing companies in the US.

A new malware deployed by a threat group linked to China repurposes Hacking Team’s leaked spyware, VectorEDK – a persistent implant that targets the device’s Unified Extensible Firmware Interface (UEFI). This new malware has been dubbed MosaicRegressor. The campaign targeted a number of victims around the world including diplomats and NGO staff from Africa, Asia and Europe – all of whom worked on issues related to North Korea. By targeting the device’s UEFI, the malware can persist even if the entire hard drive is wiped or the operating system reinstalled. This makes it much harder to remove than traditional malware. Even if the MosaicRegressor payload is discovered and removed, the UEFI implant can redeliver it later. UEFI is largely overlooked by security vendors despite being of clear interest to APT groups.

 

Darknet

Europol has released its Internet Organised Crime Threat Assessment (IOCTA) for 2020. The report includes numerous observations about the darknet. Cryptocurrencies that emphasise privacy and security have experienced significant growth this year. This aligns with our own observations, particularly regarding Monero’s increasing adoption among cybercriminals.

The average lifespan of darknet markets is decreasing. Again, this supports our own findings. This trend was particularly visible in the aftermath of Empire’s exit scam, where multiple markets were established and then taken offline within a matter of weeks. However, it is also important to note that a few select markets do manage to survive for an extended period.

On 11 October an advertisement was posted on Joker’s Stash, the largest stolen card shop on the darknet. The advertisement claims that Joker (the owner of Joker’s Stash) is going to add 3 million cards to the site. This is reminiscent of the Wawa breach of late 2019, where 30 million cards were stolen from an American convenience store chain and subsequently sold on Joker’s Stash.

 

Geopolitical Threats and Impacts

Americas

UNITED STATES – VP candidates clash over COVID-19, other policy issues in debate

On 7 October, Vice President Mike Pence and Kamala Harris, a California senator and the Democratic Party’s nominee for the vice-presidency, clashed over coronavirus (COVID-19) and other policy issues in a televised debate in Salt Lake City, Utah. The candidates sparred over President Donald Trump’s handling of COVID-19, healthcare, the Supreme Court, race relations and taxes, among other topics. The debate produced few standout moments for either candidate and is unlikely to significantly shift public opinion. The next presidential debate between Trump and Biden is scheduled for 15 October; however, whether it goes ahead will depend on Trump testing negative for an active COVID-19 infection.

UNITED STATES – Trump ends talks on COVID-19 relief bill, elevating economic risks

On 6 October, US President Donald Trump announced an end to bipartisan negotiations over a coronavirus (COVID-19) economic relief bill. In a tweet, Trump said he would not negotiate a new relief bill until after the 3 November presidential election. Talks broke down after the two sides were unable to reach agreement on the size of the relief package and how money would be spent. While Trump’s decision to end negotiations will please fiscally conservative voters ahead of November’s poll, it risks exacerbating ongoing economic distress caused by the COVID-19 pandemic. Industries at particular risk include the travel, tourism, and hospitality sectors, as well as many small businesses affected by restrictions on assembly.

COSTA RICA – Government withdraws IMF-linked fiscal proposals after protests

On 4 October, President Carlos Alvarado announced the withdrawal of the government’s proposed IMF-related economic reforms following days of public protests against the measures. The withdrawn fiscal reforms, which included new taxes on banking transactions and individuals earning more than CRC840,000 (USD1,400) per month, were announced in late September ahead of talks with the IMF over a potential USD1.75 billion loan through the fund’s Extended Fund Facility (EFF). The government’s proposals triggered four days of disruptive protests across the country, including road blockades in at least 17 locations, with participants angered at the prospect of new taxes. While the withdrawal of the proposals is set to lower the incidence of further unrest in the one-week outlook, there is a high likelihood that subsequent fiscal reform proposals trigger similar protests.

APAC

CHINA – Thirty-nine countries press Beijing on human rights of Uyghurs

Thirty-nine countries, including Japan, a majority of European Union (EU) countries, and the United States, on 6 October urged Beijing to respect the human rights of China’s Uyghur minority, and voiced concern about the situation in Hong Kong. China’s envoy for Pakistan responded by reading out a statement signed by 55 countries, including China, criticising the use of Hong Kong’s situation as a reason to meddle in China’s domestic affairs. China singled out Germany, the United Kingdom, and the United States in its criticism. The development comes against the backdrop of rising antipathy towards China; a 14-nation Pew poll published on Tuesday found a marked increase in negative views of China, including in Australia, Germany, the United Kingdom, and the United States. Germany’s increased assertiveness regarding China signals a significant departure from previous, more conciliatory approaches primarily guided by trade relations. Germany’s prominent position within the EU suggests that its strategic shift will be followed by other EU member states, likely heightening the risk that the countries and their respective diplomatic missions, companies, and citizens will be targeted with reprisals by Beijing.

AFGHANISTAN – Trump calls for US troops to be withdrawn from country ‘by Christmas’

US President Donald Trump on 7 October called for the remaining US troops currently deployed in Afghanistan to be withdrawn ‘by Christmas.’ He made his comment on Twitter a few hours after the US National Security adviser Robert O’Brien said the country’s 5,000 or so troops would be cut to 2,500 by early 2021. This would be in line with an agreement reached with the Taliban insurgents, but remains dependent on negotiations ensuring a permanent ceasefire and a power-sharing accord with the Afghan government. President Trump’s intervention may reflect an attempt to garner support ahead of the 3 November US elections but is also viewed as offering the Taliban an advantage in the talks underway in Doha, Qatar. It also increases uncertainty over the viability and duration of numerous foreign military and civil society programmes and international aid and development initiatives in Afghanistan. The presence of US troops and their military assets have provided a level of assurance for many of these efforts, and it is unlikely any other country or organisations such as NATO will be prepared to increase their force levels to offset the US withdrawal.

Europe and Russia

UK & CHINA – Parliamentary report finds evidence linking Huawei to Chinese state

The UK government’s defence committee said on 8 October it found clear evidence supporting claims that China-based technology company Huawei had colluded with the Chinese government. The committee added that Huawei equipment installed on UK mobile 5G networks could be removed earlier than planned. No exact details on the Huawei-Beijing links were provided within the report, which Huawei said lacked credibility. Following intense pressure from the US, Prime Minister Boris Johnson said in July that telecommunications firms should remove Huawei components by the end of 2027. Washington has repeatedly warned that Huawei could be used to spy on allies, while also warning that failure to take a strong stance on the firm could lead to a stop in intelligence sharing. The UK committee report clearly carries important implications, as it will influence the government’s stance towards Huawei. For lawmakers aligned with the US on the issue, the report lends credibility to claims that Huawei shares strong links with the Chinese government, making an earlier removal of Huawei equipment highly probable.

UNITED KINGDOM – Finance minister to use new powers blocking firms listing on stock exchange over security concerns

Finance minister Rishi Sunak is planning to use additional powers in a bid to prevent companies from listing on the London Stock Exchange (LSE) over national security grounds, according to a 7 October report by The Times. An outline of the plans will highlight cases where the powers can be used, including scenarios where a hostile foreign state is specifically seeking to undermine LSE’s reputation. A listing may be blocked if authorities determine that it would help a foreign state access official and commercial secrets. This comes after the influential foreign affairs parliamentary committee published a report last year calling on the government to assume a more direct role in blocking listings. The report is in line with a trend that is emerging across much of Europe; governments are seeking additional powers to prevent market access to potentially hostile foreign commercial and state actors.

MENA and Central Asia

US & IRAN – Further sanctions announced, elevating geopolitical tensions

On 24 September, US secretary of state Mike Pompeo said that new sanctions had been implemented against several Iranian officials and entities, including Judge Mohammad Soltani and Judge Seyyed Mahmoud Sadati. Sanctions were also imposed against Adel Abad, Orumiyeh, and Vakilabad Prisons as well as Branch 1 of the Revolutionary Court of Shiraz. The move was anticipated following an earlier announcement that President Donald Trump had signed an executive order unilaterally authorising the re-imposition of all pre-2015 sanctions against Iran and officially extending a UN arms embargo beyond its original expiry date of 18 October. This strategy reflects an ongoing maximum pressure campaign and increasingly combative US foreign policy; however, several UN member states, including Britain, Germany and France, say the US does not have legal power to re-impose the sanctions. The US will not be able to fully enforce sanctions without international support. As such, Washington will likely bank on its trading power as a means of instigating compliance, particularly over China and Russia, and will work to demonstrate its uncompromising strategy by quickly sanctioning any violators.

KYRGYZSTAN – President agrees to resign after government overthrown, further unrest likely

President Sooronbai Jeenbekov said on 9 October that he was prepared to resign once a new cabinet had been appointed to bring an end to the current power vacuum. The news comes amid nationwide unrest following the results of the 4 October parliamentary elections, which critics claim were fraudulent and rigged. Over 7,000 protesters gathered at the Ala-Too Square in the capital Bishkek’s city centre on 7 October, with opposition supporters breaking into government buildings and freeing a number of high-profile prisoners, including a founder of the opposition Mekenchil party, Sadyr Japarov, who had been jailed since 2013. The lack of consensus between opposition groups over who will now lead a provisional government underlines a chaotic power struggle with the emergence of new groups and figures demanding their interests be recognised. The likelihood of further disagreements and delays to the formation of a cabinet is high given the lack of legitimacy that currently surrounds decision makers and the high probability that more political figures will stake their claim on the position of PM.

CANADA & TURKEY – Suspension on drone exports to impact weapons manufacturers

On 5 October, Canada’s minister of foreign affairs, Francois-Philippe Champagne, announced the government had suspended the export of some military drone technology to Turkey. The decision follows allegations that the equipment was being used by the Azeri military against Armenian forces in the disputed Nagorno-Karabakh territory, where heavy clashes have taken place since 27 September. Turkey has consistently denied sending any people or arms into the Nagorno-Karabakh conflict. Ankara is a long-standing ally of Baku and has publicly vowed to lend its support in the conflict flare-up. After Russia and Israel, Turkey is the largest supplier of military equipment to Azerbaijan, with previous sales including rocket launchers and drones; this is a strong indication Turkish supplies have likely been used in the current conflict.

Sub-Saharan Africa

MALI – ECOWAS lifts embargo, allowing trade and financial flows to fully resume

The Economic Community of West African States (ECOWAS) on 6 October announced it was lifting its trade embargo on Mali. This came after the nomination the previous day of a transitional government. Despite the presence of several high-ranking military officials in strategic ministerial posts, ECOWAS said it had observed ‘notable progress towards constitutional normalisation’ but reiterated calls for the dissolution of the junta, the Comité national pour le salut du peuple (CNSP) and the liberation of military officials who were detained amid the 18 August coup d’etat. The lifting of sanctions means that trade and financial flows with Mali will resume, reducing the short-term stability risk.

ETHIOPIA – Airlines face increased compliance risk as government bans flights over GERD 

The Ethiopian Civil Aviation Authority (ECAA) on 5 October banned flights over the Grand Ethiopian Renaissance Dam (GERD) on the Blue Nile river near the border with Sudan due to ‘security reasons’. The impromptu ban comes after negotiations between Ethiopia on one side, and Sudan and Egypt on the other, hit an impasse in August. Khartoum and Cairo are concerned that Addis’ timetable for filling the dam endangers their food and water security and threatens local livelihoods, as the Blue Nile is a major tributary for the White Nile in Sudan and the Nile in Egypt. The ban also follows the US state department’s move to suspend USD100 million in funding to Ethiopia over its unilateral move to begin filling the dam in July. The events come just under a year before Ethiopia is due to hold general elections, and Prime Minister Abiy Ahmed will likely take a strong stance in the GERD negotiations.

 


Cyjax combines automated and manual collection of open and closed source data across the clearnet, darknet and deep web. Using our cutting-edge threat intelligence platform alongside our team of experienced analysts, we collect and filter data based on client requirements and transform it into actionable intelligence.

A2 Global Risk is a political and security risk management consultancy with offices throughout Asia-Pacific as well as in London, United Kingdom. Contact our teams at our main regional offices to discreetly discuss how we can assist you and your organisation navigate safely and securely through challenging times.
