The Geopolitical and Cybersecurity Weekly Brief is now part of the subscription package of intelligence services provided by Cyjax and our partners A2 Global Risk. In order to get access to the full report, please contact firstname.lastname@example.org or visit our explanatory service page here.
In the Americas, the US Department of State announced sanctions against seven senior Russian officials and 14 entities over the poisoning and subsequent imprisonment of prominent opposition leader Alexei Navalny. Meanwhile, the US has noted a rise in hate crimes against Asian Americans by almost 150 per cent last year, reflecting a spike in anti-Asian sentiment linked to the coronavirus pandemic.
US managed service provider (MSP) CompuCom has suffered a cyberattack resulting in service outages that stopped customers from accessing its system. It was subsequently revealed that CompuCom was hit by the DarkSide ransomware. CompuCom’s position as an MSP makes it a potentially valuable access point to companies worldwide including Home Depot, Target, Citibank, Wells Fargo, Truist Bank, and Lowe’s.
In Asia, Beijing warned against ‘foreign interference’ in Hong Kong and said only ‘patriots’ approved by Beijing will be permitted to stand in future elections in the territory. Indonesian President Joko Widodo called on local consumers to ‘love’ domestic brands and ‘hate’ foreign products as part of a drive to reduce imports in favour of Indonesian-made goods.
The Indian power sector has reportedly been targeted by a Chinese state-affiliated APT group known as RedEcho. In early 2020, an intrusion campaign was launched against several Indian organisations in the power sector using the ShadowPad malware. Targeting India’s critical infrastructure offers little economic advantage for Beijing: it would appear more likely, therefore, that the threat actors are infiltrating these target environments for strategic advantage in case of further escalation in kinetic warfare.
In Europe, a Finnish city rejected an offer by a Chinese institute to acquire or lease the city’s airport. Slovakia is in a political crisis after two junior coalition parties discussed the possibility of withdrawing from the government over the procurement of two million coronavirus (COVID-19) vaccine doses from Russia.
In the Middle East, business activity has notably slowed across UAE and Saudi Arabia during the month of February amid COVID-19 restrictions. Protests in Yerevan, Armenia are growing amid ongoing discord between the military and political leaders.
In Sub-Saharan Africa, international pressure is mounting in Ethiopia over possible war crimes in Tigray. In South Africa, human rights advocacy organisation Amnesty International (AI) published a report outlining allegations of human rights abuses and possible violations of humanitarian law in the northern province of Cabo Delgado.
Google has patched an actively exploited 0day vulnerability in Chrome for Windows, Mac, and Linux. Google has released minimal information about the issue until users have had sufficient time to update their systems to Chrome version 89.0.4389.72. This is the second actively exploited 0day in Chrome patched by Google in the space of a month.
Attacks and cybersecurity news
A new malware family, dubbed SUNSHUTTLE, has recently been uncovered in connection with the SolarWinds supply-chain attack. The malware was first uploaded to a public malware repository in August 2020 by a US-based entity and SUNSHUTTLE was later found at a victim that had been compromised by UNC2452. Microsoft has now named the adversaries behind the SolarWinds attack NOBELIUM. Three new malware families – GoldMax (also called SUNSHUTTLE), Sibot, and GoldFinder – were connected to late-stage activity by NOBELIUM. These tools were reportedly tailored to their victims’ specific networks and introduced after the adversary had moved laterally with TEARDROP and other hands-on-keyboard actions. This latest discovery differs from what we previously knew about UNC2452’s tactics, techniques, and procedures (TTPs).
A cyberattack has resulted in 15 UK Nova Education Trust co-operative schools being unable to provide online education to students in Nottinghamshire. The threat actor was able to access the trust’s central network infrastructure, so its IT systems, including phone, email, and website communications had to be shut down while an investigation took place. Some of the schools are currently using SMS messaging, temporary phone numbers, and Microsoft Teams to keep disruption to education as minimal as possible. IT teams are still attempting to restore systems, two days after the attacks.
An increasing number of Casbaneiro banking Trojan attacks have been discovered targeting users in Mexico. The banking malware campaign has been upgraded to lower its detection rating and improve the efficacy of its credential-stealing attacks. Casbaneiro is currently spreading via spam emails using tax payment issues as a lure. Currently, this campaign is geo-fenced to only target users in Mexico and Mexican banks. The malware is notable for its ability to target a precise group of users and only downloads the rest of the files when required to maintain persistence and remain undetected. Other banking Trojans that have primarily targeted Latin America have begun gradually transitioning to Europe, a move that we believe indicates a transition path for malware developed in that region.
A Russian-speaking cybercriminal group, known as RTM, has recently updated its long-running banking malware campaign to include the deployment of Quoter ransomware. The campaign has targeted at least 10 organisations in Russia from the transport and finance sectors. The attackers reportedly demand an average of USD1 million in ransom payments. It is unusual for Russian-speaking cybercriminals to target organisations in Russia and it is notable that RMT has also shifted from its typical method of making money to data leaks and extortion. This double extortion tactic, leveraged by the RTM group, is popular among ransomware operators. The tactic was first tried by the Maze group in late 2019 and now there are over 26 groups that orchestrate these campaigns.
US managed service provider (MSP) CompuCom has suffered a cyberattack resulting in service outages that stopped customers from accessing its system. CompuCom contacted customers soon after the attack and revealed that it had been compromised. It was subsequently revealed that CompuCom was hit by the DarkSide ransomware; the exact type of data stolen remains unclear, but due to CompuCom’s position as an MSP, it is a potential access point to companies around the world. The company’s customers include Home Depot, Target, Citibank, Wells Fargo, Truist Bank, and Lowe’s. If a ransom is not paid to the threat actors it is expected that CompuCom will be added to the DarkSide darknet leaks site.
Data security, fraud, and darknet
A malware campaign in which the Ursnif malware was deployed in attacks against at least 100 Italian banks. One of these attacks resulted in over 1,700 credentials being stolen from a single payment processor. The researchers uncovered usernames, passwords, credit cards, and banking and payment information stolen by the malware operators. Minimal details about this campaign have been provided, and it is not known which banks were targeted. Avast has informed those institutions affected, however, as has CERTFin Italy which is currently taking steps to protect customers and recover from the attacks.
On 3 March, the information security and compliance company, Qualys, was added to the Cl0p ransomware leaks site. Data has yet to be leaked from the company, however, the ransomware operators have provided screenshots as “proof” of their attack. Qualys subsequently confirmed an attack on their Accellion FTA server, which reportedly occurred in December of 2020. Data was leaked on 4 March and the company removed on 5 March. It is unclear if ransom negotiations are ongoing, or if the data has simply been temporarily removed. Qualys is the latest company to be affected by a vulnerability in the FTA product. Governmental organisations and financial institutions across the world have had data exposed through this bug, and in February the US cloud service provider, Accellion, announced FTA will be retired and reach end-of-life on 30 April 2021.
Malaysia Airlines has suffered a data breach that potentially spanned more than nine years, exposing information related to customers of its Enrich frequent flyer program. The breach was caused by a third-party IT service provider, and occurred at some point between March 2010 and June 2019. It has not been stated which Malaysia Airlines provider is responsible for this breach, and it is unclear how many users may have been affected. Given that the breach appears to have lasted for over nine years, however, it is possible that many thousands of the company’s customers were exposed. Malaysia Airlines has yet to make a public statement regarding the incident.
Threat actors have been using search engine optimisation (SEO) and social engineering techniques to distribute malware payloads to thousands of users through compromised websites that appear higher on the Google Search result rankings. This technique has been dubbed Gootloader and uses the Gootkit Remote Access Trojan (RAT) to deliver many other malware payloads. A network of at least 400 servers must be always maintained for this campaign to be successful, indicating that it is an extensive operation, and potentially involves multiple threat actors. Malware delivered in these files include the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, and has so far been used to target users in South Korea, Germany, France, and the US.
The US Financial Industry Regulatory Authority (FINRA) has warned brokerage firms of an ongoing phishing attack using a recently registered web domain impersonating a legitimate FINRA website. The campaign sends fraudulent emails from the domain ‘@invest-finra[.]org’, a domain registered on 5 November with no ties to the actual organisation. Member brokerage firms are advised to delete any correspondence received from this domain, and immediately notify the appropriate individuals in their firm of the incident. Subsequently, FINRA issued a second alert regarding a cybersquatting domain impersonating them to send fraudulent emails. Threat actors are sending fake “FINRA Membership” emails using the address “supports@finra-online[.]com”.
Security researchers recently uncovered a command and control (C&C) panel hosted on a compromised WordPress site that was used to launch business email compromise (BEC) attacks. The C&C panel matches that of the Origin Logger malware. The threat actors had control over multiple Windows hosts, were logging keystrokes and taking screenshots, and could view the webcam of infected computers. Cyjax analysts discovered that Origin Logger is a commodity malware offered on the darknet for USD70 for a six-month license. As a full-featured off-the-shelf tool, it lowers barriers to entry for less-skilled attackers and lessens the time it takes to initiate attacks. In April 2020, it was distributed by the GuLoader. BEC campaigns have been wildly successful for many cybercriminals. In February, the US Department of Justice charged six defendants for laundering over USD50 million, which primarily stemmed from fraud schemes such as BEC attacks, romance scams, and COVID-19 relief payment fraud. The average wire transfer request in BEC attacks increased from USD48,000 in Q3 2020 to USD75,000 in the following quarter.
The private Russian cybercrime forum Maza has experienced a security breach after an unknown threat actor leaked numerous user’s data online. The leaked data includes usernames, hashed passwords, email addresses and ICQ numbers. This breach comes after two other Russian forums, Exploit and Verified have also recently experienced security breaches. Currently, there is nothing to indicate a connection between these incidents. However, these breaches still pose a risk to the forum users and their anonymity.
The operators of the REvil (aka. Sodinokibi) Ransomware-as-a-Service (RaaS) have announced several updates to their platform. Firstly, affiliates can now pay an additional fee to conduct Distributed Denial of Service (DDoS) attacks against victim organisations which refuse to pay the ransom. Secondly, affiliates can also now contact victim organisations and media outlets directly via the platform. These developments are part of a broader evolution across the threat landscape, as we see ransomware groups begin to adopt new techniques to pressure victims beyond simply leaking data.
APT activity, malware campaigns, and vulnerabilities
The Indian power sector has reportedly been targeted by a Chinese state-affiliated APT group known as RedEcho. In early 2020, an intrusion campaign was launched against several Indian organisations in the power sector using the ShadowPad malware. This tool is a modular backdoor with multiple plugins. It is suitable for advanced intrusion campaigns and was developed by Chinese adversaries. ShadowPad was initially linked to APT41 in 2017 but has subsequently been used by multiple China-backed APT groups which are variously associated with the People’s Liberation Army (PLA) and Ministry of State Security (MSS). The rivalry between India and China has been a significant feature of geopolitics over the last decade. Targeting India’s critical infrastructure offers little economic advantage for Beijing: it would appear more likely, therefore, that the threat actors are infiltrating these target environments for strategic advantage in case of further escalation in kinetic warfare.
A new variant of the MATA malware framework has been discovered in an ongoing campaign pushing a new family of ransomware dubbed TFlower. The campaign has been connected to the Lazarus group (also known as HIDDENCOBRA). Analysis revealed over 200 new C&C server addresses that had been in use since May 2019. Lazarus regularly creates new servers and had over 150 online at any one time during this campaign. The introduction of TFlower ransomware was to be expected, as the Lazarus group is experienced with ransomware deployment. Most famously, the group unleashed WannaCry on the world and has also deployed Hermes 2.1 and VHD ransomware. Hansom and BestCrypt are other suspected extensions of the group’s toolset. In some cases, it is unclear if these deployments are intended to generate funds or to burn endpoints and hide indicators.
In December 2020, a telecoms company based in Central Asia uncovered several malicious files on IT systems on the corporate network which was subsequently identified as the Spyder backdoor. This malware is part of the WinntiGroup’s arsenal. Spyder is designed for intelligence gathering and is the latest tool to join the expanding WinntiGroup malware toolbox. Its main tasks are to operate covertly within the infected system and establish communication with the control server, and then wait for operator commands. Spyder’s modular structure and mode of operation are similar to the way in which ShadowPad and PlugX work. This further supports previous assessments that these Chinese espionage groups share both developers and technological resources, including contractors and individuals with varying levels of experience. WinntiGroup (also called APT41, Barium, or Axiom) is one of the most prominent APTs on the threat landscape and reportedly works on behalf of the Chinese government. The group focuses on intelligence gathering and intellectual property theft.
A new ransomware, dubbed Hog, has been uncovered encrypting user devices, and only providing decryption for the system if the user joins the group’s Discord server. While this malware appears to still be in development, it is being deployed in the wild. This is odd behaviour for a ransomware, as the operators do not ask the user for money to decrypt their files; they simply want the victim to join their Discord server. While this could be a good way to build a following, a user can simply leave the Discord server after the decryption has taken place, defeating the purpose of the original objective. As the ransomware is still in operation, the operators may be planning to improve its features or objectives in the future.
An Fbot variant has appeared in the wild with new features. It is targeting smart devices used in the transportation sector. The operators are reportedly using a remote command execution vulnerability (CVE-2020-9020) in the Vantage Velocity devices by Iteris. Alongside the targeting of CVE-2020-9020, those deploying Fbot in the wild are also targeting AirLink Mobile Gateway products. Researchers speculate that these affected devices are used in roadside equipment systems.
Google has patched an actively exploited 0day vulnerability in Chrome for Windows, Mac, and Linux. The vulnerability, tracked as CVE-2021-21166, is a high severity object lifecycle issue in audio. This flaw has been actively exploited in the wild, so Google has released minimal information about it until users have had sufficient time to update their systems. This was patched in Google Chrome version 89.0.4389.72, alongside 47 other vulnerabilities rated between high and low severity. This is the second actively exploited 0day in Chrome patched by Google in the space of a month. In February 2021, another flaw, tracked as CVE-2021-2114, was also patched. This was a heap buffer overflow in V8 and was also rated as high severity. Cyjax believes that CVE-2021-2114 was used by a North Korean APT to target security researchers.
Geopolitical Threats and Impacts
Provided by A2 Global Risk
US & RUSSIA – WASHINGTON IMPOSES SANCTIONS ON MOSCOW OVER NAVALNY POISONING
On Tuesday (2 March), the US Department of State announced sanctions against seven senior Russian officials and 14 entities over the poisoning and subsequent imprisonment of prominent opposition leader Alexei Navalny. Among those sanctioned were Alexander Bortnikov, head of Russia’s FSB intelligence agency, and two deputy defence ministers. The sanctioned entities include organisations involved in Russia’s chemical and biological industrial base. The announcement came as part of coordinated action with the EU, which imposed sanctions against four Russian government officials. Russian authorities reacted by pledging to respond ‘based on the principle of reciprocity, but not necessarily symmetrically’. The sanctions freeze any US assets of the designated individuals and entities and generally prohibit US persons from transacting with them. The US administration of President Joe Biden has adopted a much more vocal and critical stance on Russia and its suspected hostile activities than the government of former president Donald Trump. Washington, however, has committed to working with Russia in areas of common interest and seeks a ‘predictable and stable’ relationship with Moscow, albeit with retaliation for actions perceived as hostile to US interests. The sanctions announced on Tuesday are likely to have only a limited effect, given their targeting of individuals and specific entities linked to Navalny’s poisoning. Given precedent and Russian comments, retaliation is highly likely, particularly sanctions targeting US intelligence or defence officials or companies in related industries, or in the cyber sphere targeting US government agencies and their private sector providers.
UNITED STATES – RISE IN HATE CRIME TARGETING ASIAN AMERICANS POSES THREAT TO STAFF
Data from 16 of the country’s largest cities show that hate crimes against Asian Americans rose by almost 150 per cent last year, reflecting a spike in anti-Asian sentiment linked to the coronavirus pandemic. Figures from California State University’s (CSU) Center for the Study of Hate and Extremism and Voice of America (VOA) showed that anti-Asian hate crimes rose fastest in New York City, where reported cases jumped from 3 in 2019 to 28 in 2020, an 833 per cent increase. Triple-digit increases in anti-Asian hate crimes were also reported in Los Angeles, Boston, San Jose, Philadelphia, and Cleveland. Other cities reporting an increase included Seattle and San Francisco, both home to large Asian American populations. Only one city, Washington, DC, reported a year-on-year decrease in anti-Asian hate crime. Why it matters: According to figures from anti-hate crime organisation Stop AAPI Hate, verbal harassment and shunning made up around 90 per cent of incidents, while physical assaults accounted for approximately 9 per cent. The figures come despite a wider fall in all forms of hate crime across 15 of the cities studied by CSU. In New York City, for example, all forms of investigated hate crime fell from 428 in 2019 to 265 in 2020. The spike in anti-Asian hate crime came as high-profile public figures, including former president Donald Trump, blamed China for the COVID-19 pandemic. Trump, for example, repeatedly labelled the virus as the ‘China virus’. Despite the election of President Joe Biden, who has not referred to the virus in the same terms, the threat of anti-Asian hate crimes remains elevated, particularly amid the continued social and economic fallout from the pandemic.
HONG KONG – CHINA WARNS AGAINST ‘FOREIGN INTERFERENCE’, BARS ‘NON-PATRIOTS’ FROM OFFICE
China’s Premier Li Keqiang on Friday (5 March) told delegates at the annual session of the National People’s Congress (NPC), the country’s parliament, that the central government would ‘resolutely guard against and deter’ interference by external forces in Hong Kong. Li also said only ‘patriots’ approved by Beijing will be permitted to stand in future elections in the territory, a move widely expected after China directly intervened in Hong Kong in June 2020 following a year of often violent street protests and other acts of what Beijing views as a threat to its authority and security. While the de facto eradication of opposition politics in Hong Kong has attracted the most overseas attention to date, Premier Li’s emphasis on the perceived threat posed by unidentified external forces will be of greater operational concern to international business interests in the territory. The central government has not offered any definition as to what it means by foreign interference, and nor is likely to do so. This leaves international companies vulnerable to pressure from the local and central administrations as they seek to conform to laws and opaque norms that are likely to be opposed by their home governments. Foreign companies closely associated with Hong Kong may also face reputational risks as a result of meeting their local obligations to legal decisions viewed as superseding pre-exiting laws and against the wider interest of many of the territory’s residents. These pressures can be expected to intensify once pro-democracy politicians and activists face trial later this year on subversion and other charges under China’s imposed national security law.
INDONESIA – PRESIDENT WIDODO CALLS ON DOMESTIC CONSUMERS TO ‘HATE‘ FOREIGN PRODUCTS
President Joko Widodo on Thursday (4 March) called on local consumers to ‘love’ domestic brands and ‘hate’ foreign products as part of a drive to reduce imports in favour of Indonesian-made goods. Widodo also called for local products from small and medium-size enterprises to be given prominence in shopping malls, with foreign brands displayed in more marginal locations. In addition, Widodo said Indonesia ‘must not fall victim to unfair digital trade’ as had occurred in other countries, implying possible measures against some online retail operations. President Widodo’s comments may or may not have been intended as rhetorical, but the consequences could result in an increase in latent and overt xenophobic sentiments within some sections of the community. While unstated, the primary target of Widodo’s remarks will be viewed by many Indonesians as imported low-cost goods from China that compete directly with local products. Anti-Chinese sentiment remains a constant, if often low-level, threat to stability in Indonesia and any widespread perception that Widodo has sanctioned such views will unsettle the economically powerful ethnic Chinese minority, as well as potentially increase tensions with Beijing.
Europe and Russia
FINLAND & CHINA – FINNISH CITY REJECTED 2018 AIRPORT ACQUISITION OFFER BY CHINESE RESEARCH INSTITUTE
The city of Kemijärvi, located in Finland’s northern Lapland region, reportedly rejected an offer by the Chinese state-funded Polar Research Institute of China (PRIC) in January 2018 to acquire or lease the city’s airport after it informed Finnish Armed Forces of the proposal. The incident, which was reported on Thursday (4 March) by the Finnish Broadcasting Company (YLE), said the Chinese delegation included members of the Polar Research Institute, the Chinese Arctic and Antarctic Administration, and an assistant to the Chinese embassy’s military attaché. The offer included financing a new runway with a EUR40 million investment, and funding for a new research laboratory. The Finnish military objected to the offer because the airport is located near a strategically important firing range, while the air force occasionally uses its runway. In addition to objections from the military, the investment proposal would likely run counter to an EU directive, which came into force last October and restricts foreign investment. The location of Kemijärvi is geo-strategically important as it is within flying range of the Northeast Passage, a maritime route through the Arctic, and near Russia’s Kola Peninsula. Establishing an airbase in Kemijärvi is indicative of China’s geopolitical aspirations; in its Arctic policy published in 2018, China described itself as a ‘near-Arctic state’ and views the region as a key part of its ‘Polar Silk Road’ economic agenda. Indeed, the Arctic has emerged as a new high-interest area for countries seeking to expand their influence and gain a strong foothold in the region. According to estimates by the US Geological Survey, the Arctic has deposits of around 90 billion barrels of oil, and 30 per cent of the world’s undiscovered natural gas reserves. National and local governments will likely face increased pressure over the coming years to strike a balance between attracting foreign investment for development without undermining national security.
SLOVAKIA – GOVERNMENT COLLAPSE POSSIBLE OVER RUSSIAN VACCINE ROW
The country faces a political crisis after two junior coalition parties discussed the possibility of withdrawing from the government over the procurement of two million coronavirus (COVID-19) vaccine doses from Russia. Prime Minister Igor Matovič negotiated the deal for the Sputnik V vaccine doses, the first of which arrived on Monday (1 March). Slovakia has become the second EU country after Hungary to use Sputnik V, which has yet to receive approval from the European Medicines Agency (EMA). The leader of the Za Ľudí (For the People) party, Veronika Remišová, expressed her disapproval of the vaccine agreement; despite being part of government, Remišová blamed Matovič for a poor pandemic response and repeatedly called on health minister Marek Krajčí to resign. In a sign of heightened government divisions over the vaccine, Slovak foreign minister Ivan Korcok described Sputnik V as ‘a tool in hybrid warfare’. If the two parties decide to leave the coalition, Matovič’s Ordinary People Party (OLaNo) would lose its majority in parliament, increasing the chance of early elections. The political dispute over Sputnik V is likely to be repeated in countries mulling the acquisition of the Russian vaccine; the Czech Republic is also reportedly considering acquiring the vaccine. For some political leaders in Central and Eastern European countries – where memories of Soviet occupation are still vivid – the vaccine is seen as a weapon for Russia to enhance its geopolitical influence. In Ukraine for instance, officials are ambivalent to the option of even considering using the vaccine due to deteriorated relations with Russia. Beyond jeopardising a coherent response to the pandemic, a government collapse in Slovakia threatens to further polarise the political scene between pro-EU parties and those favouring closer cooperation with Moscow.
MENA and Central Asia
SAUDI ARABIA & UAE – BUSINESS SLOWS IN SAUDI ARABIA AND UAE AMID COVID RESTRICTIONS
Business activity has notably slowed across UAE and Saudi Arabia during the month of February signalling lower growth prospects over the months ahead as highlighted in the Purchasing Managers’ Indexes (PMI). In the UAE, PMI fell to 50.6 in February from its 51.2 standing, while in Saudi Arabia, PMI dropped to 53.9 from 57.1 in January. The PMI provides an indication of the health of a country’s economy with insights into economic drivers including a country’s inflation rates, exports, employment and inventories. The reduced markings come amid a recent tightening of COVID-19 restrictions, notably in UAE where case numbers surged in January. The rise prompted government officials in Dubai to reinforce measures such as the closure of leisure venues, restrictions on operational capacity for businesses, and curfews on restaurants and cafes. Efforts were also ramped up to ensure stricter compliance with the rules. As a result of the bolstering and reimposition of COVID restrictions, companies in the retail and service sector across UAE have reported slowing demand. The environment has consequently impacted expectations for future output growth with particular uncertainty on the short-term outlook of business growth prospects. In Saudi Arabia, while COVID-19 case levels remain significantly lower than UAE – as of 1 March there were 317 cases there compared to UAE’s 2,526 – businesses activity levels dropped to its lowest reading since October 2020. The figure reflects a slowing of the non-oil private sector while employment levels notably also continue to lag the ongoing recovery process as companies continue to wait for additional pressure on business capacity. Despite this slowdown of business activity in Saudi Arabia, it is worth noting that the non-oil private sector remains relatively stable amid rising businesses inflows and export sales alongside evidence of businesses building inventories – a key indicator that growth is expected to strengthen. The ongoing roll out of nationwide vaccination campaigns across the two countries over the coming months is likely to significantly improve business activity.
ARMENIA – PROTESTS GROW IN YEREVAN AMID DISCORD BETWEEN MILITARY AND POLITICAL LEADERS
On Monday (1 March) around 10,000 protesters rallied in the centre of the capital city, Yerevan, to demand the resignation of Prime Minister Nikol Pashinyan. These demands have been largely fuelled by Pashinyan’s perceived failures in dealing with the Nagorno-Karabakh conflict. In a notable escalation of tensions, a group of protesters stormed a government building in the capital. The rally follows large-scale protests in Yerevan held on Thursday (25 February) by opponents and supporters of Pashinyan. The unrest came in response to a statement released by the Armenian Armed Forces General Staff on Thursday demanding that the Prime Minister and the government step down. Pashinyan has denounced these calls, labelling it a military coup, and initiated the removal of the Chief of the General Staff, Tiran Khachatryan. The decision must be authorised by President Armen Sarkissia, who on 2 March officially refused to sign the decree. It is likely that Sarkissia’s refusal to authorise such a removal reflects an effort to temper the growing discord between the political and military leadership; a further worsening of relations risks destabilising the country’s already fragile security environment. However, Pashinyan has not accepted this refusal and has resubmitted the decree, warning that the President risks impeachment. This raises the potential for the decree to be moved to the constitutional courts over the week ahead, which will likely work to provoke further rallies from supporters and opponents of Pashinyan.
ETHIOPIA – INTERNATIONAL PRESSURE CONTINUES TO MOUNT OVER POSSIBLE ‘WAR CRIMES’ IN TIGRAY
The UN’s High Commissioner for Human Rights, Michelle Bachelet, on Thursday (4 March) called for an impartial investigation into the continuing allegations of violations of human rights and humanitarian law in the northern regional state of Tigray. She said her office continued to receive reports of ongoing fighting in several parts of Tigray, particularly in the centre of the region, with serious violations being committed by all combatant forces. While echoing calls made earlier in the week by the US and Amnesty International, she urged the federal government to allow the Office of the High Commissioner for Human Rights or independent monitors unhindered on-the-ground access to investigate the claims. Relatedly, US-based advocacy group Human Rights Watch (HRW) called on OCHA to establish a commission of inquiry in parallel to its own publication of a report on Thursday also claiming serious violations in Tigray’s Axum – a Unesco World Heritage Site. Bachelet’s statement underscores growing international consensus that serious violations have taken place, and confirms that fighting continues more than four months after hostilities began. This is in line with our forecast in December that the conflict would become protracted. Amid continued denial and fighting, the risk of international sanctions will grow and expose businesses to mounting compliance risks. Campaigning targeting companies with investments in Tigray may also increase over the coming months, and may expose corporates to heightened security risks at the headquarters and other regional offices.
MOZAMBIQUE – NEW REPORT IMPLICATES PMC IN HUMAN RIGHTS ABUSES IN CABO DELGADO
On Tuesday (2 March), human rights advocacy organisation Amnesty International (AI) published a new report outlining allegations of human rights abuses and possible violations of humanitarian law in the northern province of Cabo Delgado. In the report, AI implicates Islamist militants, state security forces, and South Africa-based private military company Dyck Advisory Group (DAG) in various abuses, including summary killings, abductions, rape, and attacks on civilian structures. While there have been a series of allegations of human rights abuses committed by Islamist insurgents and the state security forces over the past three years, this is the first extensive report implicating a PMC, and DAG specifically. There have been isolated reports of abuse committed by DAG before; the report suggests indiscriminate lethal force used by company operatives is more extensive than previously reported. According to 53 witnesses interviewed by AI, DAG operatives had fired indiscriminately and thrown hand grenades from helicopters into crowds of people, and had repeatedly fired on civilian structures such as hospitals. Casualties among state security forces due to friendly fire was another consequence. The company said in a statement, released on Tuesday, that it was launching an internal investigation with a team that would deploy on the ground rather than ‘through a desktop process’. The statement was an implicit criticism against the report’s methodology, which used open-source research and analysis of satellite imagery, photographs, and medical and ballistics information. The allegations in the latest report are problematic for the potential response to the insurgency in the coming year, following offers of support over the past year by bilateral and multilateral actors. It is possible that the latest abuses violated UN humanitarian law, as well as US and South African laws, which may undermine support efforts in the coming year.