Geopolitical and Cybersecurity Weekly Brief – 29 March 2021

In the Americas, the US and Canada, alongside the EU and UK, announced sanctions against high-ranking Chinese officials and entities over Beijing’s alleged abusive treatment of its ethnic Uyghur population in the western region of Xinjiang. In Brazil, seven automakers announced temporary production suspensions amid a worsening of the coronavirus pandemic and shortages of vehicle parts, particularly computer chips.

The FBI issued a Flash Alert regarding a new wave of attacks leveraging the Mamba ransomware family. US authorities say Mamba has been recently deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.

Also this week, Facebook disrupted a network of Chinese threat actors using the social media platform to push malware to the Uyghur community, including activists, journalists, and dissidents living outside China. China claims that these allegations of human rights violations are baseless, and are “nothing but lies and disinformation”, and has recently sanctioned numerous high-profile individuals in the UK.

As noted above, a number of Western brands have faced backlash in the Chinese media for statements made regarding alleged forced labour in Xinjiang. Elsewhere in Asia, the Singapore and Malaysia governments agreed to develop protocols that will allow the neighbouring countries to recognise each other’s coronavirus (COVID-19) vaccine certificates, enabling a return to large-scale cross-border travel.

In Europe, a local court in Ukraine ruled to seize the assets belonging to a Ukraine-based strategic aerospace firm. In the Czech Republic, security services warned against involving a Russian energy firm in a nuclear project tender.

The UK Ministry of Defence’s (MoD) Defence Academy has reportedly been hit with a cyberattack. A foreign adversary took the Defence Academy’s IT network and website offline with one newspaper claiming that Russia and China are suspected. Russian operatives are also believed to have perpetrated spear-phishing attacks against the German Parliament.

In the Middle East and Central Asia, a Haifa-owned cargo ship was struck in a missile attack amid escalating tensions between Iran and Israel. Meanwhile, the fourth Israeli elections in two years produced no majority, prolonging the likelihood for political instability.

In Sub-Saharan Africa, the roll-out of the first 5G network in Kenya by Huawei may fuel Western scrutiny. Authorities in South Africa are intensifying preparations for the Protection of Personal Information Act (POPIA) on 1 July, which will raise the compliance burden.

Attacks and cybersecurity news

Facebook has disrupted a network of Chinese threat actors using the social media platform to push malware to the Uyghur community, including activists, journalists, and dissidents living outside China. Most targeted users are those living in the US, Turkey, Kazakhstan, Syria, Australia, and Canada. The threat group, known as EvilEye or EarthEmpusa, would pose as journalists, students, human rights advocates, or members of the Uyghur community to build trust with their target before getting them to click a malicious link. EvilEye also used websites that mimicked third-party Android app stores and published Uyghur-centred applications, such as keyboard applications, prayer apps, and dictionary apps. On 23 March, 30 countries, including the UK, announced sanctions against senior officials in Xinjiang accused of serious human rights violations against the Uyghur community. China claims that these allegations of human rights violations are baseless, and are “nothing but lies and disinformation”, and has recently sanctioned numerous high-profile individuals in the UK.

An organised cybercriminal group was recently arrested for orchestrating a string of ATM jackpotting attacks across the UK in early 2020. The group stole more than £120,000 in under a month before being caught. They deployed malware using an electronic device to prompt the cash machine to dispense any money stored inside. ATM manufacturer NCR surveyed financial institutions about the ATM security landscape in 2020; 60% of respondents saw an increase in ATM attacks. Card skimming has not been as prevalent, though: there has been a rise in pull-out attacks and a significant increase in the use of vehicles and explosives. Financial organisations in the UK are advised to remain vigilant for these types of attacks and ensure the correct protection is in place to mitigate them.

US insurance firm, CNA Financial, has suffered a cyberattack that has impacted its business operations and shut down its website and various systems, such as corporate email. The company has also disconnected systems from its network as a precaution. Bleeping Computer claims that a source familiar with the attack has stated that it is likely the result of ransomware.

The UK Ministry of Defence’s (MoD) Defence Academy has reportedly been hit with a cyberattack. A foreign adversary took the Defence Academy’s IT network and website offline with the Sun claiming that Russia and China are suspected. Staff have been asked to use their personal laptops and computers for work, as those provided by their employer have been compromised – it will take at least five weeks to fix them. If a state-sponsored adversary is responsible, then the likely aim of this targeting may have been to gather information and intelligence. Ransomware may be responsible.

The German and Australian parliaments were targeted in cyberattacks this week perpetrated by different threat groups. Several email accounts belonging to members of the German Parliament were targeted in a spear-phishing attack believed to have been carried out by a threat group called Ghostwriter, which is thought to be sponsored by the Russian state. And the Australian Parliament is also investigating a “major technical incident” that left MPs and senators unable to access their email accounts over the weekend. This followed a ransomware attack on Nine Network – a television network. It is not clear if the two incidents are linked.

Data security, fraud, and darknet

Data Security

Researchers have uncovered millions of confidential records exposed by FBS’s websites, and 20TB of information was contained in an unsecured ElasticSearch server. FBS is a major online forex (foreign currency and exchange) trading site with more than 16 million traders across 190 countries. Consequently, it holds a significant amount of sensitive financial and personal information about users. This data is highly sensitive, and could be used for a large number of malicious activities, including fraud and identity theft, phishing attacks, credit card fraud, and potentially extortion and ransom attacks. Since unencrypted passwords were also exposed, as well as password reset links, attackers could have taken over user accounts and potentially other accounts if the credentials were reused across multiple sites.

Voter registration data for an estimated six million Israeli citizens has been leaked online. At least half of those affected have also had personal information leaked, including full names, ID card number, address, and political preference. A threat actor referring to themselves as TheIsraeliAutumn has claimed responsibility for this leak in emails sent to Israeli media. Israel is currently in the midst of its fourth election in the space of two years. The data itself is likely to have little value to cybercriminals. However, the leak is noteworthy because Israel has exceptionally strict laws around political parties sharing voter data with third parties. Given the timing of this leak, it is possible this was a deliberate attempt to damage the reputation of the Likud party.

The California State Controller’s Office (SCO) has announced a data breach in its Unclaimed Property Division following a phishing attack. An employee opened a phishing link contained in an email and entered their ID and password; these credentials were exfiltrated to an attacker, who gained access to the organisation’s systems on 18 March and maintained access until 19 March. This highlights the importance of providing regular phishing awareness training and testing to employees, to help them identify malicious attempts to steal personal information or credentials. This attack could be particularly damaging, since a government employee email account was accessed, with claims that additional data from state employees was also stolen. It is likely that subsequent phishing attempts for additional information will be made, or even attempts at fraud or identity theft.


A new adware family, dubbed Convuster, is targeting macOS systems. Two variants have been discovered, written in the Rust and Swift programming languages. Convuster is likely being distributed through other adware families, as no evidence was found of it being downloaded or installed by the system owner. The malware has a novel technique whereby it uses the macOS Gatekeeper tool to verify the source of a file. The overwhelming majority of unwanted and malicious software detected on the macOS platform is adware. Most macOS malware is also written in C, Objective-C or Swift, making the Rust-based variant of Convuster somewhat of an oddity. A report from Atlas VPN found that the development of macOS malware surged by 1,092% in 2020, as malware developers increasingly target Apple’s computing devices, including the all-new M1 Macs with ARM microchips. 674,273 new malware samples were found in 2020, compared with only 56,556 samples detected in 2019.


The Dread forum operators have now updated their Endgame DDoS filter. The new filter has been made available to all hidden service operators via GitHub. This update comes after a lengthy attack on the forum that lasted for the majority of February 2021 and almost brought down the entire Tor network.

Cyjax has observed a growing trend of competition between ransomware groups. This competition includes changing affiliate rates in an attempt to recruit more affiliates and expand their networks. Multiple groups have now been observed offering over 80% of the stolen funds to their affiliates. With ransomware remaining a top threat to corporate systems, the ecosystem of ransomware-as-a-service (RaaS) groups is still constantly changing.

APT activity, malware campaigns, and vulnerabilities

APT activity

JPCERT/CC has shared new details on various cyber-espionage operations against entities located in Japan attributed to Lazarus. The North Korean state-affiliated APT group has reportedly developed two new pieces of malware for covert intelligence gathering campaigns: VSingle and ValeforBeta. Three other tools are used to support the malware campaign. Lazarus continues to conduct well-planned, disciplined, and methodical cyber-operations. New tools and techniques developed by Lazarus appear regularly: the APT is known to actively develop and refine its campaigns. These latest malware are designed specifically for covert intrusion operations with the goal of exfiltrating sensitive files and data. In February, the US Department of Justice (DOJ) unsealed an indictment charging three North Korean cyber spies with involvement in some of the Lazarus group’s most prominent campaigns. According to the indictment, the regime has become a “criminal syndicate with a flag” as North Korea “harnesses its state resources to steal hundreds of millions of dollars.”


The FBI has issued a Flash Alert (TLP:WHITE) regarding a new wave of attacks leveraging the Mamba ransomware family. This ransomware is notable due to its use of DiskCryptor, an open-source disk encryption software. US authorities say Mamba has been recently deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. If defenders can access a system and find the “myConf.txt” files present, the password can be recovered without paying the ransom. However, this window of opportunity is small, and it closes permanently once the system reboots. Decryption without the password is not possible. Mitigation guidance for this threat is provided in the source.
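The recovery window the alert describes depends on locating “myConf.txt” before the affected host reboots. The following Python script is an added example, not code from the FBI alert or from this brief: it searches a directory tree for that filename, records size, modification time and a SHA-256 for each copy found, preserves the copies in an evidence directory with a manifest, and verifies the preserved copies against the manifest. The search root, the evidence directory and the sample file contents used in the demo are assumptions constructed for illustration; the real contents of a Mamba configuration file are not reproduced here.

```python
"""
Added example (not from the brief or the FBI alert): defender-side triage
helper for the Mamba/DiskCryptor recovery window. Finds "myConf.txt" on a
filesystem tree, hashes it, and preserves it before a reboot removes it.
Search root, evidence directory and sample contents are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

ARTIFACT_NAME = "myConf.txt"  # filename quoted in the brief from the FBI alert

# Constructed placeholder; a real myConf.txt is NOT reproduced here.
SAMPLE_CONTENT = b"constructed placeholder content for the demo\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_artifacts(root, name=ARTIFACT_NAME):
    """Walk `root` and return metadata for every file whose name matches (case-insensitive)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for fn in filenames:
            if fn.lower() != name.lower():
                continue
            p = Path(dirpath) / fn
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished between listing and stat
            found.append({
                "path": str(p),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(p),
            })
    return found


def preserve(artifacts, evidence_dir):
    """Copy each artifact into evidence_dir (metadata preserved) and write a manifest.

    Manifest line format: "<sha256>  <copied name>  <original path>".
    Returns the manifest path as a string.
    """
    ev = Path(evidence_dir)
    ev.mkdir(parents=True, exist_ok=True)
    manifest = ev / "manifest.txt"
    with manifest.open("w", encoding="utf-8") as m:
        for i, a in enumerate(artifacts):
            dest = ev / f"{i:03d}_{ARTIFACT_NAME}"
            shutil.copy2(a["path"], dest)  # copy2 keeps mtime, useful for the timeline
            m.write(f"{a['sha256']}  {dest.name}  {a['path']}\n")
    return str(manifest)


def verify_manifest(manifest_path) -> bool:
    """Re-hash every preserved copy and compare it with the manifest; True only if all match."""
    manifest = Path(manifest_path)
    ev = manifest.parent
    lines = [ln for ln in manifest.read_text(encoding="utf-8").splitlines() if ln.strip()]
    if not lines:
        return False
    for ln in lines:
        digest, copied_name, _original = ln.split("  ", 2)
        copied = ev / copied_name
        if not copied.is_file() or sha256_file(copied) != digest:
            return False
    return True


def run_demo():
    """Build a constructed sample tree, scan it, preserve the artifact; return (artifacts, manifest)."""
    base = Path(tempfile.mkdtemp(prefix="mamba_triage_"))
    sample_dir = base / "disk" / "Users" / "Public"  # assumed location for the demo only
    sample_dir.mkdir(parents=True)
    (sample_dir / ARTIFACT_NAME).write_bytes(SAMPLE_CONTENT)
    (sample_dir / "unrelated.txt").write_bytes(b"noise that must not be collected\n")
    artifacts = find_artifacts(base / "disk")
    manifest = preserve(artifacts, base / "evidence")
    return artifacts, manifest


if __name__ == "__main__":
    arts, man = run_demo()
    for a in arts:
        print(f"{a['sha256']}  {a['size']:>8}  {a['mtime']}  {a['path']}")
    print("manifest:", man, "verified:", verify_manifest(man))
```

On a live host, call `find_artifacts` with the mounted volume root instead of the demo tree and point `preserve` at removable or network storage, so the copies survive the reboot that would otherwise close the recovery window.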

Purple Fox has added new techniques to its arsenal, allowing it to propagate in worm-like fashion by scanning for and infecting Windows systems exposed to the internet. Purple Fox attacks have also increased significantly, with over 90,000 attacks seen since May 2020, and 600% more infections. The newly identified worm-like capability allows Purple Fox to infect services with brute force attacks; the malware also uses phishing and browser vulnerabilities to deploy its payloads and an open-source rootkit module to gain persistence. Purple Fox blocks a number of ports in an attempt to stop victim machines being infected by other malware. The addition of this new capability shows that Purple Fox is being actively improved by its developers: new techniques and exploits have been added every few months to enhance the malware and its distribution methods.

A new sample of the PLEAD Linux backdoor has been uncovered in the wild. The ELF binary is associated with the BlackTech APT group and has several functions to support covert operations. The PLEAD sample was initially fully undetectable (often abbreviated to FUD), with 0/70 detections from the antivirus solutions listed on VirusTotal. This new PLEAD backdoor variant has the option of encrypting communication traffic to the attacker’s C&C server using OpenSSL, and specifically targets Red Hat Linux distributions. The BlackTech APT group is reportedly affiliated with China-backed cyber-espionage campaigns. Its objective is to covertly infiltrate targeted organisations and siphon off valuable intelligence or intellectual property. It primarily goes after organisations in the electronics, finance, and media sectors in Japan and Taiwan.


Cisco has patched a critical arbitrary program execution vulnerability in the Cisco Jabber client for Windows, macOS, Android, and iOS. The flaw, tracked as CVE-2021-1411, can allow a remote, authenticated attacker to execute arbitrary programs on the system. It is recommended that Jabber users update to the latest version of the software to mitigate chances of compromise. This flaw has not been abused in the wild.

Adobe has released an out-of-band security update to address a critical vulnerability, tracked as CVE-2021-21087, in its ColdFusion product. The vulnerability is an arbitrary code execution flaw caused by improper input validation. It impacts ColdFusion versions from 2016, 2018, and 2021. Adobe recommends updating ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will leave the server unsecured. There is currently no indication that this flaw has been exploited in the wild.


Geopolitical Threats and Impacts

Provided by A2 Global Risk



On Monday (22 March), the US and Canada, alongside the EU and UK, announced sanctions against high-ranking Chinese officials and entities over Beijing’s alleged abusive treatment of its ethnic Uyghur population in the western region of Xinjiang. Washington sanctioned two Xinjiang officials – Wang Mingshan and Zhu Hailun – while Ottawa imposed sanctions on those and two other officials and the Xinjiang Production and Construction Corps Public Security Bureau, a government-run security and policing organisation. China promptly retaliated against the EU’s imposition of sanctions, and similar measures against US, UK and Canadian interests are highly plausible in the immediate outlook. The joint imposition of sanctions from Western powers is the first such action under US President Joe Biden, who has repeatedly pledged to coordinate US allies in a common approach to China. While the targeted sanctions themselves are unlikely to have a major impact on corporate operations, their imposition highlights the Western countries’ increasingly coordinated China policy, as well as a toughening of Brussels’ stance on human rights in China. In the medium-to-long term outlook, relations between Western countries and China will continue to be characterised by confrontation in areas of dispute, particularly related to human rights and geopolitical matters, and cooperation in areas of mutual interest, such as in economic affairs.


Seven automakers have announced temporary production suspensions amid a worsening of the coronavirus pandemic and shortages of vehicle parts, particularly computer chips. Toyota, Nissan, Volkswagen, Mercedes-Benz, Renault, Volvo and Scania have all announced production halts, affecting operations in states including São Paulo, Rio de Janeiro, Minas Gerais, and Paraná. On Thursday (25 March), Brazil reported a record 100,158 cases of COVID-19 in the latest 24-hour period. The country’s health system is being overwhelmed with coronavirus cases, with intensive care units (ICUs) reaching capacity across the country. The automakers’ decision to halt production comes as state and local authorities enact new measures to restrict travel and business operations, and also reflects the global shortage of semiconductors. Production suspensions are likely to continue in the immediate outlook, particularly as cases of COVID-19 continue to rise amid the spread of the highly transmissible Manaus (P.1) variant of the virus.



US sports apparel brand Nike on Wednesday (24 March) faced widespread backlash on Chinese social media after netizens found a statement from the firm saying it was ‘concerned’ about reports of alleged forced labour in Xinjiang and that it does not source cotton from the region. A popular Chinese actor cut ties with the firm over the matter, according to a statement by his agency on Thursday (25 March). Swedish fashion retailer H&M faced similar backlash over a statement from 2020 saying it will no longer source cotton from Xinjiang. H&M’s products were removed from Alibaba’s e-commerce platform Taobao on Wednesday, two actors have severed ties with the firm, and the retailer was subject to negative press coverage by state media. Renewed Chinese media attention to older statements by Western brands regarding Xinjiang notably comes against the backdrop of heightened tensions between China and several Western countries over Xinjiang-related sanctions imposed on Monday (22 March). Social media outrage targeting Western firms may have been galvanised and encouraged by Chinese state media and state-affiliated actors as a reprisal against the sanctions. In a post on China’s Weibo social media platform on Thursday (25 March), Chinese state media outlet People’s Daily identified German brand Adidas, UK luxury brand Burberry, and US sports brands Nike and New Balance as firms that have severed ties with cotton suppliers in the Xinjiang region. In the immediate-term outlook, other firms that have made similar Xinjiang-related statements will almost certainly be targeted as part of a broader patriotic campaign in support of Beijing’s denial of alleged rights violations in the region.


The Singapore and Malaysia governments on Tuesday (23 March) agreed to develop protocols that will allow the neighbouring countries to recognise each other’s coronavirus (COVID-19) vaccine certificates, enabling a return to large-scale cross-border travel. Agreement was also reached to permit an extension to compassionate travel, in addition to the existing Reciprocal Green Lane and the Periodic Commuting Arrangement that permits controlled freight traffic and the movement of key workers. No date has been set for the introduction of the proposed vaccine certificates, which is likely to reflect the success and coverage of the COVID-19 inoculation programmes in the respective countries. Singapore is thought to have inoculated nearly 15 per cent of its population to date while Malaysia is prioritising 500,000 ‘front line’ staff before moving on to the general population. This divergence in policy suggests either any mutually agreed vaccination certificate is months away or a political rather than medical decision will bring it forward. On 17 March the International Air Transport Association (IATA) announced the first passenger to use the newly-developed IATA Travel Pass app designed to manage travel health credentials, including COVID inoculations, travelled to the UK on a flight from Singapore. These developments will be closely monitored over the three-month outlook as companies plan to deploy staff in the immediate region and beyond.

Europe and Russia


The Shevchenkivsky District Court in Kiev has ruled to seize all assets and shares of Ukraine-based aerospace firm Motor Sich. Property belonging to the company will pass over to the National Asset Recovery and Management Agency (ARMA). Ukroboronprom, a state-owned defence sector conglomerate, has already indicated its willingness to operate Motor Sich. This comes after the head of Ukraine’s Security and Defence Council, Oleksiy Danilov, confirmed the government’s plans to nationalise the firm on 11 March. China-based state-owned firms control almost 75 per cent of the firm and are demanding billions of dollars in compensation. The government security agency SBU is investigating two cases linked to the aerospace firm; one relates to alleged sabotage and subversive activity favouring Russia, and the other is looking into possible illegalities committed during Motor Sich’s privatisation, which began in 1994 and was completed in 2000. The re-nationalisation of the firm has an important geopolitical dimension; the US opposed the Chinese investment in Motor Sich due to sensitive technology transfers to Beijing. Indeed, Skyrizon – a Chinese aviation firm that acquired a controlling stake in Motor Sich but saw its shares frozen in 2017 due to an SBU probe – was blacklisted by Washington in January 2021. Ukrainian President Volodymyr Zelenskiy highlighted his government’s pro-West orientation when he approved sanctions on four Chinese firms, including Skyrizon. While the nationalisation will appease the US, it risks undermining Ukraine’s efforts to encourage foreign investment. In addition to seeking financial compensation and pursuing legal avenues against Kiev, Chinese investors in the firm may pull out of other commercial ventures in Ukraine due to the perceived political risk. More broadly, Ukraine will face a challenge in attracting new Chinese investment and bolstering economic ties with China.


The Czech Republic’s security services have warned the government against considering Russian energy firm Rosatom in a planned tender on developing a new unit at the Dukovany nuclear power station, citing national security concerns. Security officials called on the state to exclude Rosatom before the tender process begins. The power station is located 100km north of Vienna and about 200km east of Passau, a city in Germany. According to official plans, the new reactor will be completed and connected to the grid between 2035 and 2037, with an estimated cost of around EUR7.5 billion. The announcement comes as President Miloš Zeman has argued for Rosatom to have a role in the tender, while industry minister Karel Havlíček reportedly requested state-controlled utility firm ČEZ to contact four potential bidding firms, including Rosatom, to give them the tender documentation. A final decision on the contract to construct the new unit will be made by the next government, as general elections due in October are approaching. However, excluding Rosatom entirely from the process is likely to be procedurally difficult once it receives the tender documents. Assessed in light of increasingly protectionist attitudes across Europe, this development is consistent with efforts to restrict, or prevent altogether, non-EU commercial actors with links to foreign states from playing an important role in strategic projects. This is especially the case for critical national infrastructure, of which nuclear energy production is an integral aspect. Domestically, the nuclear tender will trigger tensions between pro-Russia political figures and others who support the view that awarding the project to a Russian firm would undermine national defence. In the current context, the home country of a firm seeking to bid for such projects matters considerably, adding an important geopolitical dimension to the tender process. This extends beyond the energy sector, and the government’s final decision may set the course for the future direction of Czech Republic-Russia economic ties.

MENA and Central Asia


On Thursday (25 March) a cargo ship owned by Haifa-based company XT Management Ltd came under missile fire while tracking through the Gulf of Oman. Initial media reports on the incident have suggested Iranian involvement. The vessel, which has been identified as MT LORI, was Liberian flagged. It reportedly departed from Dar es Salaam in Tanzania on 21 March and was heading towards the port of Mundra, one of India’s largest private ports, located on the north shores of the Gulf of Kutch. MT LORI was, according to the Israel Defense news outlet, lightly damaged and continued on its route to Mundra, where it is expected to arrive next Wednesday (31 March). The attack comes after a similar event on 26 February when an explosion struck an Israeli-owned cargo ship, identified as MV Helios Ray, in the Gulf of Oman. The strike was widely believed to have been conducted by Iran, with Israeli Prime Minister Benjamin Netanyahu publicly condemning the attack. Tehran has ‘strongly rejected’ the accusation. Earlier this month, Iran notably also accused Israel of attacking one of its cargo ships in the Mediterranean. In this sense, Thursday’s incident was likely a retaliatory measure carried out by Iran, highlighting the current state of tit-for-tat actions in play between the two adversaries. It will likely work to elevate the risk of further attacks against affiliated vessels tracking across the region’s seas over the months ahead. Businesses with shipping interests tracking through the Mediterranean, Gulf of Oman, Arabian Sea and maritime territories closely situated to either Israel or Iran should ensure security and risk assessments are updated to reflect the growing maritime threat. While recent maritime attacks have been limited in scale and carried out clandestinely, there is a risk of tensions spiralling over the short-to-medium term outlook, which will likely concern foreign actors such as the US given ongoing hopes of a revival of the 2015 JCPOA deal with Iran.


The final results of Israel’s fourth election in two years were released by the central elections committee on Thursday evening (25 March), confirming yet another political deadlock. The results will become official next Wednesday (31 March), when they will be presented to President Reuven Rivlin. The final count saw Prime Minister Benjamin Netanyahu’s Likud party and his natural allies secure 52 seats, while opposition groups made up of left-wing, right-wing, centrist and Arab parties from across the political spectrum collectively secured 57 seats. In a sign of growing election fatigue, turnout was at its lowest since 2009, measured at 67.4 per cent. The inconclusive result prolongs political instability in Israel, where coalition negotiations could extend for weeks and potentially months longer. The outcome casts further uncertainty on the prospects of securing a national budget; the country has been without one for two years, with the Knesset forced to pass an interim financial package in December 2020 following parliament’s failure to pass a budget by the designated deadline. Elsewhere, the stalemate effectively leaves Netanyahu safe in his current position as he continues in a caretaker capacity. To remain in power, the prime minister will likely be required to gain the support of right-wing and religious hardliners alongside the support of Arab political party Ra’am. The complex manoeuvres needed for such a coalition will be conducted by Netanyahu amid his ongoing corruption trial and an increasingly tense anti-Netanyahu protest movement.

Sub-Saharan Africa


On Friday (26 March), Nairobi-based telecommunications operator Safaricom is launching its 5G mobile telephone network, the first in East Africa. It will initially be available in Nairobi and western parts of the country, including Kisumu, Kisii, and Bungoma. The network has been developed by China’s Huawei Technologies and Finland’s Nokia. The launch of the 5G service will improve connectivity for users of compatible devices. However, it may also pose emerging political risks. The use of Huawei equipment in 5G networks has become problematic over the past two years due to mounting political tensions between Western governments and China and espionage concerns over Huawei’s alleged links with Chinese intelligence. Such tensions increased markedly under the former US administration and are likely to remain elevated under President Joe Biden. While several European and other US allies have blocked or restricted the use of Huawei equipment in 5G networks, the company has an extensive presence in Sub-Saharan Africa, where it has operations in at least 23 countries and has built about 70 per cent of its 4G networks. Huawei’s involvement in 5G in the region is unlikely to slow, thanks to its affordability and because the roll-out of previous technologies in the region has been financed through state-backed loans from China, often with fewer conditions than those provided by Western institutions.

However, Western concerns over the past two years have mainly revolved around the use of Huawei’s 5G technology, which a series of Western officials say could provide a backdoor for Chinese intelligence officers to conduct industrial and geopolitical espionage. In light of this, there is a remote possibility that scrutiny will increase in the coming year or two of companies or organisations in Kenya that use 5G and work with or sub-contract for governments that have been the most vocal critics of Huawei, including Australia and the US. Should tensions continue to mount and evidence of espionage through the 5G network grow, it is likely that critical governments will restrict the use of such technology. Security managers of such companies should increase monitoring of government announcements and assess how the likely accelerating roll-out of Huawei technology in the region will affect their operations and strategies.


Authorities are intensifying preparations for the coming into force of the Protection of Personal Information Act (POPIA) on 1 July. The Information Regulator – a government agency enforcing POPIA – said on Wednesday (24 March) that it is finalising a series of guidelines and guidance notes on the law’s implementation by public institutions and private businesses. These include a requirement to appoint so-called Information Officers and deputies, develop codes of conduct, as well as outline the modalities for processing data across borders and how to notify authorities in case of data breaches. A personal information impact assessment will also be required. The documents will be completed by 1 April, and registration of information officers is due to begin on 1 May. POPIA is a data privacy law that aims to protect personal data and regulate how companies manage that information. Among other things, it prohibits companies from obtaining personal data or sharing that data with third parties without express consent. Organisations and staff failing to comply with POPIA are liable to fines of up to ZAR10 million (USD672,000) or 10-year prison sentences. Compliance officers of South Africa-based businesses, as well as companies outside of South Africa working with third-party providers in-country, should take immediate steps to assess how the new law impacts their operations and ensure compliance before 1 July.
