Geopolitics and Cybersecurity Weekly Brief – 26 October 2020

Executive Summary

The US Treasury Department has issued sanctions against five Iranian entities that it says attempted to influence the upcoming US 2020 presidential election; these include the Islamic Revolutionary Guard Corps (IRGC). Most recently, Iran was blamed for an email intimidation campaign against registered Democratic voters in Florida. Further election-related disruption attempts are expected until polling day on 3 November.

Vulnerabilities continue to be a serious issue for software and device manufacturers. Following Microsoft’s major Patch Tuesday release last week, proof-of-concept (PoC) exploits were shared for two major bugs addressed in the release. These are likely to be incorporated into threat actors’ arsenals. It is therefore imperative that affected systems are patched as soon as possible; it is equally critical that systems are kept up to date across the board.

In an intriguing development in the darknet landscape, the operators of the Darkside ransomware group claimed to have donated portions of their revenue to various charities. This is not the first time that a ransomware group has claimed to be engaging in more ethical activities; it is, however, noteworthy that this occurred shortly after the US Treasury Department released guidance stating that paying a ransom may be illegal if the ransomware group is, or is connected to, a sanctioned entity. It is unclear whether other ransomware groups will follow Darkside’s example.

In the Americas, the US Department of Justice (DOJ) filed a lawsuit against Google, accusing the tech giant of violating competition law. Eleven states with Republican attorneys general joined the DOJ suit. In Bolivia, there will be a shift back to leftist economic policies after Luis Arce, the candidate of the socialist MAS party, won the presidential election on 18 October. Meanwhile, in Colombia, protests by indigenous groups, students and trade unions have spread across the country.

Pakistan’s prime minister Imran Khan is facing a considerable challenge from a coalition of opposition parties calling for his resignation over his government’s failure to address the COVID-19 pandemic and its impact on the economy. Elsewhere in the APAC region, Thailand is seeing a surge in anti-government protests, and China’s National People’s Congress has passed new export-control legislation that could be used against foreign organisations.

The US government has offered conditional financial support for the Three Seas Initiative, which aims to improve infrastructure in Central and Eastern Europe. Fifteen EU states signed a letter extolling the benefits of 5G technology and condemning the growing grassroots-level threats to related communications infrastructure. In Sweden, regulators have barred Huawei and ZTE equipment from the country’s 5G networks.

In the Middle East, normalisation efforts between Israel and regional states are continuing, the latest development being a deal between Israel and the UAE on direct commercial passenger flights. Lebanon’s economic outlook is dire: the IMF forecasts further contraction in Q4. Trade relations between Turkey and Morocco are worsening after Morocco imposed five-year restrictions on Turkish-made products.


Attacks and cybersecurity news

The US Treasury Department has issued sanctions against five Iranian entities that it says attempted to influence the upcoming US 2020 presidential election. These are the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF), the Bayan Rasaneh Gostar Institute (Bayan Gostar), the Iranian Islamic Radio and Television Union (IRTVU), and the International Union of Virtual Media (IUVM). Iranian government actors operating through these entities are accused of sponsoring, concealing, or being complicit in foreign interference in the election.

One example of this was disclosed on 22 October: the US Department of Justice said that malicious actors allied to Iran were responsible for targeting registered Democratic voters in Florida with threatening emails purporting to come from the far-right organisation Proud Boys. The emails were sent over the course of two days, with widespread media coverage proving an insufficient deterrent to the perpetrators.

Ransomware has reportedly hit Keolis Commuter Services, the rail operator for the Massachusetts Bay Transportation Authority (MBTA) across the Greater Boston area. The attack took place on 10 October and forced Keolis to shut down its entire Boston-area network. Keolis said that no MBTA networks were breached as part of the incident. The company is working with forensic experts to investigate and remediate the attack, which may have affected several other companies around the world.

Pharmaceutical company Pfizer has exposed the private medical data of US prescription drug users. The data was found in an unprotected Google Cloud Storage bucket that had been exposed for months, or potentially even years. Researchers concluded that the data belonged to Pfizer’s US Drug Safety Unit, as it related to various brands owned by the company.

Some of the information in the dataset dates to October 2018; the data was only found in July 2020. The researchers attempted to contact the company several times, and the bucket was only secured on 23 September 2020. When contacted for comment, a Pfizer spokesperson said the company was aware that “a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available.” They also said that breach notifications would be sent to affected individuals, but it is unclear whether these were sent.
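The exposure above is the classic bucket misconfiguration: a grant to the special Google Cloud principals allUsers or allAuthenticatedUsers. The following is an added example, not code from the brief or from Pfizer or its vendor. It inspects a bucket’s IAM policy (the JSON that `gsutil iam get gs://BUCKET` or the Storage API’s getIamPolicy returns) and, where uniform bucket-level access is off, its legacy ACL, and reports which grants make the bucket public. The policy, ACL and bucket name below are constructed for illustration.

```python
"""Report public-access grants in a Google Cloud Storage bucket's IAM policy / ACL.

Added example; the policy and ACL below are constructed and the bucket name is
hypothetical. Input shapes follow the GCS JSON API: Policy.bindings[].members[]
for IAM, and BucketAccessControl entries with "entity" and "role" for legacy ACLs.
"""
import json

# Special IAM principals that make a resource reachable by anyone on the
# internet (allUsers) or by anyone holding any Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that expose object contents or listings. Any other role granted to a
# public member is still reported, just not counted as content-readable.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}


def public_iam_bindings(policy):
    """Return (role, member) pairs in an IAM policy granted to a public principal."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def public_acl_entries(acl):
    """Return (entity, role) pairs from a legacy ACL that grant public access.

    Legacy ACLs only take effect when uniform bucket-level access is disabled.
    """
    return [(e["entity"], e["role"]) for e in acl if e.get("entity") in PUBLIC_MEMBERS]


def assess(policy, acl=(), uniform_bucket_level_access=False):
    """Summarise whether the bucket is public and which grants make it so."""
    iam = public_iam_bindings(policy)
    legacy = [] if uniform_bucket_level_access else public_acl_entries(acl)
    readable = any(role in READ_ROLES for role, _ in iam) or any(
        role in ("READER", "OWNER") for _, role in legacy)
    return {
        "public": bool(iam or legacy),
        "content_readable": readable,
        "iam_bindings": iam,
        "legacy_acl": legacy,
    }


# Constructed sample: the shape `gsutil iam get gs://example-vendor-feedback` prints.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
""")

# Constructed legacy ACL (only relevant while uniform bucket-level access is off).
SAMPLE_ACL = [
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allAuthenticatedUsers", "role": "READER"},
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

For a finding like the one above, the fix is to drop the public binding (`gsutil iam ch -d allUsers:objectViewer gs://BUCKET`) and to enable uniform bucket-level access (`gsutil ubla set on gs://BUCKET`) so that legacy ACLs stop applying; note that allAuthenticatedUsers is just as public in practice, since any Google account qualifies.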


Data security, fraud, and vulnerabilities

Data Security

Researchers recently uncovered large databases containing information about US voters and consumers being sold on darknet forums. The level of detail is alarming, including a person’s political affiliation, name, number of children, marital status, mortgage amount and mortgage lender. Data of this type can be exploited for social engineering and phishing attacks, as well as to spread disinformation about the election. It is possible that this is how Iranian and Russian threat actors obtained the voter information used in the campaign detailed above.

The Athens Court of First Instance has ordered a preliminary probe after the telephone data of thousands of Greek citizens was reportedly stolen. The leak, described as a “massive hacking operation”, took place between 1 and 5 September 2020. The stolen data reportedly covered tens of millions of customers and included records of calls made and received together with the corresponding phone numbers. The incident could amount to a major national security breach for the Greek government. No technical details about the attack have been provided.

Indian drug-maker and coronavirus vaccine manufacturer Dr Reddy’s Laboratories has shut down plants in Brazil, India, Russia, the UK and the US after a cyberattack. The company also isolated all data centre services to apply remediations, but expected everything to be back up within 24 hours with no major impact on its operations foreseen. While the company has acknowledged that data was breached in the incident, it has not revealed the type of attack that occurred.

Dr Reddy’s Laboratories is the contractor for Russia’s “Sputnik V” COVID-19 vaccine, which is about to enter Phase 2 human trials. In the US, it is also a major producer of generic drugs, including treatments for gastrointestinal, cardiovascular, pain-management, oncological, anti-infective, paediatric and dermatological conditions.

Fraud

Phishing emails masquerading as Amazon Japan have been uncovered. The volume of emails makes this campaign notable, rivalling the Emotet botnet, which has been the preeminent force in malspam for several weeks: over one million emails have been delivered since August. The campaign aims to collect the login credentials, personal information and credit card numbers of Amazon Japan account holders.

Amazon is one of the brands most impersonated by cybercriminals. Researchers observed a spike in phishing campaigns impersonating the Amazon brand in the run-up to, and during, Amazon Prime Day on 13-14 October. This was the most significant increase in reported phishing webpages since the COVID-19 lockdowns in March.

A phishing campaign has been observed impersonating Microsoft Teams to steal login credentials. The emails claim there is new activity in Teams and are styled to look like an automated Microsoft notification. If the user clicks “Reply in Teams” they are taken to a phishing page that asks for their Microsoft 365 (Office 365) login credentials, which are then exfiltrated to the attacker.

Microsoft Teams is an extremely popular communication platform, especially for businesses and schools maintaining operations through the remote working brought on by the coronavirus pandemic. So, while this is a standard phishing attempt, the credentials it harvests may give attackers access to far more sensitive information via such collaboration platforms than they could have reached before the pandemic.

Vulnerabilities

Following Microsoft’s major Patch Tuesday release last week, a proof-of-concept (PoC) exploit has been shared for one of the bugs: CVE-2020-16947, a remote code execution vulnerability in Outlook 2019 on Windows 10. Another group of researchers released PoC exploits for CVE-2020-16898, the Windows TCP/IP stack flaw in the handling of ICMPv6 Router Advertisement packets. These are likely to be incorporated into threat actors’ arsenals. It is imperative, therefore, that systems are updated as soon as possible.

Cisco has released patches for several high-severity vulnerabilities across its Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software. These flaws can be used to mount several kinds of attack, including denial of service (DoS) and cross-site request forgery (CSRF). Cisco has also issued an advisory warning that a flaw in its Cisco Discovery Protocol implementation (CVE-2020-3118) is being actively exploited. This bug also featured in a US National Security Agency (NSA) advisory listing 25 vulnerabilities under active exploitation by Chinese state-sponsored threat groups. Users are advised to update the affected software to the latest fixed release to avoid potential exploitation.

Several serious vulnerabilities in MobileIron’s mobile device management (MDM) products are now being exploited by multiple threat actors to take over enterprise MDM servers and gain a foothold in corporate networks. The first wave of attacks using the public exploit code was detected at the start of October. The NSA has listed MobileIron’s CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months. MobileIron says more than 20,000 companies use its MDM products, many of them Fortune 500 companies. This issue may well be one of the most dangerous security flaws disclosed in recent years.


APT Activity and Malware Campaigns

APT activity

The FBI and CISA have updated an advisory from 12 October with evidence that the Russian threat group known as Energetic Bear is responsible for chained attacks targeting dozens of US state, local, tribal and territorial (SLTT) government and aviation networks. The group successfully compromised the network infrastructure of at least two targeted organisations and accessed information including sensitive network configurations and passwords, standard operating procedures (SOPs), IT instructions (such as password reset procedures), vendor and purchasing information, and printing access badges. One of the vulnerabilities exploited by the attackers is the recently disclosed ZeroLogon flaw (CVE-2020-1472), used for privilege escalation against Windows Active Directory domain controllers.

There is currently no information to indicate that Energetic Bear has intentionally disrupted the vital operations of any targeted organisation, and the end goal of the attacks is not yet known. The group may have been seeking access to data and employee accounts for future operations.

Analysis of the Iran-backed MuddyWater APT’s current campaign has linked the group to several intrusions into government, telecoms and computer services organisations in Iraq, Kuwait, Turkey, Georgia and the United Arab Emirates. The Iranian government has a strategic interest in all of the targeted countries.

MuddyWater is known for stealing valuable data from the organisations it breaches. While other hacking teams associated with Tehran have gained notoriety for disruptive, data-wiping attacks against Middle Eastern organisations, MuddyWater is deployed almost exclusively for espionage. The group has so far avoided the extra scrutiny that comes with public US indictments: it was not among the alleged Iranian hackers indicted last month for their roles in various intrusions.

Malware campaigns

A new report into a recent Ryuk ransomware attack shows that the operators, Wizard Spider, leveraged the ZeroLogon exploit for the Windows Netlogon vulnerability (CVE-2020-1472). This allowed the attackers to escalate privileges and reset the domain controller’s machine-account password less than two hours after the initial phishing email. The threat actors then used various tools to deploy Ryuk across the compromised domain in under five hours. This vulnerability has been widely covered in the press and all clients are urged to update their systems if they have not already.
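Both the Energetic Bear intrusions described above and this Ryuk case turn on the same step: ZeroLogon lets an unauthenticated attacker reset a domain controller’s machine-account password over Netlogon. The following is an added example, not code from the brief or from the reports it summarises. It shows the two checks a defender can run over Windows Security event records: a 4742 “computer account was changed” event on a DC account attributed to ANONYMOUS LOGON, which is what a pre-patch exploit leaves behind, and the 5827 to 5831 Netlogon events that domain controllers carrying the August 2020 update write when they see vulnerable connections. It assumes the events have already been parsed into dicts keyed by Windows’ own EventData field names; the sample records and host names are constructed.

```python
"""Flag ZeroLogon (CVE-2020-1472) indicators in Windows Security event records.

Added example, not code from the brief or the reports it summarises. Events are
assumed to be dicts keyed by the Windows EventData field names (EventID,
SubjectUserSid, SubjectUserName, TargetUserName, PasswordLastSet). The sample
records below are constructed and the host names are hypothetical.
"""

# Well-known SID for NT AUTHORITY\ANONYMOUS LOGON. A ZeroLogon exploit talks to
# Netlogon as nobody, so the password reset of the DC's own machine account is
# attributed to this principal in the resulting 4742 event.
ANONYMOUS_LOGON_SID = "S-1-5-7"

# Netlogon events added by the August 2020 patch: 5827/5828 are vulnerable
# connections that were denied; 5829-5831 are vulnerable connections that were
# still allowed (enforcement not yet on, or an explicit Group Policy exception).
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED_VULNERABLE = {5829, 5830, 5831}


def dc_account_names(dc_hostnames):
    """Normalise DC host names into their machine-account names (e.g. DC01$)."""
    return {h.upper().rstrip("$") + "$" for h in dc_hostnames}


def classify(event, dc_accounts):
    """Return an indicator label for one event, or None if it looks benign."""
    event_id = event.get("EventID")
    if event_id == 4742:  # "A computer account was changed"
        target = event.get("TargetUserName", "").upper()
        anonymous = event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        # PasswordLastSet is "-" when the password was not part of the change.
        password_changed = event.get("PasswordLastSet", "-") not in ("-", "", None)
        if target in dc_accounts and anonymous and password_changed:
            return "dc-machine-account-password-reset-by-anonymous-logon"
    elif event_id in NETLOGON_DENIED:
        return "vulnerable-netlogon-connection-denied"
    elif event_id in NETLOGON_ALLOWED_VULNERABLE:
        return "vulnerable-netlogon-connection-allowed"
    return None


def find_indicators(events, dc_hostnames):
    """Scan event dicts and return (RecordId, label) for every hit, in log order."""
    dc_accounts = dc_account_names(dc_hostnames)
    hits = []
    for event in events:
        label = classify(event, dc_accounts)
        if label:
            hits.append((event["RecordId"], label))
    return hits


# Constructed sample log: a benign scheduled machine-password rotation (1000),
# an anonymous reset of the DC account (1001), an unrelated workstation change
# (1002) and a patched DC still allowing a vulnerable connection (1003).
SAMPLE_EVENTS = [
    {"RecordId": 1000, "EventID": 4742, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$",
     "PasswordLastSet": "10/10/2020 03:00:12"},
    {"RecordId": 1001, "EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "24/10/2020 09:41:07"},
    {"RecordId": 1002, "EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WS17$",
     "PasswordLastSet": "-"},
    {"RecordId": 1003, "EventID": 5829, "SamAccountName": "LEGACY01$"},
]

if __name__ == "__main__":
    for record_id, label in find_indicators(SAMPLE_EVENTS, ["dc01", "DC02"]):
        print(record_id, label)
```

A hit on the first check on an unpatched DC is an incident, not a warning: the DC’s stored machine password no longer matches Active Directory and the attacker holds domain-level access. The 5829 to 5831 events are the to-do list for the patch rollout, since they name the devices that still rely on vulnerable Netlogon connections and must be fixed or explicitly excepted before enforcement mode is switched on.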

Kaspersky has analysed a new trend of threat actors deploying the open-source cryptocurrency miner XMRig. XMRig is legitimate software, but it is frequently installed without the system owner’s consent to consume a machine’s computing resources to generate the Monero (XMR) cryptocurrency.

Lower-tier cybercriminals have begun distributing a Windows Trojan that, when executed on a victim’s device, installs an additional remote access Trojan (RAT), creates a new user account, and enables Remote Desktop Protocol (RDP) access on the computer. The Crusis ransomware is then dropped, followed by the XMRig miner.

Because the miner runs alongside the ransomware, the attackers start earning cryptocurrency as soon as the system is encrypted, before the victim has decided whether to pay. And because RDP has been opened, the attackers can then manually explore the victim’s network and potentially spread to other systems.

A new global botnet, KashmirBlack, has been performing millions of attacks each day, resulting in cryptocurrency mining, spam and website defacements. Hundreds of thousands of compromised machines are linked to it. The botnet’s infrastructure is said to be more sophisticated than most: it uses DevOps techniques to improve its agility and allow new payloads to be added quickly and easily. This agility also allows the botnet to swiftly change the repositories on which its malicious code is stored, such as GitHub. Its infrastructure is also mainly based on Dropbox, allowing it to hide its tracks.

KashmirBlack has been in operation since at least November 2019 and spreads by exploiting an old PHPUnit remote code execution vulnerability found in many installations of popular content management system (CMS) software. Researchers say the coronavirus pandemic has created more potential victims for the botnet, since many businesses are attempting to build an online presence using various CMS platforms. This is one more way in which cybercriminals are able to exploit the Covid-19 pandemic: clients are urged to ensure that CMS deployments, including the third-party PHP libraries bundled with them, are kept patched and that development-only packages are removed from production web roots.
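The brief does not name the PHPUnit bug; the following added example, which is not code from the brief or from the researchers who documented KashmirBlack, assumes it is the widely abused CVE-2017-9841, in which a POST to the bundled file vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php executes the request body as PHP. The example scans web server access logs for requests to that file under any prefix, decoding the percent-encoding and doubled slashes scanners use to dodge simple filters, and marks the one case that matters: a POST that returned 200, meaning the file was present and the payload ran. The log lines are constructed, the IP addresses are documentation ranges and the plugin path is hypothetical.

```python
"""Find requests for PHPUnit's eval-stdin.php in web server access logs.

Added example, not code from the brief or from the KashmirBlack researchers. It
assumes the PHPUnit bug in question is CVE-2017-9841 (eval-stdin.php). The log
lines below are constructed; the plugin path and IP addresses are hypothetical.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# The file ships at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, but it
# ends up under many prefixes (CMS plugins, themes, lib/), so match on the tail.
EVAL_STDIN_TAIL = "/util/php/eval-stdin.php"


def normalise_path(target):
    """Strip the query string, decode percent-encoding and collapse duplicate slashes."""
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))  # twice: scanners double-encode to evade filters
    return re.sub(r"/+", "/", decoded).lower()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "path": normalise_path(m["target"]), "status": int(m["status"])}


def find_phpunit_probes(lines):
    """Return one record per request that targets eval-stdin.php.

    A POST answered with 200 is the worrying case: the file exists, and with
    CVE-2017-9841 the PHP in the request body has just run. Other responses
    (403/404) are scanning activity and tell you who is looking.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].endswith(EVAL_STDIN_TAIL):
            rec["likely_executed"] = rec["method"] == "POST" and rec["status"] == 200
            hits.append(rec)
    return hits


# Constructed sample access log.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2020:10:15:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Oct/2020:10:15:02 +0000] "POST /wp-content/plugins/example-plugin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Oct/2020:10:16:10 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Oct/2020:10:16:11 +0000] "GET //lib%2Fphpunit%2Fphpunit%2Fsrc%2FUtil%2FPHP%2Feval-stdin.php HTTP/1.1" 403 12 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_phpunit_probes(SAMPLE_LOG):
        verdict = "EXECUTED" if hit["likely_executed"] else "probe"
        print(hit["ip"], hit["method"], hit["status"], hit["path"], verdict)
```

If the scan returns any executed hit, treat the host as compromised rather than merely scanned. The durable fix is the one the brief implies: PHPUnit is a development dependency and should not be deployed to a production web root at all, so any CMS, plugin or theme that ships a vendor/phpunit directory should have it removed or blocked at the web server.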



Darknet

Since the collapse of Empire Market, Televend has experienced significant growth. Televend specialises in the creation of Telegram vendor bots which buyers can message to see the full list of products offered by each vendor. The move away from centralised markets towards instant messaging platforms has been observable for some time. However, each time a major market exit-scams, faith in the entire darknet market escrow system is further undermined, pushing more users towards instant messaging platforms.

The operators of the Darkside ransomware group have claimed to have donated portions of their revenue to various charities. This is not the first time that a ransomware group has claimed to be engaging in more ethical activities: previously, several ransomware groups pledged not to attack organisations in the healthcare sector, a promise they did not keep. It is unclear why the Darkside operators chose to announce their donations publicly. It is noteworthy, however, that the announcement came just weeks after the US Treasury Department released new guidance stating that paying a ransom may be illegal if the ransomware group is, or is connected to, a sanctioned entity.


Geopolitical Threats and Impacts

Produced by A2 Global Risk



Americas

On 20 October, the US Department of Justice (DOJ) and 11 states with Republican attorneys general filed a major lawsuit against Google, accusing the company of violating competition law to preserve its monopoly over internet search and online advertising. Responding to the charges, Google described the lawsuit as ‘deeply flawed’ and said that people use Google ‘because they choose to’. A case of this kind against a major US tech company is highly significant, particularly as it has been brought by US authorities: while Google has faced similar probes into its business practices in other jurisdictions, it has largely avoided antitrust charges in the US, its domestic market. In the past five years, however, scrutiny of Google and other US tech giants such as Amazon, Microsoft and Facebook has increased both domestically and abroad, particularly over perceived anti-competitive practices, their large market shares and their data-handling policies. In the US and UK, right-leaning politicians have also accused the tech giants of silencing conservative viewpoints, further increasing calls for probes into, and legislation regulating, their practices.


In Bolivia, the candidate of exiled former president Evo Morales’ socialist MAS party, Luis Arce, won the presidential election held on 18 October. Arce reportedly took 55 per cent of the vote, ahead of centrist rival Carlos Mesa, an outright victory that avoids a runoff. The result will see executive power shift from the outgoing conservative interim administration of President Jeanine Añez to a leftist government headed by Arce, Morales’ former finance minister. This ideological shift will likely mean a return to the leftist economic policies pursued under Morales, while politically the country is set to once again prioritise relations with leftist governments in Latin America, particularly Argentina and Venezuela, likely to the detriment of relations with the US. More immediately, the outcome will facilitate Morales’ return to Bolivia from exile in Argentina. Morales, however, no longer holds elected office, potentially leading to internal power struggles and conflicts over his role in, and influence over, the new administration.


In Colombia, large protests took place on 21 October in major cities across the country against the government’s response to the coronavirus (COVID-19) pandemic and its broader economic policies. The protesters, including indigenous leaders, students and trade union activists, also demanded action against the killing of community leaders and increased funding for the health and education systems. The pandemic and the attendant restrictions on travel and assembly had meant few large demonstrations in recent months; in the past week, however, several protests have taken place, including a large convoy of indigenous activists who travelled to Bogotá from south-western departments. While this week’s protests have been overwhelmingly peaceful, demonstrations late last year led to looting and repeated violent confrontations between activists and the security forces, and to the imposition of a curfew in Bogotá.




Asia-Pacific

The Thai government announced on 22 October that the emergency regulations imposed on Bangkok had been revoked with immediate effect, one week after they were introduced to suppress mainly student-led protests calling for reform of the monarchy and the resignation of the prime minister. Lifting the emergency decree ends the widely ignored ban on political gatherings of five or more people and the curbs on media reports deemed a security threat. The government’s decision should be viewed as a bid to regain tactical control of the country’s most serious political crisis in decades rather than as a capitulation to the protesters’ demands. Any attempt to reform or otherwise marginalise the monarchy’s role would be deeply resented by powerful sections of the military and would almost certainly provoke some form of action by units pledged to protect the king. Equally, any easing of pressure on the government by the largely leaderless protest movement would erode its present high level of unity, which may well be the government’s strategy in overtly seeking to reduce tension.


In Pakistan, protests by the Pakistan Democratic Movement (PDM), an alliance of 11 opposition parties, pose a serious challenge to Prime Minister Imran Khan’s administration. The PDM has also challenged Pakistan’s powerful military, widely seen as supporting Khan’s government. Its demands that Khan resign, and its accusations that the military is interfering in the country’s political system, coincide with the impact of the COVID-19 pandemic on the economy and society and with the high cost of key food imports such as wheat and sugar. The military, and specifically the army, has regarded itself as the primary guarantor of stability in Pakistan since independence in 1947, and has yet to respond publicly to the PDM’s efforts to remove Khan and its criticism of the army’s role in supporting his administration. However, the armed forces will almost certainly seek to protect their status and role in the country if threatened, increasing the likelihood of street-level unrest and violence across much of the country.


China’s National People’s Congress (NPC) on 17 October passed a new law controlling the export of sensitive products, services and technologies. Chinese state news agency Xinhua said the law, which takes effect on 1 December, allows Beijing to retaliate against any ‘country or region’ deemed to misuse export controls and harm China’s national security. The controlled goods include nuclear and military items, among others, according to Xinhua. NPC delegates suggested that the law should also cover technologies such as computer algorithms and source code, as well as quantum and 5G communications, according to the state-owned Legal Daily. The development is widely viewed as Beijing’s retaliation for the curbs foreign governments have placed on Chinese technology firms and services, including Huawei, Semiconductor Manufacturing International Corporation, TikTok and WeChat. Many expect it to complicate trade, particularly in strategically sensitive sectors, and it opens a further avenue for reprisals against foreign interests perceived to act against China.


Europe and Russia


During a virtual summit, the US government gave a conditional pledge of up to EUR1 billion in financial assistance for infrastructure projects in the countries of the Three Seas Initiative (also known as the Baltic, Adriatic and Black Sea Initiative), a grouping of 12 EU member states fostering closer cooperation. The pledge is part of a drive to encourage these states, concentrated in Central and Eastern Europe (CEE), to modernise their transport and energy infrastructure. A sum of EUR300 million is guaranteed and would rise to EUR1 billion if the 12 Three Seas countries collectively contribute EUR3.4 billion. The pledge comes with a clear warning over growing Chinese influence in the region through a mix of significant investments and loans, and signals a stronger US commitment to countries formerly part of, or allied to, the Soviet Union. In essence, the boost in funding via the Three Seas Initiative can be read as a direct response to the 17+1 format, China’s framework for cooperation with countries in Central and Eastern Europe. More broadly, it confirms the region’s status as a new arena of geopolitical confrontation between the US and China.


A letter signed by 15 EU member states, including Austria, Croatia, the Czech Republic, Portugal and Sweden, calls on senior EU officials to send a ‘clear and loud message’ about the benefits of 5G technology. The letter highlights the ‘increasing activity of the anti-5G movement’ across the continent and the threat this poses to the roll-out of the technology. Since the start of the COVID-19 pandemic, conspiracy groups have sought to link national outbreaks with the deployment of 5G. While the claims often contradict one another, they share the idea that 5G signals accelerate the spread of COVID-19 in communities. No scientific evidence has been presented to support these claims; however, high levels of public distrust have created fertile ground for them to resonate with larger audiences. An accompanying trend has been an increase in attacks against 5G infrastructure.


On 20 October, Swedish regulators banned the use of telecommunications equipment from the China-based firms Huawei and ZTE in the development of 5G networks. The Swedish Post and Telecom Authority (PTS), the government’s electronic communications regulator, said it reached the licensing decision ahead of a spectrum auction set for next month on the basis of assessments provided by the security service and the Swedish Armed Forces. A growing number of EU states are reviewing the role of China-based companies in developing their mobile networks. While some have adopted a more moderate stance, others have bowed to US pressure and to Washington’s warnings that intelligence sharing could be curtailed if Huawei assumes an important role in building this crucial technology. The US has repeatedly claimed that Huawei could be used by China to spy on allies; the firm denies the charges.


MENA and Central Asia


A report published by the International Monetary Fund (IMF) on 19 October projected that the Lebanese economy would contract by 25 per cent by the closing financial quarter (Q4) of 2020. The report also indicated that all countries in the Middle East region apart from Lebanon and Oman are likely to see some degree of economic recovery in 2021. It attributed the sharp contraction to factors including the country’s sovereign debt default in March, foreign currency shortages, the Beirut port explosion in August, and the subsequent resignation of Prime Minister Hassan Diab’s government. The forecasts come as the economy continues to deteriorate amid a political crisis that has been ongoing since August.


A deal signed at Israel’s Ben Gurion Airport (TLV) by Prime Minister Benjamin Netanyahu and a UAE representative allows 28 weekly commercial flights between Ben Gurion and Dubai International Airport (DXB) and Abu Dhabi International Airport (AUH). The agreement also allows unlimited charter flights between the UAE and Ramon Airport (ETM) in the Timna Valley in southern Israel, and authorises 10 weekly cargo flights between the two countries. The ratification of the aviation deal follows the signing of the Abraham Accords by the UAE and Israel on 15 September, officially establishing economic and diplomatic ties. It marks a significant move towards deeper cooperation between the two countries, which will likely enhance tourism, trade and business prospects in the medium to long term.


On 15 October, the Moroccan government announced restrictions on products manufactured in Turkey for a period of five years. Customs duties have been raised on around 1,200 Turkish products, some by as much as 90 per cent, while the tax on clothes produced in Turkey has been increased from 22.5 per cent to 27 per cent. The authorities also announced that Turkish store chains in Morocco face strict compliance measures and will be closed if they fail to adhere to the new import regulations. The Moroccan trade ministry has described the move as part of a strategy to renegotiate the free-trade agreement the two countries signed in 2004, which it says has left Morocco with an annual USD2 billion trade deficit with Turkey. It is a further blow to Turkey, whose foreign trade deficit has doubled since January amid a sharp 20 per cent fall in exports caused by severe global lockdown measures.


Sub-Saharan Africa


The Lagos state government website remained inaccessible on 23 October following a cyberattack claimed by Anonymous. The hacktivist collective accused the government of trying to kill one of its members (an ‘Anon’) during violent protests calling for the dissolution of the Special Anti-Robbery Squad (SARS), a tactical police unit that has since been disbanded. The incident follows a series of attacks Anonymous has claimed against government-linked websites, including those of the Central Bank of Nigeria, the Economic and Financial Crimes Commission, and other state governments, including Edo State. Some confidential SARS documents and Edo government contracts may have been leaked. While the method used in the attack is unclear, it was likely a distributed denial of service (DDoS) attack, which overwhelms a website with traffic and forces its servers offline; this is a technique commonly used by Anonymous. Although the authorities deny that any data has been compromised, some data breaches are likely. This may expose companies that have signed contracts with public institutions to increased reputational and cyber-security risk, particularly in matters the hacker network deems immoral.


On 19 October, US President Donald Trump said that the State Department would remove Sudan from its list of state sponsors of terrorism once Khartoum pays USD335 million in compensation to the families of victims of the 1998 al-Qaeda attacks on the US embassies in Kenya and Tanzania. At the time, al-Qaeda enjoyed considerable operational and financial support from the Sudanese government. The announcement follows months of negotiations between US and Sudanese authorities over Khartoum’s removal from the list. The US has pushed the transitional government, the so-called Sovereign Council, to establish diplomatic relations with Israel in the same vein as the Muslim-majority states of the United Arab Emirates and Bahrain, which established relations with Israel in August and October, respectively. It is unclear whether this condition has been dropped, although it is unlikely to enjoy wide buy-in in Sudan, where many remain hostile to Israeli policy towards Palestinians in the occupied West Bank and Gaza Strip.

