Geopolitics and Cybersecurity Weekly Brief – 30 November 2020

Executive Summary

Several notable political developments occurred this week. In the US, President Donald Trump recommended that ‘preliminary work’ for a formal transition of power to President-elect Joe Biden begin. Meanwhile, Biden announced the first nominations for his incoming administration’s cabinet. Canada and the UK formally agreed to roll over existing trading terms once the UK’s Brexit transition period concludes on 1 January 2021.

COVID-related phishing campaigns (and other cybercrime related to the pandemic) have become commonplace over the last eight months. This week the FBI announced that it had identified numerous recently registered domains spoofing its websites, which could be used in future campaigns of this kind to steal data from US citizens. South Korea’s intelligence agency prevented attempts by North Korean hackers to disrupt South Korean drugmakers’ efforts to develop a COVID-19 vaccine. In Brazil, the personal and health information of over 16 million coronavirus patients was leaked online after a hospital employee uploaded a private database to GitHub; President Jair Bolsonaro’s data was among the records exposed.

Data security remains an issue across the globe. In Russia, the communications regulator Roskomnadzor initiated a case against US-based technology firm Google for failing to remove ‘dangerous content’ from search results. Also this week, researchers reported a spate of Microsoft Office 365 credential phishing attacks using Zoom as a lure, fake emails imitating government agencies offering federal assistance, and cyber-fraudsters targeting Black Friday and Cyber Monday shoppers now that a significant proportion of retail has migrated online.

Geopolitically, tensions with Iran have ramped up in the past week. Iran’s most senior nuclear scientist, Mohsen Fakhrizadeh, was assassinated in an elaborately planned ambush. Israel has previously accused Fakhrizadeh of being the head of Iran’s covert nuclear weapons programme. Iran is likely to retaliate, whether through a physical attack or a cyberattack. Meanwhile, the Trump administration has continued its ‘maximum pressure’ campaign, announcing that the treasury department will impose sanctions against five entities which have allegedly aided Iran’s missile programme.

Amid ongoing tensions with China, commercial interests are highly likely to be affected. Chinese ambassador to Germany Wu Ken offered reassurances that China would remain a key partner to Europe despite the growing public tensions. Meanwhile, in the UK, the draft Telecoms Security Bill has formalised the ban on Huawei equipment in 5G networks. In Australia, China’s commerce ministry said that duties on Australian wine imports will be ‘temporarily’ increased by between 107.1 and 212.1 per cent. In the Americas, direct oil shipments from Venezuela to China have resumed in recent months despite the threat of US sanctions. In the cyber sphere, the Chinese threat actor MustangPanda (TA416) has been distributing malware in spear-phishing attacks. People associated with diplomatic relations between the Vatican and the Beijing administration were targeted, alongside businesses in Myanmar and diplomatic organisations in Africa. The final payload was the PlugX cyber-espionage malware.


Attacks and cybersecurity news

The FBI has warned that multiple recently registered domains are spoofing its official websites. The bureau believes that these could be used for future malicious activity, specifically to create spoofed emails encouraging targets to click on malicious links or visit malicious sites.

In October, the FBI warned that attackers were using spoofed US Census Bureau domains in malicious campaigns. The FBI is a prime target for impersonation by both cybercriminals and nation-state attackers, because its name lends credibility to requests for sensitive information. This makes it likely that these spoofed domains will be used in future malicious campaigns against US citizens or government employees.
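The practical defence against the spoofed domains described above is to triage sender and link domains seen in mail logs against the brand they imitate. The following is an added example written for this brief, not code from the FBI alert: fbi.gov is the bureau’s real domain, while the second protected entry, the confusable table and the sample domains are constructed assumptions. It separates genuine subdomains from wrong-TLD clones, brand-embedded lookalikes and single-edit typosquats.

```python
"""Triage sender/link domains against a protected brand domain.

Added example, not from the FBI alert. fbi.gov is the bureau's real domain;
the second protected entry, the confusable table and the sample inputs are
assumptions constructed for this demonstration.
"""
import re
from typing import Dict, Iterable

PROTECTED = {"fbi.gov", "ic3.gov"}   # ic3.gov added only as a second example entry

# A few digit/letter confusables typosquatters use (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the textbook O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Simplification: ignores multi-label public suffixes such as co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify(domain: str, protected: Iterable[str] = PROTECTED) -> str:
    d = domain.lower().strip(".")
    labels = d.split(".")
    if len(labels) < 2:
        return "unrelated"
    reg = registrable(d)
    if reg in protected:
        return "legitimate"            # the real domain or a genuine subdomain of it
    reg_label = reg.split(".")[0]
    # Split hyphenated labels so that "fbi-gov.com" exposes the "fbi" token.
    tokens = {t for label in labels for t in re.split(r"[-_]", label) if t}
    for p in sorted(protected):
        p_label = p.split(".", 1)[0]
        if reg_label == p_label:
            return "wrong-tld"          # fbi.com, fbi.net
        if p_label in tokens:
            return "brand-embedded"     # fbi-gov.com, fbi.gov.example.net, secure-fbi.net
        normalised = reg_label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
        if normalised == p_label or levenshtein(reg_label, p_label) <= 1:
            return "typosquat"          # fb1.gov, fbl.gov, fbii.gov
    return "unrelated"


def triage(domains: Iterable[str]) -> Dict[str, str]:
    """Return only the domains that warrant a look, with the reason."""
    return {d: v for d in domains if (v := classify(d)) not in ("legitimate", "unrelated")}


# Constructed sample: sender domains as they might appear in a mail log.
SAMPLE = [
    "www.fbi.gov", "fbi.com", "fbi-gov.com", "fbi.gov.example.net",
    "fb1.gov", "fbii.gov", "secure-fbi.net", "example.org", "lc3.gov",
]

if __name__ == "__main__":
    for dom, verdict in triage(SAMPLE).items():
        print(f"{dom:24s} {verdict}")
```

The registrable-domain helper deliberately ignores multi-label public suffixes; for production use, swap it for a public-suffix-list lookup, and feed `triage` with the domains from Received/From headers and from URLs in message bodies rather than the display name, which attackers control completely.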

Following a month of inactivity, the TA416 threat group (also known as MustangPanda) has resumed distributing malware in spear-phishing attacks. These campaigns have targeted people associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar and diplomatic organisations in Africa. The final payload appears to be a new variant of the group’s PlugX malware loader. Numerous Chinese APTs are known to use PlugX for cyber-espionage, usually against individuals and organisations of interest to Beijing. MustangPanda has previously disguised PlugX as an Adobe Flash Player installer delivered through the same spear-phishing technique.


Data security, fraud, and vulnerabilities

Data Security

The personal and health information of over 16 million Brazilian coronavirus patients has been leaked online after a hospital employee uploaded a private database to GitHub. The dataset included usernames, passwords, and access keys to sensitive government systems such as E-SUS-VE and Sivep-Gripe, two government databases used to store data on COVID-19 patients. Records from all 27 states were exposed, including those of high-profile figures such as the country’s president Jair Bolsonaro, his family, seven government ministers, and governors from 17 states. The spreadsheet was removed from GitHub after it was discovered, and government officials changed their passwords and revoked access keys to secure their systems.

Peatix, an event organisation platform, has disclosed a data breach affecting 4.2 million registered users. The data is allegedly being openly advertised and traded across multiple platforms, including Instagram, Telegram, and various forums. The leaked information includes full names, usernames, emails, and hashed passwords. The source of the breach remains unknown, though Peatix claims to have identified the point of entry and secured it.

Unit42 has identified multiple Android applications on the Google Play Store that leak data. The data included persistent identifiers and personal information recorded while the apps were in use.

Affected apps included Baidu Search Box (5 million downloads). The researchers also flagged an Android SDK known as ShareSDK, from the Chinese vendor MobTech. ShareSDK supports over 40 social media platforms and helps app developers integrate their users’ social media accounts. While not strictly a violation of Google’s policy for Android apps, the collection of identifiers such as the IMSI or MAC address is discouraged by Android’s best-practice guidance. A compliant version of Baidu Search Box became available on Google Play globally in November 2020.


Threat actors are attempting to steal personal information from US citizens with emails imitating government agencies offering federal assistance. One attack lured users with a fake government program offering up to USD5,800 in cash payments to US residents. A second attack imitated an alert from the Pandemic Unemployment Assistance (PUA) program. COVID-related phishing campaigns have become commonplace over the last eight months. As noted above, the FBI recently announced that it had identified numerous spoofed domains impersonating its websites, which could be used in future campaigns such as these, to steal data from US citizens.

There has been a spate of Microsoft Office 365 credential phishing attacks using Zoom as a lure. These targeted US users attempting to host virtual Thanksgiving dinners. The lures state that the user has a video conference invitation. The phishing page harvests Office 365 credentials along with the victim’s IP address and geographic location, and checks whether the submitted credentials are valid. At the time of writing, this phishing attack has stolen over 3,600 unique email credentials; because numerous landing pages are in use, the true number could be far greater. Another Office 365 phishing campaign was uncovered a matter of days later, attempting to steal credentials from small and medium-sized businesses in the US and Australia. It combines cloud services from Oracle and Amazon in its infrastructure. The attacks use Zoom invitations as phishing lures, leading victims to credential-theft pages.

The UK NCSC has warned online shoppers, retailers, and banks that cybercriminals will expand their targeting as shoppers engage with Black Friday and Cyber Monday retail offers. The Christmas shopping season is often the busiest time for online retailers and services. Due to the ongoing COVID-19 pandemic, most people are now shopping online, and attackers have a much larger pool of targets. ESET Research intercepted multiple Black Friday spam email campaigns offering significant discounts on recognisable brands. Check Point also revealed that phishing emails doubled throughout November in the run-up to Black Friday and Cyber Monday.



Virtualisation giant VMware has released temporary workarounds for a critical command-injection vulnerability, CVE-2020-4006, in multiple products. Successful exploitation allows an attacker to execute commands on the underlying Windows or Linux operating system and take over the affected system. Exploitation requires network access to the administrative configurator on port 8443 and a valid password for the configurator admin account, so restricting access to that port and protecting the admin password reduce the exposure in the meantime. While VMware is still working on security updates, the company has published a workaround that removes the attack vector on affected systems and prevents exploitation of CVE-2020-4006. The workaround applies only to VMware Workspace ONE Access, VMware Identity Manager, and VMware Identity Manager Connector.


APT Activity and Malware Campaigns

APT activity

Qihoo 360 has disclosed a new cyber-espionage campaign against Ukrainian government and military targets. The attacks reportedly originate from an APT group based in the Luhansk (also spelled Lugansk) region of eastern Ukraine, on the border with Russia. The campaign includes watering-hole attacks and spear-phishing attempts that deliver malware, including Quasar RAT and custom scripts. The group uses techniques similar to those of Russian groups such as Gamaredon, Sandworm, and FancyBear. Spear-phishing against government and military institutions in Ukraine has been ongoing for many years, and the attacks often ramp up in the run-up to and during political events, such as local or national elections or escalations in the continuing conflict.

Security researchers from Trend Micro have identified a new macOS backdoor believed to be linked to the APT OceanLotus (also known as APT32). The threat actors behind the newly discovered sample are targeting Vietnamese users by hiding malicious payloads within Word documents with Vietnamese filenames. Like previous versions of the OceanLotus backdoor, the new variant contains two main functions: one for collecting operating system information and communicating with the C&C server, and another providing the backdoor capabilities. The OceanLotus threat group is highly active and is believed to work on behalf of the Vietnamese government.


Trend Micro has released a new report on threat actors using Trojanised open-source software to deliver the Vatet Loader malware. Vatet pushes further payloads such as TrojanSpy.Win32.LAZAGNE or the Defray ransomware. The Trojanised software used in recent attacks is called ‘notepad.exe’. Skilled threat actors, from ransomware gangs to APTs, often look for open-source software into which they can pack their malware. Because the Trojanised files closely resemble the originals, automated analysis tools can easily misclassify them as benign and allow them past defences.

A new variant of the MooBot malware has been discovered leveraging a zero-day exploit for Unix-based CCTV digital video recorders (DVRs). MooBot is DDoS malware that has built a vast Internet of Things (IoT) botnet. The attacks reportedly began in June, and patches were released by the end of August. The researchers found that some 6,000 devices had been infected by MooBot, mainly in the US, with others in South Korea, Canada, Japan, the Netherlands, Australia, Germany, the UK, Vietnam, Malaysia, Saudi Arabia, the Czech Republic, Switzerland, and China.

The Stantinko group has returned with a new version of a Linux Trojan that masquerades as httpd, the Apache HTTP Server daemon commonly found on Linux servers. The malware drives a growing cryptomining and adware botnet targeting Linux servers in Russia, Ukraine, Belarus, and Kazakhstan. ESET analysed early versions of the Linux Trojan in a 2017 white paper. The Stantinko group reportedly controls more than 500,000 infected devices. ESET notes that Stantinko has been active for almost eight years and has regularly upgraded its malware to improve its profits, so additional features are to be expected as this threat continues to evolve.
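A process that borrows the name of a trusted daemon, as the Trojan above does with httpd, is cheap to spot if you compare what a process calls itself with the binary it actually runs from. The following is an added example written for this brief, not ESET’s detection logic: the expected install paths, the list of suspicious locations and the sample process table are assumptions, and `collect_from_proc` is a simple Linux `/proc` reader to feed real data into the same check.

```python
"""Find processes that use a trusted daemon's name but run from the wrong binary.

Added example prompted by the httpd masquerade; it is not ESET's detection
logic. Expected install paths, the suspicious-location list and the sample
process table are assumptions for this demonstration.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    comm: str             # /proc/<pid>/comm: the name the process reports (15 chars, self-chosen)
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None if unreadable


# Where the real daemons live on common distributions (assumption; adjust per fleet).
EXPECTED = {
    "httpd": {"/usr/sbin/httpd", "/usr/local/apache2/bin/httpd"},
    "apache2": {"/usr/sbin/apache2"},
    "nginx": {"/usr/sbin/nginx", "/usr/local/nginx/sbin/nginx"},
    "sshd": {"/usr/sbin/sshd"},
}
# Writable or transient locations no system daemon should execute from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")
DELETED = " (deleted)"


def judge(p: Proc, expected=EXPECTED) -> List[str]:
    """Reasons this process looks like a masquerade; an empty list means nothing found."""
    allowed = expected.get(p.comm)
    if allowed is None:
        return []                            # not a daemon we track
    if p.exe is None:
        return ["exe link unreadable (run as root, or the process is hiding)"]
    reasons, path = [], p.exe
    if path.endswith(DELETED):               # binary unlinked after start: classic dropper behaviour
        reasons.append("binary deleted after launch")
        path = path[: -len(DELETED)]
    if path not in allowed:
        reasons.append(f"{p.comm} running from unexpected path {path}")
    if path.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("binary lives in a user-writable location")
    return reasons


def find_masquerading(procs: List[Proc], expected=EXPECTED) -> Dict[int, List[str]]:
    return {p.pid: r for p in procs if (r := judge(p, expected))}


def collect_from_proc() -> List[Proc]:
    """Snapshot live processes from /proc (Linux only; returns [] elsewhere)."""
    procs: List[Proc] = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:                      # process exited while we were listing
            continue
        try:
            exe: Optional[str] = os.readlink(f"/proc/{entry}/exe")
        except OSError:                      # kernel thread, or no permission
            exe = None
        procs.append(Proc(int(entry), comm, exe))
    return procs


# Constructed sample table; PIDs and paths are illustrative.
SAMPLE = [
    Proc(101, "httpd", "/usr/sbin/httpd"),
    Proc(202, "httpd", "/tmp/.x/httpd"),
    Proc(303, "httpd", "/usr/sbin/httpd (deleted)"),
    Proc(404, "sshd", None),
    Proc(505, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Run the collector as root so that `exe` is readable for every process, and treat the allow-list as a starting point: the stronger version of this check also hashes the binary at the resolved path against the package manager’s manifest, since a malicious file dropped over the genuine `/usr/sbin/httpd` would pass a path-only comparison.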

ESET researchers have detected two new Grandoreiro banking Trojan campaigns targeting Italy and France. The emails share a common structure: recipients are told that an invoice that has gone unpaid for 30 days must be settled within three days to avoid legal action. The attackers impersonate ENEL for Italian targets and EDF for French targets. The Grandoreiro Trojan has been distributed in various campaigns throughout 2020, with early attacks exploiting fear of the coronavirus. The malware first targeted Brazilian and Mexican users, then moved on to Spain and Portugal.



A new forum that includes a breach indexing service is gaining popularity on the darknet. Like other breach indexing services, it allows members to search for email addresses included in various data breaches. However, this service also displays the corresponding password, and allows members to search by username or password. This is not the first breach indexing service to include passwords; this latest service, however, allegedly holds over 10 billion leaked credentials. While that figure has not been verified, if true it would make this one of the larger breach indexing services.

The operators of the DarkSide Ransomware-as-a-Service (RaaS) have announced the creation of a content delivery network (CDN) to store and leak victim data. The DarkSide operators previously claimed that the hosting infrastructure for this CDN would be located in Iran, although its current location remains unknown. The operators also announced that they are working on an updated version of their malware.


Geopolitical Threats and Impacts

Provided by A2 Global Risk



On Monday (23 November), US President Donald Trump recommended that ‘preliminary work’ for a formal transition of power to President-elect Joe Biden begin, instructing the General Services Administration (GSA) to launch initial protocols for the transition. In a separate development on Monday, Biden announced the first nominations for his incoming administration’s cabinet. Monday’s developments are important milestones for the incoming Biden administration. Since the 3 November election, Trump has repeatedly alleged electoral fraud and pursued multiple legal challenges to the election results. These challenges have been mostly unsuccessful, and senior Republican lawmakers have increasingly called for transition proceedings to begin, building pressure on Trump to initiate the transition. Biden’s initial cabinet nominees signal a large degree of continuity with the Obama administration, with the incoming president largely selecting former officials over his past Democratic Party rivals for the presidency.


Direct oil shipments from Venezuela to China have resumed in recent months despite the threat of US sanctions, media outlets reported on Friday (27 November) citing vessel tracking data and internal documents from Venezuela’s state-owned oil giant, PDVSA. Tankers have transported crude from Venezuelan ports to the north-eastern Chinese ports of Bayuquan and Dalian, while two vessels owned by Chinese state-owned oil company PetroChina loaded oil in Venezuela earlier this month. PetroChina and fellow state-owned oil company China National Petroleum Corp (CNPC) suspended direct shipments from Venezuela in August 2019 after the US government expanded its sanctions on PDVSA. Vessels continued to ship Venezuelan oil to China indirectly, however, particularly through the use of cargo transfers at sea from shipments destined for Malaysia. News of the resumption of direct shipments between Venezuela and China is likely to frustrate authorities in Washington, who applied the measures as part of a broader strategy to limit revenue to the government of Venezuelan President Nicolás Maduro, which the US considers illegitimate. In the immediate outlook, the US is likely to consider imposing new sanctions on Venezuela’s oil sector, which the incoming Biden administration is unlikely to remove until Maduro’s administration advances towards free and fair elections.


On Saturday (21 November), Canada and the UK formally agreed to roll over existing trading terms once the UK’s Brexit transition period concludes on 1 January 2021. The two sides also announced that they would begin work on a bespoke bilateral trade deal as early as 2021. Annual Canada-UK trade in goods and services is worth USD27 billion (CAD35.5 billion / GBP20.3 billion). The agreement announced on Saturday allows bilateral trade to continue under the terms of the EU-Canada trade agreement, CETA. For Canada, the deal ensures continuity in trade with the UK, its fifth-largest trading partner globally and largest in Europe. In the UK, meanwhile, the deal will be particularly welcomed by the automotive, manufacturing, and agriculture industries, which all have sizeable bilateral trade flows with Canada.





China’s commerce ministry on Friday (27 November) announced that, with effect from Saturday, duties on Australian wine imports will be ‘temporarily’ increased by between 107.1 and 212.1 per cent. The measure was introduced ostensibly because Australian producers received subsidies that harmed China’s domestic wine industry. China is Australia’s largest single wine market, accounting for more than 40 per cent of exports. Any sustained reduction in exports to China would severely damage Australia’s wine sector, valued at around AUD45.5 billion (USD33.05 billion) and sustaining some 164,000 jobs. China’s action is in line with its steady increase in economic pressure on Australia, reflecting its apparent efforts to force Canberra to adopt more conciliatory diplomatic policies towards Beijing. There are growing indications that many Western countries and blocs such as the EU will coordinate their diplomatic and economic response to China’s efforts to dictate the terms on which its conduct is assessed.


Ha Tae-keung, a conservative member of South Korea’s national assembly who was briefed by intelligence officials, said that the country’s intelligence agency has prevented attempts by North Korean hackers to disrupt South Korean drugmakers’ efforts at developing a COVID-19 vaccine. Ha’s claims are credible, given that they follow Microsoft’s allegations on Friday (13 November) that three hacker groups backed by the North Korean and Russian governments had attempted to breach the networks of seven major pharmaceutical firms and vaccine researchers in Canada, France, India, South Korea and the US. Pyongyang is thought to have hired up to 6,000 hackers, most of them based in countries including China and Russia, according to Yonhap News Agency. Additionally, North Korea faces a ‘very high’ level of humanitarian crisis severity – the highest of a seven-tier crisis assessment scale – due to food and water shortages and inadequate medical infrastructure, according to a recent annual report by the Geneva-based international NGO Assessment Capacities Project (ACAPS). Instability risks in North Korea have escalated from the combined impacts of the COVID-19 pandemic, recent flooding, and long-standing sanctions. Greater instability in North Korea increases the risk of cyberattacks by North Korean state-backed threat actors, particularly on pharmaceutical businesses involved with COVID-19 research.


Taipei and Washington on Friday (20 November) signed a five-year agreement creating the US-Taiwan Economic Prosperity Partnership Dialogue, which will be held yearly. The dialogue emphasised sectors for increased cooperation, including technology such as 5G and semiconductors, as well as investment screening. Beijing claims Taiwan as a renegade province, and the dialogue is certain to increase tensions between the US and China. However, the dialogue does not amount to the long-planned Free Trade Agreement (FTA), progress towards which was enabled by the lifting of a ban on US pork containing the additive ractopamine. The dialogue also comes against the backdrop of an outgoing Trump administration that is increasing its signalling to the Chinese government by strengthening ties with Taipei on various fronts. Beijing on Monday (23 November) threatened an unspecified response to a reported but unconfirmed visit to Taiwan by a US Navy admiral, and a visit to Taiwan by US Environmental Protection Agency head Andrew Wheeler is anticipated.


Europe and Russia


On Tuesday (24 November), the UK government outlined its request to parliament for additional powers to oversee telecommunications operators’ security policies. Under the Telecoms Security Bill, operators could be forced to remove components from ‘high-risk’ vendors when developing 5G telecommunications networks. Chinese firms Huawei and ZTE have been designated as ‘high-risk’. Ofcom, the telecommunications regulator, will assume more responsibilities and oversee telecommunications firms’ security policies; failure to comply with the rules could mean fines of ‘up to 10 per cent of turnover or GBP100,000 a day’. The draft law formalises an earlier decision by the UK to ban purchases of Huawei equipment for 5G networks. Complementary legislation is expected to follow the adoption of the Telecoms Security Bill, tightening requirements on the measures firms should take to design networks, protect them from cyber-attacks, and conduct security audits. In recent days, Huawei commissioned independent research to demonstrate its contribution to the UK economy; a report published by the research firm Oxford Economics showed that Huawei supports 51,000 jobs and contributes GBP3.3 billion to GDP. Increasing US pressure on allies in Europe helps explain the hardened stance on Huawei in recent months. While initially adopting a more moderate stance, which involved a phase-out of core components supplied by Huawei, the UK government decided on a full removal of Huawei equipment across all 5G networks by 2027.


On Monday (23 November), Russia’s communications regulator Roskomnadzor initiated a case against US-based technology firm Google for failing to remove ‘dangerous content’ from search results. According to Roskomnadzor, Google failed to remove up to 30 per cent of what it considers ‘dangerous content’, some of which was found to be extremist and pornographic in nature. The probe may culminate in an administrative fine of up to RUB5 million (USD65,670). While relatively low compared with fines levied against Google elsewhere, it still reflects tightening domestic regulation that carries a financial burden in the event of non-compliance. Beyond the financial implications, foreign firms may also be prevented from operating; the professional business platform LinkedIn is blocked in Russia after a court found it breached domestic rules requiring all data relating to Russian nationals to be stored in the country. In August, Russian regulators fined Google RUB1.5 million after finding the firm did not block content banned in the country. Last week, lawmakers presented draft legislation that could give the government powers to restrict internet access to US-based social media firms deemed to have discriminated against Russian media services. The legislation was prompted in part by the labelling or suspension of accounts belonging to Russian outlets by prominent US technology firms, including Facebook and Twitter.


During a telephone call with business representatives on Tuesday (24 November) Chinese ambassador to Germany Wu Ken offered reassurances that China would remain a key partner to Europe despite growing public tensions. The statement seeks to address concerns that China would focus inwardly on its own market as the US and Europe are expected to draw closer once Joe Biden officially assumes the US presidency in January. While China is a key economic partner to a number of EU countries, export-dependent Germany relies strongly on the Chinese market. Biden will inherit a series of domestic and foreign policy challenges, including China’s relations with the West. Growing focus on this relationship has been reflected from EU leading nations as well; last week French foreign minister Jean-Yves Le Drian and Heiko Maas, his German counterpart, published an opinion piece in The Washington Post calling for Biden to help present a united front against countries such as China, Russia, and Iran. This dynamic should ‘not exclude dialogue and cooperation’ but probably implies more alignment on security and trade issues. This will depend on the consensus Biden manages to build among allies and his administration’s commitment to protecting the liberal democratic model against any perceived threats.


MENA and Central Asia


On Friday (27 November) the Iranian defence ministry confirmed the assassination of Mohsen Fakhrizadeh, the country’s most senior nuclear scientist, who headed the ministry of defence’s research and innovation organisation. Israel has previously accused Fakhrizadeh of being the head of Iran’s covert nuclear weapons programme. The elaborately planned ambush occurred when Fakhrizadeh was travelling with his wife, accompanied by three vehicles carrying his security personnel, in the Absard area outside Damavand city. The semi-official Fars News Agency indicated that Fakhrizadeh was killed by a remote-controlled machine gun, and that the vehicle carrying the weapon was then detonated. Iran’s PressTV said on Monday (30 November) that the weapons collected from the site bore the ‘logo and specifications of the Israeli military industry’. Neither the US nor Israel has officially claimed responsibility for Fakhrizadeh’s death, though the two countries will likely be the focus of Iranian retaliation. Possible targets over the coming weeks include US military and diplomatic facilities in neighbouring Iraq. Across the wider Middle East, Iranian proxies could target US or Israeli foreign nationals, personnel and businesses; there is a risk of both small-scale and large incidents as well as cyberattacks. Retaliatory attacks could also be launched across South Asia, Southeast Asia and Africa, while incidents in Europe and the US are also a possibility.


During a virtual Beirut Institute event on Wednesday (25 November), US Special Envoy for Iran Elliott Abrams confirmed that the treasury department will impose sanctions against five entities which have allegedly aided Iran’s missile programme. The designations affect two China-based companies, Chengdu Best New Materials Co. and Zibo Elim Trade Company, alongside three Russia-based companies, Nilco Group, Elecon and Aviazapchast. Abrams indicated during Wednesday’s event that the Trump administration will continue to impose sanctions over the coming weeks on entities believed to be supporting Iranian arms programmes, weapons of mass destruction and human rights violations. Abrams notably stated that the succeeding administration should anticipate that sanctions cannot simply be ‘switched off’, likely referring to the fact that many of those imposed over the past 18 months are counter-terrorism designations. Such designations will be harder to dismantle, a potential obstacle for President-elect Joe Biden, who is likely to seek to lift some penalties in order to re-establish JCPOA negotiations with Iran.


Sub-Saharan Africa


The Canada-based International Air Transport Association (IATA) said in a report on Tuesday (24 November) that it expects ‘deep industry losses to continue’ into next year. While IATA anticipates net losses of USD118 billion in 2020, a delayed resumption of air travel in 2021 will mean further net losses of USD38 billion. In large part, this is due to a slower recovery of air travel than previously expected, caused by second and third waves of COVID-19 infections in Europe and the US. Furthermore, the outlook remains very uncertain due to probable complications with the roll-out of vaccine programmes, which are key to a resumption of air travel for some airlines, and reduced capacity due to cost cuts this year. IATA does not anticipate a recovery to 2019 levels before 2024. In Africa and the Middle East, the drop in demand and capacity has been among the steepest; for Africa, demand fell 72 per cent between 2019 and 2020, while capacity fell 62.8 per cent over the same period. Furthermore, the recovery of air travel is likely to be slower in the region, due to a lack of the cold-chain facilities needed for the roll-out of vaccination programmes, as well as scarce fiscal space to pay for such programmes over the coming two years.


The US Department of State on Monday (23 November) announced a six-month pilot visa rule that will allow US consular services to require some visa applicants to pay a bond as a condition of visa issuance. The new rule, in effect from 24 December 2020 to 24 June 2021, targets countries whose nationals had a high rate of overstaying their visas (above 10 per cent in 2019) and covers tourist (B-2) and business travel (B-1) visas. Fifteen of the 24 countries are in Africa, including Angola, the Democratic Republic of the Congo, and Sudan; others include Afghanistan, Iran, and Syria. The bonds will range between USD5,000 and USD15,000, and the final decision will lie with the consular office and depend on the specific circumstances of the visa applicant. The new rule will not apply to those travelling under the Visa Waiver Program, which allows nationals of participating countries to visit the US for up to 90 days without a visa. The six-month pilot programme is likely to hamper travel to the US for some nationals of the named countries and increase the cost of business travel, at least during the stated time frame. While the incoming administration of President-elect Joe Biden is widely expected to reverse many of the travel restrictions imposed by its predecessor, it is unclear whether it will be able to do so before the end of the programme.
