Attacks and cybersecurity news
A Catholic bishop and a priest in Togo, among others, have been revealed as the latest victims of spyware created by NSO Group. This is the first time that the Pegasus spyware is known to have been used against members of the clergy. WhatsApp alerted Bishop Benoît Alowonou and five other critics of Togo’s government about the spyware on their phones. It is currently unknown who is responsible for the attack but some of the victims believe that the Togolese government is to blame. All the victims were public critics of Togo’s President Faure Gnassingbé, and see this as an attempt to frustrate organisation by pro-democracy activists in Togo. NSO Group and WhatsApp are engaged in a legal battle, in which WhatsApp accused the Israeli firm of facilitating attacks against at least 1,400 users. NSO Group has denied the allegations, stating that it is not responsible for the actions of its ‘sovereign customers’.
The Emotet botnet remains active and continues using its ‘hashbusting’ mechanism for malware loaders. Hashbusting ensures that the malware has a different hash on each system that it infects, rendering hash-based detection useless. Illustrating this: between 29 July and 3 August, there were 57,686 new hashes. The botnet was reportedly inactive on 3 August: the first time in two weeks since its return that no malspam was sent by any of the Emotet Epochs. It started spamming again on 6 August, with minor upgrades to two of its Epochs detected by researchers. Successful Emotet infections, however, continue to distribute the Qbot banking Trojan.
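The following is an added example, not code from the newsletter or from any Emotet analysis, illustrating the detection problem the paragraph describes. It simulates hashbusting by appending a per-victim random overlay to a constructed, harmless stand-in for a loader, then compares three detection strategies: a whole-file hash blocklist (defeated), a byte-pattern signature on the invariant loader body (still matches), and a hash taken only over the invariant prefix (still matches). The loader bytes, marker string and overlay length are all constructed assumptions.

```python
"""Why whole-file hash IoCs fail against hashbusting loaders, and what still works.

Added example (not from the newsletter). The 'loader' below is a constructed,
harmless byte string; hashbusting is simulated by appending a random overlay,
which changes the SHA-256 of the whole file while leaving the code untouched.
"""
import hashlib
import os

# Constructed stand-in for a loader's invariant code section (not real malware).
LOADER_CODE = b"\x4d\x5a" + b"CONSTRUCTED-LOADER-BODY" * 8


def hashbust(sample, overlay=None):
    """Return a per-victim variant: original bytes plus a random trailing overlay."""
    overlay = overlay if overlay is not None else os.urandom(16)
    return sample + overlay


def sha256_hex(data):
    """Whole-buffer SHA-256, the kind of value shared as a file-hash IoC."""
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(samples, blocklist):
    """Count samples whose whole-file SHA-256 appears on the blocklist."""
    return sum(1 for s in samples if sha256_hex(s) in blocklist)


def content_signature_hits(samples, marker):
    """Count samples containing an invariant byte pattern from the loader body."""
    return sum(1 for s in samples if marker in s)


def section_hash_hits(samples, known_section_hash, section_len):
    """Count samples whose first `section_len` bytes hash to a known value.

    A crude stand-in for hashing only the invariant sections of a binary
    rather than the whole file, so trailing junk does not change the result.
    """
    return sum(1 for s in samples if sha256_hex(s[:section_len]) == known_section_hash)


def simulate(n_victims=5):
    """Generate n hashbusted variants and score each detection approach."""
    variants = [hashbust(LOADER_CODE) for _ in range(n_victims)]
    # The analyst only ever saw one sample and shared its hash as an IoC.
    blocklist = {sha256_hex(variants[0])}
    return {
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "blocklist_hits": hash_blocklist_hits(variants, blocklist),
        "signature_hits": content_signature_hits(variants, b"CONSTRUCTED-LOADER-BODY"),
        "section_hash_hits": section_hash_hits(
            variants, sha256_hex(LOADER_CODE), len(LOADER_CODE)
        ),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With five victims the whole-file blocklist matches exactly one variant while both content-based checks match all five, which is the practical reason per-sample hash feeds are of little use against Emotet-style loaders and why detection should key on invariant content or behaviour instead.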
On 9 August, as presidential elections were taking place in Belarus, it was reported that various social media websites, including ‘Minsk Facebook’ and Messenger, YouTube, Instagram, WhatsApp and Viber had been blocked in the country, along with ‘two major grassroot-driven platforms’, Online-Platforma Golos and ZUBR. According to official reports, two Belarusian government websites had been hit by DDoS attacks earlier in the day. However, these claims were posted on government Telegram channels and are believed to be providing cover for the blocks on social media. The presidential elections have been taking place amid increasing tensions across Belarus, and large anti-government demonstrations have been seen on the streets. While President Alexander Lukashenko is almost certain to win another term, he has faced stiff competition from Svetlana Tikhanovskaya, who has been running in place of her jailed husband, Siarhei Tsikhanouski, a prominent anti-government activist.
The Chinese government has updated its national censorship tool, the Great Firewall (GFW), to block HTTPS connections that use newer, interception-resistant protocol features. The update came into effect at the end of July and only targets HTTPS traffic set up with new technologies such as TLS 1.3 and ESNI (Encrypted Server Name Indication). HTTPS traffic using older versions of the same protocols, such as TLS 1.1 or 1.2, or plaintext SNI (Server Name Indication), is still allowed through the GFW. The update was introduced because, in older set-ups, Chinese censors can infer which domain a user is trying to connect to by reading the plaintext SNI field sent in the early stages of the connection. In new set-ups, however, the SNI field can be hidden by ESNI, making it harder to control which content the Chinese population can access.
Researchers have uncovered a series of new business email compromise (BEC) campaigns that use spear-phishing attacks to steal Office 365 account credentials. Since March 2020, this campaign has reportedly targeted over 1,000 companies worldwide, mainly located in the US and Canada. The group behind these attacks has been dubbed WaterNue and has primarily targeted business executives, particularly from the financial sector. There are several BEC criminal gangs that specialise in spear-phishing, harvesting credentials, and carrying out post-exploitative activities, such as wire fraud. By targeting a user’s Office 365 credentials, attackers have access to Outlook email clients or an organisation’s SharePoint server.
COVID-19 Cybersecurity Update
A group of threat actors has stolen millions of dollars in fraudulent small business loans and unemployment insurance benefits during the COVID-19 pandemic. The group gathered personal data on the intended victims by leveraging data taken from a US consumer data broker, Interactive Data. These scammers shared detailed personal and financial records of Americans on a free web-based email service which could be accessed by anyone with the username. Several hundred individuals are believed to have stolen funds with these fake loan applications and fraudulent unemployment insurance claims. Interactive Data has confirmed that it ‘identified a handful of legitimate businesses who are customers that may have experienced a breach.’ It also claimed that there was an ongoing law enforcement investigation into the matter.
Data breaches, fraud, and vulnerabilities
Data Breaches
The Blacklist Alliance has exposed the sensitive and personal data of its customers. The company helps telemarketing firms concerned with lawsuits surrounding the Telephone Consumer Protection Act (TCPA). This law restricts the making of telemarketing calls that use automatic phone dialling systems, and artificial or pre-recorded voice messages – also known as robocalls. The TCPA forbids companies from contacting consumers unless they have been given prior express consent. The leaking of this data could have adverse consequences for ongoing lawsuits being defended by Blacklist clients.
Security researcher Bob Diachenko has found an exposed MongoDB database belonging to Hugo, an app that provides micrologistics services to users in Central America. Before the researcher could responsibly disclose the exposure to the company, however, the dataset was hijacked by an unknown threat actor and a ransom note left in its place. Diachenko claims that over one million users are affected, with details at risk including usernames, email addresses, hashed passwords, partial credit card numbers, driver information, and ‘much more’.
Kentucky’s unemployment system has suffered its second data exposure in four months. It was discovered after a user reported being able to view another claimant’s personal information – such as their former employer and health data. The Office of Unemployment Insurance is reporting this as a precaution but claims that no personally identifiable information was exposed.
Nine text files have been leaked on an unnamed darknet forum. The files contain the details of over 100 delivery drivers and 579 customer credentials for UberEats. Data believed to have been exposed includes login credentials, full name, contact number, trip details, bank card details, and account creation date.
An unidentified threat actor has leaked dozens of sensitive internal documents, security reports and customer PII data belonging to the Transnational Bank Kenya (tnbl.co.ke). The data was leaked via a shared Google Drive folder that was posted to the r/IntelligenceFiles subreddit.
Ransomware
In a report that underlines the successes of 2020’s new ransomware data theft trend, McAfee has reported that the Netwalker operators have made more than USD25 million from ransom payments since March 2020. This puts the group in line with other successful ransomware operators, such as Ryuk and REvil. This week, the NetWalker leaks blog announced several major victims including Apollo Tyres, the seventh-largest tyre manufacturer in the world. REvil’s leaks blog also revealed data from several victims in various countries.
The Maze operators announced an attack on Japanese optical imagery giant, Canon. The attack has affected numerous services including its email, Microsoft Teams, US website, cloud storage services, and other internal applications. The attack began on 30 July and outages lasted until 4 August 2020. On 7 August, Canon released an internal message to employees confirming that it had been hit by ransomware. The message claims that the company has hired a cybersecurity organisation to aid in their recovery.
The Maze operators also released around 50GB of data which they claim to have stolen from LG Electronics. This data appears to contain source code for firmware versions of LG products, such as phones and laptops. Maze claims that it did not execute the ransomware module to encrypt LG networks but that it did steal the company’s data.
Fraud
An Outlook WebApp credential harvesting campaign we reported last week, after it targeted a Cyjax member of staff, has continued. The emails arrive from SendGrid, an email marketing service, and masquerade as alerts stating ‘Alert: You have a new Voice Message’ from the organisation for which the target works. Despite Cyjax initiating takedown proceedings with SendGrid and against the attacker’s domain infrastructure, the scam remains online, and more users are falling for the attacks. There are now 1,510 victims from several governments and private firms.
New samples of the MoqHao Android malware have been found that impersonate Mizuho Bank in Japan. Users are tricked into downloading an update for their Mizuho banking app which is actually used to steal credentials and commit wire fraud. The messages some users received were as follows: ‘[MIZUHO] The customer has detected unauthorized access to Mizuho Bank by a third party. Please be sure to update your account.’ A malicious URL linking to a typosquatted domain is used to disseminate the fake app update. MoqHao is a common Android infostealer and banking Trojan that is distributed by the Roaming Mantis botnet. Cyjax analysts have uncovered MoqHao recently being distributed in fake Sagawa Express, JapanPost, Swiss Post, La Poste, and Posti apps.
Vulnerabilities
Google has released patches to address over 50 vulnerabilities in Android. Two updates were released: the first, on 1 August, patched 14 high-severity vulnerabilities in the Framework, Media Framework, and System components. The second, on 4 August, addressed 40 vulnerabilities in the AMLogic, Kernel, MediaTek, and Qualcomm components of Android. Google claims that the most severe of these issues is a high-severity vulnerability in the Framework component which could allow a remote attacker to use a specially crafted file to execute arbitrary code within the context of an unprivileged process.
Multiple vulnerabilities have been discovered in Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip. These could allow threat actors to take control of almost 40 per cent of all smartphones in circulation, as well as spy on users and create unremovable malware that evades detection. The vulnerable DSP chip is found in almost all Android phones, including devices from Google, Samsung, LG, Xiaomi, and OnePlus. Apple’s iPhones are not affected by these flaws.
While Qualcomm has patched all six vulnerabilities, mobile vendors must still implement and deliver security fixes to their users to mitigate the chances of attack. Consequently, Check Point has not yet published the technical details of the vulnerabilities, to give the vendors time to deploy patches.
Tencent has issued a security advisory for a command injection vulnerability in OpenSSH. This is caused by incorrect filtering of special characters. Currently, there are no patches, workarounds, or mitigation steps for this issue.
Security vulnerabilities have been found and patched in popular online meeting service and events site, Meetup. The combination of a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) bug could have allowed a threat actor to gain administrator privileges and provided access to the profiles of millions of members.
Two vulnerabilities have been found in the Newsletter WordPress plugin that could allow threat actors to take over vulnerable websites. Newsletter has been downloaded over 12 million times and is actively being used on over 300,000 websites. Only 151,449 users have installed the updates for Newsletter since their release. This leaves around 150,000 websites still at risk.
A high-severity vulnerability has been found in Facebook’s official chat plugin for WordPress websites, which has over 80,000 active installations. The flaw could allow attackers to intercept messages sent by visitors to the vulnerable sites’ owners. Facebook patched the flaw with the release of Facebook Chat Plugin version 1.6. The plugin has only been downloaded 25,657 times since then, leaving at least 54,000 WordPress sites using the plugin exposed to attacks.
Two vulnerabilities have been discovered affecting Nautilus ATMs. These can be exploited to force machines to dispense cash in a jackpotting attack. The vulnerabilities are found in an ATM’s operating software: a decade-old version of Windows that is no longer supported by Microsoft. The threat actor would need to be connected to the same network as the ATM for the attack to be successful. Nautilus ATMs are often standalone machines found in stores, rather than at banks. This could make it easier for an attacker to connect to the same network as the ATM because security surrounding the machine is likely to be weaker than it would be at a bank. A patch is available for this flaw, but it is unclear how many machines have received it.
We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:
- Seven vulnerabilities in Microsoft Azure Sphere. These bugs are ‘chainable’ and could allow for privilege escalation, arbitrary shellcode execution, information disclosure, and denial of service.
- Remote code execution (RCE) vulnerability disclosed in the Nexus Repository Manager. Products affected include: Sonatype Nexus Repository Manager 3 OSS; Sonatype Nexus Repository Manager Pro, versions prior to 3.25.1.
- Two vulnerabilities impacting the SoftPerfect RAM Disk. Successful exploitation could lead to the arbitrary deletion of files and information disclosure.
- Multiple vulnerabilities disclosed in Delta Electronics ICS products. Successful exploitation can lead to unauthorised access to or modification of information, arbitrary code execution, and denial of service.
- Multiple vulnerabilities have been disclosed in Power Line Communications (PLC) signals, Advantech, Geutebrück, and Delta Electronics ICS products.
- A new vulnerability has been disclosed in TeamViewer that could compromise user passwords. Successful exploitation could allow an attacker to relay an NTLM authentication request to their system allowing for offline rainbow table attacks and brute force cracking attempts.
APT Activity and Malware Campaigns
APT activity
Threat researchers have analysed recent Russian and Chinese APT campaigns and shared related indicators of compromise that were linked to FancyBear and MustangPanda, two state-aligned threat groups that have been operating for several years. Security experts expect to see more attacks orchestrated from FancyBear, MustangPanda, and other state-sponsored groups, in the run-up to events such as the 2020 US Presidential Election and the 2021 Tokyo Summer Olympics. Organisations and agencies at risk of being targeted must implement best practices, information sharing, coordinated planning around cybersecurity incidents, and regular examination of critical systems.
US Cyber Command has issued a security alert for a new malware, dubbed TAIDOOR, that has been attributed to state-sponsored Chinese threat actors. TAIDOOR has reportedly been deployed in industrial espionage campaigns and intelligence gathering. Governments, corporations, and NGOs have all been targeted. In relation to the disclosure, US CISA added that: ‘Chinese government cyber threat actors are actively exploiting trust relationships between information technology (IT) service providers – such as managed service providers and cloud service providers – and their customers.’
A new campaign has been linked to APT35 (also known as CharmingKitten or Phosphorus). Several domains and IP addresses began resolving to the same infrastructure that Microsoft had previously sinkholed. It appears that APT35 has registered additional domains on the same dedicated servers that had been sinkholed by Microsoft. These were attributed to the group based on their location and naming conventions used. APT35 is an Iranian cyber-espionage group that uses deception and impersonation tactics in its attacks: these have targeted the US, UK, and multiple countries in the Middle East. The newly registered domains masquerade as Google services, Instagram, and Office 365.
Malware
A new wave of AgentTesla malspam is being delivered in ABB group-themed emails. The phishing emails arrive from mailboxes hosted by Endurance Group, an email marketing and web-hosting service based in the US. ABB is a Swiss-Swedish multinational that operates primarily in robotics, power, heavy electrical equipment, and automation technology. Analysis of the attacker’s C&C server (smtp[.]urban.co[.]th) revealed a compromised site that has been used for other AgentTesla attacks, and HawkEye distribution, since June 2020. Stolen credentials are exfiltrated over SMTP (Port 587). Cyjax analysts also identified a possible link between this campaign and a recent sale on the darknet. On 31 July 2020, a threat actor named drumrlu offered a database of ABB Group’s information. Allegedly there were 192,000 records for sale.
A new sample of the ZLoader banking Trojan was recently dropped by a CobaltStrike Beacon – the threat simulation software that is regularly co-opted by cybercriminals and APTs. This is an innovation in the ZLoader operator’s TTPs. Their use of CobaltStrike is a concern as it generally indicates more sophisticated cybercriminals are leveraging the malware. The incident in which ZLoader was deployed has not been disclosed, and it is believed that this may be a sign of a new targeted campaign. ZLoader has been distributed in over 100 phishing campaigns since the start of 2020.
A new sample of malware, dubbed GOSH, that targets Linux systems, has been linked to the threat group FIN7. The malware is written in Golang and has reportedly been in use since 2017. It is a cross-platform compatible remote access Trojan (RAT) that works for both Linux and Windows 64-bit systems. Notably, it has similarities with a FIN7 malware shared in a 2013 RSA report and has 0/60 detections on VirusTotal, making it fully undetectable. FIN7 (also known as Carbanak) is a well-established financially motivated cybercriminal group that has been a persistent part of the threat landscape for many years. As noted in the RSA report, FIN7 operators are not confined to a compromised organisation’s Windows environment. They generally target Windows systems but can migrate to Linux systems to establish persistence and gain backdoor access to the network.
Darknet
This week the main admin of Torum retired and shut down the forum, which had been a staple of the darknet for some time. On 8 August, a PGP-signed notice was posted on the main link of the hacking forum informing all users that the site is being mothballed for the foreseeable future, possibly permanently. Torum has been in operation for three years.
The IP addresses, usernames and hashed passwords for over 900 vulnerable Pulse Secure VPN servers were leaked on the darknet. This leak was posted by a disgruntled initial access broker who claimed access to their victims was being re-sold by other users. This leak also included the SSH key for each server, recent VPN user logins (including cleartext passwords) and hashed admin passwords. Although this list of vulnerable Pulse Secure VPN servers has only been made public recently, it has likely been circulating in small private cybercrime groups for some time. Therefore, many of the organisations named in this leak may have already been compromised.
Cerberus v2 has now been sold, having been offered last week. The identity of the buyer is not yet known. However, it is likely they will make an appearance soon as they attempt to salvage the reputation of Cerberus among potential customers. Crucially, this means Cerberus is likely to continue to pose a threat.
Finally, another darknet market has launched this week called PotLuck. While the numbers of new darknet markets continue to grow, most are struggling to build a significant customer base. Indeed, the darknet market landscape has remained relatively static for several months now, with Empire still the dominant force, as predicted by Cyjax in its Q2 2020 darknet report. Ultimately, none of the markets established in recent weeks is impacting the wider darknet market landscape and PotLuck is likely to have the same issue.
Geopolitical Threats and Impacts
In partnership with A2 Global Risk
Americas
On 6 August, US President Donald Trump announced the re-imposition of a 10 per cent import tariff on some aluminium products from Canada. The tariff applies to raw, unalloyed aluminium products produced at smelters and was re-imposed after Trump accused the Canadian aluminium industry of flooding the US with imports. Trump had first imposed a 10 per cent tariff on Canadian aluminium in 2018 over ‘national security’ concerns; however, it was removed last year following a trade truce between Washington and Ottawa. The latest tariffs have prompted a stern response from Canada, with deputy Prime Minister Chrystia Freeland announcing retaliatory tariffs on CAD3.6 billion (USD2.7 billion) worth of US aluminium products on 7 August. The tariffs are set to come into effect on 16 September and affect US exports including aluminium bars, refrigerators, bicycles, and washing machines. The likelihood of further escalatory tariff impositions in the short-to-medium term is assessed as low; however, the US duties and Canadian countermeasures are likely to remain in place until November’s election. Companies with interests in the North American aluminium market should adjust operational and financial planning to account for the retaliatory tariffs.
Also on 6 August, President Trump signed two executive orders instructing US companies to cease doing business with two major Chinese-owned apps, popular video-sharing service TikTok and multi-purpose messaging app WeChat, by 20 September. In a statement, Trump said that the spread of China-based apps in the US threatens the ‘national security, foreign policy, and economy’ of the US. The moves, which are highly likely to face legal challenges, mark the latest deterioration in bilateral ties between Washington and Beijing related to advanced digital technologies, following disputes over Huawei’s involvement in 5G networks worldwide and TikTok’s US operations. Most significantly, the announcement broadens US scrutiny of WeChat, a major multi-function messaging service used in China which is also popular among the Chinese diaspora. The moves elevate the risk of retaliatory actions from Beijing against US technology companies and apps, in the short-to-medium term outlook. US companies partnering with TikTok and WeChat should monitor updates on legal challenges while adjusting operations and planning to account for the imminent ban.
The day before the signing of the executive orders, US Secretary of State Mike Pompeo had urged US companies to distance themselves from ‘untrusted’ Chinese apps and other digital services, amid rising Sino-US tensions, particularly related to digital technologies. Launching the so-called ‘Clean Network’ of countries and telecoms operators, Pompeo set out a five-point approach to ‘safeguard’ US assets. Proposed measures include removing ‘untrusted’ Chinese apps from US app stores, limiting Chinese smartphone manufacturers’ access to popular US apps, and encouraging the US Federal Communications Commission (FCC) to ban Chinese telecoms carriers from the US market. The announcement widens Washington’s hostile approach to Chinese-owned and operated technologies, amid concerns over potential espionage risks and China’s accumulation of data on US citizens and companies. More broadly, the issue further escalates diplomatic and commercial tensions between Washington and Beijing, already marred by disputes over the novel coronavirus (COVID-19) pandemic, Hong Kong’s political status, and the treatment of ethnic Uyghurs, among other bilateral and international issues. Companies with interests in the US economy, particularly in the telecoms sector, should assess how the announcement impacts operations and strategy, and carefully weigh the operational, financial, and reputational implications of compliance.
On 4 August, a former engineer at Google’s self-driving car unit, Anthony Levandowski, was sentenced by a federal court in San Francisco to 18 months in prison for trade secrets theft. In January 2016, prior to leaving Google to lead a rival project run by ride-hailing giant Uber, Levandowski downloaded 14,000 Google files onto his laptop. In a plea agreement, Levandowski admitted accessing downloaded content after his resignation from Google, including a spreadsheet containing details on project timelines and technical challenges of Google’s self-driving car unit. The prison sentence adds to punishments facing Levandowski for his theft of trade secrets; arbitrators have previously ordered him to pay USD179 million to Google’s parent company, Alphabet, forcing Levandowski to declare bankruptcy. The case highlights some of the numerous legal, financial, and reputational implications of trade secrets theft, and the importance of strict data-handling procedures to limit the risk of insider threat.
On 3 August, popular US-based videoconferencing app Zoom announced that it would cease direct sales in China from 23 August. Zoom said its local partners in China – Bizconf Communications, Suiri Zhumu Video Conference, and Systec Umeet – would continue to offer its commercial service to users in China, saying it would provide ‘better local support’. Zoom has benefited from a global surge in demand for videoconferencing services amid the novel coronavirus (COVID-19) pandemic. The San Jose-headquartered company, however, has also come under scrutiny in the US for its policies related to China. In April, the company admitted that some call data had been rerouted through China, despite calls being placed elsewhere. In June, Zoom came under scrutiny again after it suspended, and later reinstated, the account of a US-based group of Chinese pro-democracy activists. The measures come several months after Zoom halted new free user registrations in China, and are likely an attempt to separate its Chinese operations from its broader service offering. Companies with interests in the Sino-US trading relationship, particularly in the IT industry, should monitor updates related to Zoom, Huawei, and TikTok, and assess the impact of these on operations and strategy.
APAC
On 6 August, Hong Kong police arrested and charged 24 pro-democracy advocates for their respective roles in organising or attending a vigil in June held to commemorate the 1989 protests in Beijing’s Tiananmen Square. The 2020 peaceful vigil was banned by the police ostensibly due to regulations linked to the coronavirus pandemic. Thousands of other people also attended the banned vigil and numerous other illegal demonstrations during months of protests in 2019. The latest arrests, which do not appear to be directly linked to China’s imposed national security law (NSL) that came into force after the June vigil, will serve as a test of the local judiciary’s continuing independence. While many local and foreign companies have overtly welcomed the seeming stability that has followed the introduction of the NSL and Beijing’s direct intervention into Hong Kong’s legal and legislative systems, they remain concerned over their potential impact on commercial law and the heightened reputational risk of operating in the territory. Further, the latest arrests are certain to be criticised by many of Hong Kong’s trading partners in Western and other democracies, adding to the territory’s already volatile relationship with these countries.
Police arrested one of Hong Kong’s leading media owners on 10 August under the national security law (NSL) imposed by China last month. Jimmy Lai, owner of the Apple Daily newspaper and extensive other media holdings, is a pro-democracy activist and critic of the local and Beijing governments. He was detained under the NSL for alleged ‘foreign collusion’ and other offences, including fraud. His two sons and several other company employees were also detained in the first use of the NSL against media in the territory. Lai’s past actions and statements made him an obvious target for the NSL, and the charges he faces are sufficiently serious for the authorities in China to demand he be tried in their court system. Such an outcome would greatly increase concerns among local and foreign residents over their security in Hong Kong, almost certainly accelerating the migration of individuals and commercial interests out of the territory. As there is no realistic prospect of either the local or central government reversing or moderating their actions against those it identifies as opponents, further arrests can be expected, potentially including other foreign nationals, in the six-month outlook.
Phonemaker Vivo, the Chinese headline sponsor of the Indian Premier League (IPL), the most lucrative cricket tournament in the world, has withdrawn from the 2020 tournament in the United Arab Emirates. The Confederation of All India Traders, a large organisation representing small businesses, and Swadeshi Jagran Manch, the cultural and political affiliate of the Hindu nationalist Rashtriya Swayamsevak Sangh that has close ties to the Modi government, commended the decision. Both had campaigned for the Board of Control for Cricket in India to sever ties with Vivo. The decision comes as Sino-Indian tensions have intensified over border clashes in the Himalayan Aksai-Chin Ladakh region in June and against the backdrop of rising Hindu nationalism in India. Growing bilateral tensions have prompted the Indian authorities to ban Chinese apps over national security concerns, logistics firms to suspend shipments over clearance delays for Chinese goods at Indian ports, Indian officials to review business agreements with Chinese firms, as well as Indians to protest and call for boycotts of Chinese products. Businesses with interests in Sino-Indian trade should monitor the situation for developments and factor growing hostility towards Chinese businesses in India into their strategic and operational planning.
The Japanese government on 4 August warned that it would respond if South Korea seized the assets of a Japanese company to compensate a group of Korean wartime forced labourers. The statement came after the expiry of a notice period after which a South Korean court can begin liquidating the assets of Nippon Steel valued at approximately KRW400 million (USD335,000). Japanese state-owned broadcaster NHK said that Nippon would appeal the seizure of the assets. The move marks a further fraying of bilateral relations which have already been adversely impacted over territorial and other disputes. Nippon Steel in October 2018 lost a reparations suit to four plaintiffs who said they had been forced to work for an antecedent of the company when Korea was under colonial Japanese rule. Tokyo allegedly instructed Nippon to refuse the payments, claiming that all reparations during the colonial era were settled under the terms of the 1965 treaty that established bilateral diplomatic relations. The suit culminated in a bruising trade dispute between the two countries that included export restrictions and boycotts. The progress of the suit will be of utmost interest to other Japanese firms in South Korea that are facing about 20 similar reparation suits pending in South Korean courts. South Korean firms with interests in Japan should monitor the outcome of the suit and factor potential diplomatic and commercial reprisals into their strategic planning.
On 9 August, Indian Minister of Defence Rajnath Singh announced a list of 101 items of military equipment whose import will be progressively banned over the next four years from December 2020. The list includes a wide array of military equipment, such as small arms and light weaponry, armoured fighting vehicles, unmanned aerial vehicles, and dual-use navigation systems, which the armed forces will need to procure through India-based private companies. Singh said that INR4 trillion (USD53.3 billion) worth of contracts covered by the list would be affected over the next six to seven years, and warned that the list would likely be expanded. The progressive import ban is part of Prime Minister Narendra Modi’s Atmanirbhar Bharat policy, which aims to make the Indian economy self-reliant amid growing friction with China, the US-China trade war, and the COVID-19 pandemic, which has disrupted international supply chains. Companies reliant on weapons exports to India should consult the defence ministry’s list of items and review their strategies accordingly.
Europe
Greece and Egypt this week signed a deal designating their respective exclusive economic zones in the Eastern Mediterranean. The agreement effectively cancels the Turkey-Libya memorandum signed in 2019, which designated maritime borders between the countries at the expense of both Greece and Egypt. Turkey said the deal was null and void as it included areas located within its continental shelf. The deal fulfils important geopolitical objectives for both countries. Indeed, the agreement nullifies the contentious memorandum between Turkey and the Tripoli-based Government of National Accord, viewed by both Greece and Egypt as illegal. It also strengthens Egypt-Greece bilateral relations, demonstrating to the international community that there can be a peaceful resolution of differences in the eastern Mediterranean within the framework of the United Nations Convention on the Law of the Sea (UNCLOS).
For Greece, it forms part of a broader effort to proactively engage diplomatically with friendly nations in response to what it perceives as consistent Turkish threats undermining its territorial sovereignty. In June, Greece and Italy signed an agreement of ‘historical significance’ delimiting the exclusive economic zone (EEZ) between the countries. The deal also lays out the foundations for the commercial exploration of natural resources located in each country’s EEZ. Extractives firms will likely be encouraged to enhance exploration efforts in the region as a result.
On 3 August, the Russian finance ministry said it would launch a process to terminate an agreement with Cyprus that effectively avoids double taxation. Russian officials said this would make it more profitable for people to transfer money back to Russia, while ‘restructuring one’s holding structures through Cyprus will, of course, become disadvantageous’, according to deputy finance minister Alexei Sazanov. Negotiations will be held on 10-11 August between officials from both countries in a bid to reach an agreement towards forging a new treaty. This comes as President Vladimir Putin said earlier this year that all interest and dividend payments leaving Russia should be taxed at 15 per cent, a considerable increase from the current rate of 2 per cent. If the new terms sought by Russia were to be accepted, these would be taxed at 15 per cent; Cyprus is seeking some exemptions. The changes will impact Russian holding firms based in Cyprus as well as owners of patents and trademarks. Foreign firms operating in Russia will also be affected since they use dividends as a legitimate way of sending profits from Russian subsidiaries to parent companies abroad.
UOKiK, Poland’s anti-trust body, has fined Russia-based energy firm Gazprom PLN213 million (EUR50 million) for failing to cooperate with an investigation focusing on the Nord Stream 2 pipeline, which upon completion will transport natural gas from Russia to Germany. In particular, the watchdog said the fine was issued because Gazprom did not comply with EU legislation and a requirement to obtain approval from member states when a consortium was established to develop the pipeline. The fine underscores the heightened regulatory and political pressure facing the project. Washington has consistently opposed Nord Stream 2 over concerns that it will enhance Europe’s reliance on Russia for energy imports. In Europe, countries are split on Nord Stream 2. Eastern European nations, including Poland and Ukraine, view it as a potential liability to domestic energy markets as well as a way through which Russia can advance its foreign policy objectives. Companies involved in Nord Stream 2 should factor the latest developments relating to US sanctions and fines in Poland into risk planning.
The UK government has advised pharmaceutical firms to stockpile six weeks’ supplies of drugs on UK soil to mitigate the risk of disruption at the end of the Brexit transition period on 31 December. The letter from the Department of Health and Social Care (DHSC) also states that ministers will not be requesting an extension to the transition period. Meanwhile, the British Medical Association, which represents doctors, has called on the government to promptly clarify the terms of the future EU-UK relationship to avoid the ‘potentially devastating impact’ a no-deal Brexit would have on the National Health Service. This comes as talks to reach an agreement that sets out trade conditions after Brexit remain at an impasse. Despite stating that it does not intend to request an extension from the EU, the government is unlikely to follow through on this position if talks fail. A more pragmatic approach will most probably prevail, as both sides are keen to avoid the economic upheaval of a no-deal Brexit amid already dire forecasts. Nevertheless, companies should plan for all eventualities and regularly update contingency planning to factor in the latest political developments.
MENA and Central Asia
The US treasury department said in a statement released on 6 August that sanctions had been imposed on three individuals and a company, accusing them of smuggling fuel and drugs between Libya and Malta and thereby contributing to instability in Libya. The decision means that any US assets of those sanctioned will be frozen, while Americans are banned from any trading or financial dealings with them. A2 Global advises logistics companies with shipments passing through Libyan and Maltese ports to exercise thorough due diligence to mitigate the risk of their cargo being compromised by illicit smuggling activities. Companies are also advised to factor the new sanctions into existing compliance programmes and ensure full adherence with any restrictive measures.
A lawsuit filed in Washington DC by Saad Aljabri, a former intelligence official for Crown Prince Mohammed bin Salman (MBS), has alleged that the prince orchestrated a hit-squad to kill him. Aljabri, who has been under security protection in Toronto since fleeing Saudi Arabia in 2017, has said that MBS was attempting to silence him as he possessed ‘damning information’ that could jeopardise his relationship with the US and the Trump administration. The court document shows that this included information on corruption and a team of mercenaries named the Tiger Squad, who have previously been connected to the 2018 murder of journalist Jamal Khashoggi, who was killed inside the Saudi consulate in Istanbul.
The plot to kill Aljabri allegedly took place around 14 days after the death of Khashoggi but was apparently foiled after Canadian border control became suspicious of the hit-squad as they entered the country via Toronto’s Pearson International Airport. The suit marks the first time that a senior Saudi official has publicly accused MBS, Saudi Arabia’s de facto leader, of carrying out an international programme to silence dissidents and critics of his regime. Given the lack of evidence presented in the court file, legal experts have indicated that the likelihood of a US court proceeding with a trial is low, particularly as neither MBS nor Aljabri is based in the US. Furthermore, the Saudi government will not be required to answer the allegations until MBS comes to the US. Despite this, the allegations are likely to dampen relations between Canada, where Aljabri is based, and Saudi Arabia. Business managers with interests in Canada and Saudi Arabia are advised to continue monitoring developments and update contingency plans in preparation for a possible escalation in tensions over the coming weeks.
On 5 August, the Wall Street Journal reported that Saudi Arabia has built a facility for the purpose of extracting uranium ‘yellowcake’ ore. Processed yellowcake ore can be used to enrich uranium, which is needed to power nuclear plants. If the ore is enriched further, it can then be used for nuclear weapons. The factory was constructed with the help of China in a remote desert area located in the northeast region of Al Ula. Western officials based in the country have corroborated speculation over the site’s establishment in recent weeks. The facility has not been acknowledged by Saudi officials; the energy ministry recently released a statement in which it ‘categorically denies’ all knowledge of it. It is worth noting that despite this denial, the ministry accepted that it has current contracts with China for uranium exploitation in other parts of the country. The production of yellowcake, a key component needed for nuclear weapons, will likely escalate tensions with the US in particular, which has been active in its efforts to curtail both a nuclear development programme in Saudi Arabia and the securement of weapons-grade nuclear material.
A pair of huge explosions that occurred around 1800 local time on 4 August in the Haifa port, located in central Beirut, Lebanon, have killed at least 100 people and injured 4,000 according to the head of Lebanon’s Red Cross, George Kettaneh. These figures are likely to rise in the coming days as rescue efforts continue. President Michel Aoun said the explosion was caused by 2,700 tonnes of ammonium nitrate, which is an industrial chemical primarily used for fertiliser. Aoun indicated that the chemicals were left unsecured in a warehouse for six years after being confiscated by port authorities in 2013. It remains unclear whether the blasts were triggered accidentally or intentionally. The supreme defence council has declared a two-week state of emergency in the capital.
Large areas of the port, which is the country’s largest, have been completely destroyed, rendering the key import site unusable for the foreseeable future, particularly as the country has little financial means to begin rebuilding in the short-medium term. This also includes the destruction of silos containing around 85 per cent of the national grain reserve, according to trading company MENA Commodities. The country is heavily reliant on imports, and the loss of such a strategic port marks a critical setback for an economy which is already at the brink of collapse. Additional spikes to food prices are likely, which will compound the already inflated prices due to the ongoing currency crisis. As speculation grows over the reason why such large amounts of a highly volatile chemical were left unsecured by government authorities for years in a densely populated area, anti-government protests will likely expand in the coming weeks.
Residential neighbourhoods surrounding the port, including parts of Ashrafieh and Gemmayze, were also severely damaged, likely leaving tens of thousands homeless. Many businesses in these areas were destroyed. Hospitals in central Beirut which were already overwhelmed and experiencing a shortage of staff and medical supplies due to COVID-19 will now struggle to operate; hospitals including St Georges were forced to close due to the extent of the damage.
While it remains unclear how the explosions were triggered, the possibility of an attack was notably addressed by President Donald Trump, who stated on Tuesday (4 August) that a ‘bomb of some kind’ was likely involved. Israel, a key rival of Lebanon, has been quick to deny any role in the explosion and offered humanitarian assistance on Tuesday following weeks of escalating tensions between the two countries. The incident will likely escalate national and regional tensions in the short-medium term while the impact of the explosion on the economy will be extensive with long-term delays on many forms of commerce. Staff in the area are advised that toxic gases released from the explosion present a health risk; individuals should stay indoors for the next 12 hours or wear a facemask if travelling outside.
The Lebanese foreign affairs minister Nassif Hitti submitted his resignation on 3 August. Explaining his decision to resign, Hitti referenced the government’s ongoing failure to progress with reforms, indicating that a lack of political will to enact ‘structural and comprehensive’ changes had effectively prevented these from happening. Following the announcement, President Michel Aoun named Charbel Wehbe as the new foreign affairs minister. Wehbe has been Aoun’s diplomatic advisor since 2017 and previously held the role of Director of Political Affairs at the Ministry of Foreign Affairs.
Hitti’s resignation is the latest sign of political discord as the country struggles to enact reforms and reach an agreement on the scale of financial losses that have been accrued between the government and banks. As a result, talks with the IMF, which began in May, to secure financial aid and prevent the country from full-scale financial collapse were suspended in early July. From the outset of negotiations, the IMF has underlined that no aid will be provided without proof that reforms have been successfully implemented.
The loss of confidence from a notable government figure will likely provide further incentive for wider social unrest, which has been gathering pace over the past two months as COVID-19 lockdown restrictions have relaxed. The chance of an agreement with the IMF is increasingly low in the short-medium term outlook given the likelihood for the political paralysis to continue. Violent protests, particularly across urban centres such as Beirut and Tripoli, are likely to take place during this time frame as anger grows amid worsening economic conditions, further exacerbated by the impact of COVID-19.
As of 10 August, almost a dozen officials and parliamentarians have resigned in protest over the explosion at Haifa port. Those who have resigned include one MP from the Lebanese Democratic Gathering, three MPs from the Lebanese Kataeb Party and an independent MP. Another resigning MP, Neamat Efrem, stated that he would suspend all his parliamentary activities until a session was held to bring about early elections and shorten parliament’s term. This likely comes after a speech made by Prime Minister Hassan Diab on 8 August in which he pledged to propose early elections. The Minister of Information, Manal Abdel Samad, and the Environment Minister, Damianos Kattar, also resigned on 9 August.
The resignations come amid large-scale and violent protests across the capital Beirut in the days following the explosion. Hundreds of protesters were wounded in clashes with police involving stone-throwing and tear gas, while one riot police officer died during unrest on 8 August. Live ammunition was reportedly fired in central Beirut during the protests. Protesters also stormed government ministries on 8 August, and on 9 August a fire broke out outside Parliament Square, the location of the Lebanese parliament, amid further clashes. While a session date to bring about an early election has not been confirmed, it is likely that once this long-standing demand is met, the violence and the size of the protest crowds will subside.
Algerian President Abdelmadjid Tebboune on 2 August ordered an investigation into a series of alleged sabotage incidents across the country. The government claims that disasters in the past month, including forest fires that spread across hundreds of hectares of land and water shortages, were deliberate and organised acts aimed at causing instability in the country. Prime Minister Abdelaziz Djerad has confirmed this view, stating that the water shortage was caused by an unspecified act of sabotage at a desalination plant that supplies Algiers and neighbouring provinces, and that several people were caught setting the forest fires. He also noted that some electricity poles were vandalised. The exact locations of the affected areas were not given. An investigation into the various incidents may be an attempt to redirect blame away from the government amid complaints about the fires and water shortages; it may also be indicative of an emerging sabotage campaign, which would suggest an escalation of anti-government sentiment and a probable increase in strike and protest activity in the coming one-to-three-month period.
Sub-Saharan Africa
The Chad government announced on 3 August that from 22 July it had initiated a temporary slowing of the country’s internet speed to curb the proliferation of messages ‘inciting hate’ on social media. The measure is set to be ended soon, although the exact date has not been specified. However, telecommunications officials cited anonymously by AFP said that the curbs had been imposed due to the circulation of a video showing a Chadian military officer in a violent confrontation with two mechanics. The video remains accessible on Facebook and WhatsApp, where some users have noted the ethnic background of the soldier, who is from the same community as President Idriss Deby. The president on 31 July blamed the use of virtual private networks (VPNs) and WhatsApp for stoking ethnic divisions. The development comes after Chad in 2019 lifted a social media ban that had been in place for 16 months. The ban had been imposed shortly after the country’s parliament proposed a constitutional amendment that would have permitted Deby to retain his position until 2033. Activists said the ban, which Deby imposed ostensibly for security purposes, was being used to silence dissent. A previous eight-month shutdown had been imposed in 2016 after a contested presidential vote in which Deby was elected for a fifth term. Businesses should anticipate impeded internet connectivity around periods of heightened intercommunal tensions and civil unrest.
Prolonged negotiations over the disputed Grand Ethiopian Renaissance Dam (GERD), which is being constructed on the Blue Nile around 15km from the Ethiopian border with Sudan, have stalled after Egypt and Sudan pulled out of the talks. The development comes amid an escalating rift with Ethiopia over water access. Both Egypt and Sudan are concerned that the dam’s construction would create significant water shortage issues; Sudan has also raised issues over the structure of the dam and its safety. The collapse in negotiations signals another blow to the possibility of an agreement in the short-term outlook. It also elevates the chances for regional conflict, although this is a low probability scenario. Companies with ties to the Grand Ethiopian Renaissance Dam project should monitor the situation for updates and factor potential delays into the timetable given the ongoing dispute.
The Namibian government has launched a trial plan that involves the partial re-opening of borders to foreign visitors from selected countries with comparatively low infection rates between 3 August and 17 September. This comes as the country moved to Level 5 – the lowest level of the country’s lockdown strategy – and plans to fully reopen points of entry on 18 September. The move is indicative of efforts to salvage the normally busy tourism season while continuing to suppress the propagation of coronavirus (COVID-19) in the country. An estimated one million people visit the country, a popular destination due to its native wildlife and diverse landscapes, each year. However, conditions for incoming visitors will remain in place: they will be required to stay at their initial point of entry for a seven-day period and present a negative COVID-19 test on arrival. This likely means that people will need to remain in the capital Windhoek, as Hosea Kutako International Airport (WDH) is presently the only operating point of entry. Staff with plans to visit the country should be informed of current restrictions and plan trips accordingly. Check whether any documentation is needed before travel and be prepared to show proof of a negative COVID-19 test upon arrival.
On 3 August, South African supermarket giant ShopRite announced that it was considering selling ‘all or a majority stake’ of its business in Nigeria. The company announced that it is re-evaluating its operating model and had begun a formal process to consider a potential sale. ShopRite operates 26 outlets across Nigeria, employing around 2,000 staff. The company has been in the Nigerian market for 15 years; however, while it has continued to witness strong performance growth in South Africa, sales outside of its home country have decreased in the past year. The company has also faced non-commercial challenges in Nigeria, including looting of its stores in 2019 in response to xenophobic attacks against foreign citizens in South Africa. The company’s decision is also likely prompted by the novel coronavirus (COVID-19) pandemic. Restrictions imposed to halt the virus’ spread have caused significant economic disruption, thereby likely reducing customers’ disposable income for the company’s offerings in Nigeria. Companies with interests in Nigeria’s retail industry should monitor updates on ShopRite’s potential sale and assess the impact of developments related to ShopRite on the broader supermarket sector and its supply chain.
A2 Global Risk is a political and security risk management consultancy with offices throughout Asia-Pacific as well as in London, United Kingdom. Contact our teams at our main regional offices to discreetly discuss how we can assist you and your organisation navigate safely and securely through challenging times.
Hong Kong
Phone: +852 2987 7926
London
Phone: +44 (0)203 102 4050