Geopolitical and Cybersecurity Weekly Brief – 6 December 2021

In the Americas, a suspected Chinese advanced persistent threat (APT) group has over the past three months breached four US defence and technology firms, it was revealed on 2 December. Globally at least 13 organisations across industries including defence, health care, energy, and transportation have been breached. The report indicates an escalation in alleged cyber-espionage carried out by Chinese state affiliated APTs against entities worldwide.

Elsewhere, hundreds of fake accounts used by China-linked operatives to spread misinformation regarding the COVID-19 pandemic have been removed by Facebook. The campaign began in July this year and was intricately supported by hundreds of other accounts. 600 Facebook and Instagram profiles were removed in total.

In Asia, the US-based lodging platform company Airbnb has 14 homes available for rent in China’s Xinjiang region on land owned by the Xinjiang Production and Construction Corps (XPCC). Meanwhile, a 29 July tender document published on the Henan provincial government’s procurement website describes plans for a system that can gather individual files on ‘suspicious people’ including journalists and international students, according to a Reuters news agency report on 29 November. Files would be assembled on persons of interest coming to Henan via the use of 3,000 facial recognition cameras connecting to several national and regional databases.

The Japanese electronics multinational Panasonic has disclosed a security breach in which an unauthorised third party gained access to its internal network. While the compromise was reported on 26 November, Panasonic states that it detected the intrusion on 11 November.

In Europe, food producers based in Russia have expressed concern over tensions along the Belarus-Poland border after attempted migrant crossings in recent weeks. The migrant crisis prompted Poland to shut multiple crossings along the border, while trucks seeking to enter Belarus from Poland are facing significant delays at four out of six crossings currently operational. On 29 November, the French finance ministry said that the government will extend stricter measures on foreign ownership of strategically important firms by a year. Under the current measures, which were imposed during the COVID-19 pandemic, foreign firms must receive approval from the government if they seek to acquire a stake in excess of 10 per cent in listed firms operating in sectors including health, new technologies, aerospace, and media.

Phishing threat actors are using the latest COVID-19 variant, Omicron, as lures in their attacks. A phishing campaign is currently targeting the UK: two samples are masquerading as the National Health Service (NHS) and using NHS branding.

In the Middle East and Central Asia, UK-based Cable.co.uk – a platform comparing broadband providers’ prices and services –ranked Turkmenistan as having the slowest Internet speeds in the world, according to its latest survey of fixed-line broadbands in 211 countries; the survey was published in September but was picked up by several news outlets on 2 December and 3 December. Internet speeds, on average, in the Central Asian state were around 0.5Mbps. At those speeds, it takes over 22 hours to download a movie file that is 5GB in size. By comparison, the country assessed to have the third-fastest speed was Iceland, where at 191.83Mbps, a 5GB file would take just over three minutes. The Bailiwick of Jersey had the fastest internet speeds at 274.27, followed by Liechtenstein at 211.26.

An SMS phishing (smishing) campaign is targeting Iranian Android users. The attack uses sophisticated social engineering, impersonating the Iranian government, to lure its victims. This attack typically starts with an SMS message which claims to be from the Iranian government concerning a complaint filed against the recipient by the authorities.

In Sub-Saharan Africa, the Ethiopian government on 1 December claimed that the Ethiopian National Defense Force (ENDF) had recaptured Lalibela, Shewa Robit, and Chifra, as well as eight smaller urban areas, in Afar and Amhara regional states, which had been held by rebels of the Tigrayan Defence Forces (TDF) over the past few weeks. The armed forces of both DR Congo and Uganda on 30 November confirmed conducting a joint operation against positions of the Allied Democratic Forces (also known as Madinat Tauheed Wau Mujahideen, ADF) – an Islamic State-affiliated non-state armed group, originally from Uganda but with a presence in eastern DRC.

Attacks and cybersecurity news

A threat actor, active since at least 2017, has been running thousands of malicious servers in the entry point, middle relay and exit point positions of the Tor network to deanonymise Tor users. The attacker has been dubbed KAX17, and at its peak, it ran over 900 malicious servers as part of the Tor network. Servers added to the network must usually have contact information so admins and law enforcement can contact server operators to file abuse reports or report misconfigurations. This is largely unpoliced, however, with many servers going up with no contact information. A pattern in some of the Tor relays with no contact information dating back to 2017 was identified by researchers and grouped under the KAX17 umbrella. Attackers generally only register exit points: KAX17, however, registers entry and middle points. Researchers believe this is due to the threat actor trying to collect information on users connecting to the Tor network and attempting to map their routes inside it. The researchers describe this threat actor as “non-amateur level and persistent”, with signs pointing to a nation-state level and well-resourced group.

Canada’s Office of the Secretary to the Governor General (OSGG) announced on 2 December that it is investigating “‘unauthorized access to its internal network”. The Canadian Centre for Cyber Security is also investigating this incident and has yet to share any details on how the breach happened or its scope. The OSGG has been in contact with the Canadian Office of the Privacy Commissioner (OPC) and announced that protecting the personal data of those associated with OSGG is a priority. Due to the limited information provided by both OSGG and the Canadian Centre for Cyber Security, it is difficult to establish how the threat actors gained access to the internal network and what they were able to steal subsequently. Despite this, although the attack type has not been specified, due to the way the incident is being discussed, we can rule out certain things, such as ransomware.

Hundreds of fake accounts used by China-linked operatives to spread misinformation regarding the COVID-19 pandemic have been removed by Facebook. The campaign began in July this year and was intricately supported by hundreds of other accounts. 600 Facebook and Instagram profiles were removed in total. In particular, the accounts appear to have been used to spread claims that the US pressured scientists to blame China for the virus. These were then amplified by employees of Chinese state-run companies and entered the domestic news cycle. Disinformation regarding the COVID-19 pandemic – its origins, the virus itself, vaccines, and more – has been a major problem for governments and health agencies worldwide since early 2020. This operation was only discovered after the Swiss authorities stated in August that they had no record of any biologist called Wilson Edwards. This was too late, however, to prevent many large Chinese media outlets from reporting the claims of US pressure as if they had been made by a reputable and real-life scientist.

Researchers have observed an increase in phishing campaigns targeting German banking credentials. Multiple high-volume campaigns have used customised, threat actor-owned landing pages that spoof major German banks such as Volksbank and Sparkasse. The attacks are ongoing and impact hundreds of organisations. Multiple industries are being hit, but most of the targeting has focused on German companies and employees of foreign entities located in Germany. The phishing emails pretend to be account administration information and contain links or QR codes that direct the victim to a geo-fenced credential harvesting page. This ensures that only users in Germany are redirected to the phishing page.

Data security, fraud, and darknet

Data Security

A newly discovered botnet, dubbed EwDoor, is attacking AT&T enterprise network edge devices. The botnet targets devices that are unpatched against CVE-2017-6079, a four-year-old critical severity Blind Command Injection vulnerability affecting EdgeMarc Enterprise Session Border Controller (ESBC) edge devices. EdgeMarc devices support high-capacity VoIP and data environments, and so are required to be publicly exposed to the Internet, increasing their exposure to remote attacks. The attacks started on 27 October, with roughly 5,700 infected devices found to be part of the botnet before it moved to a different C2 server. All of the infected devices appeared to be located in the US.

User Hollistic-K1l|er has leaked what is claimed to be the entire voter database of Honduras on Raid Forums. According to other users in the thread, the data contains the names and dates of birth of over 6.5 million Hondurans. It is possible there is other data; however, Cyjax has not verified the database. Hollistic-K1l|er Is a fairly reputable data broken on the Raid Forums. They have posted similar databases in the past. It is, however, unclear how the user came into possession of this data. Cyjax has not observed any public sources discussing a data breach in Honduras.

Fraud

The Japanese electronics multinational Panasonic has disclosed a security breach in which an unauthorised third party gained access to its internal network. While the compromise was reported on 26 November, Panasonic states that it detected the intrusion on 11 November. According to the Japanese media, the threat actors had access to Panasonic’s network for more than four months between 22 June and 3 November. Panasonic has reported the incident to the relevant authorities and has taken measures to prevent access to its network from external servers. It has also brought in a third-party investigative company to look into the attack and establish whether the information outlined in the Mainichi and NHK reports was really compromised.

Threat actors have stolen an estimated $120 million in Bitcoin and Ethereum from decentralized finance (DeFi) platform, Badger. The organisation confirmed the attack and has frozen its platform while it investigates the breach. Several users on Badger’s Discord channel claim the attackers exploited a vulnerability in the platform’s user interface to gain access to user accounts and steal funds, but these allegations have not yet been confirmed. Members of the Badger Team have also allegedly told users that they believe the issue was caused by someone inserting a malicious script in the UI of their website. The company is still investigating the incident, including looking at how the attacker managed to access Cloudflare via an API key that should have been protected by two-factor authentication.

Phishing threat actors are using the latest COVID-19 variant, Omicron, as lures in their attacks. A phishing campaign is currently targeting the UK: two samples are masquerading as the National Health Service (NHS) and using NHS branding. The Omicron variant’s high transmissibility and the potential ineffectiveness of existing vaccines against it could have been tailor-made for use in a phishing lure: relying on message recipients’ fears. These new attacks simply continue the trend of using COVID-19 as a lure, something that has been seen since the start of the pandemic.

Darknet

Cannazon, a darknet marketplace primarily focused on selling marijuana products, has shut down. A message signed with the market’s official PGP key explained on 23 November that the admins are officially retiring, with the market being taken offline on 29 November. Cannazon was hit by a significant DDoS attack at the start of November, which reduced its uptime. After this, the admins reduced the number of orders and kept the marketplace partially offline to mitigate the issue, but this resulted in users fearing an exit scam. Already other markets are attempting to fill the void. Most notable among these is AlphaBay, which re-launched earlier this year; the admins announced they would be waiving vendor bonds – fees vendors pay to sell on a specific market – for vendors moving from Cannazon. However, many darknet users are still distrustful of the re-launched AlphaBay because the original was taken offline in a high-profile law enforcement operation.

A new ransomware group, known as Rook, has established a data leaks site. At this time, only one victim has been named on this site; Otbasy Bank, a financial institution based in Kazakhstan. A small sample of data has already been leaked from this organisation, with the Rook operators claiming more victims will be named soon. It is notable that the first victim linked to the Rook ransomware is based in Kazakhstan. Russian cybercriminals often deliberately avoid targeting organisations in CIS countries as a way of avoiding unwanted attention from local law enforcement entities. This indicates that either the operators of the Rook ransomware are not based in the CIS region, or they are relatively inexperienced.

Customer data from multiple UK-based telecoms providers has been leaked on Raid Forums. Affected providers include Direct Save Telecom, Think It Simple and POP Telecom. Customer data present in this leak includes names, addresses, SIM card information and account details. This leak appears to be related to a group operating a darknet data leaks site known as P0llux Leak. The operators of this site state that organisations refusing to pay will have their data leaked. At this stage, it is unclear if the operators behind this site utilise ransomware, or if they are simply a data-theft-extortion group.

APT activity, malware campaigns, and vulnerabilities

APT activity

Three threat groups from India, Russia, and China are using an RTF (rich text format) template injection technique in phishing attacks. The novel method is used to retrieve malicious content from remote URLs. It was first observed in March 2021 and has gained traction since then. These types of RTF template injections are easily done using a hex editing tool, and are not widely detected by antivirus scanners. This makes them easy to perform and allows for detection evasion. As a result, the technique is extremely valuable to many threat actors, including those that are potentially less sophisticated. Researchers expect the use of this type of compromise to rise significantly in the near future. Users can mitigate the chances of compromise by not downloading or opening RTF files sent in unverified or spam emails.

The WIRTE threat group has been linked to a campaign that has been using malicious Excel 4.0 macros against the Middle East and other regions. The attacks, ongoing since at least 2019, have targeted high-profile public and private entities, such as diplomatic and financial institutions, government, law firms, military organisations, and technology companies; these have been located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey. Analysis of the campaign, toolset, and methods by researchers resulted in attributing WIRTE with low confidence to pro-Palestinian motives; furthermore, it is suspected of being part of the GazaCyberGang threat group. Unlike other affiliated groups, however, WIRTE has better operational security, stealthier techniques, and avoids detection for an extended period.

Malware

Researchers have published an analysis of a recent SMS phishing (smishing) campaign targeting Iranian Android users. The threat actors behind this attack leveraged sophisticated social engineering, impersonating the Iranian government, to lure their victims. This attack typically starts with an SMS message which claims to be from the Iranian government concerning a complaint filed against the recipient by the authorities. The victim is redirected to another malicious page that downloads an APK file to install a fraudulent app. Once the requisite details have been entered, the malware operators can steal a plethora of data from infected devices. This campaign is thought to have been so effective because it plays on the fears of the Iranian citizenry concerning the authoritarian nature of the country’s government.

Four Android banking Trojans have been spread through Google Play Store between August and November 2021. In total, these Trojans have resulted in over 300,000 infections through various dropper apps posing as utility applications and taking full control of infected devices. The apps delivered the Anatsa (TeaBot), Alien, ERMAC, and Hydra Trojans. Once installed, the malware steal user passwords and SMS-based 2FA codes, as well as capturing keystrokes, screenshotting, and stealing funds from bank accounts with a tool called Automatic Transfer System (ATSs). These new campaigns indicate an increasing sophistication in threat actors’ techniques when targeting Play Store users with their attacks.

Vulnerabilities

Researchers have found 226 potential vulnerabilities across nine popular WiFi routers, even those that are running the latest firmware. Tested routers include those made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, which are used by millions of people. The TP-Link Archer AX6000 had the most flaws: 32 in total. This was followed by the Synology RT-2600ac with 30. The tests were carried out with a focus on small firms and home users. The routers were all tested for more than 5,000 CVEs and other security issues, with findings showing that many of the routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware. All of the manufacturers have responded by releasing firmware updates. Users are advised to change the default password when first using these devices, enable the automatic update function, and apply the latest security patches from the vendors.

A vulnerability in the Variation Swatches for WooCommerce plugin has been found. The bug, tracked as CVE-2021-42367, could enable the injection of malicious web scripts and lead to site takeover if successfully exploited. Around 80,000 retail sites are impacted by the vulnerability. Variation Switches is designed to allow retailers to show different versions of a product. However, vulnerable versions of the plugin can also grant users without administrative permissions (such as customers or subscribers) access to the plugin’s settings.

Geopolitical Threats and Impacts

Americas

UNITED STATES & CHINA – CHINESE APT ALLEGEDLY BREACHES CRITICAL US ORGANISATIONS

A suspected Chinese advanced persistent threat (APT) group has over the past three months breached four US defence and technology firms, a report by cybersecurity firm Palo Alto Networks revealed on 2 December. Globally at least 13 organisations across industries including defence, health care, energy, and transportation have been breached. The extensive cyber-espionage saw threat actors’ steal organisations’ passwords to intercept sensitive communications. Palo Alto Networks identified around 600 cases of systems in the US running software vulnerable to threat actors, which includes two products made by multinational technology firm Zoho. Exposed entities include 23 universities, 14 state or local governments, and 10 health care organisations.

The report indicates an escalation in alleged cyber-espionage carried out by Chinese state-affiliated APTs against entities worldwide. US entities in critical research and defence-related sectors are more likely to be targeted given high geopolitical tensions between the strategic adversaries. At this juncture, the scale of the attacks appears lower than earlier in 2021. Several Western and Western-allied governments in July accused Chinese state-sponsored threat actors of ‘malicious cyber activity’, including alleged exploitation of zero-day vulnerabilities in Microsoft’s Exchange software to exfiltrate inbox data. The upwards trend in cybersecurity threats, especially against crucial infrastructure, is tied-in with overarching national security concerns. Businesses should ensure cybersecurity measures are commensurate with this rapidly evolving threat environment.

REGIONAL LATIN AMERICA – CUBA, ECUADOR IMPOSE TRAVEL RESTRICTIONS OVER OMICRON

Cuba and Ecuador have announced travel restrictions following the discovery of the new Omicron SARS-CoV2 variant in South Africa last week, and the World Health Organization (WHO) classifying it as a Variant of Concern. From 4 December, Cuba will require travellers from eight Southern African countries – Botswana, eSwatini, Lesotho, Malawi, Mozambique, Namibia, South Africa, and Zimbabwe – to present proof of vaccination, three PCR tests taken prior to and after arrival, and undergo a seven-day quarantine. Ecuador, whose restrictions come into force on 1 December, will ban entry altogether for anyone who has been in or travelled via the aforementioned countries, as well as Egypt. Mexico’s President Andrés Manuel López Obrador has so far said that he is not worried about the new variant.

The latest restrictions imposed in Cuba and Ecuador are likely to be echoed by other countries across the region, particularly those badly hit by the COVID-19 pandemic so far, such as Argentina. Nevertheless, the responses may not be the same across Latin America, which Obrador’s statement suggests. Regardless, as the new variant continues to spread across the world, there is a high likelihood that new restrictions, including flight suspensions, may be imposed over the one- to two-week outlook. This comes at a bad time for aviation and tour operators ahead of the busy Christmas holiday season, when international travel commonly surges, and governments across the region are under high pressure to address the economic damage left by the pandemic. Nonetheless, we advise caution for expatriate workers planning to return home for the holidays, as stringent travel restrictions may be imposed at very short notice over the coming month. Such restrictions are also likely to expand beyond African countries, particularly if outbreaks in Europe and elsewhere continue to accelerate due to Omicron.

APAC

CHINA – REPORT UNDERSCORES XINJIANG-RELATED BUSINESS RISKS AHEAD OF BEIJING OLYMPICS

US-based lodging platform company Airbnb has 14 homes available for rent in China’s Xinjiang region on land owned by the Xinjiang Production and Construction Corps (XPCC), an investigation by US news outlet Axios revealed on 30 November. The XPCC is a large paramilitary organisation that has long controlled much of Xinjiang and is sanctioned by Washington under the Global Magnitsky Act for complicity in genocide and forced labour. The listings make Airbnb vulnerable to regulatory risk under US law, according to the report. Airbnb said it believes that the sanction does not apply to these listings and that it implements guidance provided by the US Department of the Treasury to comply with sanctions. Although Airbnb had not previously discussed the listings with the treasury’s Office of Foreign Assets Control (OFAC) – the agency in charge of sanctions compliance and enforcement – the company said that ‘OFAC rules require Airbnb to screen the parties we are transacting with, not the underlying landowners.’

Sponsors of the Beijing 2022 Winter Olympics such as Airbnb and companies with ties to Xinjiang are already under heightened public scrutiny amid calls for diplomatic boycotts of the Games, scheduled for February 2022, over alleged human rights abuses. The report also underscores complexities in regulatory compliance and due diligence. The US sanctions ‘prohibit all transactions’ that ‘involve any property or interests in property’ of the XPCC. The Airbnb listings reportedly only garnered USD6,500 over the past 12 months, with five of them having zero reservations during this period. However, the listings highlight reputational, financial, and liability risks associated with even small-scale operations in Xinjiang. Although Airbnb says that its China operations contribute ‘minimal[ly]’ to its revenues, the company’s withdrawal of its sponsorship or any statements deemed critical of the ruling Chinese Communist Party (CCP) would likely be met with Chinese reprisals, such as boycotts. Reputational pressures are likely to increase in the short term (<1-3 months) given the recent release of leaked papers linking calls for measures targeting Uyghurs in Xinjiang to speeches by top CCP members in 2014, including President Xi Jinping.

CHINA – REPORT UNDERSCORES UPSWING IN SURVEILLANCE RISKS, INCLUDING TO FOREIGNERS

A 29 July tender document published on the Henan provincial government’s procurement website describes plans for a system that can gather individual files on ‘suspicious people’ including journalists and international students, according to a Reuters news agency report on 29 November. Public access to the document has since been disabled. Files would be assembled on persons of interest coming to Henan via the use of 3,000 facial recognition cameras connecting to several national and regional databases. It is unclear whether the system is currently in operation. However, the contract was allegedly awarded on 17 September to Chinese technology company Neusoft and required to be completed within two months of signing. US-based surveillance research firm IPVM first identified the Henan document and said it was unique in pinpointing journalists as surveillance targets and supplying a method for authorities to rapidly locate them and impede their work. Several segments of the tender explicitly refer to ‘foreign journalists’.

While unsurprising, the report underscores an upwards trend of risks associated with confiscation, expropriation, nationalisation, and deprivation (CEND), and surveillance to expatriate personnel in China on the grounds of ‘national security’. China’s mass surveillance programme, including its ‘Skynet’ CCTV monitoring system, has rapidly expanded under Chinese President Xi Jinping. Approximately 54 per cent of the world’s 770 million CCTV cameras are in China, meaning that China has around 415.8m cameras. Cameras have increased under the pretext of disease control efforts during the COVID-19 pandemic. The report also highlights the practical ramifications of an upswing in nationalism and potential xenophobia. The ruling Chinese Communist Party has over the past year increasingly galvanised and exploited such sentiments to divert public attention from governance failings. Censorship and harassment of foreign journalists that worsened since Xi took power in 2013 have recorded an uptick since the onset of the pandemic. Businesses with interests in China, particularly in the media sector, should assess the impact of expanding and increasingly sophisticated surveillance structures on the security of their staff, assets, and operations.

Europe and Russia

BELARUS, POLAND & RUSSIA – MIGRANT BORDER TENSIONS CAUSE LOGISTICS DISRUPTION FOR RUSSIAN IMPORTERS

Food producers based in Russia have expressed concern over tensions along the Belarus-Poland border after attempted migrant crossings in recent weeks. The migrant crisis prompted Poland to shut multiple crossings along the border, while trucks seeking to enter Belarus from Poland are facing significant delays at four out of six crossings currently operational. Many of the trucks in question are transporting goods used in the production of food products in Russia. Similar delays have been reported on Belarus side of the border for trucks heading towards the EU.

An estimated 10 per cent of Russia’s imports transit through Belarus and Poland. The prolonged border delays has led to an increase in the cost of goods, affecting production. One source quoted by Reuters said that each additional day of delay adds EUR500 in transport costs, while using different routes costs between EUR300 and EUR400 more. An industry group that includes several multinationals, including Danone and Nestlé, has appealed to the Russian government for help. Heightened demand for consumer goods ahead of the Christmas and New Year holidays means that if unresolved, the current situation might cause widespread supply chain disruption. Companies exporting goods to Russia should conduct a review of supply chains to identify any potential bottlenecks that may cause delivery delays. Logistics operators offering transport services that include east/west and west/east links between Russia and other European countries should assess the impact of ongoing disruption into operational planning.

FRANCE – GOVERNMENT EXTENDS FOREIGN INVESTMENT SCREENING MEASURES FOR ANOTHER YEAR

On 29 November, the finance ministry said that the government will extend stricter measures on foreign ownership of strategically important firms by a year. Under the current measures, which were imposed during the coronavirus (COVID-19) pandemic, foreign firms must receive approval from the government if they seek to acquire a stake in excess of 10 per cent in listed firms operating in sectors including health, new technologies, aerospace, and media.

Prior to the coronavirus pandemic, the threshold for such transactions was set at 25 per cent. The measure does not apply to EU or EEA-based companies. Across Europe, governments have introduced more robust screening on foreign investments over concerns that struggling firms in sensitive sectors would be vulnerable to foreign takeovers that may undermine national security. Evidence of a hardened approach was the French government stance on the attempted acquisition of leading retailer Carrefour by Canada-based Alimentation Couche-Tard in January 2021, dealing a blow to the almost USD20 billion acquisition bid. Companies seeking external investment should ensure full compliance with government regulations on foreign investment. Increased scrutiny on investments in strategically important industries will likely continue after the one-year extension of the existing measures.

MENA and Central Asia

TURKMENISTAN – COUNTRY RANKED AS HAVING THE SLOWEST INTERNET SPEEDS IN THE WORLD

UK-based Cable.co.uk – a platform comparing broadband providers’ prices and services –ranked Turkmenistan as having the slowest Internet speeds in the world, according to its latest survey of fixed-line broadbands in 211 countries; the survey was published in September but was picked up by several news outlets on Thursday (2 December) and Friday (3 December). Internet speeds, on average, in the Central Asian state were around 0.5Mbps. At those speeds, it takes over 22 hours to download a movie file that is 5GB in size. By comparison, the country assessed to have the third-fastest speed was Iceland, where at 191.83Mbps, a 5GB file would take just over three minutes. The Bailiwick of Jersey had the fastest internet speeds at 274.27, followed by Liechtenstein at 211.26.

Slow Internet connectivity in Turkmenistan reflects broader regional trends, where there is generally poor investment in the telecommunications sector, outdated infrastructure, sclerotic bureaucracies, and political influence and meddling. The lack of private sector engagement is another factor which has undermined modernisation of institutional, legal, and regulatory frameworks. Geography also plays a critical factor. Landlocked Turkmenistan, like its regional neighbours, is situated far from major subsea fibre-optic lines which further complicates access to backbone infrastructure and landinpoints. The main barrier, however, is the government’s dominance on the telecoms sector, where state-run agencies are subject to the political influences of a government that is deeply controlling information. These factors contribute to the high costs associated with Internet access, which businesses need to factor-in when assessing operational outlays. Prior to any investment decisions, it is advisable to conduct an enterprise-wide risk assessment to identify communications infrastructure issues that may impact business.

Sub-Saharan Africa

ETHIOPIA – GOVERNMENT CLAIMS STRATEGIC GAINS IN TIGRAY, SIGNALLING SHIFT IN MOMENTUM

The government on 1 December claimed that the Ethiopian National Defense Force (ENDF) had recaptured Lalibela, Shewa Robit, and Chifra, as well as eight smaller urban areas, in Afar and Amhara regional states, which had been held by rebels of the Tigrayan Defence Forces (TDF) over the past few weeks.

Apart from Chifra, where Al Jazeera correspondents reportedly gained access and confirmed the government’s statement, the other claims cannot be independently corroborated due to the government’s severe restrictions on media in the affected areas. However, it follows similar claims of strategic gains by the ENDF against positions held by TDF and its ally, the Oromo Liberation Army (OLA), since Prime Minister  Abiy Ahmed deployed to the frontline on 22 November, and may signal a shift in momentum after TDF and OLA forces appeared to be making significant strategic gains over the past month and were threatening the capital Addis Ababa as well as critical infrastructure, such as the A1 highway. Meanwhile, Abyi, who has increased his number of media appearances wearing military fatigues, called on the TDF and OLA to surrender peacefully and spokespeople of the Tigray People’s Liberation Front (TPLF) and TDF have been absent from media reporting over the past week. Nevertheless, while the government is currently demonstrating confidence that it is controlling the war, similar, false claims over the past year undermine its credibility. This includes denials over several months that Eritrean forces were active in Tigray, as well as a claim in December 2020 that the TPLF and TDF would imminently be defeated. This indicates a realistic possibility of TDF/OLA tactical retreat in order to regroup and seek to intensify attacks against the ENDF over the coming month. This suggests that the country’s stability risk will unlikely change anytime soon, and operations managers should continue to monitor updates.

DR CONGO & UGANDA – MILITARIES CONDUCT JOINT OPERATIONS AGAINST ISLAMIC STATE AFFILIATE

The armed forces of both countries on 30 November confirmed conducting a joint operation against positions of the Allied Democratic Forces (also known as Madinat Tauheed Wau Mujahideen, ADF) – an Islamic State-affiliated non-state armed group, originally from Uganda but with a presence in eastern DRC. The joint operations, which were conducted near the Congolese city of Beni, North Kivu province, included air and ground-artillery strikes on four presumed ADF positions. The security forces are continuing the operations this week, with additional raids and security checkpoints in the area. No casualties have yet been confirmed from Tuesday’s incidents.

The operation marks the first time in four years that Ugandan forces officially entered Congolese territory and comes amid an intense and broad crackdown on suspected ADF militants in Uganda following the twin-suicide bombings in Kampala on 16 November. The group has also intensified its operations in eastern DRC over the past two years. It is unclear what material impact the operation, using artillery fire, will have on the ADF’s presence in the highly forested region. What is more clear is that the operation is unlikely to be isolated or short-lived, likely signalling a protracted security force deployment in this border area, as well as in the city of Beni. Security managers of staff should factor the likely increased security presence and probable roadblocks and security checks into staff journey-management plans and security threat assessments, and seek clarity on trip feasibility with the local authorities.

Scroll to Top