  • Intel Brief: Dutch Semiconductor Company Suffers Breaches From China-based Threat Actors

    Date: 29/11/2023
    Where: Netherlands
    Who’s involved: NXP, Chimera Group (threat actor)

    What happened?

    The details of a substantial cybersecurity incident involving Eindhoven-based microchip designer and manufacturer NXP were revealed to Dutch press on 24/11/2023. The company was infiltrated by Chinese hackers from a group known as 'Chimera', likely giving the group access to sensitive information for nearly three years. NXP only became aware of the incident when KLM Airlines subsidiary Transavia uncovered the group’s activities in one of its investigations. The investigation confirmed that Chimera had access to NXP’s system from at least the end of 2017 to spring 2020.

    Hackers targeted chip designs and company secrets, stealing email boxes and sensitive data. The attackers gained access through employee accounts using credentials leaked on the dark web, combined with brute force tools and publicly available information. Along with NXP, at least seven Taiwanese chip companies and the airline Transavia were also affected. Despite NXP's efforts to enhance security, the company suffered another data breach in 2023, showing ongoing vulnerability to cyber attacks.

    Analysis:

    The Chimera Group, previously thought only active since 2018, is a suspected China-based threat actor primarily targeting the semiconductor industry, though this incident shows that they have also targeted airlines, with potential other campaigns yet to be revealed. The hackers worked with stolen account information from previous data breaches and with publicly available data scraped from Facebook and LinkedIn. According to the AIVD, the attack is indicative of a large-scale, well-coordinated campaign. This is consistent with an advanced persistent threat (APT), and possibly a state-supported threat actor.

    Details are still unknown about exactly what the impact of the breach will be. Some of the information leaked could have included personal information of clients and employees, lending itself to further attacks. Further attacks did come in another incident that occurred in July of 2023, and was reported on 5/9/2023. More data was stolen that included customers' names, email addresses, phone numbers, and other personal details. The specifics of the compromised data were not fully detailed in the public reports, and no threat actor was identified.

    Conclusion

    While NXP insists that these breaches were minor, the delays in detection, reporting, and inability to publish details of the impact are troubling. The effectiveness of Chimera Group represents a significant and ongoing challenge in the realm of global cyber security, as few threat actors have been so hyper-focused on an industry that is so important to both consumer and defense sectors. The ability to remain undetected for extended periods while accessing sensitive information, including chip designs and corporate secrets, is potentially devastating.

    The incident, being so largely shaped by information shared by Transavia, demonstrates the need for additional transparency between not only individual corporate entities, but industries. One can anticipate that there will be a broader impact on the semiconductor and airline industries as more information is made public and the scope of the campaign is uncovered. This series of incidents serves as a stark reminder of the critical need for robust cybersecurity strategies and the constant vigilance required to counter such advanced and persistent threats.

  • Sandworms And Ransomware Gangs: How Russia Remains A Cyber Superpower

    Written by Mark Bruno

    In May 2023, Danish critical infrastructure experienced what has been described as the "largest cyber attack" against it in its history, targeting 22 companies in the energy sector. The tools utilized were extremely sophisticated and had the potential to enable external control over portions of the energy grid. This attack was linked to the Russian threat actor Sandworm, an entity also known as Unit 74455 within Russia’s GRU.

    Another attack against a major institution, attributed to a Russian threat actor, was the recent ransomware attack on the Industrial and Commercial Bank of China by the LockBit ransomware gang. The attack had a huge impact on the Treasury market in both the US and China, temporarily displacing $9 billion at their Financial Services Division in New York. LockBit, while not associated with the Russian government, is a criminal organization that has operated with relative immunity, as long as their attacks are primarily focused outside of Russian territory. This perceived tolerance by the Russian authorities is a common trait among several ransomware groups.

    Both events are emblematic of two kinds of cyberattack coming out of Russia: those explicitly carried out by the state, and those tolerated or encouraged by the state. Both threats have been exacerbated and become an essential part of Russian operations as the nation finds itself increasingly isolated from the international community.

    State-Backed vs. State-Tolerated

    While these particular events seem brazen, Russian cyber operations are certainly influenced by its increasing international pariah status. Facing global isolation, Russia actively resorts to destructive cyber activities as a tool of geopolitical influence, while doing nothing to discourage actors that contribute to these goals voluntarily.

    State Backed

    Russian state-backed threat actors have been confirmed to operate in positions within the General Staff of the Main Intelligence Directorate (GRU). This means that they answer to the highest offices within the Defense Ministry: they are uniformed military intelligence. The most infamous of these threat actors is a team known to cybersecurity professionals as Sandworm, which has been active since at least 2009 and has been known over the years by numerous names, including ELECTRUM, Telebots, IRON VIKING, BlackEnergy Group, Quedagh, Voodoo Bear, and IRIDIUM. Sandworm’s advanced capabilities have been used to attack critical infrastructure such as power grids, hospital networks, and financial systems throughout EU and NATO member states.

    Russia’s Foreign Intelligence Service (SVR) has its own array of threat actors as well, who answer directly to the office of the President. Among their assets is a threat actor commonly known as Cozy Bear. Cozy Bear has been in operation since at least 2008, also targeting government, think tank, and research institution networks in EU and NATO member states.

    The Internet Research Agency (IRA) is a Russian entity that was allegedly dissolved after the coup attempt by Yevgeny Prigozhin, who founded it. Established in 2013, its focus was using the cyber realm to reinforce information and psychological operations to advance strategic and tactical objectives for the Russian Government. This was done particularly through the use of disinformation on social media. Despite claims of its dissolution, the tactics and strategies employed by the IRA continue to be relevant in discussions about cybersecurity, information warfare, and the integrity of political processes in the digital age.

    State Tolerated

    Russia has a history of utilizing non-state-backed cyber assets and taking advantage of pro-Russian hacktivism, especially in the context of the conflict with Ukraine. The Kremlin has been known to leverage relationships with cybercriminal groups, using them indirectly to conduct cyber operations that align with state interests. Russia's robust cybercrime ecosystem provides a pool of skilled individuals and resources that can be mobilized for state-aligned objectives, including espionage, misinformation, and disruptive cyberattacks. An advantage of encouraging such activity is the chance for deniability to delay an escalation of conflicts or sanctions, while creating confusion and instability. These gray zone tactics are beneficial both for kinetic operations and for constructing narratives.

    Some of these individuals and groups are incredibly powerful for-profit enterprises that hold international organizations’ infrastructure hostage through ransomware, or sell stolen data and malware to those who might use them for criminal purposes. The most famous of these is LockBit, who have attacked various industries globally, with the healthcare and education sectors being major victims. The United States, India, and Brazil are among the top targeted countries.

    Other threat actors are dedicated to the interference and nuisance-level threats caused through Distributed Denial of Service (DDoS) attacks or defacements. A DDoS is an attack wherein a digital service is overwhelmed with fake requests until it is shut down. Pro-Russian hacktivists conduct cyberattacks supporting Russian geopolitical goals in this capacity. These groups often target Western entities or those opposing Russian interests. Among the most famous of these entities are the pro-Russian cybercriminal groups KillNet, Anonymous Sudan, and NoName057(16). At any given time, these groups are involved in conducting dozens of DDoS and defacement attacks on websites, almost always based on Russian strategic objectives.

    By using non-state actors, Russia can engage in cyber activities while maintaining plausible deniability. These assets have been involved in targeting critical infrastructure in countries opposing Russian interests, demonstrating the potential for significant disruption.

    What Are They Capable Of?

    A question that gets asked a lot by outsiders is “what are the real consequences of these sorts of attacks?” The effects of cyber tactics seem more obvious in traditional warfare when paired with conventional weapons, electronic warfare, or intelligence-gathering operations. Just this month, reputable cybersecurity firm Mandiant released a report about Sandworm executing a cyberattack that crippled infrastructure in an area simultaneously targeted by a missile strike, very likely increasing its lethality.

    However, it can technically be argued that no one has died in the history of cyber warfare in respect to attacks that remain in that domain. There is no way to “hack combatants to death”. But when hospital services are interrupted, when the power or heating infrastructure is impacted on winter nights, when supply chains are interrupted during times of war or global pandemics, can that point truly be defended?

    NotPetya, a novel malware deployed by Sandworm, was part of a campaign initiated on June 27, 2017. It represented one of the most aggressive and widespread cyber attacks in history. The event inflicted severe disruptions in various sectors, including banking, airports, and power companies, and is considered one of the most destructive cyber-attacks ever. Initially targeting Ukraine, it rapidly spread globally, affecting over 80 companies in Ukraine, and at least 2,000 organizations worldwide. NotPetya, an advanced version of an older ransomware called “Petya”, connected the already potent malware strain to a highly aggressive viral worm. Unlike ransomware utilized by many for-profit and criminal gangs, NotPetya was never intended to honor ransoms, and effectively destroyed the file systems on whatever network it touched. 49,000 computers belonging to Danish logistics giant Maersk were taken offline. The company claims that its repair costs alone totaled over 300 million USD.

    Another similar disruption was caused by Cozy Bear in their infamous 2020 SolarWinds hack, a sophisticated supply chain breach involving the SolarWinds Orion system. Orion is a valuable target, as it allows large enterprises to manage their information assets and software suites. The compromise of Orion led to one of the most extensive and complex cyber operations against both the US government and the private sector. It impacted a significant portion of SolarWinds' customers, a number of which were based in Europe, including key government agencies and numerous private entities. The attack's far-reaching implications affected governments around the world, highlighting the heightened vulnerability and interconnected nature of global cybersecurity.

    On September 6, 2022, KillNet launched a Distributed Denial-of-Service (DDoS) attack on the website belonging to the Port of Nagoya, Japan. The port, one of the country's largest, is significant for international shipments of heavy machinery, and the single largest in operation with the Toyota corporation. This assault overwhelmed the website with malicious traffic, rendering it inaccessible for approximately 40 minutes. The attack, while brief, indicated the port's vulnerability to cyber threats.

    On July 4, 2023, the port was targeted by a ransomware attack conducted by the LockBit group. This resulted in significant operational disruptions, halting more than half of the container shifting operations and causing a failure in the port's unified terminal system. The attack impacted major logistical operations, and led to a shutdown of the port's activities for over two days, illustrating the substantial impact of ransomware on critical infrastructure.

    These events demonstrate a growing threat posed by cyberattacks, where both unsophisticated DDoS and more impactful ransomware attacks can cause significant operational disruptions and economic consequences. The involvement of groups like KillNet and LockBit illustrates the escalating sophistication and impact of cyberattacks aligned with geopolitical interests.

    A Cornered Bear

    As Russia becomes increasingly sidelined on the global stage, its propensity to engage in or tacitly endorse destructive cyber activities grows. This tactic serves as a powerful tool in asserting influence and disrupting perceived adversaries, with fewer diplomatic repercussions, and much lower practical costs. Russia's sophisticated state-backed operations, coupled with its tolerance of rogue cyber gangs like LockBit or KillNet, form a two-pronged strategy in cyberspace that offers an increasingly potent-but-deniable arsenal to a regime with a gradually shrinking list of options.

    About the author: Mark Bruno

    Mark Bruno is a noncommissioned officer in the United States military, where he serves as a Combat Medic and a Public Affairs Representative. He holds a Master’s Certificate in Information Assurance from the University of Maryland, and a Bachelor of Science in Communication from the State University system of New York. All statements made in this article are his own, and do not reflect any policies or positions of the United States Department of Defense.

  • Intel Brief: Heightened Terror Risk from Dutch Election

    Date: 23/11/2023
    Where: Netherlands, Dutch interests overseas.
    Who’s involved: Partij voor de Vrijheid (PVV), Geert Wilders, Dutch companies and citizens

    What happened?

    On 22/11/2023, the Netherlands voted in a general election to elect a new House of Representatives (Tweede Kamer). The PVV, a radical right nationalist party headed by populist Geert Wilders, won around 37 seats, ahead of GL-PvdA with 25 seats and the former largest party VVD with 24 seats. They are expected to form a right-wing government with the VVD, NSC and BBB.

    In his victory speech, Geert Wilders said he will seek to govern for the whole of the Netherlands within the framework of constitutional law. However, the PVV is strongly opposed to Islam and asylum seekers. He claims that Islam represents a fascist doctrine that is contrary to the pluralistic society of the Netherlands. The PVV election manifesto mentions that the party is seeking to exit the 1951 UN refugee convention, withdraw temporary asylum permits of Syrian refugees, and also ban the Koran in addition to closing Mosques and Islamic schools.

    Shortly after the result it became known that Moroccan, Turkish and Muslim societies shared concerns about their future and rights in the Netherlands after the PVV's win.

    Analysis:

    The election of Geert Wilders is the latest in a radical right shift across Europe. His hardline stance against immigration and his comments have proved incendiary in the past. Geert Wilders has had multiple Fatwas (formal, non-binding rulings issued by an Islamic institution) issued against him and has been living under police protection for almost 20 years. In 2018, Wilders announced a Muhammad cartoon contest which caused anger in the Islamic world and protests in Muslim-majority countries, especially in Pakistan where blasphemy is forbidden by law.

    While the formation of a governing coalition is unknown, the victory of Wilders may cause (violent) reactions in Muslim-majority countries against him or Dutch interests, and therefore present a heightened terrorism risk to the Netherlands and Dutch interests abroad. Intelligence agencies have raised their threat levels against terrorism across Europe since 2019, citing the capability and intent of radical extremist groups targeting citizens. As such, there may be an elevated threat to Dutch companies from extremist groups both in the Netherlands and to Dutch interests based in Muslim-majority countries.

    The risks of terrorism have increased elsewhere in Europe as a result of inflammatory rhetoric. Earlier this year, Quran burnings in Sweden also caused large protests in Muslim-majority countries. In Iraq, the Swedish embassy was stormed, the Swedish ambassador expelled, and a working permit of Swedish telecom company Ericsson withdrawn. In Pakistan, the Swedish embassy was closed due to security concerns likely connected to the Quran burnings. It has also led to Swedish citizens being targeted by extremist groups and lone terrorists, such as the fatal attack on two Swedish football fans in Belgium. Sweden’s prime minister Ulf Kristersson said that “Swedish interests have never been more threatened than now”.

    Conclusion

    The election victory of Geert Wilders raises concerns for Dutch interests in the Netherlands and around the world, given his openly anti-Islam rhetoric and policies against asylum-seekers. Dutch companies, citizens and broader interests could be targeted. As the outcome of the coalition negotiations is yet to be seen, definitive consequences are hard to estimate at this time. However, vigilance and a recognition of the vulnerability of Dutch interests abroad are recommended.

  • Business Aviation aircraft Misidentification

    Aircraft manufacturers have a proven history of converting commercial airliners into military aircraft. This started during World War II, when aircraft like the Douglas DC-3 airliner were converted into the C-47 cargo transport and later into the AC-47 ‘Gunship’ and the EC-47 electronic warfare aircraft. Another well-known example is the conversion of the Boeing 707 airliner into the E-3 Sentry AWACS and the KC-135 airborne tanker used by the USAF.

    Over the past decade, there has been a growing military interest in a distinct sector of civilian aviation, namely business aviation. This leads to a rising aviation security concern: the misidentification of business aircraft as military aircraft.

    Traditionally, business aviation aircraft were mainly used by the military for VIP transport, but along the way some types have been modified for airborne intelligence, surveillance, reconnaissance, electronic warfare, special operations support, etc. Additionally, unlike bespoke military aircraft, modified business aircraft have two other advantages: a global pool of spare parts and an extremely high dependability in comparison to military aircraft.

    With the current number of conflicts growing worldwide, more and more business aircraft are being used by the military, especially in the Middle East, the Black Sea, the Baltic States and around Taiwan. The risk of misidentification is growing rapidly.

    There are also companies that support the military through Contractor Owned, Contractor Operated (COCO) Intelligence, Surveillance & Reconnaissance (ISR) operations in support of DoD entities and USG agencies. An example of this is the United States Special Operations Command (USSOCOM), which uses subcontractors that operate a fleet of COCO ISR aircraft like the Bombardier Challenger 605 and the Challenger 650 Aerial Reconnaissance and Targeting Exploitation Multi-Mission Intelligence System (ARTEMIS). These aircraft are flying regular missions along the Poland-Belarus border to monitor Russian ground force activities, as well as in the Indo-Pacific theater in support of U.S. Special Operations Command Pacific (SOCPAC).

    The Bombardier Challenger 650 technology demonstrator is outfitted with the ARTEMIS multi-sensor surveillance suite. (Photo: via U.S. Army)

    Such are the similarities between some military and corporate jets that it is not always easy to tell them apart. Some examples:

    Civil type                     | Military type          | Mission role
    Gulfstream G550                | EC-37B Compass Call    | Electronic Warfare
                                   | C-37 A/B               | VIP / Special Air Mission
    Bombardier Global Express 6000 | E-11 BACN              | Battlefield Airborne Communications Node
    Bombardier Challenger 605      | Challenger 605 ARTEMIS | Intelligence, surveillance, and reconnaissance
    Learjet 35A                    | C-21                   | Pax and cargo airlifts
    Dassault 900LX                 | Envoy IV CC Mk1        | VIP transport by the RAF

    (The Global 6000 / E-11 BACN, Battlefield Airborne Communications Node. USAF photo)

    Misidentifying a business aircraft as a military aircraft can have serious consequences, as it may lead to harassment by hostile actors in international airspace, intercepts and potential shootdown, confusion, or even security concerns. Here are some potential reasons for such misidentifications and steps to prevent them:

    Reasons for Misidentification:

      • Similar Appearance: Some business jets may have a similar appearance to certain military aircraft, especially if they share design features or are painted in similar colors. More and more COCO ‘Business’ aircraft are being used and flown near airways operated by regular business aircraft. The radar signature and the exterior look alike, but the flight profiles differ, as these aircraft often fly large holding patterns or ‘zig-zag’ patterns.
      • Lack of Information: Limited or unclear information about the aircraft, especially in situations where radar or other identification systems may not provide detailed data.
      • Communication Failures: Miscommunication or lack of communication between air traffic control (ATC) and military authorities, or between ATC and the business aircraft. Another scenario is that a business aircraft experiences an en route problem for which it enters a holding pattern to troubleshoot the situation. If this is not properly coordinated with ATC, the holding pattern of the business aircraft can look similar to the operational flight condition of a ‘military’ aircraft, which often flies holding patterns when conducting its mission.
      • Flight plan / flight plan deviation: Due to GPS spoofing or navigational equipment failure.
      • Use of similar flight numbers with multiple digits, which change with each landing and take-off made in the course of a day, will likely continue to cause flight number designation errors by both pilots and controllers. In selected circumstances, this could lead to misidentification of aircraft.

    What happens when you get intercepted by a military aircraft?

    Most military forces have a standard intercept protocol. Air Defense Sectors monitor air traffic and could order an intercept in the interest of national security or defense. Intercepts during peacetime operations are vastly different from those conducted under increased states of readiness. The interceptors may be fighters or rotary wing aircraft. The reasons for aircraft intercept include:

      • Identify an aircraft;
      • Track an aircraft;
      • Inspect an aircraft;
      • Divert an aircraft;
      • Establish communications with an aircraft.

    Approach Phase. As a standard protocol, intercepted aircraft are usually approached from behind. While it is common for interceptor aircraft to operate in pairs, there are instances where a single aircraft may carry out the intercept operation. The intercepting aircraft bears the responsibility for ensuring a safe separation between itself and the intercepted aircraft, and this separation will be diligently maintained throughout the operation.

    Identification Phase. Interceptor aircraft will commence a controlled approach toward the target aircraft, maintaining a distance no closer than deemed necessary for positive identification and the collection of essential information. Additionally, the interceptor may conduct a flyby of the intercepted aircraft while obtaining data at a distance considered safe, taking into account the performance characteristics of both aircraft.

    Post Intercept Phase. An interceptor may make efforts to establish communication using standard ICAO signals (ICAO Annex 2; Rules of the Air). In situations where time is critical and an immediate response is required from the intercepted aircraft, or if the intercepted aircraft remains non-compliant with instructions, the interceptor pilot may initiate a divert maneuver. During this maneuver, the interceptor will fly across the flight path of the intercepted aircraft, maintaining a minimum separation of 500 feet and starting slightly below the intercepted aircraft's altitude, in the anticipated direction of the intercepted aircraft's turn. While crossing the flight path, the interceptor will rock its wings (during daytime) or flash external lights/select afterburners (at night). Following this, the interceptor will roll out in the expected direction of the intercepted aircraft's turn before returning to confirm compliance. The intercepted aircraft is expected to execute an immediate turn toward the intercepting aircraft.

    If the aircraft of interest fails to comply, the interceptor may conduct a second climbing turn across the intercepted aircraft's flight path, again maintaining a minimum separation of 500 feet and starting slightly below the intercepted aircraft's altitude. During this maneuver, flares may be deployed as a warning signal for the intercepted aircraft to comply immediately, turn in the indicated direction, and leave the area. The interceptor is responsible for ensuring safe separation during all intercept maneuvers, with a paramount focus on flight safety.

    Preventive Measures:

      • Perform a risk assessment of the planned flight route prior to the flight, covering overflight risk, conflict zone updates and military exercises in the area of your planned route. Therefore monitor airport and airspace-specific notices, bulletins, circulars, advisories, prohibitions and restrictions prior to departure.
      • Check if the departure and destination airports are also (frequently) used by COCO aircraft.
      • Enhance communication protocols between ATC and military authorities to ensure accurate information exchange and identification of aircraft.
      • In the event of a communication failure, make sure to follow the correct ‘loss of communication’ procedures.
      • Make sure that the correct transponder code and flight ID are set.
      • Make sure that the flight crew and operations crew receive recurrent training in security awareness (‘how do I look to the outside world’) and training to maintain familiarity with the preventive procedures as well as the loss of communication procedures. These can consist of the company SOPs, aircraft manufacturing procedures and ICAO Annex 2; Rules of the Air.
      • Confirm the identity and authority of the passengers (high profile ‘target’ passengers for the countries the flight will overfly), and reroute the flight plan when required.

  • Rising Tensions between Venezuela and Guyana over Resource-rich Essequibo Strip

    On December 3, 2023, Venezuela’s government plans to hold a national referendum to establish a new Venezuelan state to incorporate the entire Essequibo region of Guyana into its territory. The announcement sparked a legal reaction from Guyana, which called for the International Court of Justice (ICJ) to intervene. Besides the ongoing legal proceedings in the Hague, the referendum is likely to go ahead. Given Venezuela’s ongoing domestic political difficulties and commitment to elections in 2024, the referendum could create new instabilities in the region and extend Maduro’s hold on power. The Essequibo Dispute The legal dispute between Guyana and Venezuela goes back to 1899. The Essequibo territory, which roughly contains two-thirds of current Guyana, was awarded to British Guyana by the Arbitral Award. Since then, Venezuela declared the award illegitimate because of the absence of Venezuelan negotiators. In 1966, just months before the independence of Guyana from the United Kingdom, Venezuela and the UK negotiated the Geneva Agreement, which established a regulatory framework that should be followed by both parties in order to find a solution for the Essequibo border dispute. There are growing disagreements between Venezuela and Guyana over the oil exploration operations by large oil companies in offshore areas in the disputed territory. In 2015, the situation deteriorated since ExxonMobil, one of the world's largest oil companies, announced the discovery of a new oil deposit in Essequibo, signing a beneficial agreement for the foreign company with the Guyanese government. The discovery of new oil deposits has revived Venezuelan claims over Essequibo resources and land, calling the concession to the U.S. oil giant ExxonMobil a “new form of imperialism.” In response, in 2018, Guyana asked the International Court of Justice (ICJ) in The Hague to review the border dispute and confirm the validity of the current borders drawn by the 1899 arbitration. 
However, Venezuela openly rejects the jurisdiction of ICJ over the dispute. In October 2023, Guyana announced the discovery of a significant oil and gas reserve in an ExxonMobil well situated in disputed waters. A few days later, Venezuela responded by scheduling the December 3 referendum on the Essequibo dispute. This triggered Guyana to, once again, seek the ICJ intervention to preserve its sovereignty and territorial integrity and prevent the referendum from being held. Although Venezuela rejects the ICJ's jurisdiction, the court called on the Maduro government to counter arguments on the dispute to support its stance. Venezuela was represented by Vice President Delcy Rodriguez. Hearings of Guyana and Venezuela delegations were held at ICJ on November 14 and 15, respectively. Political reforms in Venezuela? The reopening of the dispute over Essequibo sovereignty comes with "questionable" timing from Venezuela. Indeed, while the dispute appears to be justified by new significant oil discoveries and disagreements over concessions, it is also a strategy employed by Maduro to divert domestic and international attention from recent developments in Venezuelan politics. On October 17, 2023, after resuming long-suspended negotiations, the Venezuelan government and the opposition reached an agreement that guaranteed opposition participation and the competitiveness of the next presidential election, scheduled for mid-2024. The negotiations, facilitated by Norway, were held in Barbados, in which Venezuela also agreed to release more than 250 political prisoners and lift the bans on opposition candidates for the 2024 elections. While the United States was neither a mediator nor a party included in the deal, its influence is undeniable. 
On October 18, 2023, only one day after the conclusion of the negotiations, the United States announced the temporary easing of some of the sanctions imposed on the Venezuelan oil, gas, and gold sectors in exchange for competitive elections in 2024. The easing of diplomatic and economic tensions with the U.S. represents a chance for Venezuela to relieve itself of the "maximum pressure" imposed by the U.S. in 2019. Lifting U.S. sanctions, however, is tied to fulfilling the electoral commitments Venezuela pledged in the Barbados agreement. However, the leading opposition candidate in the elections, María Corina Machado, is still excluded from the electoral race. Moreover, Maduro's government has not recognized the primary election as legitimate. The US has announced that it will withdraw the suspension of sanctions if Maduro’s regime does not have fair elections. While the prospect of competitive elections sounds promising, during Barbados' negotiation Venezuelan government and opposition signed a second accord, which binds both sides to support Venezuela's current stance in the territorial dispute with Guyana. This second deal could prove particularly relevant in the current circumstances, as it prevents any form of internal political opposition to Maduro's eventual plan to annex Essequibo. Referendum Propaganda While the referendum is going ahead, the campaign for the referendum is heavily influenced by the Venezuelan government’s control of social media outlets. President Maduro, under pressure to hold an election, is attempting to divert attention away from the upcoming elections by drumming up nationalist sentiment. On December 3, Venezuelans will be asked if they reject the 1899 arbitration and the ICJ's jurisdiction and if they oppose Guyana's unilateral appropriation of Essequibo's territorial waters. 
Venezuelans will vote on the creation of the new state of Guayana Esequiba in the disputed area, whose residents will be granted full Venezuelan citizenship status. However, it is unlikely to be a transparent vote. In preparation for the referendum, a massive propaganda campaign for the Essequibo dispute is spreading across Venezuelan social media. To the tune of propaganda slogans such as "el Esequibo es nuestro" or “El sol de Venezuela nace en el Esequibo,” the Venezuelan government is seeking popular support for the December referendum, urging the population to "decide sovereignly and democratically their future." The Venezuelan government has also accused the US of provocation. On November 8, Venezuelan Foreign Minister Yván Gil issued a statement accusing Guyana of conducting joint military operations with the United States in the Essequibo Strip to protect foreign, largely U.S.-based energy companies wrongfully exploiting resources in disputed territorial waters. However, Guyana's Minister of Foreign Affairs, Hugh Todd, denied any allegations of military expansion in the Essequibo Strip, blaming his Venezuelan counterpart for spreading disinformation and false accusations to sway domestic and international public opinion in favor of Venezuelan claims. Outlook It is very likely that the December 3 referendum will take place. The validity of the outcome of the referendum is hard to prove due to the lack of transparency of the Maduro regime. The referendum on Guyana Essequibo comes at a very delicate time for Venezuelan domestic politics. Maduro would seem compelled to grant the opposition the promised electoral improvements, especially to maintain the advantages of the lifted U.S. sanctions. Yet, the deadline for implementing electoral and democratic concessions, set for late November, is approaching, and no electoral reforms or improvements have been put in place.

  • Intel Brief: Houthi Threat in the Red Sea

    Who’s involved: Houthi rebels in Yemen, Israel, United States, shipping companies, international community. What happened? On 31/10/2023 the Shia rebel group called the Houthi declared war on Israel from Yemen in support of the Palestinian terrorist organization Hamas. On 08/11/2023 the Houthi fired their first missiles towards Israel, but they were intercepted by the US Navy. From 09/11/2023 to 20/11/2023 the Houthi launched several missiles and drones at Israel. All have been intercepted or have landed in the Sinai desert. The Houthi declared on 19/11/2023 that they would seize any Israeli vessel passing by Yemen on the Red Sea. On the same day the Houthi rebels used a helicopter to land on the shipping vessel the “Galaxy Leader” and took control of the ship, taking 25 crew members hostage. The Houthi leadership claimed that the vessel is Israeli owned. The Israeli government quickly replied that the ship is not under the Israeli flag but is British owned and operated by Japan. Japanese authorities acknowledged that the ship is operated by the Japanese company NYK and that the crew is made up of several different nationalities, none of which is Israeli. It is however believed that an Israeli billionaire might be part owner of the vessel, but this has not been confirmed. The Houthi rebel group receives logistical and weapons support from Iran. Israel has blamed Iran for staging the seizure of the vessel, but Iran has denied any involvement. The Red Sea shipping lane that continues on into the Gulf of Aden is an important shipping lane, with over 21.000 vessels per year going through it from China and the Gulf to Europe and vice versa. Consumer goods and oil are shipped through the Red Sea on large cargo vessels. Analysis: It is likely that the Houthi will try to seize multiple vessels that are supposedly under Israeli control. This will have a huge impact on the world economy as the shipping lane through the Red Sea is vital for the flow of goods. 
If shipping companies no longer dare to risk sending their vessels, crew and shipments through the Red Sea or the Gulf of Aden, it will severely damage the world economy. When the cargo vessel “Ever Given” was previously stranded in the Suez Canal on 21/03/2021, for only six days, it already had an enormous impact on the economy, extending into billions of dollars of additional costs and losses. Goods were perishing on board, shipments came in too late at their port of call, deliveries were delayed and some ships traveled all the way around the southernmost point of Africa, taking two extra weeks to travel. From the early 2000s to 2017 Somali pirates would frequently seize ships around the Horn of Africa between the Red Sea and the Gulf of Aden. This severely impacted the world economy and forced shipping companies and national governments to take measures against piracy in the region. Ships would take alternate routes and hire mercenaries to protect their vessels, insurance companies upped their policy payments and several European and United States Navy vessels patrolled the area. A recurrence of such a situation is likely to have more of an impact now that the Houthi are involved. In contrast to the Somali pirates, the Houthi rebels are well armed and equipped and receive logistical support from Iran. If there is any form of combat involved, the stakes are much higher than with the Somali pirates, who used simple fishing boats and had outdated weaponry. Conclusion This new phase in the war between the Yemeni Houthi rebels and Israel has taken the conflict into a whole new realm. By seizing cargo vessels, allegedly connected to Israel, there is a chance of direct disruption of the world economy since the shipping lanes in the Red Sea are vital for transporting consumer goods, food and oil across the world. 
It is unclear how far the Houthi will go to emphasize their point, but at the same time it is also unclear how far Israel and the United States will go to prevent any further seizures. Open combat with the Houthi in Yemen and on the Red Sea will undoubtedly lead to even more disruption in the shipping lanes, but the international community will be hard pressed to just stand by and watch as the Houthi continue their campaign.

  • Intel Brief: Escalating Conflict in Myanmar

    Date: 20/11/2023 Where: Myanmar, Laukkaing, Shan State Who’s involved: Myanmar Junta, Three Brotherhood Alliance, People’s Republic of China What happened? On 27/09/2023, the Three Brotherhood Alliance, an alliance between the Arakan Army, Myanmar National Democratic Alliance Army and the Ta’ang National Army, launched coordinated attacks on military outposts and installations in the northern Shan state in Myanmar. The mission, named “Operation 1027”, is intended to expel the military from the area and regain control of the state for opposition forces. According to reports from a newspaper based in Thailand, the Irrawaddy, the Three Brotherhood Alliance has taken 90 military outposts, 4 towns, as well as two key trade routes to China. There is currently a standoff over the city of Laukkaing, a hub for unregulated gambling, human trafficking and illicit goods. The military junta has been unable to push back against the armed groups. The military has instead launched airstrikes and artillery bombardments of towns and villages thought to hold insurgent groups, with many hundreds of civilians fleeing. Former General Myint Swe spoke at an emergency meeting with the military junta, suggesting that this is the most serious contest of the military’s power since the coup in February 2021. On 10/11/2023, the Chinese foreign ministry said that it will ensure stability on the border. China has traditionally acted as a power-broker in the Shan state, a region in eastern Myanmar on the border with China, with its ability to exert influence over different groups because of ethnic and trade ties. However, the city of Laukkaing has become a center for criminal gangs, scam centers, and money laundering. It has been reported that thousands of Chinese nationals and other foreigners from around the region have been forced to work there. China is seeking to clamp down on transnational criminal groups, with the military unable to control cross-border criminal activity. 
The escalation of violence under Operation 1027 has led to civilian casualties and the displacement of 200,000 people nationwide. This has led to over 2 million civilians fleeing the fighting since February 2021, according to the United Nations. There are increasing calls for humanitarian aid to enter the country and for both sides to respect international humanitarian law. Analysis: The Myanmar civil war since February 2021 has killed over 4,000 civilians and displaced 1.8 million refugees, and it shows no signs of stopping. Research published by the Security Force Monitor has documented several human rights abuses committed by the Myanmar military junta. The new offensive represents the biggest battlefield challenge to the military junta’s rule since the coup in February 2021. Capturing Laukkaing will bring some gains for the opposition in the Three Brotherhood Alliance’s effort to expel the military from the Shan state and bring it under their control. While this is not a lethal blow, this would cut off a significant source of income for the military junta and create challenges for the leadership of the military. Sensing Myanmar's military weakness, other armed groups in the country have also stepped up attacks. This could overstretch the junta’s military capacity as a result. The armed groups have also seized a large amount of weaponry from retreating military units, including tanks, a howitzer and ammunition. The junta may have to accept ceding control of the country to the groups in order to launch counter attacks. In any case, the military’s failures are obvious to armed groups resisting the regime and may lead to groups launching attacks to seize on the weakness. China’s seeming unwillingness to intervene in the Shan state to support the military could indicate a decline in support for the regime. China’s economic interests in Myanmar include investments in rare earths, and the construction of multiple oil and gas pipelines flowing into the Bay of Bengal. 
China cultivated a close relationship with the military junta for protection of its economic assets. However, the growing transnational crime from Myanmar and the inability of the military junta to contain it could push China to seek other players to maintain stability on its border. How lethal this attack proves to be for the Myanmar military depends on the response of the Myanmar military, and whether it is able to fight a multifront counterinsurgency. It is still well-armed, with Russian planes and artillery, and has fought counter-insurgencies in Myanmar since the 1960s. However, the military junta leadership is internally quite resilient to outside challenges. Given its ordnance and expertise, it will likely step up bombing campaigns and mount heavy counter offensives against all rebel groups in the north and in the east. The fighting is therefore likely to intensify in the coming months as both sides try to seize the initiative. Conclusion The escalation of the conflict in Myanmar is leading to more violence in the country, with more refugees fleeing the country. The apparent success of the armed groups’ offensive has given the Three Brotherhood Alliance more ammunition and achievements against the regime, which could lead to other groups seizing on the junta’s vulnerabilities. China’s influence in the country remains important, but its capacity to limit further escalation remains limited given the military junta’s capacity for military self-reliance. The escalating violence is likely to lead to more civilian deaths and refugees fleeing violence, in a conflict that has killed over 4,000 civilians and displaced 1.8 million.

  • Intel Brief: Russia’s LockBit Ransomware Gang Threatens Chinese Finance Giant

    Date: 17/11/2023 Where: New York (USA), China Who’s involved: Industrial and Commercial Bank of China (ICBC) Financial Services Division, LockBit Ransomware gang What happened? On 8/11/2023, ICBC's Financial Services (FS) division in New York City was hit by a ransomware attack, leading to disruptions in specific systems within the division. ICBC FS immediately isolated the impacted systems to contain the incident. The attack was so extensive that it disrupted not only financial services systems, but also the corporate email, forcing employees to switch to Google Mail. On 9/11/2023, the ransomware attack caused disruptions in US Treasury markets. Some traders were unable to place or clear trades through ICBC and received emergency notices about connectivity issues. The blackout caused by the ransomware attack led to a temporary $9 billion debt to BNY Mellon, significantly larger than ICBC Financial Services' net capital. ICBC's parent company in China provided a cash injection to help repay BNY Mellon and manually processed trades with the custody bank's assistance. On 10/11/2023, ICBC confirmed details of the attack and made them public. The company stated it was investigating and progressing with recovery. The bank successfully cleared Treasury trades executed on November 8 and repo financing trades done on November 9. However, some market participants reported unsettled trades, affecting market liquidity. On 13/11/2023, a LockBit ransomware gang representative claimed that ICBC paid a ransom. This claim is not independently verified, and ICBC has not, as of 17/11/2023, responded to requests for comment. On 14/11/2023, ICBC's management team flew to the US to address the fallout. Analysis: LockBit is a sophisticated threat actor, operating primarily under a Ransomware-as-a-Service (RaaS) model, enabling affiliates to carry out attacks using its malware in exchange for a share of the profits. 
Since its emergence in 2019, LockBit has rapidly evolved into one of the world's most prominent ransomware threats, known for its aggressive tactics. The group's activities often target critical infrastructure and major corporate entities, resulting in significant operational and financial impacts. It's widely speculated in the cybersecurity community that the group operates with a degree of impunity within Russia, as long as their attacks are primarily focused outside of Russian territory. This perceived tolerance by the Russian authorities is a common trait among several ransomware groups. LockBit has targeted businesses in several sectors throughout the European Union, including real estate, manufacturing, and logistics. In 2021, LockBit targeted Irish corporation Accenture, one of Europe’s largest IT consultancy firms. The ransom demanded by LockBit was 50 million dollars. When the ransom was not paid, massive amounts of the exfiltrated data were leaked, which included proprietary information from an unspecified number of firms. This particular incident is unique in that a major Chinese institution was attacked by an entity that has some degree of cooperation with the Russian government. US and Chinese authorities are both likely to respond with some degree of force. The costs of cyberattacks globally continue to rise. Paired with the recent DP World Australia attack, this is likely the second event in only two weeks to have over one billion dollars in potential impact. The attackers exploited a vulnerability known as Citrix Bleed, which allows attackers to hijack authenticated connections and bypass authentication measures. These hijacked sessions can persist even after patching, enabling further network penetration and escalation of privileges. The attackers could potentially have access to ICBC’s systems in the future. 
Conclusion: While the specific financial implications for ICBC's parent company in China are not expected to be crippling due to the swift response, the attack underscores the growing cybersecurity threats to global payment networks and financial institutions. As global payment systems increase interconnectivity, even between entities in Chinese, North American, and EU markets, the potency of cyberthreats such as ransomware will increase. The incident raises concerns about the resilience of the Treasury market and is likely to attract regulatory scrutiny. The event also has the potential to open doors for international cooperation in the field of cybersecurity enforcement. While the US and China have a history of being competitors in the cyber domain, the need for cooperation in this incident may establish some of the legal precedent for a combined response.

  • Threats to European Businesses from China’s Anti-Espionage Law

    Dyami Insights Analysis The Chinese Communist Party under Xi Jinping seeks regime security above all else, with China’s security services accusing its own citizens and foreign businesses of espionage. On November 12, BusinessEurope, a representative of commercial lobby groups from around Europe, warned that Beijing’s anti-espionage laws threaten to push decoupling with China. The CCP counter-espionage law, effective from July 1, broadened the definition of espionage, which could now cover any organization perceived as unfriendly by the PRC. The definition of what constitutes a ‘threat’ is intentionally vague as well, and gives Chinese authorities wide latitude to detain any foreign interests on suspicion of espionage. This drive for securitization poses risks to European businesses, and governments need to recognize the significance of this shift in managing security threats. Regime Security above Development The Chinese leadership under Xi Jinping is moving away from economic development to a focus on national security. To this end, Chinese security officials investigated US management consultancy firms, Bain and Company and Mintz Group on charges of being “accomplices in overseas bribery, espionage, and extraction of national secrets and intelligence”. Chinese security officials confiscated mobile phones and laptops, and detained employees. These consultancy firms work in the field of business intelligence, providing information on Chinese companies for foreign business organizations, which grew along with China’s emerging, but notoriously opaque, economy. The primary reason is that Chinese authorities are wary of information gathering for perceived intelligence purposes. Chinese authorities investigated US-owned Capvision for allegedly paying Chinese military and high technology experts to obtain state secrets and intelligence. Capvision works with Chinese financial institutions for foreign companies to provide insights into commercial sectors. 
The company allegedly stole the state secrets, violating the national security law in pursuit of economic interests. China’s priority of state security makes it harder and riskier for European companies attempting to make financial decisions in the country. China’s perceived threats to national security also extend to the financial sector. On November 3, China’s Ministry of State Security, the intelligence and secret police agency of the CCP, pledged to actively protect the country’s financial stability as a matter of national security. In a WeChat post, the Ministry of State Security suggested that some countries had been actively spreading bearish sentiment about China’s financial assets and undermining investor confidence in the country. This came as investments began leaving China due to stalling economic growth, low interest rates, and rising geopolitical tensions with the US. In light of China’s current government neglecting to improve job prospects for new graduates, or address the yawning inequality between coastal and inland regions, Xi’s political coalition has doubled down on regime security above all else. Trade Deficits in EU-China relations As Chinese authorities’ anti-espionage investigations into US companies come as US-China relations worsen, there are also concerns that European businesses could be targeted. EU policy on China is shaped by national priorities and does not speak with a single voice, yet there is a transition taking place. China’s close relations with Russia over its war in Ukraine, tensions over Taiwan, and Xinjiang human rights abuses are pushing EU member states and EU institutions to take a harder stance on China’s economic dependencies. Another weakening point in the relationship is the ballooning trade deficit with China (see fig. 1 and 2). The EU trade deficit with China has widened from €200 billion in 2020 to €400 billion in 2022. 
This has led to the EU Commissioner for Trade, Valdis Dombrovskis, arguing that the trade deficit with China was too large and needed to be brought down. This has triggered complaints of unfair trade practices, and a lack of access to China’s market for European companies. EU policy has reacted by creating a number of protectionist measures on China’s imports into the EU. The EU Commission’s launch of an investigation into state subsidies for Chinese-made electric vehicles in Europe in September 2023 marked an aggressive turn in trade relations between the EU and China. There are also further EU Commission plans to launch anti-subsidy probes into wind turbine technologies made in China. Didier Reynders, the acting EU competition commissioner, said that cheap Chinese imports could threaten European businesses, and suggested a similar probe into state-aid funding for wind turbines. Beijing quickly shot back that these were “protectionist” measures from Brussels, accusing the EU of weakening domestic productivity rather than China’s state subsidies. President Xi Jinping has appealed to Germany’s president Olaf Scholz directly to put the brakes on the looming trade war with Beijing. However, the trade deficit and EU calls for protectionism are likely to become louder in the future. More confrontational protectionist voices in member states could find a good audience in the growing urgency over China’s dominance of supply chains, critical minerals, and a potential clash over Taiwan. In this case, European businesses could be seen as security risks to the Chinese state. Dangers of Decoupling The intelligence alliance, Five Eyes, warned that a total decoupling of western economic links to China is unrealistic. However, the Chinese Communist Party's turn to regime security above economic ties under Xi Jinping poses acute security threats for European organizations in China. 
EU-China relations are still at a crossroads, but growing hawkishness in EU-China trade relations indicates that Chinese authorities may pose a threat to European interests in China in the future.

  • Intelligence/Research Analyst Internship

    Do you want to join our team and start your career in the security and intelligence world? Dyami is searching for one or two intelligence/research analysts for the first 2024 internship period (February to June/July)! Who are we? In a world with ever-growing and ever-evolving risks, organizations need bespoke and agile solutions to fulfill their duty of care and protect their operations, both at home and abroad. Dyami, a full-service strategic security provider, lives by its mission statement of enabling you to thrive; safely and successfully. To do this, our team provides strategic outlooks and analyses, security risk and threat reports, travel security advice, aviation services, and diverse types of training. At dyami, you will be working alongside a team of analysts and security experts with backgrounds in the private, public, and non-profit sectors. Job Description: The intern will work within the intelligence unit at dyami and report to the Lead Analyst. Your responsibilities and taskings will include: Following and analyzing current and emerging local, regional, and international security trends. Contributing to research, identifying security-related issues in volatile environments and conflict regions. Helping with research and risk assessments for stakeholders. Contributing to Dyami’s intelligence cycle. Assisting in the day-to-day operations of a start-up company. Who are we looking for? Someone with a great ability to critically analyze qualitative information and to be a team player. Good organizational and communication skills, including writing clearly and concisely. Someone who is preferably enrolled in or has recently graduated from a master's program in security studies, conflict studies, international relations, intelligence/crisis management, journalism, or any related field. Excellent command of English, both spoken and written. Fluency in any additional languages is a strong plus. A flexible attitude is essential, as Dyami B.V. 
is a young and rapidly growing company. You also must possess an international mindset; intercultural sensitivity is important. Please note: you have to be located in the Netherlands and able to reach our office in Utrecht. What we offer: Practical learning opportunities to apply your analytical capabilities to real-world situations. An opportunity to develop professional analytical writing skills. Substantial feedback on your work by a variety of experts. Exposure to intelligence and security and risk management research methodologies. Exposure as an analyst on our website, social media, and through the extensive network of our team. The opportunity to work in a young and growing company. Internship allowance: This internship offers €350.00 gross a month for a 40-hour work week. Interested? If you are interested in applying for this position at dyami, please send the following documents: A CV; A brief cover letter that mentions your main topic(s) of interest (max one page and can be attached as email text); One writing sample of around 2 pages, preferably about a specific country, conflict, or current geopolitical situation. This can be an extract of previous (academic) work. Please send your application to: alessia@dyami.services, with the topic “Application Intelligence/Research Analyst internship. (YOUR NAME)” before December 10, 2024. This internship follows conventional 09:00-17:00 work hours, Monday through Friday. The start date is in February 2024 and it is expected to end in July 2024.

  • Australian Ports Impacted By Massive Cyber Attack

    Date: 13/11/2023 Where: Australia (Sydney, Melbourne, Brisbane, and Fremantle) Who’s involved: Dubai Ports International (DP World) Australia, Australian Government, Undisclosed Threat Actor What happened? There was a significant cyber security incident first detected late on Friday, 10/11/2023 involving major Australian ports operated by DP World Australia, the country’s largest container terminal operator. They are responsible for handling 40% of maritime freight at their respective ports. This incident has led to the shutdown of ports in Melbourne, Sydney, Brisbane, and Fremantle. Activities from DP World Australia were halted from 10/11/2023 until 13/11/2023. DP World Australia considered the incident so significant that it took its systems offline for quarantine. The Australian government has acknowledged the severity of the situation, describing it as a “significant cyber security incident” that could last several days. The response is being coordinated at a governmental level, with efforts underway to assess the full extent of the impact on port infrastructure. On the morning of 13/11/2023, DP World Australia said that they would resume operations in a “gradual manner” as the investigation continues. No additional details about a specific threat actor or what systems were impacted have been provided at this time. Statements are still being published about hundreds of containers holding up traffic. Analysis The fact that DP World Australia had to disconnect its systems from the internet suggests a breach with potential for extensive network infiltration, possibly a ransomware attack or an advanced persistent threat (APT), a highly skilled threat actor that may have been planning the attack for some time. The lack of ransom demands, however, might indicate a different motive such as espionage, disruption, or a state-sponsored attack aiming to destabilize critical infrastructure. 
Considering the scale and impact, this could be the work of a sophisticated cybercriminal group or a state-sponsored entity. The choice of target – a major port operator – hints at possible geopolitical motivations, suggesting the involvement of a nation-state actor or an APT group with backing from a nation-state. China is regarded as Australia’s primary regional competitor in exports. Given its recent history of engaging in cyberespionage with many of its neighbors–including the Philippines, Malaysia, Japan, and Singapore–a China-based APT would be a highly plausible culprit. That said, China is not the only nation housing threat actors with these capabilities, and isn’t the only regional power that would stand to gain from crippling these shipments. In addition, the two nations have recently engaged in talks to improve relations, and a state-sponsored incident like this would be ill-timed. DP World is no stranger to controversy. In the context of the war between Russia and Ukraine, DP World is considered a “sponsor of war” by the Ukrainian government, as they are one of the most notable logistics companies that did not cease business with Russia in light of the invasion. Alignment with Russia, or even the perception of it, has been the reason many organizations have suffered cyberattacks, though admittedly none known to be of this severity. Conclusion While the situation at DP World Australia’s ports is still ongoing, it represents the latest example of the vulnerability of global supply chains to various types of disruptions that can be perpetrated through cybersecurity-related incidents. The lack of clarity regarding the identity and motives of the threat actors means that recommendations for response and mitigation are limited for the time being. 
While the possibility of a China-based APT as the perpetrator aligns with the broader context of regional competition and recent cyber espionage activities, the absence of concrete evidence calls for caution against premature attributions. This incident also sheds light on the geopolitical dimensions of cyber warfare, where entities like DP World, which have significant international presence and political connections, can become focal points of cyber conflicts due to their strategic importance and affiliations.

  • Intel Brief: Hezbollah in South America

    Date: 10/11/2023 Who’s involved: Hezbollah, Mossad, Jewish community in South America, drug cartels. What happened? On 08/11/2023 the Brazilian police, in combination with the Israeli secret service Mossad, arrested two individuals with links to the Iranian-backed terrorist organization Hezbollah on suspicion of wanting to conduct a string of terrorist attacks in South America. On 09/11/2023 the Brazilian Minister of Justice denied any Israeli involvement in the case and said it had been an ongoing operation that had started before 07/10/2023. Since the Palestinian terrorist organization Hamas conducted an attack on Israeli territory on 07/10/2023, killing 1400 Israeli civilians, Israel has been waging a war against Hamas in the Gaza strip. Multiple South American countries have openly condemned Israel for the killing of civilians in Gaza and have recalled their ambassadors. Bolivia, Chile and Colombia have been very vocal in their disapproval of Israel’s retaliatory actions against Hamas. Argentina and Brazil have openly protested against Israel’s actions but have not been as outspoken as the aforementioned countries. Hezbollah is known to have deep ties in South America by aligning itself with the Brazilian drug cartel The First Capital Command. Together they smuggle drugs, launder money and ship weapons across the globe. Hezbollah is known to have more ties with drug cartels across Europe and Africa in order to finance their operations. Iran, which gives military, financial and logistic support to Hezbollah, has in the past sent IRGC (Islamic Revolutionary Guards Corps) advisors to South America in order to help set up a terrorist network. In the 1990s Hezbollah conducted several terrorist attacks in Argentina targeting Jewish and Israel-aligned institutions. On 17/03/1992 a suicide bomber detonated himself close to the Israeli embassy in Buenos Aires, killing 29 people and wounding 242. 
On 18/07/1994 a suicide bomber detonated himself inside the Jewish Community Center in Buenos Aires, killing 80 people and injuring over 300. On 19/07/1994 a man on a Panamanian flight detonated himself and killed all 21 passengers, of whom 12 were Jews. Investigators found that Hezbollah mainly operates in the Triple Frontier area, the three-way border between Brazil, Argentina and Paraguay, which has a large Muslim population and is also a popular area for drug cartels to operate in. There are large Jewish communities in South America, with Argentina and Brazil having the two biggest communities. The Jewish community has issued warnings to its members that since the Hamas attack on 07/10/2023 there has been an increase of nearly 700% in antisemitic behavior across South America. Analysis: Even though it is not widely known, South America is home to large groups of Jewish people. After the pogroms in Eastern Europe at the end of the 19th century, large groups of Jews found a new home in South America. After the Second World War there was a new influx of Jewish people who decided that Europe was no longer safe for them. It is estimated that there are over 300.000 Jews residing in South America, with the majority in Argentina and Brazil. This has led to terrorist organizations that claim to fight for the Palestinian cause focusing some of their operations on South America. The other reason terrorist organizations have an interest in South America is the fact that they can make a lot of money smuggling drugs and weapons for and with the drug cartels. Even though Iran funds and arms Hezbollah in large amounts, the organization feels the need to have another stream of income and the drug trade is the easiest way for a terrorist organization to get large sums of money. This also means that they can use the trade routes and infrastructure of the cartels and they can share knowledge on how to avoid law enforcement detection. 
With the drug cartels being a multi-billion dollar industry that operates transnationally and transcontinentally, there is a lot of knowledge and power at the disposal of groups like Hezbollah. With the ongoing conflict between Israel and Hamas it is likely that pro-Palestinian terrorist organizations like Hezbollah will target Jewish communities across the globe. If local South American leaders openly show support for the Palestinian side and condemn Israel it is likely that this will lead to South America becoming a breeding ground for antisemitic sentiments, where in the past this was not the case, even under far-right dictatorships across the continent in the second half of the twentieth century. With security agencies across Europe and North America heightening their vigilance on terrorist activities aimed at Israel or the Jewish community it is likely that groups like Hezbollah will try and find other places to conduct terrorist attacks. South America seems to be high on the ladder of importance for Hezbollah because it already has support and an infrastructure in place there. Conclusion: It is imperative for the Jewish community in South America to keep a close eye on security issues regarding the Israel-Hamas war. Terrorist organizations like Hezbollah can easily find their way to weapons, explosives and manpower in the so-called Triple Frontier in cooperation with the First Capital Command drug cartel. It is not unlikely that a terrorist attack against the Jewish community or Israeli interests will take place in Argentina or Brazil. The attacks in the 1990s show that Hezbollah has the capabilities and willingness to conduct large-scale attacks in South America. The recent arrests in Brazil only show that the Hezbollah network is still in place. 
The Israeli secret services are capable, but with the vast network and connections Hezbollah has it is unlikely that Israel will be able to entirely neutralize the terrorist threat to the Jewish community in South America.
