Search dyami insights

  • Intel Brief: Two Ransomware Gangs Attempt To Collect From Peruvian Army

    Date: 27/3/2024 Where: Peru Who’s involved: INC RANSOM, RansomEXX, Peruvian Ministry of Defense What happened? Since the night of March 24th, the RansomEXX Ransomware gang has claimed to have stolen nearly 800GB of data from the Peruvian Ministry of Defense. The following day, another ransomware group, INC Ransomware, claimed to have also successfully attacked the Ministry, specifically the Army. This claim was that a smaller amount of data (500 GB) was taken. Previews of the leaked information do seem to confirm that both groups have come into possession of personally identifiable information. Both seem to come from the same data. Analysis: If RansomEXX was the threat actor responsible for the initial attack, it would be their first ransom carried out in nearly four months. Their last claimed successful attack was in early December, against Kenya Airways. RansomEXX has been active since at least 2018 and is linked to the cybercriminal group, Gold Dupont. RansomEXX is a very sophisticated threat actor in the ransomware space. Both groups use a ransomware-as-a-service (RaaS) model, which means that the groups sell their tools to other threat actors for a cut of the ransom proceeds. Other large groups such as LockBit operate similarly. The RansomEXX and INC Ransomware groups deploy multi-extortion activities, which include stealing victim data and threatening to leak it online unless their demands are met. Their messages to victims typically involve leveraging the threat to their reputation, which is significant when dealing with a government institution. While ransomware groups primarily target sectors like education, healthcare, and industrial services due to their high dependency on continuous operations and data availability, military departments are not typically the primary focus of most ransomware campaigns. The incident has largely remained out of Peruvian news. 
The motivation behind targeting sensitive sectors, including potentially military departments, involves a combination of factors such as the perceived ability to pay large ransoms and the critical nature of the services they provide. There is no indication that the incident is connected to any motivation outside of a still undisclosed amount of money from the ransom. Conclusion: The simultaneous ransomware attacks on the Peruvian Ministry of Defense by INC Ransom and RansomEXX mark a notable escalation in the landscape of cyber threats against military institutions. This incident highlights the evolving brazenness of ransomware gangs, who are increasingly targeting high-value and sensitive sectors for substantial financial gains and potential geopolitical leverage. This incident not only reveals that vulnerabilities present in the private sector are also present in national defense structures, but also suggests a future scenario wherein nation-states can deploy more deniable assets to steal data from adversaries. The overlapping claims by both ransomware groups suggest a possible convergence or competition within the dark web’s criminal ecosystem, complicating the response strategies for affected organizations.

  • Intel Report: Ukraine war, what has been happening, and what to expect?

    Date: October 2023 - September 2024 Who is involved: Ukraine, Russia, US, EU, Iran, North Korea, China In this report: What has been happening? Expectations Conclusions What has been happening? In order to get an understanding of where the war is likely going, it is important to look at the major events and factors that have happened and influenced the war in the past months. Eastern front Arguably the front that saw the most Russian successes, albeit minor ones. While the taking of the town of Avdiivka in the Donetsk Oblast was widely covered and presented as a key event in the war, on the bigger scale it did not make a significant difference. While Russia hoped for a major breakthrough, the Ukrainian army, Zbroini syly Ukrainy (ZSU), has managed to stabilize the lines right behind Avdiivka. Russia now seems to be focused on taking as much ground as possible before the mud season starts again in Ukraine. Russia is now focusing its attention on the Kharkiv Oblast’s town of Kupyansk, to take it and use it as a staging ground for another attempt at taking Kharkiv. Until now, however, Russia’s attempts have been unsuccessful. On the other hand, Ukraine has not made any territorial gains for months, and seems to prioritize digging in and damaging its enemy as much as possible, as opposed to performing assaults and taking ground back. Attacks on energy infrastructure As announced, Ukraine has managed to ‘bring the war to Russia’. Ukrainian strikes have reached further into Russia than they have before, striking important industrial and some military targets. The refineries struck so far produce collectively around 30% of Russia’s oil output. However, not all of these refineries were put out of action. Due to these strikes, Russia has stopped its gasoline export for six months to most of its customers, such as Libya, Nigeria and Tunisia, starting in March 2024.
Russia has also increased its attacks on Ukrainian energy infrastructure, military factories and ammunition depots, often employing Iranian-made drones. In March, the biggest attack since the start of the war took place and was carried out with approximately 150 drones and missiles targeting the energy infrastructure. It managed to cut off energy supplies for more than a million Ukrainians, with Kharkiv being especially affected. Emergency power outages have been implemented to reduce the load on the energy network. Airstrikes also targeted the western areas of the country, which were previously quieter. The attack temporarily cut off the main power line for the Zaporizhzhia nuclear power plant, although it was restored shortly after. Western slowness in supplying air defense systems has impacted Ukrainian ability to fend off these attacks, while the supply flow of Iranian-produced drones for Russia remains steady. Foreign support for Russia Russia has been seeking support from many countries in an effort to develop new economic and military ties and counter Western support for Ukraine. North Korea has been openly supportive of the Russian offensive in Ukraine and has supplied Russia with more than 10,000 containers of artillery shells and military equipment since the start of the conflict, in exchange for food and other types of aid. North Korean military factories are producing at full capacity to support Russian operations. Russia is also allegedly providing North Korea with fuel and technological knowledge that could expand North Korean satellite and nuclear-powered submarine capabilities. China has maintained a more ambiguous stance on the war, at times posing as a mediator and refusing to supply lethal weapons to Russia. Nonetheless, Russia has strengthened its economic cooperation with China to which it has redirected trade to lessen the impact of Western sanctions. 
China has benefited from cheap Russian oil and gas and has supported Russia with non-lethal weapons. Iran has been supporting Russia with UAVs and weapon systems, even opening a factory of Iranian drones in the Russian region of Tatarstan and offering newly developed models to its army in January 2024. Reportedly, Iran is also considering transferring ballistic missiles and related technology but the deal is not yet definitive. Foreign support for Ukraine Western support for Ukraine is currently vacillating. The US government has struggled with approving new bills to aid Ukraine as the Republican Party has been opposing government bills both in the Senate and the House of Representatives, of which it retains the majority. This has been the case especially with a $60 billion aid bill that has been stuck since August 2023. This has further strained Ukraine’s situation, as military aid has been delivered too late according to Ukrainian needs and has complicated the situation on the battlefield. The European Union has started stepping up its support to Ukraine to try to fill the gap left by the US, with some difficulties. At the beginning of February, the EU managed to approve a €50 billion financial support package for Ukraine after overcoming Hungarian opposition. European countries have also stepped up military aid and agreed on a €5 billion fund for a collective boost to military aid. Moreover, the European Commission is elaborating a plan to use the interest earned on frozen Russian assets to fund the purchase of military equipment to support Ukraine. On the other side, European economic ties with Ukraine have sparked rage among farmers in many countries, especially Poland. Polish farmers, challenged by cheap Ukrainian imports, repeatedly blocked the border with Ukraine to demand a stop to these imports. Crimea The Crimean peninsula has become a hotspot for military activity.
The peninsula houses the Russian Black Sea fleet and the Kerch bridge, which connects it to Russia, and it is in range of Ukrainian systems. From Special Forces raids to complex airstrikes, Crimea has seen some of the most successful actions in the past months. These included targeting and destroying ships in port and striking officers’ quarters and military leadership buildings. Crimea is one of the two supply routes for Russian troops near Kherson and those stationed in Crimea itself. All of these supplies transfer over the Kerch bridge, explaining why it is a priority target. Ukraine hit and damaged the bridge a couple of times during the war, but until now it has not fully destroyed it. If successful in this task, it would force Russia to supply its entire Southern front and Crimea itself through the territories it occupies in Ukraine. As the most effective way for Russia is railroad supply, this would put the continuity of these supplies at great risk. Russian volunteers fighting Russia Reminiscent of last year, another incursion into Russia is (at the time of writing) occurring, performed once again by Russian nationals. The timing of these incursions, which started on 12 March, was likely due to the upcoming elections, in order to counter the image of domestic order under the control of the Russian government. A key difference this year is that an extra brigade joined the action – the Siberian battalion. This battalion was established to recruit people from the Siberian minority groups, who are unequally affected by the war and are relatively more likely to be sent to and killed in Ukraine. They joined the fighting against the Kremlin alongside the Freedom of Russia Legion and the Russian Volunteer Corps. The number of people in these groups is relatively small, likely thousands, compared to the Russian military. This means that even though the groups are successful in the Belgorod and Kursk regions, the territorial gains are not significant.
However, the groups’ activity does force Russia to move troops to these regions and away from Ukraine, helping the latter in its war effort. Black Sea Albeit often overlooked by the media, the Black Sea is where Ukraine has arguably achieved its biggest successes in the past year. The Black Sea between Crimea and Odesa used to be a common missile launching site for the Russian Black Sea Fleet. From there, it would target the more western cities of Ukraine such as Odesa and Lviv. These missiles going for Western Ukraine would even overfly or closely pass by Moldovan airspace. Ukraine has sunk over 33% of the Russian Black Sea fleet, severely impacting its capabilities. Ukraine also recaptured or relieved the oil platforms in this section of the Black Sea, destroying or taking Russian Electronic Warfare systems. Robotyne The town of Robotyne, the endpoint of the Ukrainian counteroffensive last year, now sees combat action with Ukraine on the defensive. Russia has tried to take this settlement, presumably to start a collapse in the Southern defenses of Ukraine. Of note is the use of T-55 tanks over 60 years old in an assault role, which up until then had only been seen in an improvised artillery role. As of writing, the Russian assaults have not been successful. Krynky Krynky is a small foothold near Kherson held by Ukraine, across the Dnipro river. Even after extensive fighting, the ZSU managed to hold onto the small town. It was first thought that the small town was used as a staging ground for operations on the Russian-held side of the river, but it seems that Ukraine holds on to it as a ‘thorn in the side’ of Russia, as well as to inflict maximum damage to any Russian units sent to reconquer the town. It is unclear how large the cost is for Ukraine to be present in Krynky. Expectations Russian Summer focus It is likely that after the coming mud season, Russia will launch an offensive again. The focus will likely be Kupiansk and Kharkiv.
On top of the Ukrainian defenses already in place, a possible successful Ukrainian offensive in the coming summer would help in countering this threat. However, Russia has held the upper hand in the war for the past months and, due to slow western support, it remains to be seen whether Ukraine can regain the upper hand in the second half of 2024. In a recent announcement, Russian defense minister Shoigu stated that by the end of the year, Russia is planning on forming two new armies. As announced, these two armies will be made up of 16 new brigades and 14 new divisions. This will need a total of around 450,000-500,000 men to be recruited or mobilized, and the necessary weapons and vehicles prepared for action. Whether these plans are realistic, especially on the equipment part, remains to be seen. The manpower is likely to come mostly from mobilization of minority groups. The purpose of these new armies is up for speculation; whereas some expect they will be used in an attempt to ‘steamroll’ Ukraine, others worry that Putin is preparing for an offensive against NATO. Ukrainian Summer focus Ukraine has announced plans for another attempt at an offensive for the coming summer. After the failure of last year’s offensive, likely due to a shortage of (promised) supplies and leaked battle plans, Ukraine aims for more success this year. The most likely goal would be another attempt at liberating Melitopol. The city is one of the closest major cities near the front line, and serves as a logistical hub for the Russian army. A wildcard attempt at liberating Crimea is a minor possibility, and would be a high-risk, high-reward scenario. Limiting Ukrainian plans is slow western support, especially US support. While some of the anticipated F-16s might be operational in time for the summer and will certainly be a helping factor, they are not likely to be game changing.
Developments in the West Support for Ukraine in the West will likely remain uncertain, as many stakeholders are working against it and will likely continue to do so. Ukraine has already become a central issue in electoral campaigns, most notably in the US with the Republican Party presidential candidate Donald Trump stating he will stop supporting Ukraine if he becomes president. The Republican Party will likely continue to obstruct new aid bills in the US Congress, especially coming closer to the November presidential election. This will make the approval process of new aid for Ukraine long and uncertain, affecting its ability to advance and retake territories. Tensions will likely remain in the EU as well, as Hungary and possibly Slovakia are taking increasingly pro-Russian stances in the European Council. The stance of Slovakia may be influenced by the results of the March-April 2024 presidential election, which sees a close race between pro-Russian candidate Peter Pellegrini and pro-EU candidate Ivan Korcok. These obstructions will probably impact the European Commission’s plan to use the interest earned on frozen Russian assets to finance the purchase of weapons for Kyiv. While the European Commission is seeking a more proactive role in supporting Ukraine, a new opposition front might arise as Austria, Ireland and Malta, traditionally militarily neutral countries, are increasingly concerned about supplying weapons and munitions to Ukraine. Ukraine’s trade with European countries will also likely be impacted as European farmers demand a solution to the disruption caused by cheaper Ukrainian tariff-free imports. Nevertheless, Ukraine can count on the support of many European countries and they might decide to act separately from the European institutions in order to bypass obstructions by other countries. Conclusions The war in Ukraine is far from over.
Russia dictates the direction of the war, without caring for losses, while Ukraine is fully on the defensive, inflicting as much damage as it can on the Russian army. The race seems to be between Russia grinding down the Ukrainian defenses, and Ukraine receiving more help from the West (mainly Europe), as well as being able to effectively start and increase weapon production in its own territory. For now it seems unlikely that NATO will directly join the conflict in any form. The West’s willingness to provide Ukraine with virtually limitless help has drastically diminished and, as a result, Ukraine is preparing to rely on its own production capabilities. Russia and specifically the Kremlin seem to be stuck in a sunk-cost fallacy. Therefore, it is unlikely that it will give up its goals in Ukraine unless it suffers a total defeat on the battlefield.

  • Intel Brief: Nigeria’s food security struggles

    Date: 22/03/2024 Who’s involved: Nigerian government, insurgents and gangs, herder and farmer communities What happened? On 03/03/2024, hundreds of people looted a government warehouse in Nigeria’s capital, Abuja, followed by thousands of Nigerians rallying against soaring living costs on 05/03/2024. Nigeria's emergency agency responded by strengthening security at its warehouses. On 27/02/2024, protests broke out following the nationwide demonstrations organized by labor unions to voice their opposition to economic problems. On 23/02/2024, several individuals were fatally trampled outside the Lagos customs office in a stampede caused by the sale of discounted bags of rice. The customs agency stated that the disbursement of the rice bags was a strategy of the government "to address the critical problem of food scarcity". On 07/03/2024, at least 287 school children were kidnapped by militant insurgents in Nigeria’s northwestern Kaduna State. Earlier that week, on 03/03/2024, at least 50 people were kidnapped from a camp for internally displaced persons in northeastern Nigeria, followed by another kidnapping of at least 15 pupils from a school on 09/03/2024. In this region, Boko Haram and Islamic State West Africa Province (ISWAP) operate frequently. On 14/03/2024, sixteen Nigerian soldiers were killed in Delta state while on an operation to stop fighting between the Okuama and Okoloba communities over a land dispute. There are often violent confrontations over land disputes, fishing rights, or demands for compensation due to oil spills. On 17/03/2024, Nigerian soldiers attacked the Okuama community after President Tinubu labeled the 14 March attack as “a direct assault on the nation”, prompting a response. While searching for those accountable for the killings of 14 March, the soldiers plundered communities and set fire to houses.
Analysis: Over the last couple of weeks, Nigeria has experienced several attacks on grain storage sites, following a spike in living costs and a 30% increase in the food inflation rate. In 2023, President Tinubu made efforts to remodel the economy and removed long-standing fuel subsidies, claiming that this would reduce Nigeria’s debt. This was a widely unpopular move as it caused soaring inflation, especially for food. The deepening economic crisis is likely to worsen existing security concerns in Nigeria as crime, armed groups, and corruption rise in the country. Armed groups have targeted vital sources of income for the country in recent years. Theft and vandalism of pipelines in the Niger Delta have led to insecurity in the region, a drop in oil production, and international underinvestment in the sector. The energy infrastructure in the south remains vulnerable to attacks as long as socio-economic issues persist. Confrontations between nomadic (Muslim) herders and native (Christian) farmers stemming from disputes over land have resulted in recent clashes with fatal outcomes. Farmers are also regularly forced by gangs to abandon their fields or pay extortion fees to access their own land. These factors impact food production, resulting in food shortages and increasing prices. In the north of Nigeria, Islamist insurgents and criminal gangs regularly stage large-scale kidnappings and frequent attacks on villagers and travelers. In some cases, huge sums of money have been transferred to the criminal parties, enabling them to acquire more weapons and recruit adherents. Kidnappings and attacks will persist and increase, given the lucrative nature of the crime. Conclusion The lack of affordable food is prompting looting in Nigeria’s capital, Abuja, and demonstrates how the country’s deepening economic crisis is having major security implications for its population.
The World Bank has declared that Nigeria is experiencing ‘crisis food security’ levels, due to the persistent insecurity and armed conflict. Given that the government is sticking to its policy of cutting fuel subsidies, further raiding of warehouses, protests and discontent are likely to spread to urban centers.

  • Intel Brief: “ITG05”, New Russian GRU Cyber Campaign Targets NGOs, Governments

    Date: 22/03/2024 Where: Europe, Central Asia, North and South America Who’s involved: IBM “X-Force” (threat intelligence), various cyber threat intelligence groups, APT28 AKA Fancy Bear (Russian State-Sponsored Threat Actor), ITG05 (identified group or campaign) What happened? Since mid-March 2024, IBM’s Threat Intelligence “X-Force” has been releasing findings on a new phishing campaign to steal sensitive information by targeting governments and NGOs across four continents. The campaign, identified as “ITG05”, has significant overlap with APT28, famously identified as “Fancy Bear”. APT28 is connected to the Russian GRU, which means ITG05 is very likely part of a Russian military intelligence operation. Ukraine’s CERT-UA identified the campaign as a threat as early as December, identifying one of the tools that would later be attributed to the ITG05 campaign. As of late February 2024, ITG05 has been conducting phishing operations, both targeting and impersonating organizations from countries including but not limited to Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States. Analysis: Reports from X-Force claim that the tools, tactics, and procedures observed in the ITG05 campaign strongly resemble those of Fancy Bear. The sustained operational intensity and evolving methods of ITG05 indicate that the group will continue to carry out malicious activity against global targets to support Russian state objectives. The phishing efforts orchestrated by ITG05 contain a blend of documents: some are sourced from public records while others seem to be crafted by the attackers. The lures used by ITG05 span a wide array of themes and attempt to draw in targets, encompassing areas like finance, essential infrastructure, senior executive meetings, cybersecurity, maritime safety, healthcare, and defense manufacturing. Many of the “lure” documents were designed to appear related to events happening in Israel and Palestine.
The backdoor malware known as MASEPIE was found in emails directed towards Polish and Ukrainian government organizations as early as December 2023. APT28 was the Ukrainian government’s chief suspect at the time. APT28 and ITG05’s objectives are typically dedicated to obtaining access to adversarial systems, reconnaissance, and intelligence collection. Conclusion: The ongoing ITG05 campaign shares significant activities and tactics with APT28, and highlights the sophisticated and persistent nature of Russian state-sponsored cyber operations. This campaign's wide geographical scope and targeting of government and non-governmental organizations underline a strategic approach aimed at intelligence gathering, influencing geopolitical landscapes, and advancing Russian state interests. The diverse themes of the phishing lures, ranging from finance and infrastructure to geopolitical events, demonstrate ITG05's adaptability and targeted approach to engaging different victim profiles. The use of the MASEPIE backdoor, in particular, points to a focused effort on maintaining persistent access to high-value targets for long-term espionage and data exfiltration activities.

  • A European War Economy?

    Written by Elena de Mitri With the ongoing war in Ukraine and recent comments by the US presidential candidate Donald Trump signaling a decrease in US military support to European allies, governments have sought to extensively improve their defense capabilities so that they will be able to autonomously defend the continent. Many European countries have announced increased defense spending for 2024. The increase will likely include additional military aid to be delivered to struggling Ukraine, at a time when Russian industrial capacity hasn’t faltered despite the sanctions. Some politicians have called for an industrial focus on defense capabilities, dubbing it a ‘war economy.’ But what would a “war economy” look like? While in 2023 only 9 European countries were meeting the 2% spending target set by NATO, it is expected that this number will increase in 2024. NATO secretary general Jens Stoltenberg has announced that 18 countries will meet the spending target in 2024 and it is highly likely that many European countries will be among them. These initiatives point to a possible future change in the continent’s economic and industrial landscape as the defense industrial base is adapting to address the potential security threats posed by Russia’s destabilizing activities in the continent. Financial changes With the start of the Russian invasion of Ukraine, many European countries sought to support Ukraine by supplying military equipment and ammunition. As a consequence, their stockpiles have been severely depleted. Current defense expenses are mainly targeted at replenishing stockpiles and updating outdated equipment. But in order to permanently expand their military capabilities, European countries will have to rethink how they allocate their finances. The increased spending on defense will certainly require additional funding.
With tax increases and issuing debt considered by economists as unfeasible options, the additional funding will likely come with cuts from other areas, such as climate transition and social spending. Social spending in particular has benefited from the European reliance on US defense spending to protect European territory. Widespread defense cuts after the end of the Cold War contributed to the establishment of the European welfare states in their current form. In order to enact the necessary cuts, governments will need to convince the population of the necessity of more defense spending, especially in the more skeptical western parts of the European Union. Another option might be the establishment of a debt-funded European defense budget similar to the Covid-19 recovery fund. While this option seems quite appealing, it might take a longer time to materialize due to the slow decision-making process that characterizes the European Union. The European Commission is seeking to play a role in this matter, with talks of a future Defense Commissioner post being established after the next European elections and an announced defense industrial strategy proposal. A key point of this proposal is an expansion of the joint procurement mechanism already set with the short-term European Defence Industry Reinforcement through Common Procurement Act. Joint procurement will likely be a critical part of this policy shift as it allows European countries to purchase military equipment and ammunition in bulk while keeping prices down. Nevertheless, unless member states decide to grant more powers to them, the European institutions will only be able to play a supporting role, subject to the member states’ desire to cooperate and harmonize on defense matters. Defense still is primarily a matter of national policy and it will likely remain dependent on the will of individual governments, especially considering the differences in threat perceptions among western and eastern Europe.
A European defense industry? European countries are still very much dependent on the US defense industry for their military supplies. Nonetheless, European companies are benefiting from current geopolitical events. For example, German company Rheinmetall is currently expanding and opening new factories in European countries to face the increase in demand for its products from 2022. This trend will likely continue, especially considering the European Commission’s interest in strengthening the local defense industry. Buying from European companies will return the investment and contribute to the growth of the continent’s economy. An expansion of the defense sector will eventually provide new jobs and increased tax revenue. Moreover, in the long haul European security will be even stronger due to the autonomy provided by a strong local defense industry. In order to more effectively reap the benefits of this growth, European governments will need to plan their purchases cooperatively, keeping in mind the importance of interoperability and possible future security challenges. While the European defense industry is on average more homogeneous than the US industry, many states still have different priorities when it comes to planning for defense purchases. National armies also retain different rules for equipment and logistics that will likely need to be standardized at a European level to improve interoperability. Cooperation is expected to remain widespread in the field of research and development, which will be fundamental for the future of defense in the continent. Cooperation mechanisms that are already in place, such as the European Defence Fund and the European Defence Agency, will likely be strengthened. Attracting investments will also be important to help the defense sector to expand and support the continent’s defense needs.
As Germany has announced an easing of regulatory hurdles for investments in defense companies, it is likely that other governments will follow soon. Even the European Parliament has called for a change in the rules of the European Investment Bank so that it would be able to invest in defense companies. Joint procurement may provide increased predictability and push companies to expand production lines. Nonetheless, the changes affecting the defense sector will be subject to the desires and objectives of individual governments. European countries have already been arguing about where to buy military supplies, with disagreements over a focus on European companies. But even if European countries agree on buying European weapons, there will likely be lengthy discussions as they need to decide which national companies will be prioritized. The human side of defense A considerable expansion of European military capabilities raises many questions. But among them, one really makes a difference: if security threats materialize, who will be fighting? Only eight European countries still retain active compulsory military service, with some considerably easing the commitment required from citizens. Other countries are considering reintroducing it in the wake of the war in Ukraine, with lighter formats being tested. However, there is widespread skepticism that conscription would still work considering the increasing complexity of the equipment currently employed in European armies and the little time that conscripts spend in training. Moreover, young Europeans tend to be less willing to accept conscription in case of a war compared to previous generations. On the other side, countries that rely on professional armies have seen a decrease in the number of troops for the last few years. Most European armies are currently struggling to meet their recruitment targets. While defense investments are important, governments would also need to increase the appeal of joining the military.
The private security sector is competing to attract new recruits with higher salaries, higher living standards and better benefits, making the army increasingly unpopular. An uncertain future With defense being a prerogative of European Union member states, it is very likely that there will be an increase in multilateral cooperation on defense related matters, in line with the recent trend of joint procurements and research financing. Nevertheless, the changes required to push further the European defense industry require political will and public approval to enact them. Getting public approval will be especially complex in Western Europe, as the perceived threat is weaker than in Eastern Europe. While European institutions are seeking to play a more central role in this matter, some countries have perceived it as an unacceptable meddling into private affairs. National governments and politics will likely continue to be the main influence in future defense developments as defense is still considered a key national prerogative.

  • China’s Covert Operations in Europe

    Written by Britt Verregghen - March 2024 Despite decades of espionage activities by China’s Ministry of State Security (the foreign and domestic intelligence service of the People’s Republic of China), recent cases in Europe show that China’s espionage remains a key concern for European businesses and society. Reports of China’s sophisticated efforts to gather foreign intelligence and influence political opinion in Europe through covert operations have increased. This is due to Europe’s strategic importance for China, as China aims to separate it from the influence of the United States, improve its economic ties and improve China’s image on the continent. Intensifying covert operations make it vital for governments, companies, and individuals to remain proactive in defending against these threats. Covert Operations in Europe There are three main ways in which China’s Ministry of State Security (MSS) conducts its espionage activities and more closely observes threat actors. The first is to take sensitive or confidential information from assessed targets and use it to benefit the PRC’s interests. This could be done through traditional human intelligence operations, cyber intrusions and hacking, or economic/business espionage and exploitation. The second is attempting to influence debates, such as those on EU policies, by infiltrating parliaments and other strategically important institutions, such as universities or policy institutions (influence operations). The third, particularly used by the MSS, is targeting dissidents abroad and trying to repress them. The following cases are examples of these methods. On the 6th of February 2024, the Dutch Military Intelligence Service (MIVD) revealed that signs of espionage operations were found within their computer networks last year. Officials from the MIVD explained that a state actor from China used malware to maintain access to systems from Fortinet, an organization that provides cybersecurity worldwide. 
Although it is a sensitive issue, the MIVD still chose to discuss the matter publicly to create awareness around this subject for other Dutch organizations. The Chinese embassy in the Netherlands responded the following day, saying that they are ‘always firmly opposed to cyber attacks in all forms in accordance with the law.’ Still, the MIVD’s disclosure of the Chinese modus operandi is an indication of the level of certainty about China’s motive and liability. Despite the sensitivity surrounding the breach, the MIVD deemed it necessary to warn all Dutch companies and organizations to improve their systems and infrastructure. China has also performed attacks against other European countries, Belgium for example. In December 2023, a Chinese spy used a far-right Belgian politician to gather intelligence for over three years and bribed him into making anti-European decisions. The politician was at the end of his career, which made him an appealing target. He had a broad network of contacts, but was no longer a high-threat individual in the eyes of the Belgian Parliament. That way he could intervene in discussions in favor of decisions that would ultimately benefit Chinese interests. A similar event came to light in the UK House of Commons, where a British parliamentary researcher was arrested on grounds of spying for China in March 2023. In this case, the person concerned was never granted a security clearance, yet he worked closely with several prominent Conservative Members of Parliament who handled sensitive matters and information. He also publicly advocated for the Chinese community in the UK, but his covert goal was to infiltrate British political networks critical to Beijing. The MSS also targets Chinese dissidents abroad, especially within Europe. For example, China has been placing police stations with their own officers in foreign countries to actively monitor Chinese dissidents living abroad. 
According to the PRC, their goal is to help overseas Chinese with administrative matters, like getting their driver's license. However, these stations do not appear to be registered with the government of the host country. The police officers monitor a variety of groups, including multiple ethnic and religious minorities, political dissidents, human rights activists, journalists, and former insiders accused of corruption. In some cases they track down the individuals and suppress them. In other cases they use social media accounts to harass these dissidents. China’s Espionage Strategy China’s espionage activities are not a new phenomenon. Yet the intensity and sophistication of China’s clandestine operations against European countries has picked up in recent years. This departs from previous Chinese foreign policy which sought to maintain good trading relationships with many countries to improve trade links and promote economic growth. Why does the CCP use covert operations against European targets? President Xi Jinping's increasing focus on covert operations is a part of his emphasis on security. The ‘comprehensive national security’ concept describes a policy where all aspects of China’s society and relations with the outside world are considered issues of national security. This is reflected in the growing importance of the MSS in China’s political system. The MSS collects foreign intelligence, counterintelligence and is responsible for the perceived threats to the CCP. Without this supply of information gathered through espionage operations, the PRC can’t promote its interests in Europe. The MSS is targeting European businesses and governments as part of its geopolitical strategy. Europe is a target for a number of reasons. Access to European critical technologies in artificial intelligence and quantum computing is a key target as China attempts to build its own advanced technologies. 
Another objective is to influence investment and trading relationships with different EU countries, especially given the confrontational trading relationship with the Biden Administration in the US. Gaining further information about EU geopolitical intentions would allow China to update its own strategy toward the continent. The MSS's focus on influencing European parliamentarians, targeting Chinese dissidents abroad, and exploiting existing divisions in European societies demonstrates the strategy used to secure China’s foreign policy goals in Europe. Conclusion China’s increasing espionage operations and political interference pose a threat to European businesses and civil society, as well as political institutions. This is likely to intensify as EU-China relations remain tense. China’s tacit support of Russia in its war against Ukraine, the clampdown on information in China, and the EU’s possible restrictions on China’s electric vehicles may lead to further espionage operations to prevent negative outcomes for the PRC. European countries will have to navigate a delicate balance in their relations with China and remain vigilant against espionage threats to their operations and business activities. Given the close economic ties between Europe and China, it is important to find a balance between improving security against China’s covert operations and further economic advantages. Businesses and organizations need to implement measures to protect themselves against Chinese espionage and stay aware of the risks present.

  • Intel Brief: Rejuvenation of the Corsican Nationalist Movement

    Date: 13/03/2024 Who’s involved: Fronte di Liberazione Naziunale Corsu (FLNC), France, Corsica, Corsican nationalist movement. What happened? On 02/03/2024, violent clashes erupted in Bastia, Corsica, between the police and around 200 nationalists during a protest asking for more rights for Corsican freedom activists. The protestors threw rocks and other projectiles at the police, who responded with teargas and baton charges. The protest was held on the second anniversary of the death of the well-known Corsican militant Yvan Colonna, who was serving a prison sentence for his involvement in several terrorist activities throughout the years. He was killed in prison during a fight with an Islamist inmate, allegedly over Colonna “disrespecting Mohammed”. On 01/03/2024, Corsican prosecutors announced that they would start an investigation into the possible “apology of terrorism” by the Corsican nationalist youth group Ghjuventù Indipendentista (Independent Youths), who are allegedly responsible for distributing leaflets saying that the “struggle for independence should continue and that the FLNC is the organization that will help get Corsica independence”. On 29/02/2024, the French Minister of the Interior Gérald Darmanin had talks with Corsican representatives addressing the possibility of more autonomy for Corsica within France in the near future. In September 2023, the French President Macron first proposed granting Corsica some autonomy, overturning previous French policy. On 08/02/2024, the FLNC targeted a house under construction in Santa Lucia di Moriani, Corsica, with an explosive device. Since the start of 2024 there have been several bombings targeting primarily tourism-related buildings and second houses of French citizens. Analysis: The Corsican nationalist movement is not homogeneous. 
While many parties and politicians are aiming for a constructive dialogue with the central French authorities to gain more autonomy, other parts of the movement, such as the FLNC, refuse any ties with France and instead advocate for an independent Corsican state. Founded in 1976, the Fronte di Liberazione Naziunale Corsu (FLNC) is a militant independence group that was mainly active in the 1970s and 1980s. They targeted mainly buildings in Corsica and mainland France through bombings, especially government and police buildings and second houses of non-natives. In June 2014 the group announced its retirement but reemerged in 2022 after the death of Yvan Colonna, with spikes of up to twenty attacks in one night to express dissent against the policies of the central government. With Macron’s promise of delivering legislation for Corsican autonomy by March 2024, talks between the French government and Corsican authorities have increased. While the Corsican Assembly retains legislative power in some areas, local politicians have long campaigned for effective autonomy. Discussions will likely be lengthy as some French politicians are reluctant to devolve powers to autonomist movements. Other regional leaders seemed keen on asking for equal treatment after the news of Macron’s promise. Moreover, the changes required by Corsican authorities will involve changes to the Constitution of France and will likely be opposed by members of the Senate and the National Assembly. Corsican autonomy is still a divisive subject in France. A 2022 poll revealed that roughly half of the total population of France is in favor of Corsican autonomy, with right-wing voters being overall opposed to the idea. On the other hand, the FLNC has maintained their request for full independence from France, often stating that Corsica has no common destiny with mainland France. 
Even if autonomy is granted to Corsica, it is highly likely that they will continue to fight as it does not align with their requests. Bombings continued even after Macron’s promise of full autonomy, showing a spike in activity after he announced that the government was ready to grant autonomy. Violent nationalist independence movements like the FLNC are seemingly in decline across Europe. With more freedom and autonomy given to contested regions and a local population tired of violence, radical independence groups have lost their wider societal base. But with the lack of gaining independence and a tendency of national governments to reject handing autonomy to specific regions, there is a growing unrest and impatience among younger nationalists. In Corsica the nationalist independence movement is now smaller in size and has less societal support, but they do consist of a group of young people who are willing to undertake more illegal actions. Rioting with the police, arson and sabotage and even planting bombs is not seen as counterproductive to the cause. The new generation of independentists have less faith in treaties and governmental promises and want to see more extensive change happening. Movements like the FLNC incorporate anti-capitalist, anti-fascist and radical environmental ideas that speak to the younger generation who are more concerned about the growing wealth gap, climate change and the rise of anti-immigration political parties. The political process is going too slow for them. It is likely that the new generation of FLNC and related groups will gain more traction in the coming months and years. Conclusion: After the riots on the second anniversary of the death of Yvan Colonna, Corsica seems to be headed towards a new chapter of independence movement radicals taking their cause to the streets and away from the parliamentary negotiations. 
With the FLNC rejecting the talks on autonomy between Corsican authorities and the central government, Corsica will likely see an increase in violent activities by the FLNC as it ultimately strives for independence from France. Violence will target mainly governmental and police buildings but also tourism related areas and non-native second houses. Moreover, it is uncertain whether Corsica will be effectively granted autonomy from the government as it remains a contentious issue and many politicians are opposed to any compromise on the unity of the Republic.

  • Intel Brief: Microsoft Releases Details Of Hack By Russian State-Backed “Midnight Blizzard”

    Date: 13/3/2024 Where: US, Russia Who’s involved: Microsoft corporation, APT29 AKA Midnight Blizzard or Cozy Bear (Russian State-Sponsored Threat Actor) What happened? On January 12th, Microsoft found that a threat actor had gained access to a legacy system that was not customer-facing in late November 2023. The threat actor was identified as having come from Russia. By logging into this system, they gained access to Microsoft corporate email accounts, though this was not disclosed at first. A Microsoft report was issued on January 19th to consumers, claiming that the event was of no major significance and posed no threat to user account information. On January 25th, Microsoft reported that Russian hackers had gained access to source code repositories during the earlier attack. This was more damaging than initially reported, with the threat actor accessing some of the company's internal systems. Microsoft revealed that the volume of some tactics that were used in the attack had increased by as much as 10-fold in February compared to January 2024. This increase was attributed to the group using information initially exfiltrated from Microsoft's corporate email systems. On March 11th, an update from Microsoft indicated that the January attack by Russian hackers was more damaging than originally reported, with it now confirmed that the Midnight Blizzard (APT29) group accessed some of the company's internal systems and software source code. Analysis: Midnight Blizzard, once famously known in the media as Cozy Bear, is one of the oldest and most skilled offensive hacking groups affiliated with the Russian state. Active since at least 2008, they achieved fame as the group associated with both the 2016 Democratic National Convention intrusion attempts and the 2020 SolarWinds hack, which caused massive supply chain disruptions. 
Achieving backdoor access to Microsoft applications, particularly Cloud deployments, presents a mother lode for Advanced Persistent Threats (APTs), as it could empower them to infiltrate thousands of organizations around the world. This would include defense, engineering, and software development firms. In addition, a plurality of government departments in North America and Europe are reliant on Microsoft deployments. Microsoft’s findings indicate that Midnight Blizzard had access to its systems for over two months before being detected. The efficacy of brute-force tactics in this situation indicates that the compromised email accounts were not protected with multi-factor authentication (MFA). The tactic that worked in the initial attack is known as “password spraying”, wherein a threat actor will make login attempts in bursts small enough to not trigger maximum login attempt warnings. Conclusion: The recent revelation by Microsoft about the breach conducted by the Russian state-backed group, Midnight Blizzard (APT29), marks another significant episode in the ongoing cyber conflict involving state-sponsored actors. This incident highlights the sophisticated tactics and persistent threats posed by these groups to global cybersecurity infrastructure. On a more actionable level, this incident reinforces the importance of implementing strong security practices, such as multi-factor authentication (MFA), to protect against password spraying and other brute-force tactics. The breach also signifies the interconnected nature of global cybersecurity, where an intrusion into one major entity like Microsoft can have far-reaching implications for countless organizations and governments. As such, collaborative efforts and information sharing between public and private sectors are essential to strengthen defenses and resilience against state-sponsored cyber activities. 
As geopolitical tensions continue to manifest in the cyber realm, this event serves as a reminder of the evolving landscape of cyber warfare and espionage. Companies, especially those providing critical IT infrastructure like Microsoft, are prime targets and must remain at the forefront of cybersecurity efforts to protect not only their assets but also those of their clients worldwide.
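The password-spraying pattern described in this brief can be made concrete with a small detection sketch. It is an added example, not part of the original brief and not Microsoft's tooling: the sign-in events, account names and thresholds are constructed, and the addresses come from documentation ranges. It shows why a per-account lockout counter misses a spray, while counting lightly touched accounts per source catches it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sign-in events: (time, source, account, outcome)."""
    t0 = datetime(2024, 1, 10, 9, 0)
    sprayed = ["test-legacy", "a.ng", "b.ortiz", "c.ilves",
               "d.khan", "e.moreau", "f.larsen", "g.adeyemi"]
    events = []
    # Spray: one guess per account, four minutes apart, from one source.
    for i, account in enumerate(sprayed):
        events.append((t0 + timedelta(minutes=4 * i), "203.0.113.7", account, "fail"))
    # One sprayed account has no MFA and a guessable password.
    events.append((t0 + timedelta(minutes=40), "203.0.113.7", "test-legacy", "success"))
    # Classic brute force: many guesses against a single account.
    for i in range(12):
        events.append((t0 + timedelta(seconds=10 * i), "198.51.100.9", "h.weiss", "fail"))
    # Ordinary user who mistypes twice and then signs in.
    events.append((t0 + timedelta(minutes=5), "192.0.2.10", "i.costa", "fail"))
    events.append((t0 + timedelta(minutes=6), "192.0.2.10", "i.costa", "fail"))
    events.append((t0 + timedelta(minutes=7), "192.0.2.10", "i.costa", "success"))
    return sorted(events)


def lockout_alerts(events, max_failures=5, window=timedelta(minutes=10)):
    """Per-account control: flag accounts with many failures in a short window."""
    recent = defaultdict(deque)
    flagged = set()
    for when, _source, account, outcome in events:
        if outcome != "fail":
            continue
        q = recent[account]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(account)
    return flagged


def spray_alerts(events, min_accounts=5, max_per_account=2,
                 window=timedelta(hours=1), key=lambda ev: ev[1]):
    """Flag a group (by default a source address) whose failures touch many
    accounts lightly, each staying under the lockout threshold.
    Thresholds are assumptions and need baselining per environment."""
    recent = defaultdict(deque)      # group -> (time, account) failures in window
    alerts = defaultdict(set)
    for ev in events:
        when, _source, account, outcome = ev
        if outcome != "fail":
            continue
        q = recent[key(ev)]
        q.append((when, account))
        while when - q[0][0] > window:
            q.popleft()
        per_account = defaultdict(int)
        for _t, acct in q:
            per_account[acct] += 1
        light = {a for a, n in per_account.items() if n <= max_per_account}
        if len(light) >= min_accounts:
            alerts[key(ev)] |= light
    return {group: sorted(accts) for group, accts in alerts.items()}


def successes_from_flagged_sources(events, alerts):
    """Successful sign-ins by a flagged source to an account it sprayed:
    these accounts need a credential reset and session review first."""
    return [(source, account)
            for _when, source, account, outcome in events
            if outcome == "success" and account in alerts.get(source, ())]


if __name__ == "__main__":
    evs = build_sample_events()
    print("lockout view:", lockout_alerts(evs))
    found = spray_alerts(evs)
    print("spray view:", found)
    print("follow-up:", successes_from_flagged_sources(evs, found))
```

Per-source counting misses a spray spread across many addresses; passing `key=lambda ev: "*"` applies the same window to the whole tenant, at the cost of more noise from ordinary mistyped passwords.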

  • Intel Brief: Haiti declares state of emergency amid escalating violence

    Date: 08/03/2024 Who is involved: Haitian gangs (mainly G9), Haiti interim Prime Minister Ariel Henry, Kenyan government, the UN What happened? On 29/02/2023, Haiti witnessed an escalation of violence which displaced 15,000 people and left at least 12 victims, including police officers. The unrest was triggered by Haiti's de facto Prime Minister Ariel Henry's visit to Kenya, to sign a reciprocal deal with Kenyan President Ruto for the deployment of Kenyan police officers to support the Haitian government in combating gangs. On 03/03/2024 gangs launched a coordinated attack targeting two of the main prisons of Port-au-Prince, freeing over 4,700 inmates, as well as at least 9 police stations and other public buildings and critical infrastructure. In response, Haiti's government declared a state of emergency and imposed a nighttime curfew, which were extended respectively until 03/04/2024 and 10/03/2024, after an escalation of violence saw gangs setting fire to police stations in Port-au-Prince, breaking into a major port terminal and looting containers. Haiti’s main port terminal is now suspending operations, and the World Food Programme has suspended its maritime transport services to Port-au-Prince, which distribute aid to Haiti, due to instability. Many health centers have been forced to reduce their operations too, due to violence and the lack of medicine and personnel. On 04/03/2024, gunmen tried to seize control of a police academy and the Toussaint Louverture International Airport. Some aircraft have been damaged by gunfire. Prime Minister Henry is currently not in the country. On 05/03/2024, he landed in Puerto Rico, after he was denied entry to Haiti. Gangs, which are currently controlling 80% of the capital Port-au-Prince, are calling for Henry’s resignation. Jimmy “Barbecue” Chérizier, leader of the powerful gang federation G9 in control of most of Port-au-Prince, announced on 05/03/2024 that gangs will prevent the return of Henry to the country. 
He called for a “civil war” if the interim PM does not resign and claimed responsibility for the coordinated attacks of the last few days. Amid the mounting pressure to step down, and for safety, especially after the seizure at the airport, Prime Minister Henry has not been able to return to Haiti. His whereabouts were unknown for a few days after the attacks on the prisons and the airport, until 05/03/2024, when he landed in Puerto Rico, after being denied permission to land in the neighboring Dominican Republic. Following the spike of violence, on 07/03/2024, the U.S. urged Haiti's PM to expedite the political transition to prevent a further deterioration of the security and humanitarian crisis. On 06/03/2023, Guyanese President Ali, the chairman of the Caribbean Community (CARICOM), of which Haiti is a member, stressed the need for international community support. On the same day, the U.N. Security Council held a closed-door meeting on Haiti, after the UN Secretary General António Guterres called for all political actors to see “urgent action, particularly in providing financial support for the multinational security support mission” in Haiti. Caribbean officials stated that the leaders of CARICOM spoke with Henry and presented several alternatives to end the deepening crisis, including his resignation, but they were not able to reach any form of consensus. All international airlines have suspended flights to Haiti. The airport is being actively targeted, and it is now effectively closed. The Dominican Republic civil aviation authorities have closed all flights to and from Haiti, and increased security at the border with Haiti. In 2023, due to the large flow of migrants and displaced persons, the Dominican Republic had already closed its border, and refused access to Haitian refugees. Nearby nations have secured their borders, too. A maritime blockade was established in the southeastern Bahamas, amid fears of mass migration from Haiti. 
Analysis: Gang violence has been going on for years in Haiti. The humanitarian and security situation has been unstable for decades, and the escalated violence has caused Haiti’s democratic crisis to deteriorate even further. The power of gangs has increased through smuggled firearms, which allowed them to achieve a high degree of military capacity and financial capital. In 2023, over 5000 killings were reported and more than 310,000 people were internally displaced in Haiti, mostly from the capital. Currently, aid groups estimate that more than 15,000 people have fled their homes in the past week. The latest escalation of events is worsening the already dramatic humanitarian situation, and the UN humanitarian affairs agency has warned that the country’s health system is “nearing collapse”. International observers and humanitarian organizations are calling for emergency aid and support for the population in Haiti. The recent seizure and looting of the main port of Haiti are affecting the distribution of essential supplies by aid organizations. Maritime routes are the only way to transport aid from Port-au-Prince to the rest of the country, which poses a serious problem to the delivery of food and medical supplies. According to the UN Office for the Coordination of Humanitarian Affairs, currently there are a dozen trucks of aid, filled with food, medical supplies and equipment, stuck in the port of Port-au-Prince. The recent attacks on the police stations further curbed the capacity of police forces to respond adequately to the gang attacks. Nine police stations have been torched and the National Police Academy has been destroyed. Gangs have also set fire to and looted more than twenty other buildings, including the peace court in Croix-des-Bouquets. Since he visited Kenya to conclude the deal for the Kenyan police forces to lead a multi-national force to help restore Haiti, Prime Minister Henry has not given any public statements. 
Many Haitians consider Henry accountable for the escalation of violence and the inability to curb gang violence. His government is perceived by many as corrupt, as he was supposed to step back after President Jovenel Moïse's assassination in 2021, and ensure parliamentary and presidential elections by 07/02/2024. Currently, there are no elected officials in Haiti’s government. The Security Deal between Kenya and Haiti is a bilateral agreement that came as part of the "Multinational Security Support" (MSS), a year-long international force mission led by Kenya, approved by the United Nations on 2/10/2023, but halted in January 2024 by a Nairobi court. Kenya committed to deploy 1000 police officers to help combat gang violence. However, after the recent events, Kenyan police officers who had volunteered for the deployment have opted out for their safety. Reservations about the MSS also originate from Haiti’s troubled history with international interventions. The last international intervention, the U.N.’s 2004-2017 MINUSTAH mission, resulted in a massive sexual abuse scandal and a cholera epidemic, killing some 10,000 people. Moreover, some states have been reluctant to openly support Ariel Henry’s contested government. Conclusion: The situation in Haiti is highly unstable and volatile, and the violence is likely to continue. The recent escalation of violence threatens to make the humanitarian and security crisis in the country irreparably worse, exacerbating even further the migrant crisis in the Caribbean. Without international intervention and humanitarian assistance, it is unlikely that Haitian authorities and law enforcement will be able to curb gang violence. Yet, the international community would likely have a hard time supporting such a contested government deemed illegitimate by the local population. 
The attacks on law enforcement and state institutions of the past week are pushing for Henry’s removal, and gangs, including the G9, will continue to oppose Prime Minister Henry until elections are granted. With the current situation and the gangs' active threat to government institutions, it may be impossible for interim PM Henry to re-enter the country and establish control over the current situation.

  • Intel Brief: Gagauzia, Moldova Seeks Russian Support

    Date: 08/03/2024 Who’s involved: Moldova, Gagauzia, Transnistria, Russian Federation, Turkey, France, Romania What happened? On 07/03/2024 Moldova signed a cooperation agreement with France on defense matters amid reports of increasing destabilization efforts, such as disinformation and cyber attacks, by Russia against the country. On 05/03/2024 Moldovan authorities denounced plans by the Russian Federation to increase destabilizing activities in the country in 2024 to push the country away from its pro-EU path and closer to Russia ahead of the planned November elections. In February 2023 Moldova accused Russia of plotting a coup to overthrow the current pro-EU government. Situated in the south of Moldova, Gagauzia is an autonomous territorial unit populated by a Turkic ethnic minority. Under the Soviet Union, Gagauzia already sought independence from Moldova. In 1995, Gagauzia was awarded autonomy by the government of the newly independent Moldova, with guarantees enshrined in the Moldovan Constitution. The population and the government of Gagauzia have always taken a pro-Russian stance as they retain cultural, linguistic and economic ties with the Russian Federation. On 06/03/2024 Evghenia Gutul, the leader of Gagauzia, met with Putin in Moscow, asked for support and described the central Moldovan government as economically and politically oppressive towards the Gagauz people. Moldova’s prosecutor general announced legal action against Gutul for her involvement in unspecified illegal actions. In 2014 Gagauzia held a referendum on its international stance. The referendum was considered illegitimate by Moldovan authorities. Voters overwhelmingly rejected closer political integration with the European Union in favor of joining the Russia-led CIS Customs Union. They also supported the region’s right to declare independence if Moldova loses its independence, likely referring to talks of a possible Romania-Moldova reunification. 
Transnistria, a region de facto independent, has also shown pro-Russian views. The majority of the citizens are in favor of joining the Russian Federation, which has a strong influence on the local economy. Since the 1990s Transnistria has hosted 1,500 Russian troops and arms depots dating back to the Soviet Union. Russia is also involved in the management of the local army and secret services. Leaders of Transnistria asked Russia for protection, as did Gagauzia, in late February 2024. Half of the population of Transnistria has Russian nationality or a Russian passport and is allowed to vote in the Russian elections. Moldova is however trying to stop the Russian embassy from handing out ballots. In recent years Russia and Turkey have been in competition with each other over who has more control in Gagauzia. With the inhabitants being of Turkic origin, even though they are Christians, Turkey feels that it has cultural ties with the region. By investing in schools where the Gagauzian language is spoken and by investing in cultural heritage institutions Turkey has increased its role in Gagauzia. In the meantime Turkey has been complaining about Russia trying to turn Gagauzia into a Russian speaking enclave. Analysis: With the invasion of Ukraine advancing only slightly Russia seems to want to divert attention away from Ukraine and is starting to entice other “Russian break-away” regions to be more vocal about their desires to join the Russian Federation. Not only is Russia openly supporting the Moldovan region of Transnistria, but it has also supported the Gagauzian pro-Russian groups more openly. This in combination with the announcement of the opening of a new naval base in the break-away republic of Abkhazia in Georgia seems to be part of a strategy from President Putin to advance his “Greater Russia” plans. A military confrontation between Russia and Moldova could mean that Romania and the rest of the EU and NATO may be involved. 
This will stretch EU and NATO resources across a long dividing line through Eastern and South-Eastern Europe. There is a chance that Russia will take advantage of this situation by getting the West to agree on more autonomy for Transnistria and Gagauzia in an attempt to prevent a military confrontation. France and Romania have openly stated that they will help Moldova reinforce its military, but it seems that the focus lies more on a defense basis than on offensive capabilities. Moldova is not equipped to fight Russian and pro-Russian forces in Transnistria and Gagauzia and it is not likely that France and Romania will militarily intervene if the break-away regions announce total autonomy or even claim membership of the Russian Federation. It is likely that Russia will increase its pressure on Moldova by more openly supporting Transnistria and Gagauzia through means of propaganda, cyber attacks, election tampering and, not unlikely, violent action through various means like sabotage, terrorism or even sending Russian troops into the regions to “protect” the pro-Russian population from Moldovan “repression”. Any such action will be taken as an act of aggression by Moldova and the EU/NATO, but without an actual physical confrontation it is not likely that Russian plans will be thwarted. The EU and NATO will put pressure on Moldova to not intervene militarily as this will endanger the very fragile peace between Russia and the West. Conclusion: Recent Russian statements expressing support for Transnistria and Gagauzia can be interpreted as part of a wider regional strategy seeking to destabilize pro-EU countries in Eastern Europe. Even though a military confrontation is unlikely to happen, Moldova will be under increasing pressure from Russian disruptive activities to compromise the country’s ties to the European Union. 
The “Greater Russia” plan of President Putin has strong support in Russian and pro-Russian populations, where it is felt that all people who consider themselves to be of Russian descent have the right to join the Russian Federation and deserve military protection against perceived repression. This point of view will undoubtedly cause further unrest in the future as long as Putin stays in power.

  • Intel Brief: US Court Orders Pegasus Spyware Developer To Disclose Source Code

    Date: 5/3/2024 Where: US, Israel Who’s involved: US District court, NSO Group, Meta corporation What happened? On 04/03/2024, Israeli software developer NSO Group, creator of the infamous Pegasus spyware, was ordered by a U.S. judge to disclose the program’s code to Meta, the owners of WhatsApp and Facebook. This would allow Meta to reverse-engineer the software and figure out how to prevent future vulnerabilities. Pegasus is a powerful piece of what’s been called “mercenary spyware” due to its capabilities for deep surveillance, enabling unauthorized access to a target's mobile device data, including calls, messages, and location. It has been active since at least 2016. Despite NSO Group’s claims that it should have immunity, the U.S. Supreme Court decided that the company was acting as an agent of a foreign government, and therefore subject to the California court’s rulings. The software has been sold to law enforcement agencies and governments around the world, and violates numerous laws and regulations, particularly within the European Union and North America. The specific case was brought to a district court in California to address Pegasus’ use against 1,400 WhatsApp users in 2019. The case is part of an ongoing legal struggle between Meta and NSO Group. Meta is holding NSO Group responsible for the spyware’s propagation over Meta’s platforms. Analysis: The Pegasus spyware has been at the center of global controversy due to its use by governments and government contractors against human rights defenders, journalists, and political opponents. This accusation has been prominently lodged against the governments of India and Israel. Its existence was first established when a 2016 investigation by Citizen Lab and Lookout Security released the technical analysis of a novel spyware found on the phone of a UAE-based human rights activist. 
In December 2023, forensic investigations found evidence of Pegasus spyware on the iPhones of Siddharth Varadarajan of The Wire and Anand Mangnale of The Organized Crime and Corruption Reporting Project (OCCRP). Both were critical of the Indian government. In 2021, leaked documents indicated that over 1,000 Indian phone numbers were targeted by Pegasus. Among those targeted were Prime Minister Modi's main rival, Rahul Gandhi, and several other opposition politicians and activists. The government refused to cooperate with further inquiries. Other governments credibly accused of abusing Pegasus include Azerbaijan, Morocco, Kazakhstan, and Thailand. Pegasus has used various methods to infect target devices, including spear-phishing text messages or emails, exploiting vulnerabilities in network infrastructure, and zero-click attacks. Zero-click attacks are particularly insidious as they require no interaction from the device owner. For example, Pegasus has exploited vulnerabilities in WhatsApp and iMessage to infect devices without user interaction. Once installed, Pegasus can perform a wide range of surveillance activities. It can access text messages, emails, and chats; activate the camera and microphone for recording; track the device location; and gather information from apps. Conclusion: The legal pursuit against Pegasus underscores the challenges and implications surrounding cybersecurity, state-sponsored surveillance, and the responsibilities of private companies in combating misuse of their platforms. This decision in the case of Meta vs. NSO Group poses the most potent legal challenge to the spyware to date. While those championing privacy and digital rights might be critical of the fact that this blow to NSO Group is coming from Meta, who themselves have a poor reputation within the information security sector, the corporation’s vast resources and influence will likely have an impact on how these proceedings play out. 
There is an incentive within Meta to use this case to repair reputational damage various accusations of “spying” have inflicted on their various products and services. NSO Group and similar organizations have been involved in what’s been called the “hack-for-hire” industry. This particular sector within the cybersecurity realm is understandably secretive, and blurs the line between private and government actors within offensive cyber practices. While Pegasus has given NSO Group its own highly destructive reputation, it’s only the first of many organizations deserving of further scrutiny for those concerned with their organization’s security and individuals’ civil liberties.

  • Conflict Monitoring Report: February 2024

    Written by Mickey Beckmann, Elena de Mitri, Sara Frisan, Marnix Van t’Hoff, Jacob Dickinson Russia-Ukraine: Avdiivka is conquered by Russia, a new Russian offensive is opened towards Kupiansk. Israel-Hamas-Hezbollah: Fighting is moving towards Rafah. Hezbollah fires rockets into Israel; Israel responds with airstrikes. Deterioration of humanitarian situation in Gaza. Myanmar: Civil war intensifies across the country as the military junta commits human rights abuses and calls for mass conscription. Sudan: Clashes between the RSF and SAF continue, worsening the humanitarian crisis. Argentina: As the government reorganizes after Congress's rejection of Milei's controversial reform package, massive protests against rising poverty take place across Argentina. Senegal: Widespread protests as President Sall delays election date. Sahel - ECOWAS: Turmoil in West-Africa tests ECOWAS’s ability to uphold its goals of economic growth and the increasing of democratic practices. North Korea-Russia: North Korea abandons commitment to re-unification and conducts live fire exercises against South Korea’s Yeonpyeong island. DRC: The renewed advance of the rebel movement M23 in North Kivu triggers anti-Western sentiments and protests across the country. Indonesia: Ahead of announcing Indonesia's official election results, protesters challenge the victory of former general Prabowo Subianto. Conflicts, February 2024 Russia-Ukraine February saw the end of Ukrainian control over Avdiivka, bringing an end to the almost 10-year battle over the city. Russia’s extensive use of fighter-bomber aircraft supported by A-50 AEW&C aircraft played a significant role in taking down the Ukrainian defenses. However, now that Ukraine has managed to destroy a second A-50, Russia seems to have halted A-50 operations for now. As Russia is unwilling to halt its glide bombing campaign, this has resulted in severe losses to Russian aviation in the past 2 weeks now that Ukrainian air defenses have breathing room. 
After the fall of Avdiivka, there was a potential for a Russian breakthrough at the Eastern front. However, it seems that the Ukrainian Armed Forces (ZSU) has succeeded in stabilizing the front line on prepared defenses behind Avdiivka. The Russian armed forces have opened a new offensive, along most of the Eastern front line. This offensive most likely aims to take Kupiansk, which in turn would allow for the staging of an offensive on Kharkiv. The intensification of Russian activity over the past month can likely be attributed to the elections coming in March, in order for Putin to be able to report positive news to the Russian people concerning the war. While this intensification has allowed Russia successes and gains, the long term effects of these actions could be negative for Russia. Israel-Hamas-Hezbollah In February, the conflict between Israel and Hamas entered its fifth month, with no clear end in sight. IDF main operations continued to move towards the southern part of the Gaza strip, with clearing operations still going on around Gaza City in the north. Ground operations in the first part of the month have focused on Khan Younis and the Nasser Hospital in the city, which the IDF claimed was used by Hamas as a hiding spot for militants and hostages. The next planned target is Rafah, a major city along the southern border with Egypt where 1.3 million displaced Gazans are in desperate need of humanitarian aid. While ground operations still haven’t started, Rafah has already been targeted with airstrikes. In the occupied territories of the West Bank, throughout the month Israeli forces clashed with Palestinian militants and many militants have been arrested. Talks about a ceasefire and hostage exchange deal for the month of Ramadan are slowly progressing with hope that they will reach a conclusion by the beginning of March. The humanitarian crisis in Gaza has worsened since the previous month. 
Since February 9, there has been a consistent drop in aid deliveries. Humanitarian agencies complained about the difficulty of delivering aid into Gaza without any support from the IDF. The northern part of Gaza is in especially dire conditions, as it presents security challenges to aid delivery. The World Food Programme has stopped delivering aid to the north, while the UNRWA has warned that the suspensions of funds enacted by many countries will leave them unable to work after March. Nevertheless, the shortages of food, water and medical supplies affect the entire territory of the Gaza Strip, with a widespread risk of famine. As of 29 February there are more than 30,000 reported deaths in Gaza. Intensified clashes continued between Israeli forces and Hezbollah along the Israeli-Lebanese border. Israeli airstrikes have focused on southern Lebanon, but have also reached Baalbek in eastern Lebanon, in an attempt to target members of Hezbollah and Hamas and Iran-linked individuals. Sporadic airstrikes are also directed at Syrian territory with the same purpose. In the meantime, France is trying to negotiate a deal to stop the fighting between Israel and Hezbollah. Myanmar With February 1st 2024 marking three years since Myanmar’s military coup, the civil war intensified as the resistance and ethnic groups have beaten back the military junta on multiple fronts. Beginning at the end of October 2023, Operation 1027, a coalition of three resistance forces consisting of pro-democracy and ethnic groups captured Laukkaing, a city consisting of transnational criminal networks on the border with China, and several other significant military outposts. The military stepped up air and artillery strikes on villages and civilians in response. There are also reports of fighting in the western region of Rakhine State. Confronting multiple assaults across the country, the mass surrender and desertion of military troops has sapped morale among the junta’s military forces. 
To boost its military personnel, the junta announced in February 2024 mass conscription for civilians residing in areas where the military has control. The widespread horror at serving for a deeply unpopular military junta has led to a mass exodus of the population toward the Thai border. Outside actors' influence on the Myanmar military is limited given the self-sufficiency of the Myanmar military, though the renewed strength of rebel groups may give China a greater influence on the country. Beijing has achieved its goal of reducing cross-border transnational crime on the border with Myanmar, but remains concerned about the loss of cross-border trade with southwestern China. It has responded to the military’s attempt for help by negotiating two ceasefires, which quickly broke down. For now, it seems like China is seeking to maximize its leverage of individual groups rather than backing a particular side to protect its infrastructure and investment interests in the country. The Association of Southeast Asian Nations (ASEAN) has remained divided on the issue of Myanmar, particularly with its normative claim to ‘non-interference’ in each other's domestic affairs. Earlier in February 2024, 9 members of the UN Security Council condemned the airstrikes made by Myanmar’s military against civilians, called for an immediate ceasefire, and humanitarian aid needed by more than 18 million people in the country and 2.6 million displaced since the beginning of the conflict. The conflict has claimed 50,000 lives, of which at least 8,000 are civilians. The fighting is likely to worsen as the humanitarian situation deteriorates and a peace plan continues to be ignored by the military junta. Sudan As of February 2024, intensified fighting between RSF forces and Sudanese army has been ongoing in the states of Darfur, Kordofan and Khartoum, in southern and eastern areas of Sudan. 
Fighting has focused mainly around the cities of Khartoum and Al-Fasher with the Sudanese army claiming control of Omdurman on 17 February. Since 5 February the three main Sudanese telecom networks throughout the country have been deactivated, supposedly by the RSF. This heavily impacted the delivery of aid, external communications and electronic payments on which the population is heavily reliant. Blackouts are still ongoing in many parts of the country. Clashes also erupted in the Abyei region, which is currently disputed between Sudan and South Sudan and jointly managed by the two countries. The conflict has displaced 8.1 million people that fled both to other areas of Sudan and to neighboring countries. Most refugees come from Khartoum and Darfur. According to the UNHCR half of the Sudanese population needs humanitarian assistance, but many challenges prevent the delivery of the necessary aid. Severe lack of funding, insecurity and fuel shortages are all negatively affecting the work of aid agencies. Moreover, the SAF-linked Sudanese government has prohibited the delivery of aid through Chad, claiming that Chad is supporting the RSF. UN agencies have called for increased funding to meet Sudanese humanitarian needs, but managed to secure only a fraction of the funds needed. Expected reductions in harvests are likely to exacerbate the humanitarian emergency, as many parts of the country are on the brink of famine. Cases of cholera, dengue fever and other diseases are increasing and overcrowded refugee camps are especially at risk. Reports of ethnic cleansing, war crimes and crimes against humanity depict a worsening scenario. With diplomatic efforts failing to make SAF and RSF generals hold significant talks and neighboring countries allegedly influencing the conflict, it is very unlikely that violence will end soon. This will also affect refugee flows, as many try to flee the conflict-ridden areas. 
Alerts, February 2024 Argentina Since President Milei declared a state of emergency on December 20, 2023 and promulgated the Decree of "Necessity and Urgency" (DNU), significant protests have occurred nationwide in Argentina. Popular and opposition discontent arose from controversial provisions of the decree and the subsequent promulgation of a series of legislative reforms called Omnibus Bill. Milei's reforms focused on drastic deregulation claiming to lift the country's economy, including massive cuts in education, transportation, health, and substantial reductions in workers' rights. In response, on January 24, 2024, the General Confederation of Workers (CGT) called a nationwide strike, and several protests occurred in Argentina's major urban centers in January 2024. On February 2, 2024, while the House of Deputies was debating approval of the Omnibus Bill, hundreds gathered to demonstrate against Milei's austerity plan. Security forces fired tear gas and rubber bullets to disperse the crowd. Clashes with police led to 60 protesters being injured and dozens arrested. Despite its initial approval, the Omnibus bill failed article-by-article review, which was then rejected by the lower house of Congress on February 6, thus undoing its previous approval. President Milei reacted by cutting subsidies needed by Argentine governors for services, including transportation. This measure reignited labor union protests and strikes across the country. Also, the economic crisis and rising inflation meant that in January 2024, the poverty rate in the country reached its highest level in the last 20 years. While it remains unclear whether the administration will resubmit the reform package to Congress, the coming weeks will likely experience an escalation in protests demanding food aid and subsidies for the lower classes. Moreover, strikes and protests by labor unions, likely to continue, could result in more significant unrest and disruption of services in major urban centers. 
Senegal Last year Senegal experienced intensifying political unrest, with June 2023 being one of the most violent months due to clashes following the conviction of Ousmane Sonko, an opposition leader of President Macky Sall. The months after have been characterized by further protests against high cost of living, youth unemployment, and accusations of systemic government corruption. Moving towards the scheduled elections on 25 February, tensions have been rising, led by the December 2023 decision of the Constitution Council to ban several prominent opposition leaders from running for elections. President Sall’s decision on 3rd February to delay the elections, and the vote by the Parliament to postpone them to December instead of August, created further protests and violence. This resulted in the Constitutional Council’s verdict on 15th February of the delay being unconstitutional. The African Union, along with regional bodies and Western governments thereafter argued for free and fair elections as soon as possible. The election delay plunged Senegal into turmoil, questioning its status as the last bastion of West African democracy. The Economic Community of West African States (ECOWAS) expressed its concerns. However, its impact seemed to hold little leverage in a time where it faced criticism with three member states - Burkina Faso, Mali, and Niger - defying its demands and declaring in late January that they would withdraw from the bloc, accusing ECOWAS of not assisting them in resolving insecurity issues. Multiple countries in the bloc faced military coups, often on the basis of anti-French sentiments, and have developed closer relationships with Russia. These developments seem to disillusion a young generation of Africans with democratic practices. As such, Senegal will likely experience more tensions and protests in the upcoming period, especially as there is still no fixed agreement on the election date. 
Discontent among the Senegalese population, skepticism on ECOWAS’s role and effectiveness, and increasing Russian influence in the region, will keep pressuring democracy in Senegal, also influencing anti-democratic tendencies in other West-African nations. Sahel Amid persistence and strength of violent extremist organizations in the Sahel, the weakening leadership in regional efforts worsened in February. The turmoil in West Africa has brought the Economic Community of West African States (ECOWAS) role and credibility into doubt. The military governments in Mali, Burkina Faso, Guinea, Niger, Chad, announced their withdrawal from ECOWAS at the end of January 2024 following the bloc’s imposition of sanctions on Niger in July 2023. These sanctions included closing all shared borders with the country, suspending financial transactions, and freezing the country’s assets in external banks. On 27 January 2024 Burkina Faso, Niger and Mali announced their plan to withdraw from ECOWAS. Already in December 2023, the three governments expressed their intention to leave the West African Economic and Monetary Union and establish their own monetary union. The withdrawal of Burkina Faso, Niger and Mali from ECOWAS is likely to further weaken security forces facing various armed groups across the region. The withdrawal of Niger from ECOWAS limits joint task forces established to fight armed groups who travel across borders. The threat of a spread of jihadism and political instability from the Sahel is therefore likely to escalate. The hostility towards Malian and Burkinabe migrants in Ghana, Côte d'Ivoire, and Senegal is also likely to increase. The economic consequences are likely to be dire, as halting free movement between Burkina Faso, Mali and Niger and the rest of West Africa could lead to significant economic repercussions for all countries involved. With these developments and the threat of countries leaving ECOWAS, the latter faces a dilemma. 
Either excluding states whose practices are not in line with ECOWAS’s principles, or making compromises in its principles to preserve nominal unity. As of 24 February, ECOWAS has lifted travel, commercial and economic sanctions earlier imposed on Niger, in a new push for dialogue. ECOWAS’s President Touray said that the decision was made on humanitarian grounds to alleviate the hardship resulting from the coup in Niger. With about nineteen elections planned across Africa in 2024, it remains to be seen what degree of democratic governance will prevail by the end of the year. Anyhow, joint endeavors seem crucial for addressing the significant development and security issues that affect all nations in the region. Updates, February 2024 North Korea - Russia The Korean peninsula has seen high levels of tensions throughout 2024. On 5 January, North Korea conducted live fire exercises on South Korea’s Yeonpyeong island, causing the evacuation of South Korean citizens and an artillery response from South Korea’s military. This comes after extensive North Korean long-range ballistic missiles tests and launching of two spy satellites to monitor South Korea and the US. The advance in North Korea’s technological capabilities and assertiveness is likely due to the close relationship developed with Moscow. In exchange for missile development, North Korea has supplied Russia with North Korean ammunition and artillery shells on the battlefields in Ukraine. In a pressing development, Pyongyang has abandoned its commitment to eventual reunification with the South and is speaking openly of a conflict with the South. Kim Jong Un’s motives are always opaque, but they could be a response to regional developments in Northeast Asia and a push for sanctions relief on the country. The closer relationships between South Korea and Japan, who buried the historical animosity for the time being with agreements on intelligence sharing in 2022, is causing alarm in Pyongyang. 
The pickup in North Korean activities is also used as a bargaining chip for further concessions on sanctions and other goals from its rivals. Indeed, Japan’s PM Fumio Kishida is expected to meet with Kim Jong Un to renegotiate the release of Japanese citizens abducted over 20 years ago in the coming month. While there are reports of planning for war, any determined escalation for an invasion runs the risk of nuclear escalation and possibly the intervention of the United States, which would end his regime. Nevertheless, missteps present a serious risk to the Peninsula. With both Kim Jong Un and South Korean president Yoon becoming more aggressive, there is a risk of disproportionate responses on the Korean peninsula. Democratic Republic of the Congo (DRC) Massive protests erupted in the streets of Kinshasa in early February targeting UN MONUSCO mission buildings and Western embassies. Since February 9, 2024, the embassies of the United Kingdom, France, Belgium, and the United States have been besieged by protesters burning flags outside foreign diplomatic missions. Protests are spreading across the country. On February 15, protests targeting embassies were reported in Bukavu, the capital of South Kivu. The protesters are denouncing the Western complicity in the war in the eastern province of North Kivu, where the alleged Rwanda-backed group M23 intensified its advance surrounding the city of Goma. Since February 7, the resurgence of fighting between the Congolese army and the M23 armed group has forced over 135,000 people to flee the region. Outbreaks of violence against civilians, including attacks on IDP camps, persist in North Kivu. Demonstrators accuse Western nations of indifference to the humanitarian crisis and involvement in the ongoing conflict in eastern DRC for supporting the Rwandan government, blamed for logistically and financially supporting the rebels. 
Although Rwandan authorities deny involvement with the armed group, multiple recent United Nations reports have extensively documented direct Rwandan military support for the M23 rebellion. Countries like Belgium and France have called on Rwanda to end its involvement. On February 17, the U.S. released a statement condemning Rwanda's support for M23. On February 12, South Africa announced the deployment of 2,900 troops to DRC until December 2024 as part of a Southern African Development Community (SADC). In January 2024, while MONUSCO started the withdrawal operations, expected to be concluded by December 2024, the Congolese military announced a joint offensive with 16-member state SADC troops with a mandate mainly targeting the M23. The protests come at a time of instability for the government. On January 20, 2024, Felix Tshisekedi was reappointed as President. During the election process, the opposition denounced irregularities and called for protests, promptly quelled by the government. Anti-Western protests could thus come at a convenient time for Tshisekedi, shifting popular discontent to the international community. Further protests are to be expected in the coming weeks. The question remains whether popular mobilization will lead the international community to take more concrete action toward Rwanda and the humanitarian crisis in DRC. Indeed, it is likely that the M23, which now holds control over access to the city of Goma, will continue its advance and widespread violence into North Kivu. Indonesia The February 14, 2024, Indonesian presidential elections saw the victory of the former Defense Minister under previous President Joko Widodo, also known as Jokowi, and senior military commander Prabowo Subianto. The president-elect is a quite controversial political figure for his links with Suharto's infamous New Order, the military dictatorship which ruled from 1967 to 1998. 
The president-elect has been accused of mass disappearances, torture, and human rights violations during the dictatorship. The weeks leading up to the election were marked by protests over alleged corruption and rigging by the former President to impose Prabowo as the favored candidate. International observers, pro-democracy activists, and student associations blamed the Subianto-Jokowi alliance for undermining Indonesian democratic institutions and shifting Indonesia towards authoritarianism. In the wake of the election outcome, on February 16, hundreds took to the streets of the Indonesian capital to contest Prabowo's victory, demanding that the election authorities prevent him from taking office. Indeed, Subianto's presidency is not official yet, as the official results could take up to a month to be released. However, given the support from the military and the former President, it is likely that the election results will be confirmed. Further civil protests are expected to occur in the coming weeks. Observers are concerned about the further deterioration of human rights and freedom in the country. Meanwhile, Indonesia's next President will also have to deal with other security challenges, including an independentist insurgency in Papua New Guinea, where a surge in violence has been reported. About the authors Mickey Beckmann Mickey is currently enrolled in the master’s program Conflict Studies & Human Rights at the University of Utrecht. From a young age she felt the need to help people in dire circumstances, which evolved into a deep interest and drive to address sociocultural and political issues related to conflict. Motivated to make the world a safer and more accessible place, she completed a bachelor in ‘International Relations in Historical Perspective’ at Utrecht University. Her main topics of interest are radicalization, extremism, terrorism, jihadism and conflict in the Middle East. 
In this regard, she wrote her master thesis on the mobilization of Islamic State Khorasan in Afghanistan, looking into the broad set of factors enabling this terrorist group to pursue violent action, thereby estimating the threat the group may pose in the coming years. Eager to broaden her knowledge of geopolitical conflict and security, during her internship at Dyami she will actively participate in writing collaborative publications and authoring articles, with a main focus on the region North and Sub-Saharan Africa. Elena de Mitri Elena is a highly motivated person with a strong interest in international security. She holds a Master's degree in International Studies from the University of Turin, where she focused on regime changes and human rights. Her research during her master's studies delved deeper into the intricacies of human rights violations, with a specific emphasis on the war in Iraq. Her academic journey also includes a Bachelor's degree in Foreign Languages and Cultures, with a focus on the MENA region and Muslim societies. Additionally, she pursued a Minor in Gender Studies, enhancing her understanding of the intersectionality of various issues in international contexts. During her previous traineeship at the Joint Research Centre of the European Commission she conducted research on terrorist groups, especially on jihadist groups and right-wing extremists. Sara Frisan Sara joined Dyami as a Junior Intelligence/Research Analyst post-graduate intern to deepen her passionate interest in conflict analysis and security. Sara recently completed her MA in Conflict Studies and Human Rights at Utrecht University and held an MA degree in International Sciences and Peace Studies. During her academic career, she conducted research in South America, primarily Colombia, on the dynamics of collaboration and resistance between civilians and non-state armed groups in violent settings. 
In her previous internship at the investigative think-tank InSight Crime, Sara developed some expertise on transnational organized crime and political-criminal alliances.
