Monthly Risk Spotlight: February 2022


Journalism and Targeted Violence in Mexico
In an unfortunate start to 2022, four Mexican journalists were killed this past January, including two in the city of Tijuana. Their names are Maldonado López, Margarito Martínez, Roberto Toledo, and José Luis Gamboa, and their deaths were made worse by the fact that, when they were assassinated, all four were actively enrolled in a state protection scheme meant to protect journalists from just such targeted attacks. While investigations continue into the killings, one main narrative is that these journalists were killed for their work covering organized crime groups, work which, the logic goes, endangered cartel interests and provoked retaliation. It’s a stark reality that organized criminal groups are rife in Mexico, operating with near full autonomy in some parts of the country, and are at times threatened by information exposed and disseminated by investigative journalists. With a penchant for violence, it is no surprise that the response for some cartels in such a situation is to kill. But it is worth considering that investigative journalists and their work inconvenience local politicians and business interests just as often as organized crime.

To be certain, there have been a number of high-profile killings of journalists since the beginning of this year, the continuation of a trend in which the number of incidents of aggression against journalists in Baja California has more than doubled from 2018 to 2021. As investigations have unfolded, and in line with findings from previous incidents, it is becoming clear that these recent murders were likely carried out by organized crime groups. This makes sense, as throughout Mexico organized crime groups represent at least a significant challenge to the State’s monopoly on the use of force and, operating on a business model, in many cases would be more than happy to carry out a hit if the right business interest (or fee) was present. But with investigations ongoing, and historically unlikely to uncover exactly why the journalists were killed, it’s important to consider what can be understood from these deaths.

It may come to light that López, Martínez, Toledo, and Gamboa were all on the cusp of independently breaking stories with significant ramifications for local cartel operations and interests. But, so far, there is no indication that this will be the case. Instead, at least in the case of Maldonado López, there are indications the killing may have been related to a nine-year labor dispute in which López had demanded compensation for payroll debt from her former employer Media Sport de México (PSN), owned by a former Baja California state governor. López, whose work focused primarily on politics and corruption, had reported two separate instances in March and April 2021 of her car being attacked, the first with a brick and the second with a bullet shot through the back window. This prompted López to request protection from the State System for the Protection of Journalists and even to contact President Andrés Manuel López Obrador, specifically citing the labor dispute and the owner’s political connections in relation to concerns for her life following the attacks. The week before López was killed, she was informed she had won the legal dispute and would receive compensation. Then, on the evening of 23 January, López was shot and killed by an unknown assailant while exiting her car outside her Tijuana home.

The main takeaway from these incidents is not so much that journalists are becoming more of a threat to cartel operations, but instead that there appears to be a continued and perhaps growing inability of the government to maintain law and order and prosecute those responsible for these crimes. In such an environment, it can come as no surprise that individuals (like journalists) who are deemed enemies of those with means (be it cartels, local business people, or politicians) can become the target of violence.


The Death of Al-Qurayshi and its Implications
On 3 February, US special operation forces conducted a raid in Atmeh, a town in northwest Syria near Idlib province. The raid resulted in the death of Abu Ibrahim al-Hashimi al-Qurayshi, the leader of the Islamic State. Al-Qurayshi died when he detonated an explosive device on the third floor of his house, killing his children and other members of his family, as US special forces surrounded his hideout. In total, thirteen people were killed in the operation, including a senior ISIS deputy. US special forces were able to evacuate ten people from the house without injury. According to US intelligence sources, al-Qurayshi “helped drive and justify the abduction, slaughter, and trafficking of members of the Yazidi religious minority groups” in Iraq. He also oversaw ISIS’s global operations.

ISIS no longer controls significant territory as it has in the past, but this latest raid increases concern that ISIS sympathizers and terrorists may be regrouping to stage future attacks. In January, ISIS orchestrated the Ghwayran prison break in northeast Syria, a prison that incarcerated thousands of suspected ISIS fighters and some of their children. The goal of the attack was to free over 3,500 ISIS members. Ultimately, dozens of prisoners were freed, and 23 Kurdish security forces were killed. This was one of the group’s most significant attacks since it was declared defeated in 2019.

Today, ISIS is a shadow of its former self. With ISIS being so decentralized, many are left wondering if al-Qurayshi’s murder will really matter. Analysts warn the death will not erase the group (and its affiliates) whose members have continued to seek safe haven and plan attacks in chaotic places around the world, including Syria, Iraq, Afghanistan, and Mozambique. The US is responsible for killing both ISIS leaders, including Abu Bakr al-Baghdadi. Historically, after leaders of terrorist organizations are killed, some organizations often resurface in new and more powerful ways. In almost all circumstances, deceased leaders are simply replaced with new ones.

While fears of retaliatory attacks are justified, some analysts believe the group is unable to overcome the challenges it faces. Persistent attacks by the US and its allies have disrupted the group’s financing networks, and members of its inner circle continue to be killed. Nevertheless, ISIS’s capabilities should not be discounted. Conflict zones, failed states, and poorly governed places offer a safe haven for terrorist organizations like ISIS to operate, train, and expand.

While it is too early to grasp the impact of al-Qurayshi’s death, it is certainly a setback for the group. However, ISIS’s belief in and desire for a future so-called caliphate is not dependent on a captivating leader. For now, the US and other allies consider the results of this latest raid as a win.


Tonga’s Devastation by Underwater Volcano Exemplifies the Vulnerability of Pacific Island Nations
On 15 January, the Hunga Tonga–Hunga Haʻapai underwater volcano erupted, generating a 30-kilometer-high ash plume as well as tsunami waves that reached as far as Japan in the west and Peru in the east. Tongatapu, Tonga’s primary island and home to approximately 70% of the Tongan population, is located 65 kilometers from the volcano and was devastated during the eruption and subsequent tsunami. Further exacerbating an already dire situation, lines of communication between Tonga’s islands and the outside world were disrupted after an underwater fiber optic cable was severed during the eruption, essentially isolating the country from the outside world. In the aftermath of this eruption, experts would declare it the largest volcanic eruption of the 21st century, equivalent to the detonation of 10 megatons of TNT.

The eruption of Hunga Tonga–Hunga Haʻapai and subsequent devastation of Tonga astounded the world. Foreign governments were quick to organize relief efforts with New Zealand providing USD $340,000 in relief supplies, technical support, and the deployment of local rescue resources. By 28 January, the Chinese government had delivered essential food, water, and medical supplies to Tonga’s capital, Nuku’alofa. The Australian government, however, provided one of the most robust responses to the crisis via Operation Tonga Assist 2022. This operation saw the deployment of several Australian Navy ships delivering essential supplies and tasked with relief and recovery efforts in the affected areas. While the deployment of foreign aid to Tonga was essential and surely went a long way towards assisting the Tongan population, the influx of foreign emergency personnel had the unfortunate effect of spreading COVID-19 to a country that had only fully vaccinated approximately 60% of its population.

Tonga had remained largely isolated since the beginning of the COVID-19 pandemic, swiftly moving to seal its borders in early 2020 and restricting access to the country for most foreign nationals. The near-complete closure of Tonga’s international borders did much to keep COVID-19 cases minimal; however, the influx of foreign aid personnel following the 15 January eruption of Hunga Tonga–Hunga Haʻapai had the unfortunate effect of exposing a country with minimal natural COVID-19 immunity to the virus. After domestic COVID-19 cases began to be increasingly reported, the Tongan government moved on 19 January to immediately declare a domestic lockdown which included the closure of many non-essential businesses, mask mandates, and nightly curfews.

While Tonga’s geographic isolation had done much to protect the country during the COVID-19 Pandemic, its geography also had the inverse effect of isolating the country and impeding the ability of essential foreign aid to be delivered following the volcanic eruption and tsunami. In this specific incident, it was Tonga that was most affected by the devastation; however, Tonga is hardly the only Pacific Island nation with similar vulnerabilities. Other island nations throughout the region could just as easily be impacted by seismic activity, tsunamis, severe storms, etc. Indeed, while the most recent disaster to strike Tonga was quite devastating, it perfectly exemplifies the vulnerability of other Pacific Island nations across the region.


Coup D’état in Burkina Faso
On 24 January, the military of Burkina Faso stormed President Roch Marc Christian Kaboré’s house and took him, along with other civilian leaders, to an unknown location. The military then suspended the Constitution, and an officer appeared on national television to announce the military takeover and that it was closing the country’s land and air borders. Following the announcement, citizens joyously poured into the streets of Ouagadougou.

Public opinion of President Kaboré was one of immense frustration due to his inability to stop attacks by Islamist militants, which have been on the rise in the region. Attacks by Islamist militants have displaced 1.4 million people and killed 2,000 people last year alone. The civilian display of support for the military coup was strong in the capital and throughout the country. A young man told reporters that he was proud of their ‘valiant soldiers’ and hoped the Economic Community of West African States (ECOWAS) would abstain; expectations of sanctions and strong opinions from ECOWAS usually follow West African coups.

The new military-appointed leader is Lt. Col. Paul-Henri Sandaogo Damiba. After training at the Military School of Paris he became a member of the elite force that guarded the former President Blaise Compaore who ruled Burkina Faso for 27 years prior to 2014. Last year he published a book titled “West African Armies and Terrorism: Uncertain Responses?” On 1 February, Damiba restored the Constitution, around the same time Burkina Faso was suspended from the African Union. West African leaders and the international community continue to demand a return to civilian rule and the citizens of Burkina Faso continue to celebrate the coup.

An emergency summit was held by West African leaders to discuss the drastic increase in attempted and successful coups within the region. In the past 18 months, military coups have toppled five West African countries including Mali, Chad, Guinea, Sudan, and now Burkina Faso. Nana Akufo-Addo, the chairman of ECOWAS, said the trend “must be contained before it devastates our whole region.” The leaders at the West African summit denounced the civilian support of the Burkina Faso coup and, with the support of ECOWAS, began discussing imposing economic sanctions on the nation. It is unclear how Burkina Faso will move forward; with the citizens’ support, there could be a lengthy military-led government, regardless of regional and international pressure. Regardless of public support, a coup extinguishes any civilian control and can leave a nation teetering on the brink of disaster.


Cyber Attacks Target Oil Facilities Across Europe 
Multiple oil facilities across Europe have recently been targeted by a series of cyber-attacks. While the malware seems to mainly affect cargo loading operations, authorities are concerned that it may soon cause a greater impact across European shipping and logistic operations similar to the Colonial Pipeline attack in 2021. While investigators have not yet determined if the attacks are all linked, they do appear to be carried out by the same ransomware group known as BlackCat.

The first two attacks targeted German oil companies Oiltanking and Mabanaft, which operate under the parent company Marquard & Bahls, and primarily affected German retail fuel supplies. The next series of attacks targeted various oil terminals operated by SEA-tank, including the Amsterdam-Rotterdam-Antwerp oil hub, which operates ports across the Netherlands and Belgium. Company representatives stated that operational systems were hijacked to the point where barges could not be processed, forcing them to declare force majeure, which is an emergency legal clause reserved for when companies cannot fulfill contractual obligations. The Shell Oil Company also stated they were forced to reroute supplies as a result of the attacks.

Europol is currently supporting a joint investigation with Belgian law enforcement and the Dutch National Cyber Security Center. While the attacks did not appear to be coordinated at the early stages of the investigation, cybersecurity experts have observed that the BlackCat ransomware group communicates in Russian. With Russian hackers previously involved in infrastructure targets, there is growing concern that they may be linked to the escalating conflict in Ukraine as the attacks are consistent with tactics Russia has used in the past.

The “BlackCat” ransomware group goes by the name ALPHV. The ransomware was labeled BlackCat by cybersecurity researcher MalwareHunterTeam after the image of a black cat was observed on the group’s ransomware notes. The group has since been known as BlackCat when discussed by the media and cybersecurity researchers. ALPHV first appeared in November 2021 as a multi-feature ransomware group that had built a malware package written in the Rust programming language, which is unusual for ransomware. The ransomware features highly customizable encryption methods and attack options, making it ideal for multiple targets.

BlackCat operations are run as Ransomware-as-a-Service (RaaS), typically structured with one team that develops the malware and servers and then recruits affiliates (known as “adverts”) to penetrate and infect target networks. The ransomware payments are then divided between the two parties depending on the amount of the payment. While investigators can typically link different ransomware operations by observing encryption code similarities, the unique Rust code used in BlackCat ransomware was built from scratch and there is not yet enough data to analyze encryption similarities. However, similarities in configuration files do seem to indicate that the members of BlackCat operations may be the same members involved in the DarkSide attacks. Regardless, the BlackCat ransomware group has shown the ability to successfully target large corporations and should be closely monitored by network defense teams.



The information provided to you within this report has been compiled from a multitude of available sources and is based on current news and analysis at the time of writing. The security team at On Call International, LLC has provided this analysis, supporting advice, and recommendations in good faith to assist you in mitigating risks that could arise. However, no implied or express warranty against risk, changes in circumstance, or other fluid and unforeseen events can be provided. By reading this report, you will agree that any reliance you place on this information is therefore strictly at your own risk and that you will not hold On Call International, LLC or the authors responsible for any inaccuracies, errors or oversights here-in. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise without the prior permission of On Call International, LLC.