In 2020, the official Twitter account of Kuwait News Agency (KUNA) - the state’s
authoritative official news service - was compromised by threat actors who used
it to broadcast fabricated reports, including false stories claiming that US military
forces were withdrawing from Kuwait. The disinformation published through the hijacked
account, which carried the institutional credibility of Kuwait’s official state
news service, caused a brief but measurable period of diplomatic confusion and market
disruption before KUNA’s team identified the compromise, regained control of
the account, and issued corrections.

The false reports had already been widely reshared across social media platforms and
picked up by regional and international news aggregators by the time KUNA’s
corrections were published, illustrating the asymmetric speed advantage of disinformation
operations over correction efforts in the social media information environment. The
incident was not merely a cybersecurity failure - it was a demonstration of how
the compromise of a single social media account belonging to a state institution can
generate real-world political and economic consequences that far outlast the technical
duration of the account compromise.

## Key Facts

- **What:** KUNA's official Twitter was hijacked to broadcast false US withdrawal reports.
- **Who:** Kuwait's state news agency and its global media audience.
- **Data Exposed:** Social media credentials and editorial trust were compromised.
- **Outcome:** Brief diplomatic confusion and market disruption before corrections issued.

## What Was Exposed

- KUNA’s social media account credentials, enabling attackers to post content with the institutional credibility of Kuwait’s official state news agency
- KUNA’s editorial workflow and social media management practices, revealed by the ease with which attackers substituted disinformation for legitimate news content
- The authentication credentials of KUNA staff responsible for managing the agency’s Twitter presence, which may have been harvested for use in future social engineering operations
- The trust relationship between KUNA’s official accounts and the media organisations, diplomatic missions, and government agencies that follow and rely upon KUNA as an authoritative source
- Potentially the content management systems or scheduling tools used by KUNA’s social media team, if the account compromise was facilitated by an attack on these third-party services
- KUNA’s internal communication patterns regarding the account management and the post-incident response, if follow-on surveillance activity accompanied the initial compromise

Kuwait News Agency occupies a unique and consequential position in the Gulf state’s
information ecosystem. Founded by Amiri Decree in 1976, KUNA is the official state news
agency with the authoritative function of communicating Kuwait’s government positions,
official statements, and policy developments to both domestic and international audiences.
KUNA’s newswire is subscribed to by news organizations across the Arab world, by
diplomatic missions accredited to Kuwait, and by international wire services that treat
KUNA output as a primary source on Kuwaiti affairs. When KUNA publishes a story, it carries
an implicit attribution of official accuracy that most social media accounts cannot claim.

The specific disinformation content disseminated through the hijacked KUNA account -
false reports about US military withdrawal from Kuwait - was chosen with evident
strategic intent. Kuwait hosts some of the most significant US military infrastructure
in the Middle East, including Ali Al Salem Air Base and Camp Arifjan, which serve as
critical nodes in US Central Command’s force posture in the Gulf. A credible
report, apparently sourced from Kuwait’s own state news agency, of a US military
withdrawal from Kuwait would carry extraordinary implications: for regional security
calculations, for the governments of Saudi Arabia and other GCC states that rely on
US military presence as a deterrent, for financial markets assessing political stability
risk in the Gulf, and for Iran, which has strategic interest in any development that
would reduce US military presence in the region.

The brief market disruption caused by the false reports illustrates the financial
dimension of strategic disinformation operations. Gulf financial markets are sensitive
to geopolitical news, and a credible report of significant change in US military
posture in the region could trigger algorithmic trading responses that amplify initial
human reactions. High-frequency trading algorithms that scan news wires for geopolitically
significant terms and execute trades based on detected sentiment would respond to a
KUNA-attributed report of US military withdrawal within milliseconds - long before
human analysts could assess the credibility of the report or identify it as disinformation.
This automated vulnerability of financial markets to social media disinformation represents
a significant attack surface that state-sponsored and criminal threat actors have
repeatedly exploited.

The diplomatic confusion caused by the false reports created work across multiple
embassies in Kuwait City as diplomatic staff sought to verify the reported US military
withdrawal through official channels and assess its implications for their countries’
security arrangements. Even where embassies were able to quickly confirm through
internal channels that no withdrawal was underway, the disinformation had already
generated diplomatic traffic that occupied staff time, created momentary uncertainty
in internal policy assessments, and potentially generated classified reporting traffic
that itself became part of the record of a disinformation operation that succeeded
in generating diplomatic confusion as a secondary effect.

The restoration of KUNA’s account control and the publication of corrections
within hours demonstrated that KUNA had incident response capabilities for social
media account compromise. However, the incident revealed that these capabilities
were reactive rather than preventive. By the time corrections were issued, the
false reports had propagated through a network of reshares, screenshot captures,
and downstream news aggregation that corrections could not fully reach. The information
environment’s structural asymmetry - in which disinformation spreads
faster and further than corrections - means that preventing the initial
compromise is categorically more important than responding rapidly after it occurs.

The attribution of this attack was never publicly confirmed with the specificity that
would enable definitive conclusions about the sponsoring entity. The choice of disinformation
content - a false US military withdrawal - is consistent with both Iranian
state information operations objectives and with the objectives of non-state actors
seeking to create regional instability. The timing in 2020, a period of elevated
Iran-US tensions following the Soleimani assassination in January, created conditions
in which such disinformation would be most disruptive and most likely to be initially
believed by audiences already primed to expect significant changes in US regional
military posture.

## Regulatory Analysis

The KUNA Twitter account compromise engages Kuwait’s regulatory framework in
ways that are distinct from conventional data breach incidents. The primary harm was
not the unauthorized access to personal data but the weaponization of an institutional
credential for disinformation dissemination. Nevertheless, the regulatory analysis
reveals important obligations and gaps.

Kuwait’s Cybercrime Law No. 63/2015 directly addresses the conduct of the attackers
in this case. Its provisions criminalizing unauthorized access to computer systems
and electronic accounts apply squarely to the compromise of KUNA’s Twitter account,
while provisions addressing electronic fraud and the dissemination of false information
through electronic means engage the disinformation dimension of the attack. The law
establishes criminal penalties including imprisonment and fines for these offenses,
providing a legal framework for prosecution of identified perpetrators, subject to
the practical limitation that attribution and extradition for state-sponsored actors
operating from foreign jurisdictions remain extremely challenging.

CITRA’s Data Protection and Privacy Regulation, Decision No. 26/2024, imposes
obligations on KUNA as a data controller to the extent that the compromised accounts
or associated systems processed personal data of KUNA staff or sources. The account
compromise would trigger the 72-hour breach notification requirement where it resulted
in unauthorized access to personal data, including the credentials of KUNA staff
managing the social media accounts. KUNA’s obligation to notify CITRA within
72 hours of discovering the breach covers not only the immediate account compromise
but any broader system access that accompanied the credential theft.

Kuwait’s E-Commerce Law No. 20/2014 has limited direct application to this
incident, given that KUNA’s news distribution function is not primarily an
e-commerce operation. However, the law’s provisions regarding the security
of electronic communications and the integrity of electronic information are relevant
to KUNA’s obligations as a state institution using electronic platforms to
distribute official government-attributed news content.

The broader regulatory gap exposed by this incident is the absence of a Kuwaiti legal
framework specifically addressing the security obligations of state media and news
agencies that publish official government-attributed content on social media platforms.
State news agencies occupy a unique regulatory position: they are government entities
processing information with official attribution status, but they operate on commercial
third-party platforms (Twitter/X, Facebook, Instagram) whose account security is
dependent on the platforms’ own security infrastructure and the practices of
the media organizations managing the accounts. Kuwait has no regulatory requirement
specifically mandating security standards for state media social media account management,
creating a governance gap that threat actors can exploit.

The international dimension of social media disinformation creates regulatory challenges
that Kuwait’s domestic framework cannot address unilaterally. Coordinating with
Twitter/X and other platforms to establish rapid-response mechanisms for account
compromise notifications, verified state entity status indicators, and expedited
content removal for confirmed disinformation from compromised verified accounts
requires diplomatic and regulatory engagement with platform companies that operates
at the international rather than domestic regulatory level. Kuwait should pursue
these arrangements through bilateral platform engagement and through GCC-level
coordination on social media security for state institutions.

## What Should Have Been Done

Protecting a state news agency’s social media presence from account takeover
requires a combination of technical security controls, operational procedures, and
crisis response capabilities that are proportionate to the institutional significance
of the accounts being protected.

Hardware security keys implementing the FIDO2 standard represent the gold standard
for social media account security for high-value institutional accounts. Unlike
SMS-based two-factor authentication, which is vulnerable to SIM-swapping attacks,
or authenticator app codes, which can be phished through real-time man-in-the-middle
attacks, FIDO2 hardware keys cryptographically bind the authentication process to
the specific website being accessed, making it impossible to phish credentials even
if an attacker intercepts the authentication session. Twitter/X supports hardware
security key authentication; KUNA should have been one of the first state media
organizations in Kuwait to implement this capability for all accounts with posting
authority.
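
The origin binding described above can be seen in the checks a relying party runs on a WebAuthn assertion. This is an added example, not code from KUNA or Twitter/X; the origin, RP ID, look-alike domain and `simulate_browser` helper are hypothetical, and signature verification over `authenticatorData || SHA-256(clientDataJSON)` is a separate step not shown.

```python
import base64
import hashlib
import json

# Assumptions: placeholder relying-party identity, not a real service.
EXPECTED_ORIGIN = "https://login.example"
EXPECTED_RP_ID = "login.example"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def simulate_browser(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator emit.
    The browser, not the page, writes the origin into clientDataJSON."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData: SHA-256(rpId) | flags (UP+UV) | signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  issued_challenge: bytes) -> list:
    """Return the names of failed binding checks; an empty list means pass."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(issued_challenge):
        failures.append("challenge")      # stale or replayed assertion
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")         # assertion produced on another site
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        failures.append("rpIdHash")       # credential scoped to another RP ID
    return failures


CHALLENGE = b"constructed-challenge-0001"  # constructed sample value
GENUINE = simulate_browser(EXPECTED_ORIGIN, EXPECTED_RP_ID, CHALLENGE)
# A look-alike site relays the real challenge, but the browser still
# records the look-alike's own origin, so the server-side check fails.
LOOKALIKE = simulate_browser("https://login-example.invalid",
                             "login-example.invalid", CHALLENGE)
```

Because the signature covers both structures, a relay cannot rewrite the origin field after the fact without invalidating the assertion.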
Social media account access should have been restricted through IP allowlisting,
permitting login attempts only from KUNA’s registered office IP addresses
and approved VPN exit nodes. Any authentication attempt from an unrecognized IP
address should have triggered an immediate alert to KUNA’s security team
and required additional verification before access was granted. Combined with
hardware security keys, IP allowlisting would have provided a second layer of
defence that significantly constrained the attack surface available to remote
threat actors attempting account takeover.

KUNA should have implemented a social media management platform with built-in
access controls, approval workflows, and audit logging for all posting activity.
Professional social media management platforms like Hootsuite, Sprout Social,
or Khoros provide the ability to separate content creation from publishing authorization,
requiring approval from a designated authorizing officer before content is published
to KUNA’s official accounts. This workflow control would have added a human
verification step that might have caught the publication of disinformation before
it appeared on the KUNA account, even if the underlying account credentials had
been compromised.

A rapid-response disinformation protocol, pre-planned and regularly rehearsed,
should have enabled KUNA to issue corrections across all channels within minutes
rather than hours of identifying compromised account activity. This protocol should
include: pre-approved correction statement templates, immediate notification
procedures for KUNA’s wire service subscribers and key diplomatic and
media contacts, coordinated takedown requests to social media platforms, and
direct outreach to regional and international news organizations that have republished
the disinformation. The protocol should be coordinated with the Ministry of
Information and Kuwait’s Foreign Ministry to ensure that official government
corrections reach diplomatic channels as rapidly as they reach the public.

KUNA should establish a continuous monitoring capability for its social media accounts,
using either dedicated social media monitoring tools or third-party services specializing
in account integrity monitoring for high-risk verified accounts. These tools can
detect account compromise indicators such as login from new geographic locations,
password reset attempts, changes to account settings including contact email addresses,
and publication of content at unusual times or with unusual linguistic patterns.
Immediate alerting to KUNA’s security team when any of these indicators are
detected would have enabled intervention within minutes rather than after the
disinformation had been widely disseminated.
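
The compromise indicators listed above, together with the IP allowlist from the earlier paragraph, can be written as a small triage pass over account audit events. This is an added example, not a KUNA or platform tool; the event schema, the RFC 5737 documentation address ranges, the country codes and the posting-hours window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions: hypothetical office and VPN ranges (RFC 5737 documentation space).
ALLOWED_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.16/28")]
KNOWN_COUNTRIES = {"KW"}          # baseline of previously seen login locations
POSTING_HOURS = range(6, 23)      # 06:00-22:59 local time, assumed newsroom hours

EVENTS = [  # constructed sample audit events, not data from the incident
    {"ts": "2030-01-08T09:12:00", "type": "login", "ip": "192.0.2.44", "country": "KW"},
    {"ts": "2030-01-08T09:15:00", "type": "post", "ip": "192.0.2.44"},
    {"ts": "2030-01-09T02:38:00", "type": "password_reset"},
    {"ts": "2030-01-09T02:41:00", "type": "login", "ip": "203.0.113.7", "country": "ZZ"},
    {"ts": "2030-01-09T02:43:00", "type": "settings_change", "ip": "203.0.113.7",
     "field": "contact_email"},
    {"ts": "2030-01-09T02:47:00", "type": "post", "ip": "203.0.113.7"},
]


def indicators(event: dict) -> list:
    """Return the compromise indicators a single event matches."""
    found = []
    ip = event.get("ip")
    if ip and not any(ip_address(ip) in net for net in ALLOWED_NETS):
        found.append("ip_not_allowlisted")
    if event["type"] == "login" and event.get("country") not in KNOWN_COUNTRIES:
        found.append("new_login_location")
    if event["type"] == "password_reset":
        found.append("password_reset_attempt")
    if event["type"] == "settings_change" and event.get("field") == "contact_email":
        found.append("contact_email_changed")
    if event["type"] == "post":
        if datetime.fromisoformat(event["ts"]).hour not in POSTING_HOURS:
            found.append("post_outside_usual_hours")
    return found


def triage(events: list) -> list:
    """Return (timestamp, event type, indicators) for every event that alerts."""
    return [(e["ts"], e["type"], hits) for e in events if (hits := indicators(e))]


if __name__ == "__main__":
    for ts, kind, hits in triage(EVENTS):
        print(f"ALERT {ts} {kind}: {', '.join(hits)}")
```

In the constructed sequence the first alert fires nine minutes before the off-hours post, which is the intervention window the paragraph describes.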
The KUNA Twitter hijacking demonstrated that compromising a single social media
account belonging to a state news agency can generate diplomatic confusion and
market disruption that no amount of post-incident correction can fully reverse.
In the disinformation age, the security of state media’s social media
credentials is a national security matter, not merely an IT administration issue - and
it demands security investment and regulatory oversight proportionate
to that reality.