Between 2018 and 2020, the Iranian state-sponsored threat actor known as APT39 -
also tracked as Chafer or Remix Kitten by different threat intelligence providers -
conducted a sustained, multi-year cyber espionage campaign against Kuwaiti government
agencies, targeting diplomatic communications, military intelligence, and sensitive oil
sector operational data. Bitdefender Labs published a detailed technical analysis of the
campaign, documenting the custom toolsets and living-off-the-land techniques employed
by the group to maintain persistent, stealthy access to high-value Kuwaiti government
networks over an extended period.
Kuwait’s strategic position in the Gulf - sharing a border with Iraq, housing
significant US military presence, and playing a mediating role in regional diplomatic
tensions - made it a high-value intelligence target for Iranian state interests.
The campaign’s longevity, spanning at least two years before being publicly
documented, demonstrates the sophistication of APT39’s operational security and
the persistent gaps in Kuwait’s government cybersecurity posture that allowed the
intrusion to continue undetected. The campaign was discovered and publicly attributed
through the forensic analysis of Bitdefender Labs, working from incident response
engagements and threat intelligence collection, rather than through Kuwait’s
own detection capabilities.
## Key Facts
- **What:** Iranian APT39 conducted multi-year cyber espionage against Kuwait (2018-2020).
- **Who:** Kuwaiti government diplomatic, military, and oil sector agencies.
- **Data Exposed:** Diplomatic cables, military intelligence, and oil sector operational data.
- **Outcome:** Two-year undetected dwell time; discovered by Bitdefender, not Kuwait.
## What Was Exposed
- Diplomatic communications from Kuwaiti government agencies, potentially including negotiating positions, foreign policy assessments, and classified diplomatic cables
- Military intelligence data, including potentially operational planning documents, order of battle information, and assessments of regional military capabilities
- Kuwait Petroleum Corporation and oil sector operational data, including production figures, infrastructure assessments, and commercial negotiations
- Personnel records of government officials, military officers, and intelligence personnel, enabling targeting for future social engineering or physical surveillance
- Internal government network architecture and authentication credential stores, providing persistent access paths and enabling future re-entry
- Communications metadata revealing the organisational structure of targeted agencies, the identity of key officials, and the patterns of inter-agency communication
- Classified assessments of Kuwait’s relationships with coalition partners, potentially including information on intelligence sharing arrangements
- Data on Kuwait’s US military basing arrangements and the operational details of coalition force presence at Kuwaiti bases
APT39 is assessed by multiple intelligence agencies and private threat intelligence
firms to operate as an extension of Iranian state intelligence, specifically the Ministry
of Intelligence and Security (MOIS). The group’s primary mission is the collection
of intelligence in support of Iranian geopolitical objectives - tracking dissidents
and opposition figures, gathering intelligence on regional adversaries, and monitoring
the activities of foreign governments whose decisions affect Iranian interests. Kuwait
sits at the intersection of several Iranian intelligence priorities: it hosts significant
US military infrastructure (Ali Al Salem Air Base and Camp Arifjan), maintains close
relationships with Saudi Arabia that create strategic intelligence value, and has historically
served as a mediator in regional disputes where Iranian interests are at stake.
The technical profile of APT39’s operations, as documented by Bitdefender and
corroborated by MITRE ATT&CK’s APT39 profile, is characterized by a preference
for custom-developed tools over commodity malware. The group’s toolkit includes
SEAWEED (a backdoor capable of file upload/download, command execution, and screenshot
capture), CACHEMONEY (a persistence mechanism exploiting Windows registry run keys),
and POWBAT (a PowerShell-based backdoor enabling remote command execution). These custom
tools enable APT39 to evade signature-based detection tools that rely on known malware
hashes, requiring behavioral detection capabilities that were not universally deployed
across Kuwait’s government network at the time of the campaign.
Living-off-the-land (LotL) techniques were central to APT39’s operational security
during the Kuwait campaign. By leveraging legitimate Windows administrative tools
- PowerShell, Windows Management Instrumentation, Remote Desktop Protocol, and
the Sysinternals suite - for lateral movement, credential harvesting, and data
collection, the group minimized the generation of artifacts that would distinguish their
activity from legitimate administrative operations. This approach is particularly effective
in government environments where system administrators routinely use these same tools
for legitimate purposes, making behavioral detection significantly more challenging than
in environments where these tools are rarely or never legitimately used.
The dwell time of the APT39 campaign in Kuwait - at least two years -
is a critical indicator of the detection failure that enabled the damage. Extended
dwell times are characteristic of state-sponsored espionage operations precisely
because they prioritize intelligence collection over operational disruption. Unlike
ransomware operators who must eventually reveal their presence to collect payment,
espionage actors benefit from remaining undetected indefinitely, continuously exfiltrating
intelligence while avoiding any action that might trigger an incident response investigation.
Two years of undetected access to Kuwaiti government networks represents an intelligence
windfall for Iranian state interests, potentially enabling them to anticipate Kuwaiti
diplomatic positions, understand Kuwaiti military capabilities, and track Kuwaiti
intelligence relationships with coalition partners.
The geopolitical context of 2018-2020 makes the intelligence value of this campaign
particularly significant. This period encompassed the escalating tensions following
the US withdrawal from the Joint Comprehensive Plan of Action (JCPOA) in May 2018,
the subsequent maximum-pressure sanctions campaign, the Gulf crisis that saw Qatar
blockaded by Saudi Arabia, the UAE, Bahrain, and Egypt, and the assassination of IRGC
Commander Qasem Soleimani in January 2020. Kuwait’s role as a mediator during
the Qatar crisis, combined with its hosting of US military forces and its close
relationship with Saudi Arabia, made its government communications extraordinarily
valuable to Iranian intelligence analysts trying to understand the evolving Gulf
political landscape.
The oil sector targeting in the APT39 campaign reflects a consistent priority across
multiple Iranian state-sponsored cyber operations. Kuwait’s oil sector -
centered on the Kuwait Petroleum Corporation (KPC), one of the world’s largest
vertically integrated oil companies - holds commercial intelligence of enormous
value to Iranian oil ministry officials seeking to understand competitor production
strategies, pricing positions, and OPEC quota compliance. Exfiltrating KPC operational
data provides Iran with intelligence that is directly valuable both for energy policy
purposes and as a source of commercial advantage in international oil markets where
Kuwait and Iran compete for customers and market share.
## Regulatory Analysis
The APT39 campaign against Kuwait’s government agencies presents a fundamentally
different regulatory challenge than the commercial ransomware incidents that represent
most of Kuwait’s publicized data breach history. Nation-state espionage operations
do not fit neatly within the data protection regulatory framework established by CITRA’s
DPPR Decision No. 26/2024 or the Cybercrime Law No. 63/2015. Nevertheless, the regulatory
analysis reveals important structural insights about Kuwait’s cyber governance framework.
The Cybercrime Law No. 63/2015 clearly criminalizes the unauthorized access and data
interception that constitute APT39’s core activities. Articles establishing offenses
for unauthorized system access, data interception, and electronic surveillance apply
directly to the technical actions performed by APT39 operators within Kuwaiti government
networks. However, the practical enforcement of these provisions against state-sponsored
actors operating from Iranian territory is constrained by the absence of mutual legal
assistance arrangements and the diplomatic impossibility of extradition for individuals
acting under the direction of a foreign state intelligence service.
The DPPR Decision No. 26/2024’s breach notification requirements create obligations
for the Kuwaiti government agencies that were compromised, irrespective of the state-sponsored
nature of the attacker. Where government agencies process personal data of Kuwaiti citizens
- and the diplomatic and military agencies targeted by APT39 certainly do -
a compromise that provides unauthorized access to that data constitutes a personal data
breach requiring notification to CITRA within 72 hours of discovery. The national security
sensitivity of the specific data exposed may justify limitations on the public elements
of the notification, but does not eliminate the obligation to notify the regulator.
Kuwait’s regulatory framework lacks a dedicated national security cyber incident
reporting mechanism comparable to the classified incident reporting requirements that
exist in the United States under Executive Order 14028 or the UK’s National Cyber
Security Centre mandatory reporting scheme for government agencies. The absence of such
a mechanism means that there is no regulatory basis for compelling government agencies
to report state-sponsored intrusions to a central coordinating authority, limiting the
government’s ability to develop a comprehensive picture of Iranian APT activity
across Kuwait’s government network and to coordinate defensive responses.
The two-year dwell time of the APT39 campaign raises questions about the adequacy of
the security measures in place at the targeted Kuwaiti government agencies. CITRA’s
DPPR and the broader data protection framework impose obligations on data controllers
to implement appropriate technical and organizational measures to protect personal data.
For government agencies handling classified diplomatic and military data, the standard
of appropriate measures must be calibrated to the threat landscape - which includes
state-sponsored espionage as a foreseeable and documented risk. Security measures that
fail to detect a sophisticated intrusion for two years do not meet any reasonable
definition of appropriate for data of this sensitivity.
## What Should Have Been Done
Defending against a sophisticated, patient state-sponsored espionage actor like APT39
requires a fundamentally different security philosophy than defending against opportunistic
criminal ransomware operators. The assumption must be that the adversary is already
inside the network and has been for an extended period. The defensive objective is
therefore not to prevent initial access but to minimize the attacker’s ability
to collect and exfiltrate valuable intelligence while maximizing the defender’s
ability to detect the intrusion and identify the full scope of compromise.
Data minimization and compartmentalization are the most effective strategic defenses
against sustained espionage. Kuwait’s government agencies should implement strict
need-to-know access controls that limit each user’s ability to access sensitive
data to only what is directly required for their current official function. Classification
systems should enforce technical access controls, not merely advisory labels, ensuring
that accessing above-classification data requires explicit authorization that is logged
and monitored in real time. An espionage actor who gains initial access through a
low-privilege employee account should be immediately confined to a limited data universe
by technical access controls, rather than being able to escalate privileges and access
the full range of sensitive government data.
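The paragraph above argues that classification markings must be enforced technically, logged, and monitored. The following is an added example (not code from the article, from Bitdefender, or from any Kuwaiti agency) showing what that looks like in the smallest useful form: a deny-by-default read check that requires the reader's clearance to dominate the document level and the reader to hold every need-to-know compartment, an audit log of every decision, and a monitoring view that surfaces denied attempts against high-side documents. The levels, compartments, accounts and documents are constructed sample data.

```python
"""Classification labels enforced as technical access controls, with an audit trail.

Added example; not code from the article or from any Kuwaiti agency. A reader's
clearance must dominate a document's level (no read-up) and the reader must hold
every need-to-know compartment on it; every decision is logged, and denied attempts
against high-side documents are surfaced for real-time review. Levels, compartments,
users and documents below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Linear ordering of classification levels (constructed; adapt to the local scheme).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    compartments: frozenset  # need-to-know compartments the person holds


@dataclass(frozen=True)
class Document:
    name: str
    level: str
    compartments: frozenset  # every one of these must be held by the reader


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, subject, doc, decision, reason):
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": subject.user, "doc": doc.name, "level": doc.level,
            "decision": decision, "reason": reason,
        })


def authorize_read(subject, doc, log):
    """Deny-by-default read check. Both conditions must hold:
    1. clearance dominates the document level (no read-up);
    2. the subject holds every compartment marked on the document."""
    if LEVELS[subject.clearance] < LEVELS[doc.level]:
        log.record(subject, doc, "DENY",
                   f"clearance {subject.clearance} below {doc.level}")
        return False
    missing = doc.compartments - subject.compartments
    if missing:
        log.record(subject, doc, "DENY",
                   f"missing need-to-know compartments {sorted(missing)}")
        return False
    log.record(subject, doc, "ALLOW", "clearance and need-to-know satisfied")
    return True


def high_side_denials(log, min_level="SECRET"):
    """Monitoring view: denied attempts on documents at or above min_level.
    A low-privilege account repeatedly bumping into high-side data is the
    behaviour the text describes; it should page someone, not sit in a file."""
    return [e for e in log.events
            if e["decision"] == "DENY" and LEVELS[e["level"]] >= LEVELS[min_level]]


# Constructed sample: an oil-sector analyst, a military officer, and two documents.
analyst = Subject("kpc\\analyst1", "CONFIDENTIAL", frozenset({"OIL"}))
officer = Subject("mod\\officer7", "SECRET", frozenset({"MILITARY"}))
production = Document("q3_production_figures", "CONFIDENTIAL", frozenset({"OIL"}))
cable = Document("embassy_cable_0412", "SECRET", frozenset({"DIPLOMATIC"}))


def demo():
    """Run the sample decisions and return (decisions, high-side alerts)."""
    log = AuditLog()
    decisions = [
        authorize_read(analyst, production, log),  # True: level and compartment match
        authorize_read(analyst, cable, log),       # False: read-up attempt
        authorize_read(officer, cable, log),       # False: cleared, but no DIPLOMATIC need-to-know
    ]
    return decisions, high_side_denials(log)


if __name__ == "__main__":
    decisions, alerts = demo()
    print(decisions)
    for a in alerts:
        print(a["user"], "->", a["doc"], ":", a["reason"])
```

The second denial is the one worth noticing: a fully cleared officer is still refused a diplomatic cable because clearance alone is not need-to-know. That is the compartmentalization the paragraph calls for, and it is what confines an actor holding one stolen account to that account's slice of the data.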
Threat hunting, rather than reactive incident response, is the appropriate detection
strategy for nation-state espionage. Threat hunters proactively search network and
endpoint telemetry for indicators of compromise (IOCs) and behavioral patterns associated
with known adversary TTPs, rather than waiting for security tools to generate alerts on
detected threats. APT39’s TTPs are extensively documented in MITRE ATT&CK
and in Bitdefender’s published analysis; Kuwait’s government agencies should
have been conducting regular threat hunts using APT39’s known indicators and
behavioral signatures. A structured threat hunting programme, conducted monthly or
more frequently for high-risk agencies, would significantly reduce the probability
of a two-year undetected dwell time.
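Both the living-off-the-land discussion earlier (legitimate PowerShell, WMI and RDP use masking attacker activity) and the threat-hunting paragraph above come down to the same practical question: what does a hunt for these behaviours actually run over the telemetry? The following is an added example, not code from the article, from Bitdefender or from MITRE. It applies a handful of behavioural rules for techniques the text attributes to APT39 (Run-key persistence as described for CACHEMONEY, encoded PowerShell, shells spawned via WMI, and admin tooling or RDP used by accounts outside the administrator group) to a small constructed set of Sysmon- and Security-log-style events, then reports the hosts touched and the dwell time implied by the earliest hit. Hosts, accounts, timestamps, the allowlists and the discovery date are all made up for the example.

```python
"""Hypothesis-driven threat hunt over endpoint telemetry, with dwell-time estimation.

Added example, not code from the article, from Bitdefender or from MITRE. Behavioural
rules for Run-key persistence, encoded PowerShell, WMI-spawned shells and admin
tooling/RDP used by non-administrators are applied to constructed events; the
output is the list of findings, the hosts in scope, and a lower bound on dwell time.
All hosts, accounts, timestamps, allowlists and the discovery date are made up.
"""
from datetime import date

# Constructed telemetry. Field names loosely follow Sysmon process-create / registry
# events and Windows logon events; this is not a real export.
EVENTS = [
    {"ts": "2018-03-04", "host": "MOFA-WS17", "user": "mofa\\jdoe", "type": "process",
     "image": "powershell.exe", "parent": "winword.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <BASE64 PLACEHOLDER>"},
    {"ts": "2018-03-04", "host": "MOFA-WS17", "user": "mofa\\jdoe", "type": "registry",
     "image": "powershell.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost_upd"},
    {"ts": "2018-03-05", "host": "MOFA-FS01", "user": "mofa\\jdoe", "type": "logon",
     "logon_type": 10, "src": "10.20.5.17"},
    {"ts": "2018-06-11", "host": "MOFA-FS01", "user": "mofa\\jdoe", "type": "process",
     "image": "cmd.exe", "parent": "wmiprvse.exe", "cmd": "cmd.exe /c whoami"},
    # Benign administrator activity that the same tools produce every day.
    {"ts": "2019-01-20", "host": "MOFA-WS02", "user": "mofa\\itadmin", "type": "process",
     "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe Get-Service -Name Spooler"},
    {"ts": "2019-01-20", "host": "MOFA-FS01", "user": "mofa\\itadmin", "type": "logon",
     "logon_type": 10, "src": "10.20.1.5"},
]

ADMIN_ACCOUNTS = {"mofa\\itadmin"}              # accounts whose role includes these tools
RUNKEY_WRITERS = {"msiexec.exe", "setup.exe"}   # processes expected to write Run keys
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe"}


def rule_runkey(ev):
    """T1547.001: a Run-key value written by anything other than an installer."""
    if ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower() \
            and ev["image"].lower() not in RUNKEY_WRITERS:
        return "T1547.001 Run-key persistence written by non-installer process"


def rule_encoded_powershell(ev):
    """T1059.001: PowerShell launched with an encoded command line."""
    if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
        if any(tok in ("-enc", "-encodedcommand") for tok in ev["cmd"].lower().split()):
            return "T1059.001 PowerShell with encoded command"


def rule_wmi_spawn(ev):
    """T1047: a shell whose parent is the WMI provider host (remote WMI execution)."""
    if ev["type"] == "process" and ev["parent"].lower() == "wmiprvse.exe" \
            and ev["image"].lower() in {"cmd.exe", "powershell.exe"}:
        return "T1047 Shell spawned by WmiPrvSE.exe"


def rule_tooling_by_non_admin(ev):
    """LotL tools are normal for administrators; the signal is WHO is using them."""
    if ev["user"] in ADMIN_ACCOUNTS:
        return None
    if ev["type"] == "logon" and ev.get("logon_type") == 10:
        return "T1021.001 RDP logon by account outside the administrator group"
    if ev["type"] == "process" and ev["image"].lower() in ADMIN_TOOLS:
        return "Admin tooling executed by non-administrator account"


RULES = [rule_runkey, rule_encoded_powershell, rule_wmi_spawn, rule_tooling_by_non_admin]


def hunt(events):
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "user": ev["user"], "finding": hit})
    return findings


def scope(findings):
    """Hosts with at least one finding: the starting point for scoping the compromise."""
    return sorted({f["host"] for f in findings})


def dwell_days(findings, discovered):
    """Days between the earliest finding and the discovery date (a lower bound on dwell)."""
    earliest = min(date.fromisoformat(f["ts"]) for f in findings)
    return (discovered - earliest).days


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for h in hits:
        print(h["ts"], h["host"], h["user"], h["finding"])
    print("hosts in scope:", scope(hits))
    print("dwell >=", dwell_days(hits, date(2020, 3, 1)), "days")  # discovery date is constructed
```

Two design points matter here. First, the administrator's identical PowerShell and RDP activity produces no findings, which is the whole difficulty the LotL paragraph describes: the rules key on context (parent process, writing process, account role) rather than on the tool itself. Second, a hunt that runs monthly over retained telemetry, as the text recommends, would have surfaced the first of these events within weeks rather than letting the dwell counter run to two years.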
Deception technology - honeypots, honeytokens, and canary credentials -
represents a particularly effective tool against espionage actors who must access data
to achieve their mission. Deploying realistic fake credentials, documents, and network
services that appear to be high-value intelligence targets will attract an actor like
APT39 that is actively seeking to identify and access sensitive data. Any interaction
with deception assets generates an immediate, high-confidence alert that a sophisticated
actor is present in the network, enabling rapid incident response before the actor
has accessed genuine sensitive data. Deception technology is particularly effective
against LotL attackers who appear to be legitimate users - the deception environment
distinguishes between the system administrator who legitimately accesses a file server
and the espionage actor who accesses a fake file server that no legitimate user should
ever touch.
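The paragraph above makes the case for deception assets on the grounds that any interaction with them is a high-confidence signal. The following is an added example (not the article's code and not any vendor's product) of the defender-side half of that: a small registry of canary credentials, honeytoken documents and a honeypot host, and a classifier that turns any authentication, file-access or network event involving them into an alert. Each canary credential is recorded with the single place it was planted, so the account being used tells the responder which host the attacker harvested it from. Account names, paths, addresses and the sample events are all constructed.

```python
"""Deception assets as high-confidence tripwires: canary credentials, honeytoken
documents and a honeypot host that no legitimate user should ever touch.

Added example; not the article's code and not any vendor's product. Each canary
credential is planted in exactly one place, so the account being used tells the
responder which host the attacker harvested it from. Account names, paths,
addresses and the sample events are all constructed.
"""

# Where each canary credential was planted (one planting site per credential).
CANARY_PLANTS = {
    "mofa\\svc_backup_legacy": "MOFA-WS17:C:\\Users\\jdoe\\Documents\\old_passwords.txt",
    "kpc\\oilops_archive": "KPC-WS31:C:\\it\\scripts\\archive_sync.ps1",
}
# Decoy documents seeded on real shares; their names are chosen to look valuable.
HONEYTOKEN_FILES = {
    "\\\\MOFA-FS01\\diplomatic\\2019_coalition_basing_draft.docx",
    "\\\\KPC-FS03\\production\\q4_quota_positions.xlsx",
}
# A decoy "file server" with no real users; any connection to it is suspicious.
HONEYPOT_HOSTS = {"10.20.9.44"}


def classify(ev):
    """Return an alert for any touch of a deception asset, else None.
    Failed canary logons count too: the credential should never be tried at all."""
    if ev["type"] == "auth":
        plant = CANARY_PLANTS.get(ev["user"].lower())
        if plant:
            return {"severity": "critical", "why": "canary credential used",
                    "user": ev["user"], "src": ev["src"], "harvested_from": plant,
                    "result": ev["result"]}
    if ev["type"] == "file" and ev["path"].lower() in {p.lower() for p in HONEYTOKEN_FILES}:
        return {"severity": "high", "why": "honeytoken document opened",
                "user": ev["user"], "src": ev["src"], "path": ev["path"]}
    if ev["type"] == "net" and ev["dst"] in HONEYPOT_HOSTS:
        return {"severity": "high", "why": "connection to honeypot host",
                "user": ev.get("user"), "src": ev["src"], "dst": ev["dst"]}
    return None


def detect(events):
    """Run the classifier over a batch of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a]


def suspect_sources(alerts):
    """Source addresses to pivot on next. With deception assets there is no
    'probably benign' case, so every source here goes straight to triage."""
    return sorted({a["src"] for a in alerts})


# Constructed sample events: one workstation behaving badly, one legitimate admin.
EVENTS = [
    {"type": "auth", "user": "mofa\\svc_backup_legacy", "src": "10.20.5.17", "result": "failure"},
    {"type": "file", "user": "mofa\\jdoe", "src": "10.20.5.17",
     "path": "\\\\MOFA-FS01\\diplomatic\\2019_coalition_basing_draft.docx"},
    {"type": "net", "user": "mofa\\jdoe", "src": "10.20.5.17", "dst": "10.20.9.44"},
    {"type": "auth", "user": "mofa\\itadmin", "src": "10.20.1.5", "result": "success"},
    {"type": "file", "user": "mofa\\itadmin", "src": "10.20.1.5",
     "path": "\\\\MOFA-FS01\\it\\patch_schedule.xlsx"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"].upper(), a["why"], a)
    print("pivot on:", suspect_sources(detect(EVENTS)))
```

The value of the `harvested_from` field is what the paragraph describes as distinguishing the legitimate administrator from the espionage actor: the administrator's normal work never produces an alert, while a single use of the planted credential not only confirms a hostile presence but also names the workstation where credential harvesting took place, which is where scoping and evidence collection should begin.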
Kuwait should establish a national threat intelligence sharing mechanism that enables
government agencies to share IOCs and adversary TTPs bilaterally, without requiring
public disclosure that could compromise ongoing investigations or reveal classified
capabilities. The discovery of APT39 activity in Kuwaiti government networks by a
private sector cybersecurity firm, rather than by Kuwait’s own intelligence
and cybersecurity apparatus, suggests that the government’s threat intelligence
collection and sharing mechanisms were not functioning effectively. A national cyber
intelligence fusion center, operating under CITRA or the national security apparatus,
would provide the coordination mechanism needed to ensure that indicators discovered
in one government agency are immediately shared across all agencies as defensive
signatures.
Diplomatic and intelligence liaison relationships with Gulf Cooperation Council partners,
the United States, and the United Kingdom provide access to classified threat intelligence
about Iranian APT operations that is not available through commercial channels. Kuwait
should leverage these relationships to ensure that its government cybersecurity teams
have access to the full classified picture of APT39’s capabilities and TTPs,
enabling proactive defensive measures before publicly disclosed IOCs have been incorporated
into commercial threat intelligence feeds. The US Cyber Command and CISA regularly
share classified threat intelligence with allied government CERT teams; Kuwait should
formalize these information-sharing arrangements to ensure that CERT-KW operates with
the most current and complete intelligence picture available.
Two years of undetected Iranian espionage inside Kuwait’s government networks
is not primarily a technology failure - it is a strategic failure to invest in
the threat hunting, intelligence sharing, and detection capabilities proportionate to
Kuwait’s geopolitical exposure as a Gulf state hosting US military forces and
serving as a regional diplomatic mediator. The intelligence already lost cannot be
recovered; the priority is ensuring that future Iranian APT activity is detected
in days, not years.