🇰🇼 Kuwait | September 2023 | 10 min read
# Kuwait Ministry of Finance: Rhysida Ransomware Hits Government Systems
In September 2023, the Rhysida ransomware group - the same criminal organization
that struck Abdali Hospital in Jordan weeks earlier - claimed a successful intrusion
into Kuwait's Ministry of Finance, demanding a ransom payment in exchange for
stolen data and the decryption of compromised government systems. The Ministry of Finance
is the fiscal nerve center of one of the Gulf's wealthiest states, overseeing
budget formulation, public expenditure, and the operational activities supporting Kuwait's
$900 billion-plus sovereign wealth fund, the Kuwait Investment Authority.
Kuwait's national Computer Emergency Response Team, CERT-KW, was activated in
response to the incident. Rhysida threatened to publish stolen data publicly on its dark
web leak site if ransom demands were not met, a tactic designed to amplify pressure on
government victims who may be unwilling to acknowledge a compromise publicly. The attack
exposed deep vulnerabilities in Kuwait's government cybersecurity posture at precisely
the moment the country was developing its first comprehensive data protection regulatory
framework under CITRA's oversight.
## Key Facts
- **What:** Rhysida ransomware hit Kuwait's Ministry of Finance in September 2023.
- **Who:** Kuwait's fiscal governance ministry overseeing the $900B sovereign wealth fund.
- **Data Exposed:** Budget data, employee credentials, vendor records, and fiscal documents.
- **Outcome:** CERT-KW activated; Rhysida threatened dark web data publication.
## What Was Exposed
- Government financial system access, potentially including budget planning data, expenditure records, and inter-ministerial transfer documentation
- Internal employee credentials and administrative account data from Ministry of Finance IT infrastructure
- Operational data potentially touching Kuwait Investment Authority support systems and sovereign wealth fund reporting
- Vendor and contractor records, including payment details and procurement documentation managed through MoF systems
- Potentially classified fiscal policy communications, treasury operations data, and debt management records
- Public-facing service data, including tax registration information and government fee payment records
- Internal network architecture documentation that would enable future intrusion attempts against connected government agencies
The Kuwait Ministry of Finance occupies a uniquely sensitive position within the Gulf
state's administrative structure. Unlike most national finance ministries, Kuwait's
operates in the shadow of an extraordinary sovereign wealth management apparatus. The Kuwait
Investment Authority, established in 1953 and one of the world's oldest and largest
sovereign wealth funds, holds assets estimated at over $900 billion - more than six
times Kuwait's annual GDP. While the KIA itself operates independently, the Ministry
of Finance serves a coordination and oversight function, processing government budgets,
managing the General Reserve Fund, and handling the administrative infrastructure through
which Kuwait's hydrocarbon revenues flow before reaching the KIA.
Rhysida is a ransomware-as-a-service (RaaS) group that emerged in mid-2023 and rapidly
established a reputation for targeting high-profile government and critical infrastructure
victims across multiple continents. The group's operations against healthcare and
government targets in the Middle East during this period were notable for their speed and
the calibre of institutions targeted. Rhysida employed a double-extortion model: encrypting
victim systems to disrupt operations while simultaneously exfiltrating data to use as
additional leverage. This dual-pressure strategy is particularly effective against government
victims who face both operational disruption and the reputational damage of sensitive
information appearing on criminal leak sites.
The technical profile of Rhysida intrusions during this period typically involved initial
access through phishing campaigns targeting employees with administrative privileges, or
through exploitation of publicly exposed remote access services such as VPN appliances
and Remote Desktop Protocol endpoints. Once inside a network, Rhysida operators demonstrated
proficiency with living-off-the-land techniques: leveraging legitimate Windows administration
tools such as PsExec, PowerShell, and Windows Management Instrumentation to move laterally
while avoiding detection by signature-based security controls. The group frequently exploited
Active Directory misconfigurations to escalate privileges, ultimately deploying ransomware
payloads at scale across compromised environments.
CERT-KW's activation in response to this incident was significant - it
represented a real-world test of Kuwait's national incident response capabilities
against a sophisticated criminal adversary targeting the country's financial governance
infrastructure. CERT-KW operates under CITRA's mandate and serves as the primary
coordinator for cybersecurity incident response across Kuwait's government and
critical sectors. However, the fact that Rhysida was able to exfiltrate data and issue
public ransom demands suggests that CERT-KW's detection and containment capabilities
were not sufficient to prevent significant data loss before the breach was identified.
The timing of this attack is also strategically significant. September 2023 placed the
incident in the middle of Kuwait's ongoing process of developing comprehensive data
protection regulations. CITRA was actively working on what would eventually become the
DPPR Decision No. 26/2024 framework. A ransomware attack against the Ministry of Finance
- one of the most sensitive data controllers in the Kuwaiti government -
occurring during the drafting of data protection regulations sent an unmistakable signal
about the urgency of establishing enforceable security standards for government data
processing operations.
The Rhysida group's public listing of the Kuwait Ministry of Finance on its dark
web leak site represented a form of asymmetric information warfare against a government
sovereign. Publicly naming a national finance ministry as a ransomware victim damages
international credit ratings assessments, creates uncertainty among foreign investors
evaluating Kuwait as a jurisdiction, and potentially affects bond markets if the breach
is perceived as undermining the integrity of Kuwait's financial management systems.
Criminal ransomware groups increasingly understand that the reputational damage imposed
on government victims can be as damaging as the operational disruption of the ransomware
deployment itself.
## Regulatory Analysis
At the time of the Rhysida attack, Kuwait's primary cybersecurity legal framework
was Law No. 63/2015 on Combating Information Technology Crimes, commonly referred to as
the Cybercrime Law. This legislation primarily addresses criminal liability for perpetrators
of cyberattacks rather than establishing data protection obligations for controllers who
suffer breaches. The law creates offenses for unauthorized access, data interference,
and system disruption, but does not specify minimum security standards that organizations
must implement to protect data, nor does it establish a breach notification regime with
defined timelines.
CITRA's Data Protection and Privacy Regulation, Decision No. 26/2024, introduced
a 72-hour breach notification requirement that would have applied directly to this incident
had it been in force at the time. Under the DPPR, the Ministry of Finance, as a data
controller processing personal data of government employees, contractors, and citizens
using Ministry services, would have been obligated to notify CITRA within 72 hours of
becoming aware of the breach. The regulation also requires notification to affected
data subjects where the breach is likely to result in high risk to their rights and
freedoms - a standard that a ransomware attack encrypting and exfiltrating government
financial records would almost certainly meet.
Kuwait's E-Commerce Law No. 20/2014 contains provisions relevant to the security
of electronic transactions and data processed through government digital services. The
Ministry of Finance's online platforms, through which citizens and businesses
interact with government financial services, are covered by this framework. A compromise
that potentially exposes data processed through these platforms engages the security
obligations established under the E-Commerce Law, even where the breach originated
in internal administrative systems rather than the public-facing services themselves.
The maximum fine available under Kuwait's regulatory framework - KWD 20,000,
approximately $65,000 USD - is strikingly disproportionate to the scale of a
ransomware attack against a national finance ministry. For context, the EU's GDPR
allows fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher.
The DPPR Decision No. 26/2024 maximum of KWD 20,000 creates minimal financial incentive
for data controllers to invest meaningfully in cybersecurity beyond the minimum required
to avoid regulatory censure. For a government ministry with a multi-billion dinar annual
budget, the maximum regulatory fine represents a rounding error in the cost-benefit
analysis of cybersecurity investment.
Kuwait is in the process of developing a comprehensive Personal Data Protection Law that
would replace the current patchwork of sectoral regulations with a unified framework.
The Rhysida attack on the Ministry of Finance provides a compelling case study for
lawmakers to consider as they design this legislation: specifically, the need for mandatory
security standards for high-risk data controllers, minimum technical requirements for
government data processing environments, and financial penalties calibrated to create
genuine deterrence rather than being treated as a cost of doing business.
## What Should Have Been Done
Preventing a Rhysida intrusion requires layered defenses that address each phase of
the attack lifecycle: initial access, lateral movement, privilege escalation, and
ransomware deployment. For an institution of the Ministry of Finance's sensitivity,
these defenses should operate at a standard significantly above what might be acceptable
for a lower-risk data controller.
Email security is the first line of defense against phishing-based initial access, which
represents the most common entry vector for Rhysida and similar RaaS operators. The Ministry
should have deployed a cloud-delivered email security platform with machine-learning-based
detection of business email compromise attempts, malicious attachments, and credential
harvesting links. This should be supplemented by mandatory security awareness training
with phishing simulation exercises for all Ministry employees, with particular emphasis
on employees handling financial authorizations or holding administrative system credentials.
DMARC, DKIM, and SPF email authentication controls should have been enforced on the
Ministry's email domains to prevent spoofing of government sender addresses.
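The SPF and DMARC checks described above can be verified mechanically. The following is an added example, not code from the original article or from any Kuwaiti agency: it evaluates a set of constructed TXT records (hypothetical `example.gov` domains, not real DNS data) against the enforcement posture a government mail domain should have. DKIM is left out because its records live under per-selector names that cannot be enumerated without mail samples; DMARC's `adkim` tag is where strict DKIM alignment is expressed.

```python
"""Evaluate SPF and DMARC records for enforcement rather than mere presence.

Added example with constructed records. In production the two strings would be
fetched as TXT records for <domain> and _dmarc.<domain>; here they are embedded
so the check runs offline.
"""
import re

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example.gov": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.gov",
    },
    "hard.example.gov": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hard.example.gov; adkim=s; aspf=s",
    },
    "nospf.example.gov": {"spf": None, "dmarc": None},
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc(record):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record):
    """Return a list of findings; empty means the SPF record enforces."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published; receivers cannot reject forged sender addresses"]
    findings = []
    terms = record.split()
    final = terms[-1].lower()
    if final in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host; the record is effectively disabled")
    elif final == "~all":
        findings.append("SPF: softfail '~all' only marks forgeries as suspicious; use '-all'")
    elif final != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms
                  if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the RFC 7208 limit of 10")
    return findings


def evaluate_dmarc(record):
    """Return a list of findings; empty means DMARC enforces on the whole mail stream."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["DMARC: no record published; SPF/DKIM results are not enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognized or missing policy '{policy}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports will never be received")
    return findings


def assess_domain(spf, dmarc):
    """Combine SPF and DMARC findings for one domain; [] means enforced."""
    return evaluate_spf(spf) + evaluate_dmarc(dmarc)


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        findings = assess_domain(recs["spf"], recs["dmarc"])
        print(f"{domain}: {'enforced' if not findings else 'NOT enforced'}")
        for finding in findings:
            print("   ", finding)
```

Only `hard.example.gov` comes back clean; a `p=none` policy or a `~all` softfail is the common "we have DMARC" state that still lets a spoofed ministry address through, which is exactly the gap the paragraph describes.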
Exposure of remote access services - VPN appliances and RDP endpoints - to
the public internet is a primary attack surface exploited by ransomware groups. The
Ministry's VPN infrastructure should have been hardened with mandatory multi-factor
authentication for all remote access sessions, with hardware security keys required for
privileged users. RDP should not have been exposed directly to the internet under any
circumstances; where remote administrative access was required, it should have been
channeled exclusively through a privileged access workstation (PAW) architecture with
full session recording and real-time anomaly detection.
Active Directory security is foundational to preventing the privilege escalation that
Rhysida operators rely upon to achieve domain-wide ransomware deployment. The Ministry
should have implemented a tiered administration model separating domain controllers, server
administration, and workstation administration into distinct privilege tiers with dedicated
administrator accounts for each tier. Credential Guard and Protected Users security groups
should have been enabled on all Windows systems to prevent credential theft via memory
dumping tools like Mimikatz, which are a standard component of the Rhysida operator
toolkit. LAPS (Local Administrator Password Solution) should have managed local administrator
passwords across all endpoints, eliminating the shared-local-password pass-the-hash attack surface.
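The tiered-administration, Protected Users and LAPS controls above are all things an auditor can check from a directory export. What follows is an added example, not the Ministry's data and not code from the page: it runs the checks over a constructed export (invented group names, accounts and computers). The tier assignment of each group and the assumption that legacy LAPS expiry is read from the `ms-Mcs-AdmPwdExpirationTime` attribute are both stated in the code; a real run would feed it `Get-ADGroupMember` / `Get-ADComputer` output instead.

```python
"""Audit a constructed Active Directory export against a tiered administration
model, Protected Users membership and LAPS coverage.

Added example with invented data. The checks are the ones a reviewer would run
against real Get-ADGroupMember / Get-ADComputer output.
"""
from datetime import datetime, timezone

# Assumed tier assignment: Tier 0 controls the forest, Tier 1 servers, Tier 2 workstations.
TIER_OF_GROUP = {
    "Domain Admins": 0, "Enterprise Admins": 0, "Schema Admins": 0, "Administrators": 0,
    "Server Admins": 1, "SQL Admins": 1,
    "Workstation Admins": 2, "Helpdesk": 2,
}
PROTECTED_USERS = "Protected Users"

# Constructed account export: account -> group memberships.
SAMPLE_USERS = {
    "adm0-alice": {"Domain Admins", PROTECTED_USERS},
    "adm0-bob":   {"Domain Admins"},                        # Tier 0 without Protected Users
    "svc-backup": {"Server Admins", "Workstation Admins"},  # one credential usable on two tiers
    "carol":      {"Helpdesk", "Enterprise Admins"},        # daily-use account holding Tier 0
    "dave":       {"Workstation Admins", PROTECTED_USERS},
}

# Constructed computer export: name -> LAPS password expiry (None = attribute absent).
# Legacy LAPS keeps this in ms-Mcs-AdmPwdExpirationTime; simplified to datetimes here.
SAMPLE_COMPUTERS = {
    "fin-ws-07":  datetime(2023, 9, 20, tzinfo=timezone.utc),
    "fin-ws-12":  datetime(2023, 6, 1, tzinfo=timezone.utc),   # expiry long past: rotation stalled
    "fin-srv-02": None,                                         # LAPS never applied
}
NOW = datetime(2023, 9, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def tiers_of(groups):
    """Return the set of tiers an account's memberships place it in."""
    return {TIER_OF_GROUP[g] for g in groups if g in TIER_OF_GROUP}


def audit_users(users):
    """Return (account, finding) pairs for tier-spanning accounts and Tier 0
    accounts left outside Protected Users."""
    findings = []
    for account, groups in sorted(users.items()):
        tiers = tiers_of(groups)
        if len(tiers) > 1:
            findings.append((account, f"spans tiers {sorted(tiers)}: a stolen hash moves between tiers"))
        if 0 in tiers and PROTECTED_USERS not in groups:
            findings.append((account, "Tier 0 account outside Protected Users: "
                                      "NTLM and cached credentials permitted"))
    return findings


def audit_laps(computers, now=NOW):
    """Return (computer, finding) pairs for endpoints whose local administrator
    password is unmanaged (no expiry attribute) or whose rotation has stalled."""
    findings = []
    for name, expiry in sorted(computers.items()):
        if expiry is None:
            findings.append((name, "no LAPS expiry attribute: local administrator password unmanaged"))
        elif expiry < now:
            findings.append((name, f"LAPS password expired {(now - expiry).days} days ago and was not rotated"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE_USERS):
        print(f"[user] {account}: {finding}")
    for computer, finding in audit_laps(SAMPLE_COMPUTERS):
        print(f"[host] {computer}: {finding}")
```

The two findings that matter most for a Rhysida-style intrusion are `carol` (an everyday Helpdesk account that also carries Tier 0 rights, so one phished workstation credential reaches the domain controllers) and `svc-backup` (a single service credential valid on both server and workstation tiers, which is the lateral-movement path PsExec and WMI ride on).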
A 3-2-1 backup strategy with offline immutable backups is the single most effective
mitigation against ransomware's operational impact. The Ministry should have
maintained three copies of all critical data, on two different media types, with at
least one copy stored offline or in an air-gapped environment that ransomware operators
cannot reach through network-based encryption. Cloud-based immutable backup services
with object lock enabled provide cost-effective protection against ransomware targeting
backup infrastructure, which Rhysida operators routinely attempt to destroy before
deploying their encryption payload.
An endpoint detection and response (EDR) solution deployed across all Ministry systems,
managed by a 24/7 security operations center with the authority to isolate compromised
endpoints, is essential for containing a ransomware intrusion before it achieves widespread
encryption. EDR platforms capable of behavioral detection of ransomware precursor activity
- such as volume shadow copy deletion, rapid file encryption, and credential dumping
- can identify and respond to Rhysida deployment in its early stages, before the
ransomware payload has encrypted sufficient data to cause significant operational disruption.
For a ministry of this sensitivity, a managed detection and response (MDR) provider with
Gulf region expertise and government security clearance should have been retained.
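The precursor behaviours listed above, and the living-off-the-land tooling described in the earlier technical profile (PsExec, WMI, credential dumping), are what an EDR or SIEM rule set actually keys on. The following is an added example, not code from the original article or from any EDR vendor: it scores a batch of constructed endpoint events (invented hosts, paths and timestamps, loosely shaped like Sysmon and Windows Security fields) and flags hosts that cross an alert threshold. The rule weights, the `.locked` extension, the LSASS access allowlist and the rename-burst window are assumptions to be tuned per environment.

```python
"""Score constructed endpoint telemetry for ransomware precursor behaviour:
shadow-copy tampering, LSASS access, PsExec service installs, remote WMI
process creation, and rapid file-rename bursts.

Added example with invented events. A real deployment reads the same fields
from the EDR or SIEM rather than from an inline list.
"""
import re
from collections import defaultdict

# Constructed telemetry. Field names follow Sysmon (Image, CommandLine,
# TargetImage, GrantedAccess, TargetFilename) so the rules read naturally.
SAMPLE_EVENTS = [
    {"ts": 100.0, "host": "fin-ws-07", "type": "process",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ts": 101.0, "host": "fin-ws-07", "type": "process_access",
     "SourceImage": r"C:\Temp\proc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": 102.0, "host": "fin-srv-02", "type": "service_install",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": 103.0, "host": "fin-srv-02", "type": "process",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:fin-ws-09 process call create cmd.exe"},
    # Benign admin activity elsewhere: a shadow listing, nothing else.
    {"ts": 104.0, "host": "hr-ws-01", "type": "process",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]
# Constructed burst: 60 renames in under 3 seconds, each file gaining a new extension.
SAMPLE_EVENTS += [
    {"ts": 105.0 + i * 0.05, "host": "fin-ws-07", "type": "file_rename",
     "TargetFilename": rf"\\fileshare\budget\doc{i}.xlsx.locked"}
    for i in range(60)
]

# Rule weights (assumption: tune to the environment); alert at or above threshold.
WEIGHTS = {"shadow_copy_tamper": 40, "lsass_access": 40, "rapid_rename_burst": 40,
           "psexec_service": 25, "wmi_remote_exec": 25}
ALERT_THRESHOLD = 50
SHADOW_TAMPER = re.compile(
    r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no)", re.I)
# Processes legitimately allowed to open LSASS (assumption; extend per environment).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
RENAME_BURST_COUNT, RENAME_BURST_WINDOW = 50, 10.0   # renames per host per seconds


def max_in_window(times, window):
    """Largest number of timestamps falling inside any sliding window of `window` seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_host_events(events):
    """Return {host: {"score": int, "hits": [rule names]}} for hosts with at least one hit."""
    hits = defaultdict(set)
    renames = defaultdict(list)
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "process":
            cmd = e.get("CommandLine", "")
            if SHADOW_TAMPER.search(cmd):
                hits[host].add("shadow_copy_tamper")
            if (e["Image"].lower().endswith("wmic.exe") and "/node:" in cmd.lower()
                    and "process call create" in cmd.lower()):
                hits[host].add("wmi_remote_exec")
        elif kind == "process_access":
            if (e["TargetImage"].lower().endswith("\\lsass.exe")
                    and e["SourceImage"].lower() not in LSASS_ALLOWLIST):
                hits[host].add("lsass_access")
        elif kind == "service_install":
            if e["ServiceName"].upper() == "PSEXESVC":
                hits[host].add("psexec_service")
        elif kind == "file_rename":
            renames[host].append(e["ts"])
    for host, times in renames.items():
        if max_in_window(times, RENAME_BURST_WINDOW) >= RENAME_BURST_COUNT:
            hits[host].add("rapid_rename_burst")
    return {h: {"score": sum(WEIGHTS[r] for r in rules), "hits": sorted(rules)}
            for h, rules in hits.items()}


def alerting_hosts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose cumulative precursor score reaches the isolation threshold, sorted by name."""
    scored = score_host_events(events)
    return sorted(h for h, v in scored.items() if v["score"] >= threshold)


if __name__ == "__main__":
    for host, result in score_host_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={result['score']} hits={result['hits']}")
    print("isolate:", alerting_hosts(SAMPLE_EVENTS))
```

Scoring per host rather than alerting on each rule alone is what keeps `hr-ws-01` (an administrator listing shadow copies) quiet while `fin-ws-07` and `fin-srv-02` are flagged for isolation; the rename-burst rule deliberately ignores the extension itself, since an extension-specific signature fails the moment the operator changes it.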
A ransomware attack against Kuwait's Ministry of Finance is not merely an IT
incident - it is an assault on the financial governance infrastructure of a
sovereign wealth state. With CITRA's DPPR Decision No. 26/2024 now establishing
72-hour breach notification requirements, the next such attack will carry regulatory
consequences alongside operational damage, making proactive investment in enterprise-grade
security controls not just a best practice but a legal obligation.