Between 2019 and 2020, Palo Alto Networks Unit 42 uncovered and publicly documented
a sophisticated multi-year cyber espionage campaign they named “xHunt,”
targeting Kuwait’s shipping and transportation organizations alongside Kuwaiti
government entities. The campaign employed a distinctive set of custom-developed backdoors
named after characters from the anime series Hunter × Hunter - including Hisoka,
Sakabota, Netero, and Killua - reflecting an operational signature that distinguished
the group from other Iranian-linked threat actors operating in the Gulf region during
the same period.
The campaign’s technical sophistication was notable: the threat actors used
DNS tunneling for command and control communications, a technique that routes malicious
traffic through the Domain Name System protocol to bypass conventional network security
controls that monitor HTTP and HTTPS traffic but fail to inspect DNS query patterns.
The group also exploited compromised Microsoft Exchange servers and vulnerable Business
Process Management (BPM) software running on Internet Information Services (IIS) web
servers as initial access vectors, demonstrating a detailed understanding of the specific
technology stack deployed in their Kuwaiti targets.
## Key Facts
- **What:** xHunt espionage campaign targeted Kuwait's shipping sector using DNS tunneling.
- **Who:** Kuwaiti shipping companies and government entities (2019-2020).
- **Data Exposed:** Cargo manifests, Exchange email archives, and government data.
- **Outcome:** Discovered by Palo Alto Unit 42; linked to Iranian-aligned threat actors.
## What Was Exposed
- Shipping and logistics operational data from Kuwaiti maritime and transport companies, potentially including cargo manifests, vessel schedules, and commercial routing information
- Microsoft Exchange email archives from compromised mail servers, enabling comprehensive access to internal and external communications of targeted organizations
- Credentials and authentication tokens harvested from compromised Exchange servers, enabling persistent access and lateral movement across victim networks
- Business process management system data, including workflow configurations, process documentation, and operational data managed through IIS-hosted BPM platforms
- Kuwaiti government entity data from simultaneously targeted government organizations, potentially overlapping with the APT39 campaign documented in the same period
- Network architecture information and internal system documentation accessible through the compromised BPM and Exchange infrastructure
- Personnel data of employees at targeted shipping and government organizations, including contact information and organizational role data
- Commercial intelligence related to Kuwait’s maritime trade flows, including import/export documentation and trade partner information
Kuwait’s shipping and transportation sector is strategically significant far beyond
its commercial importance to the Kuwaiti economy. Kuwait sits at the head of the Arabian
Gulf, one of the world’s most critical maritime chokepoints through which the
vast majority of Gulf oil exports transit. Kuwait’s commercial ports -
particularly Shuwaikh Port and Shuaiba Port - handle the import logistics that
sustain Kuwait’s large and heavily import-dependent economy. Understanding the
operational patterns of Kuwait’s shipping sector provides intelligence value on
military logistics, the movement of dual-use goods, and the commercial networks through
which sanctioned entities might attempt to circumvent US and UN sanctions against Iran.
The use of DNS tunneling for command and control represents a significant technical
capability that distinguishes xHunt from less sophisticated threat actors. DNS is a
foundational internet protocol that is rarely inspected or blocked at network perimeters
because doing so would break basic internet connectivity. Conventional network security
controls - web proxies, SSL inspection, next-generation firewalls focused on
HTTP/HTTPS traffic - typically fail to analyze the content of DNS queries and
responses in sufficient depth to detect the encoding of command-and-control traffic
within what appears to be legitimate DNS lookups. An organization whose security
monitoring is focused exclusively on web traffic could be entirely blind to DNS-tunneled
command and control, even while experiencing continuous data exfiltration through
this channel.
The Hisoka backdoor, named after the flamboyant and dangerous character from Hunter
× Hunter, served as xHunt’s primary implant for maintaining persistent
access to compromised systems. Hisoka used DNS tunneling as its C2 channel, encoding
commands and data within DNS TXT record queries and responses in a manner that evaded
detection by the network security tools in use at the targeted Kuwaiti organizations.
The Sakabota tool functioned as a dropper and persistence mechanism, while Netero and
Killua served as additional backdoor and tunneling tools that provided fallback access
if Hisoka was detected and removed.
The exploitation of Microsoft Exchange servers represents a recurring theme in Iranian
APT operations during 2019-2020. Exchange servers are attractive targets for
multiple reasons: they are inherently internet-facing (to receive email from external
parties), they frequently run with administrative privileges on the servers that host
them, they provide direct access to the email archives of the entire organization,
and vulnerabilities in Exchange have historically been slow to be patched in enterprise
environments where Exchange downtime directly impacts business operations. Compromising
an Exchange server provides immediate access to organizational communications, harvests
credentials from authenticated connections, and provides a trusted internal system
from which lateral movement across the network is far less likely to trigger alerts
than connections originating from an external IP address.
The BPM software exploitation vector is particularly interesting because it targets
a class of enterprise application that is frequently overlooked in security assessments
focused on perimeter defenses and core infrastructure. BPM platforms running on IIS
web servers are often managed by business operations teams rather than by IT security
personnel, resulting in delayed patch cycles and security configurations that prioritize
functionality over hardening. The xHunt operators’ identification of this attack
vector suggests a detailed reconnaissance phase in which they assessed the full
technology stack of their targets and identified the weakest link - in this
case, a business application platform with exposed internet-facing components and
delayed patch management.
Unit 42’s documentation of the xHunt campaign provided the broader cybersecurity
community with valuable threat intelligence, including indicators of compromise, behavioral
signatures, and tactical analysis that enabled other organizations to hunt for evidence
of xHunt activity in their own networks. The public disclosure also served as a form
of attribution that imposed reputational costs on the threat actors, even without
formal government attribution to a specific Iranian state organization. The names
chosen for the campaign’s tools - anime characters associated with
extraordinary skill and lethal capability - reflected a certain operational
aesthetic that, combined with the technical sophistication of the DNS tunneling
approach, has led some analysts to speculate about the personal interests and
cultural profile of the developers behind the xHunt toolset.
## Regulatory Analysis
The xHunt campaign’s targeting of private sector shipping and transportation
companies in Kuwait brings these organizations squarely within the scope of CITRA’s
Data Protection and Privacy Regulation, Decision No. 26/2024. Unlike the APT39 campaign
which targeted primarily government agencies, xHunt’s focus on commercial maritime
and transport operators means that the breach notification and security obligations
of the DPPR apply directly to private companies whose compliance posture may be
significantly less developed than that of government ministries with dedicated IT
security teams.
The 72-hour breach notification requirement under DPPR Decision No. 26/2024 creates
a specific challenge for smaller shipping and transport companies that may lack the
forensic capability to determine within 72 hours whether a sophisticated APT intrusion
has occurred, the scope of data accessed, and the categories of personal data affected.
Unit 42’s analysis suggests that xHunt maintained persistent access to some
victims for months; determining the scope of data access over such an extended dwell
time requires sophisticated log analysis capabilities that are not universally present
in Kuwait’s commercial maritime sector.
Kuwait’s E-Commerce Law No. 20/2014 imposes security obligations on companies
processing data through electronic platforms. Shipping companies using web-based
logistics management systems, customer portals, and electronic bill of lading systems
are processing personal and commercial data through electronic channels that engage
the security provisions of this law. The exploitation of IIS-hosted BPM software
as an initial access vector represents precisely the kind of vulnerability in
web-facing business applications that the E-Commerce Law’s security provisions
were designed to address.
The multi-sector nature of xHunt - targeting both private shipping companies
and government entities in the same campaign - illustrates the need for Kuwait
to develop sector-specific cybersecurity frameworks for critical infrastructure
operators, including maritime and transport companies. Kuwait’s Cybercrime Law
No. 63/2015 establishes criminal liability for unauthorized access but provides no
sector-specific security standards for industries like maritime transport whose
operational data has significant national security implications. The absence of such
standards is a gap in Kuwait’s regulatory framework that the development of
a comprehensive data protection law presents an opportunity to address.
The DNS tunneling C2 technique used by xHunt highlights a specific regulatory gap:
Kuwait currently has no mandatory requirement for internet service providers to
implement DNS security monitoring or to report anomalous DNS traffic patterns
indicative of tunneling activity. In jurisdictions with more developed cybersecurity
regulatory frameworks, telecommunications and internet service providers are required
to maintain monitoring capabilities and to report observed threats to national
cybersecurity authorities. CITRA, as the telecommunications regulator, is well-positioned
to establish such requirements for Kuwaiti ISPs, creating a network-level detection
capability that would provide early warning of DNS tunneling activity across the
entire Kuwaiti internet infrastructure.
## What Should Have Been Done
Defending against xHunt required a security posture capable of detecting sophisticated
APT activity that deliberately evades conventional perimeter security controls. The
following measures represent the minimum required to detect and respond to the xHunt
campaign within a timeframe that would have limited intelligence loss.
DNS security monitoring is the single most direct countermeasure to the xHunt campaign’s
DNS tunneling C2 infrastructure. DNS traffic analysis tools - including purpose-built
DNS security platforms such as Cisco Umbrella, Infoblox, or open-source tools like
PassiveDNS - can detect the statistical anomalies characteristic of DNS tunneling:
unusually high query volumes to specific domains, abnormally long hostnames in DNS
queries, high entropy in queried subdomains, and query/response patterns inconsistent
with legitimate DNS usage. These tools should have been deployed at the network perimeter
of every organization in Kuwait’s maritime and government sectors, feeding alerts
to a SOC staffed to investigate DNS anomalies on a 24/7 basis.
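The following Python script is an added example, not code from Unit 42 or from the xHunt report, showing how the statistical indicators named above (long query names, high-entropy subdomains, a fresh subdomain on nearly every query, TXT-heavy traffic) can be scored over a DNS query log to surface the kind of tunneling channel described earlier in the section. The log format (`timestamp client qname qtype`), the thresholds, the domain `tunnel-example.test` and all query lines are constructed for the example; the "registered domain is the last two labels" rule is a simplification that production code would replace with the Public Suffix List.

```python
"""Statistical DNS tunneling detector over a constructed query log.

Added example, not Unit 42's code. Each registered domain with enough traffic
is scored on four indicators; tripping two or more flags it for review.
"""
import math
import random
from collections import Counter, defaultdict

HEX = "0123456789abcdef"


def build_sample_log():
    """Construct a small log: 40 ordinary lookups plus 60 tunnel-style TXT queries
    to the made-up domain tunnel-example.test. Fixed seed so runs are reproducible."""
    rng = random.Random(7)
    ordinary = ["www.example.com", "mail.example.com", "login.example.net",
                "cdn.example.org", "time.example.com"]
    lines = []
    for i in range(40):
        lines.append(f"2019-09-01T10:00:{i:02d} 10.1.1.{20 + i % 3} {ordinary[i % 5]} A")
    for i in range(60):
        l1 = "".join(rng.choice(HEX) for _ in range(32))
        l2 = "".join(rng.choice(HEX) for _ in range(32))
        lines.append(f"2019-09-01T10:01:{i:02d} 10.1.1.22 {l1}.{l2}.tunnel-example.test TXT")
    return "\n".join(lines)


def parse_log(text):
    """Return (client, qname, qtype) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def shannon_entropy(s):
    """Bits per character. Random hex/base32 payloads score roughly 3.5-4.5;
    ordinary labels such as 'www' or 'mail' stay well under 2.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split into (subdomain, registered_domain). Assumption: registered domain =
    last two labels; use the Public Suffix List for real data."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(records, min_queries=20):
    """Return {registered_domain: [triggered indicators]} for domains seen often enough."""
    by_domain = defaultdict(list)
    for _client, qname, qtype in records:
        sub, dom = split_name(qname)
        by_domain[dom].append((qname, sub, qtype))

    results = {}
    for dom, rows in by_domain.items():
        if len(rows) < min_queries:
            continue  # too little traffic to judge statistically
        n = len(rows)
        avg_len = sum(len(q) for q, _, _ in rows) / n
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for _, s, _ in rows) / n
        unique_ratio = len({s for _, s, _ in rows}) / n   # distinct subdomains per query
        txt_ratio = sum(1 for _, _, t in rows if t == "TXT") / n

        hits = []
        if avg_len > 40:
            hits.append("long_qname")
        if avg_entropy > 3.0:
            hits.append("high_entropy_subdomain")
        if unique_ratio > 0.8:
            hits.append("unique_subdomain_per_query")
        if txt_ratio > 0.5:
            hits.append("txt_heavy")
        results[dom] = hits
    return results


def flagged_domains(records, min_indicators=2):
    """Domains that trip at least min_indicators of the four indicators."""
    return sorted(d for d, hits in score_domains(records).items() if len(hits) >= min_indicators)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for dom, hits in score_domains(recs).items():
        print(f"{dom:24s} {hits}")
    print("flagged:", flagged_domains(recs))
```

Run against the constructed log, only `tunnel-example.test` trips all four indicators while `example.com` trips none; on real resolver logs the `min_queries` floor and the thresholds need tuning against the organization's own baseline, and content-delivery and anti-spam domains that legitimately use long, high-entropy labels are the usual source of false positives.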
Exchange server security requires a dedicated hardening programme that goes significantly
beyond the default installation configuration. Organizations running on-premises Exchange
servers should implement Exchange Emergency Mitigation (EOMT) for rapid vulnerability
remediation, enable Advanced Audit Policy Configuration to maximize the forensic value
of Exchange log data, deploy Microsoft Defender for Exchange with behavioral analysis
enabled, and implement web application firewall rules restricting access to Exchange
administrative interfaces from anything other than known administrative IP ranges.
The September 2019 Unit 42 report documented xHunt’s Exchange exploitation
techniques; organizations with Unit 42’s published IOCs loaded into their
Exchange security tools would have had detection capability from the moment of public
disclosure.
Web application security for IIS-hosted BPM platforms must be treated with the same
rigour applied to externally facing e-commerce and customer portal applications.
This means: regular vulnerability assessment and penetration testing of BPM web
applications, implementation of a web application firewall in front of all IIS-hosted
services, strict input validation and output encoding controls to prevent injection
attacks, and a formal patch management process that ensures BPM software receives
security updates within a defined timeframe of vendor release. Internal business
applications running on internet-accessible servers should never be treated as exempt
from the same security controls applied to customer-facing systems.
Endpoint detection and response deployment across all servers and workstations, with
behavioral detection rules tuned to identify the xHunt toolset’s specific
techniques, would have provided host-level detection capability independent of
network-based controls. The Hisoka, Sakabota, Netero, and Killua tools have behavioral
signatures that a well-tuned EDR solution would have detected: unusual process creation
chains, registry persistence mechanisms, encoded PowerShell execution, and DNS query
patterns inconsistent with normal system behavior. Unit 42’s published technical
analysis provides the basis for custom detection rules that can be implemented in
EDR platforms and SIEM systems to proactively hunt for xHunt activity.
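As an added example (not Unit 42's published detection content and not the project's own code), the Python below evaluates two of the host-level behaviours the paragraph names over constructed process-creation events: an encoded PowerShell command line, which it decodes for the analyst, and an IIS worker process (`w3wp.exe`) spawning a command shell, the process chain a compromised IIS-hosted application such as a BPM platform would produce. The event field names (`parent_image`, `image`, `command_line`) are assumed, modelled loosely on Sysmon event 1 and typical EDR telemetry, and all three sample events are constructed.

```python
"""Host-level behavioural checks over constructed process-creation events.

Added example; not Unit 42's detection logic. Field names are assumed.
"""
import base64
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}   # IIS worker process; parent of anything an IIS-hosted app runs


def build_sample_events():
    """Constructed events: an ordinary admin script launch (1), an encoded PowerShell
    launch from the IIS worker (2), and cmd.exe launched from the IIS worker (3)."""
    payload = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
    return [
        {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
        {"id": 2, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": f"powershell.exe -nop -w hidden -enc {payload}"},
        {"id": 3, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
         "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe /c ver"},
    ]


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries -EncodedCommand (or an
    accepted prefix such as -e, -ec, -enc) followed by a base64 UTF-16LE payload, else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        if flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # flag present but payload unreadable: not a clean match
    return None


def evaluate(event):
    """Return (list of triggered rule names, decoded script or None)."""
    hits = []
    parent, child = basename(event["parent_image"]), basename(event["image"])
    decoded = None
    if child in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            hits.append("encoded_powershell")
    if parent in WEB_WORKERS and child in SHELLS:
        hits.append("web_worker_spawned_shell")
    return hits, decoded


def scan(events):
    """Map event id -> (hits, decoded) for every event that trips at least one rule."""
    findings = {}
    for ev in events:
        hits, decoded = evaluate(ev)
        if hits:
            findings[ev["id"]] = (hits, decoded)
    return findings


if __name__ == "__main__":
    for event_id, (hits, decoded) in scan(build_sample_events()).items():
        print(event_id, hits, repr(decoded))
```

The prefix matching in `decode_encoded_command` matters because PowerShell accepts unambiguous abbreviations of `-EncodedCommand`, so a rule that only looks for the full switch misses most real command lines; decoding the payload lets the SIEM rule match on the script content rather than on the opaque base64 string.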
Network traffic analysis (NTA) tools capable of baseline behavioral profiling and
anomaly detection provide detection capability for the lateral movement and data
exfiltration phases of xHunt’s operations that may evade perimeter controls.
NTA platforms establish baselines of normal traffic patterns between hosts and alert
when traffic deviates from these baselines in ways indicative of lateral movement,
data staging, or exfiltration. For Kuwait’s shipping companies, whose networks
carry predictable patterns of logistics data, the unusual internal traffic patterns
generated by xHunt’s lateral movement across the network would have been
detectable by an NTA solution calibrated to the organization’s normal traffic
baseline.
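To make the baseline-and-deviation idea concrete, here is an added example (not the page's or any vendor's code) that builds a per-host-pair daily byte baseline from constructed flow records and then flags, for a new day, pairs whose volume exceeds the baseline by more than three standard deviations and pairs that never appeared in the baseline at all. The flow tuple layout `(day, src, dst, bytes)`, the addresses and the volumes are all constructed; a real deployment would feed NetFlow/IPFIX or Zeek `conn` records in the same shape.

```python
"""Per-host-pair traffic baseline with deviation and new-peer alerts.

Added example; not the code of any NTA product. Flow records are constructed.
"""
import statistics
from collections import defaultdict


def build_flows():
    """Seven baseline days of steady workstation -> file server and workstation ->
    mail server traffic, then day 8 with a volume spike and a never-seen internal peer."""
    flows = []
    for day in range(1, 8):
        flows.append((day, "10.1.1.20", "10.1.2.5", 50_000_000 + day * 1_000_000))
        flows.append((day, "10.1.1.20", "10.1.2.10", 10_000_000 + day * 200_000))
    flows.append((8, "10.1.1.20", "10.1.2.5", 600_000_000))   # ~11x the baseline
    flows.append((8, "10.1.1.20", "10.1.2.10", 11_500_000))   # within normal range
    flows.append((8, "10.1.1.20", "10.1.1.21", 3_000_000))    # workstation-to-workstation, new
    return flows


def build_baseline(flows, baseline_days):
    """Return {(src, dst): (mean_daily_bytes, stdev_daily_bytes)} over baseline_days.
    Days with no traffic for a pair count as zero, so intermittent pairs get a wide band."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if day in baseline_days:
            per_pair[(src, dst)][day] += nbytes
    baseline = {}
    for pair, by_day in per_pair.items():
        daily = [by_day.get(d, 0) for d in baseline_days]
        baseline[pair] = (statistics.mean(daily), statistics.pstdev(daily))
    return baseline


def detect(flows, baseline, day, sigma=3.0, floor_ratio=0.1):
    """Return {(src, dst): reason} for the given day. A pair with a near-zero stdev
    gets a floor of floor_ratio * mean so a perfectly regular pair still has a band."""
    totals = defaultdict(int)
    for d, src, dst, nbytes in flows:
        if d == day:
            totals[(src, dst)] += nbytes
    alerts = {}
    for pair, nbytes in totals.items():
        if pair not in baseline:
            alerts[pair] = "new_peer"
            continue
        mean, std = baseline[pair]
        band = max(std, floor_ratio * mean)
        if nbytes > mean + sigma * band:
            alerts[pair] = f"volume_{nbytes / mean:.1f}x_baseline"
    return alerts


if __name__ == "__main__":
    flows = build_flows()
    base = build_baseline(flows, range(1, 8))
    for pair, reason in detect(flows, base, day=8).items():
        print(pair, reason)
```

Two caveats when applying this to a real network: the baseline should be built only from a period the team believes was clean (an adversary already resident for months, as the text describes for xHunt, gets baked into "normal" otherwise), and pairs must be aggregated per direction, since staging traffic toward a host and exfiltration away from it look very different in volume profile.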
The xHunt campaign demonstrated that Kuwait’s maritime and transport sector -
critical infrastructure for a small, import-dependent economy - was
being systematically targeted by a sophisticated adversary using evasion techniques
specifically designed to defeat conventional network security monitoring. Closing
this gap requires investment in DNS security, advanced endpoint detection, and
network traffic analysis that sees past the DNS protocol camouflage that made
xHunt so difficult to detect.