In 2023, the Clop ransomware group listed Zain Group - Kuwait's largest
telecommunications operator and one of the Gulf region's most significant
digital infrastructure companies - on its dark web leak site, claiming to have
exfiltrated data through the exploitation of CVE-2023-34362, the critical SQL injection
vulnerability in Progress Software's MOVEit Transfer managed file transfer
platform. Zain Group, founded in Kuwait in 1983 as Mobile Telecommunications Company,
serves more than 50 million subscribers across seven countries: Kuwait, Saudi Arabia,
Bahrain, Iraq, South Sudan, Jordan, and Sudan, generating annual revenues of approximately
$5.6 billion.
The MOVEit exploitation campaign, conducted by Clop (also designated as TA505 by some
threat intelligence providers) during May and June 2023, affected hundreds of organizations
globally, exploiting a zero-day vulnerability in one of the world's most widely
deployed enterprise managed file transfer solutions. For Zain Group, the potential scope
of the breach extended far beyond Kuwait's domestic regulatory jurisdiction,
encompassing the personal data, billing records, and corporate information of subscribers
and business customers across an enterprise spanning the Gulf, the Levant, and
Sub-Saharan Africa.
## Key Facts
- **What:** Clop ransomware exploited MOVEit zero-day to breach Zain Group telecom.
- **Who:** 50+ million Zain subscribers across seven countries in the Gulf and Africa.
- **Data Exposed:** Customer data, billing records, corporate information, and HR files.
- **Outcome:** Listed on Clop leak site; part of global MOVEit campaign affecting hundreds.
## What Was Exposed
- Customer data for 50+ million subscribers across Zain's seven-country footprint, potentially including names, national identity numbers, addresses, and contact details
- Billing records and payment history for Zain's consumer and enterprise customer base, potentially including credit card or bank account details used for bill payment
- Corporate customer data, including account details, contract terms, and usage data for Zain's enterprise division serving major Gulf and regional businesses
- Internal financial and operational data transferred through the MOVEit platform, potentially including revenue figures, cost data, and inter-subsidiary transfer documentation
- Human resources data for Zain Group's multinational workforce, potentially transmitted through MOVEit for payroll and HR administration purposes
- Network infrastructure documentation if technical files were transferred through the compromised MOVEit installation
- Regulatory compliance documentation and government relations data, given the sensitivity of Zain's licensing relationships with telecom regulators across seven jurisdictions
- Subscriber metadata including call records, data usage patterns, and location history to the extent these were processed through systems connected to the MOVEit infrastructure
The MOVEit Transfer vulnerability (CVE-2023-34362) that Clop exploited to access Zain
Group's data represents one of the most consequential zero-day vulnerabilities
of 2023. MOVEit Transfer is a managed file transfer (MFT) platform widely deployed in
enterprise environments for the secure transmission of large files between organizations
and their partners, suppliers, and regulators. Financial services firms use it to
transmit client data to auditors; healthcare organizations use it to share patient
records with insurers; telecommunications companies use it to exchange subscriber data
with roaming partners and to transfer operational data between subsidiaries. The
platform's trusted status in enterprise environments - deliberately positioned
as a "secure" file transfer solution - meant that data transmitted
through MOVEit was often of exceptional sensitivity.
CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer's web application
layer that enables unauthenticated remote attackers to access the MOVEit database,
modify data, and install LEMURLOOT - Clop's custom webshell - to
enable persistent access and automated data exfiltration. Clop appears to have developed
or acquired knowledge of this zero-day vulnerability prior to its public disclosure,
enabling the group to conduct a mass exploitation campaign against thousands of
MOVEit installations worldwide during a brief window before the vulnerability was
publicly known and patches were available. The group exploited the vulnerability at
industrial scale, automating the compromise of MOVEit installations across multiple
sectors and geographies simultaneously.
Zain Group's position as a telecommunications operator serving seven countries
across three distinct regulatory regions - the Gulf Cooperation Council, the
Arab world more broadly, and Sub-Saharan Africa - means that the regulatory
implications of the breach extended far beyond Kuwait's domestic data protection
framework. Each of Zain's operating companies is subject to the data protection
laws and telecommunications regulations of its home jurisdiction. A breach affecting
data across all seven operating companies would simultaneously engage regulatory
obligations in Kuwait (CITRA), Saudi Arabia (SDAIA's PDPL and CITC), Bahrain
(PDPL and TRA), Jordan (TDRA and NISP), Iraq (CMC), South Sudan, and Sudan, creating
a compliance challenge of extraordinary complexity.
The telecommunications sector holds a particularly sensitive category of personal data
that extends well beyond what most other industries collect: call detail records (CDRs)
capturing the time, duration, and endpoints of every communication made through Zain's
network; location data generated by the continuous interaction of mobile devices with
cell towers; SMS content (in some jurisdictions and system configurations); internet
browsing metadata generated by data service usage; and financial transaction data
from mobile money services operated by Zain's subsidiaries. If the Clop
compromise accessed systems connected to this subscriber data, the harm potential
is fundamentally different from a typical corporate data breach.
Clop's operational model for the MOVEit campaign was distinctive from conventional
ransomware operations. Rather than encrypting victim systems and demanding payment for
decryption keys, Clop focused exclusively on data exfiltration through the MOVEit
vulnerability and used the threat of public data publication as its sole extortion
mechanism. This pure extortion model reflects an operational evolution in which the
group recognized that data theft and publication threats could be as financially
productive as system encryption, while avoiding the operational complexity of deploying
and managing encryption payloads at scale. For victims like Zain Group, this meant
that operational disruption may have been minimal but data exposure risk was potentially
severe.
The scale of the Clop MOVEit campaign - affecting hundreds of organizations
globally, with total victim counts estimated in the thousands when including downstream
customers of directly affected organizations - created a challenge for regulators
and courts seeking to assign accountability for what was, in technical terms, a supply
chain attack. Organizations like Zain Group that used MOVEit as a trusted file transfer
platform had limited visibility into the zero-day vulnerabilities that Progress Software's
product contained, raising questions about the distribution of responsibility between
software vendors, enterprise IT teams that chose to expose MOVEit to the internet,
and the regulatory frameworks that define minimum security standards for critical
data processing infrastructure.
## Regulatory Analysis
Zain Group's breach by the Clop MOVEit campaign engages Kuwait's regulatory
framework primarily through CITRA's role as both the telecommunications regulator
and the data protection supervisory authority. As Kuwait's dominant telecommunications
operator, Zain Kuwait operates under CITRA's telecommunications licensing regime,
which imposes network security and customer data protection obligations as conditions
of the operating licence. A data breach affecting Zain Kuwait's subscriber data
therefore engages both the data protection obligations under DPPR Decision No. 26/2024
and any security obligations embedded in Zain's telecommunications operating
licence.
The 72-hour breach notification requirement under CITRA's DPPR Decision No. 26/2024
creates a specific procedural obligation that Zain Kuwait would have been required to
fulfill promptly upon discovering that its MOVEit installation had been compromised.
The complexity of assessing the scope of a MOVEit breach - determining which
files were exfiltrated through the SQL injection exploit requires forensic analysis
of database transaction logs and network egress records - creates a tension
between the 72-hour notification timeline and the time needed to develop an accurate
assessment of the breach's scope. CITRA's framework, like most comparable
international frameworks, anticipates this tension by requiring notification within
72 hours of becoming aware of the breach rather than 72 hours after completing the
forensic investigation, enabling iterative notifications as the scope assessment develops.
Zain's multi-country operations create a notification challenge of significant
complexity. The parent entity's breach of its MOVEit installation may have
involved data from subsidiaries operating under different regulatory regimes, each
of which may have independent notification obligations to their respective regulators.
In Saudi Arabia, SDAIA's PDPL imposes notification requirements; in Bahrain,
the PDPL and TRA have overlapping jurisdiction; in Jordan, the National Information
Technology Center (NITC) and the Telecommunications Regulatory Commission (TRC) both
have relevant oversight functions. Coordinating simultaneous notifications across seven
regulatory jurisdictions, each with different requirements, timelines, and reporting
formats, tests the limits of any organization's incident response capability.
Kuwait's E-Commerce Law No. 20/2014 provides an additional layer of security
obligation relevant to Zain's digital service operations. Zain's customer
portals, mobile apps, and online billing systems process personal and financial data
in the course of electronic commerce transactions, engaging the security obligations
established under this law for electronic service providers. The compromise of
systems through which this data flows - even if through a supply-chain vulnerability
in a trusted file transfer platform rather than through direct compromise of the
customer-facing systems themselves - constitutes a failure of the security
obligations applicable to these electronic services.
The regulatory response to Clop's MOVEit campaign globally revealed a significant
gap in the accountability framework for supply-chain vulnerabilities in enterprise
software. Progress Software, the vendor of MOVEit Transfer, faced legal actions in
multiple jurisdictions from organizations that suffered breaches through the zero-day
vulnerability. Kuwait's current regulatory framework does not address vendor
liability for software vulnerabilities, creating an accountability gap that may
discourage enterprise customers from pursuing legal remedies against software vendors
whose products contain critical security flaws that enable large-scale data breaches.
## What Should Have Been Done
The MOVEit zero-day represents a category of vulnerability that is, by definition,
unknown at the time of exploitation and therefore impossible to patch before the
attack. However, several compensating controls could have significantly limited
the impact of a successful MOVEit exploitation on Zain Group's data environment.
Network segmentation and access restriction for the MOVEit Transfer installation
would have been the most direct mitigation. MOVEit Transfer, as a file transfer
platform, requires internet access to receive files from external parties but
does not require unrestricted outbound internet access to function. Implementing
strict egress filtering on the MOVEit server - allowing only specific,
pre-approved outbound connections and blocking all other outbound traffic -
would have constrained Clop's LEMURLOOT webshell's ability to exfiltrate
data to attacker-controlled infrastructure. Clop's exfiltration methodology
relies on the compromised MOVEit server being able to establish outbound connections
to attacker infrastructure; egress filtering that requires all outbound connections
to be explicitly approved would have blocked this exfiltration path.
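The egress-filtering control described above, as an added example that is not part of the original article or of any vendor product: a default-deny outbound policy for the MOVEit host is expressed as an allow-list, and constructed connection-log lines are evaluated against it so that any flow to an unapproved destination is reported, with large transfers flagged as possible exfiltration. Host names, addresses and the log format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow-list for a hypothetical MOVEit Transfer server "moveit-01":
# only these (destination CIDR, port) pairs are permitted outbound; everything else
# is denied. Addresses are placeholders, not a real deployment.
EGRESS_ALLOWLIST = {
    "moveit-01": [
        ("10.20.5.0/24", 25),     # internal SMTP relay for transfer notifications
        ("10.20.8.10/32", 1433),  # backend database server
        ("203.0.113.7/32", 443),  # vendor update service (placeholder address)
    ],
}

@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed egress log line such as
    'host=moveit-01 dst=198.51.100.4:443 bytes_out=734003200'."""
    fields = dict(part.split("=", 1) for part in line.split())
    ip, port = fields["dst"].rsplit(":", 1)
    return Flow(fields["host"], ip, int(port), int(fields["bytes_out"]))

def is_allowed(flow: Flow) -> bool:
    """True only if the destination matches an approved CIDR *and* port for that host."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for cidr, port in EGRESS_ALLOWLIST.get(flow.src_host, []):
        if dst in ipaddress.ip_network(cidr) and flow.dst_port == port:
            return True
    return False

def find_violations(lines, volume_alert_bytes=100 * 1024 * 1024):
    """Return (flow, reason) for every flow the policy would block; bulk transfers
    to unapproved destinations are labelled as possible exfiltration."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if is_allowed(flow):
            continue
        reason = "blocked: destination not on allow-list"
        if flow.bytes_out >= volume_alert_bytes:
            reason = "blocked: bulk transfer to unapproved destination (possible exfiltration)"
        violations.append((flow, reason))
    return violations

# Constructed sample log: two approved flows, two unapproved (one ~700 MB outbound).
SAMPLE_LOG = [
    "host=moveit-01 dst=10.20.8.10:1433 bytes_out=52480",
    "host=moveit-01 dst=10.20.5.3:25 bytes_out=8192",
    "host=moveit-01 dst=198.51.100.4:443 bytes_out=734003200",
    "host=moveit-01 dst=192.0.2.55:8080 bytes_out=4096",
]
```

The same allow-list is what would be encoded in the host firewall or the perimeter egress policy; evaluating historical flow logs against it shows which existing connections the policy would have cut off.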
Web application firewall (WAF) deployment in front of the MOVEit Transfer web
interface, with SQL injection detection rules enabled, provides a layer of defense
against the exploitation technique used by Clop. While WAF rules cannot catch every
novel exploitation technique, the SQL injection vector used in CVE-2023-34362 could
have been detected and blocked by a properly configured WAF with up-to-date rule sets.
ModSecurity with the OWASP Core Rule Set, or a commercial WAF solution, configured
to inspect and filter traffic to the MOVEit web interface would have added a detection
and blocking layer between the attacker and the vulnerable application.
A comprehensive software asset inventory programme is a prerequisite for rapid response
to zero-day vulnerabilities in enterprise software. Organizations that maintain an
accurate, continuously updated inventory of all software deployed across their
infrastructure can immediately identify which systems are running a vulnerable product
and prioritize patching accordingly. For Zain Group, with an IT estate spanning
multiple countries and subsidiaries, maintaining this inventory requires a Software
Asset Management (SAM) tool with centralized visibility across the entire group.
When Progress Software released the emergency MOVEit patch on May 31, 2023, organizations
with comprehensive software inventories were able to identify and patch all vulnerable
installations within hours; those without such inventories may not have identified
all vulnerable systems until days or weeks later.
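The inventory-driven triage described above, as an added example that is not part of the original article: a group-wide software inventory export is matched against a table of first-patched builds per release branch, and every install below its fixed build (or on a branch the table does not know) is listed for action, with internet-exposed hosts first. The fixed-build numbers, host names and CSV layout are placeholders; the real fixed versions come from the vendor advisory.

```python
import csv
import io

# Placeholder table of the first patched build per MOVEit Transfer release branch.
# These numbers are invented for this example; substitute the vendor advisory's values.
FIXED_BUILDS = {
    "2021.0": (2021, 0, 9),
    "2021.1": (2021, 1, 9),
    "2022.0": (2022, 0, 9),
    "2022.1": (2022, 1, 9),
    "2023.0": (2023, 0, 9),
}

def parse_version(text):
    """'2022.1.3' -> (2022, 1, 3); tolerates a trailing build suffix such as '2022.1.3b'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def triage_inventory(csv_text, product="MOVEit Transfer"):
    """Return (host, version, priority, action) for each install needing action,
    highest priority (internet-exposed) first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"] != product:
            continue
        ver = parse_version(row["version"])
        fixed = FIXED_BUILDS.get(f"{ver[0]}.{ver[1]}")
        exposed = row["internet_exposed"].strip().lower() == "yes"
        if fixed is None:
            action = "unknown branch: take offline until vendor status is confirmed"
        elif ver < fixed:
            action = "patch to " + ".".join(map(str, fixed)) + " or later"
        else:
            continue  # already at or above the fixed build
        # Internet-exposed installs are the surface the campaign hit, so they go first.
        priority = 1 if exposed else 2
        findings.append((row["host"], row["version"], priority, action))
    return sorted(findings, key=lambda f: (f[2], f[0]))

# Constructed inventory export (hypothetical hosts across several operating companies).
INVENTORY_CSV = """host,product,version,internet_exposed
mft-kw-01,MOVEit Transfer,2022.1.3,yes
mft-sa-01,MOVEit Transfer,2023.0.9,yes
mft-jo-01,MOVEit Transfer,2020.1.6,no
mft-bh-01,MOVEit Transfer,2022.0.2,no
erp-kw-01,Other Product,9.1,no
"""
```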
A third-party and vendor risk management programme specifically addressing critical
enterprise software used to process sensitive data should have required Zain Group
to maintain an up-to-date assessment of the security posture of Progress Software's
MOVEit Transfer product. This assessment should have included: review of Progress
Software's security development lifecycle practices, subscription to Progress
Software's security notification service for prompt receipt of vulnerability
disclosures, and a contractual service level agreement with Progress Software requiring
timely notification of security vulnerabilities affecting MOVEit. For a product deployed
to process sensitive subscriber data for a 50-million-customer telecommunications
group, this level of vendor security oversight is a minimum reasonable standard.
Data minimization principles should have governed what data was stored in or accessible
through the MOVEit Transfer environment. If the MOVEit installation was processing
files containing subscriber personal data, this data should have been encrypted at
the file level before transfer through MOVEit, ensuring that files exfiltrated through
the MOVEit vulnerability were encrypted with keys unavailable to Clop. While this
would not have prevented the exfiltration itself, it would have rendered the exfiltrated
data useless to the attacker and dramatically reduced the harm caused to Zain's
subscribers.
Zain Group's exposure through the Clop MOVEit campaign illustrates that for
a telecommunications operator managing the personal data of 50 million subscribers
across seven countries, a single vulnerable enterprise file transfer product can
create regulatory exposure across multiple jurisdictions simultaneously. As CITRA's
DPPR framework matures, Kuwaiti telecommunications operators must treat their entire
software supply chain - not merely their core network infrastructure -
as a data protection risk requiring active management.