INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

KUNA Kuwait News Agency Twitter Hijacked for Disinformation Attack

2020 · Disinformation

Publication Date: 2020-01-01
Category: Data Breaches
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In 2020, the official Twitter account of Kuwait News Agency (KUNA) - the state’s authoritative official news service - was compromised by threat actors who used it to broadcast fabricated reports, including false stories claiming that US military forces were withdrawing from Kuwait.

The disinformation published through the hijacked account, which carried the institutional credibility of Kuwait’s official state news service, caused a brief but measurable period of diplomatic confusion and market disruption before KUNA’s team identified the compromise, regained control of the account, and issued corrections.

Executive Summary

Key Facts

  • What: KUNA's official Twitter was hijacked to broadcast false US withdrawal reports.
  • Who: Kuwait's state news agency and its global media audience.
  • Data Exposed: Social media credentials and editorial trust were compromised.
  • Outcome: Brief diplomatic confusion and market disruption before corrections issued.

Impact Assessment

What Was Exposed

  • KUNA’s social media account credentials, enabling attackers to post content with the institutional credibility of Kuwait’s official state news agency
  • KUNA’s editorial workflow and social media management practices, revealed by the ease with which attackers substituted disinformation for legitimate news content
  • The authentication credentials of KUNA staff responsible for managing the agency’s Twitter presence, which may have been harvested for use in future social engineering operations
  • The trust relationship between KUNA’s official accounts and the media organisations, diplomatic missions, and government agencies that follow and rely upon KUNA as an authoritative source
  • Potentially the content management systems or scheduling tools used by KUNA’s social media team, if the account compromise was facilitated by an attack on these third-party services
  • KUNA’s internal communication patterns regarding the account management and the post-incident response, if follow-on surveillance activity accompanied the initial compromise

Kuwait News Agency occupies a unique and consequential position in the Gulf state’s information ecosystem. Founded by Amiri Decree in 1976, KUNA is the official state news agency with the authoritative function of communicating Kuwait’s government positions, official statements, and policy developments to both domestic and international audiences.

KUNA’s newswire is subscribed to by news organizations across the Arab world, by diplomatic missions accredited to Kuwait, and by international wire services that treat KUNA output as a primary source on Kuwaiti affairs. When KUNA publishes a story, it carries an implicit attribution of official accuracy that most social media accounts cannot claim.

The specific disinformation content disseminated through the hijacked KUNA account - false reports about US military withdrawal from Kuwait - was chosen with evident strategic intent. Kuwait hosts some of the most significant US military infrastructure in the Middle East, including Ali Al Salem Air Base and Camp Arifjan, which serve as critical nodes in US Central Command’s force posture in the Gulf.

A credible report, apparently sourced from Kuwait’s own state news agency, of a US military withdrawal from Kuwait would carry extraordinary implications: for regional security calculations, for the governments of Saudi Arabia and other GCC states that rely on US military presence as a deterrent, for financial markets assessing political stability risk in the Gulf, and for Iran, which has strategic interest in any development that would reduce US military presence in the region.

The brief market disruption caused by the false reports illustrates the financial dimension of strategic disinformation operations. Gulf financial markets are sensitive to geopolitical news, and a credible report of significant change in US military posture in the region could trigger algorithmic trading responses that amplify initial human reactions.

High-frequency trading algorithms that scan news wires for geopolitically significant terms and execute trades based on detected sentiment would respond to a KUNA-attributed report of US military withdrawal within milliseconds - long before human analysts could assess the credibility of the report or identify it as disinformation.

This automated vulnerability of financial markets to social media disinformation represents a significant attack surface that state-sponsored and criminal threat actors have repeatedly exploited.

The diplomatic confusion caused by the false reports created work across multiple embassies in Kuwait City as diplomatic staff sought to verify the reported US military withdrawal through official channels and assess its implications for their countries’ security arrangements.

Even where embassies were able to quickly confirm through internal channels that no withdrawal was underway, the disinformation had already generated diplomatic traffic that occupied staff time and created momentary uncertainty in internal policy assessments. It may also have generated classified reporting traffic, which itself became part of the record of an operation that produced diplomatic confusion as a secondary effect.

The restoration of KUNA’s account control and the publication of corrections within hours demonstrated that KUNA had incident response capabilities for social media account compromise. However, the incident revealed that these capabilities were reactive rather than preventive. By the time corrections were issued, the false reports had propagated through a network of reshares, screenshot captures, and downstream news aggregation that corrections could not fully reach.

The information environment’s structural asymmetry - in which disinformation spreads faster and further than corrections - means that preventing the initial compromise is categorically more important than responding rapidly after it occurs.

The attribution of this attack was never publicly confirmed with the specificity that would enable definitive conclusions about the sponsoring entity. The choice of disinformation content - a false US military withdrawal - is consistent with both Iranian state information operations objectives and with the objectives of non-state actors seeking to create regional instability.

The timing in 2020, a period of elevated Iran-US tensions following the Soleimani assassination in January, created conditions in which such disinformation would be most disruptive and most likely to be initially believed by audiences already primed to expect significant changes in US regional military posture.

Compliance Impact

Regulatory Analysis

The KUNA Twitter account compromise engages Kuwait’s regulatory framework in ways that are distinct from conventional data breach incidents. The primary harm was not the unauthorized access to personal data but the weaponization of an institutional credential for disinformation dissemination. Nevertheless, the regulatory analysis reveals important obligations and gaps.

Kuwait’s Cybercrime Law No. 63/2015 directly addresses the conduct of the attackers in this case. Its provisions criminalizing unauthorized access to computer systems and electronic accounts apply squarely to the compromise of KUNA’s Twitter account, while provisions addressing electronic fraud and the dissemination of false information through electronic means engage the disinformation dimension of the attack.

The law establishes criminal penalties including imprisonment and fines for these offenses, providing a legal framework for prosecution of identified perpetrators, subject to the practical limitation that attribution and extradition for state-sponsored actors operating from foreign jurisdictions remain extremely challenging.

CITRA’s Data Protection and Privacy Regulation, Decision No. 26/2024, imposes obligations on KUNA as a data controller to the extent that the compromised accounts or associated systems processed personal data of KUNA staff or sources. The account compromise would trigger the 72-hour breach notification requirement where it resulted in unauthorized access to personal data, including the credentials of KUNA staff managing the social media accounts.

KUNA’s obligation to notify CITRA within 72 hours of discovering the breach covers not only the immediate account compromise but any broader system access that accompanied the credential theft.

Kuwait’s E-Commerce Law No. 20/2014 has limited direct application to this incident, given that KUNA’s news distribution function is not primarily an e-commerce operation. However, the law’s provisions regarding the security of electronic communications and the integrity of electronic information are relevant to KUNA’s obligations as a state institution using electronic platforms to distribute official government-attributed news content.

The broader regulatory gap exposed by this incident is the absence of a Kuwaiti legal framework specifically addressing the security obligations of state media and news agencies that publish official government-attributed content on social media platforms.

State news agencies occupy a unique regulatory position: they are government entities processing information with official attribution status, but they operate on commercial third-party platforms (Twitter/X, Facebook, Instagram) whose account security is dependent on the platforms’ own security infrastructure and the practices of the media organizations managing the accounts. Kuwait has no regulatory requirement specifically mandating security standards for state media social media account management, creating a governance gap that threat actors can exploit.

The international dimension of social media disinformation creates regulatory challenges that Kuwait’s domestic framework cannot address unilaterally. Coordinating with Twitter/X and other platforms to establish rapid-response mechanisms for account compromise notifications, verified state entity status indicators, and expedited content removal for confirmed disinformation from compromised verified accounts requires diplomatic and regulatory engagement with platform companies that operates at the international rather than domestic regulatory level.

Kuwait should pursue these arrangements through bilateral platform engagement and through GCC-level coordination on social media security for state institutions.

Assessment

What Should Have Been Done

Protecting a state news agency’s social media presence from account takeover requires a combination of technical security controls, operational procedures, and crisis response capabilities that are proportionate to the institutional significance of the accounts being protected.

Hardware security keys implementing the FIDO2 standard represent the gold standard for securing high-value institutional social media accounts. Unlike SMS-based two-factor authentication, which is vulnerable to SIM-swapping attacks, or authenticator app codes, which can be phished through real-time man-in-the-middle attacks, FIDO2 hardware keys cryptographically bind the authentication process to the specific website being accessed. A login response produced on a look-alike phishing site therefore cannot be used against the genuine one, even if an attacker relays the authentication exchange in real time.

Twitter/X supports hardware security key authentication; KUNA should have been one of the first state media organizations in Kuwait to implement this capability for all accounts with posting authority.

Social media account access should have been restricted through IP allowlisting, permitting login attempts only from KUNA’s registered office IP addresses and approved VPN exit nodes. Any authentication attempt from an unrecognized IP address should have triggered an immediate alert to KUNA’s security team and required additional verification before access was granted. Combined with hardware security keys, IP allowlisting would have provided a second layer of defence that significantly constrained the attack surface available to remote threat actors attempting account takeover.

KUNA should have implemented a social media management platform with built-in access controls, approval workflows, and audit logging for all posting activity.

Professional social media management platforms like Hootsuite, Sprout Social, or Khoros provide the ability to separate content creation from publishing authorization, requiring approval from a designated authorizing officer before content is published to KUNA’s official accounts. This workflow control would have added a human verification step that might have caught the publication of disinformation before it appeared on the KUNA account, even if the underlying account credentials had been compromised.
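
One way to model the separation of drafting from publishing authorization, as an added example that is not taken from the advisory or from any of the platforms named: the PublishingGate class, its role names and its users are hypothetical. Approval is bound to a hash of the exact text, so a post altered after sign-off is blocked, and every decision lands in an audit log.

```python
import hashlib
from datetime import datetime, timezone

# Hypothetical roles and users; the advisory names no staff or tool configuration.
ROLES = {"editor_a": "author", "editor_b": "author", "duty_officer": "approver"}

class PublishingGate:
    """Separates drafting from publishing authorization and logs every decision."""

    def __init__(self):
        self.drafts = {}      # draft_id -> {"author", "text", "approved_hash"}
        self.audit_log = []   # append-only record of actions

    def _log(self, user, action, draft_id, outcome):
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action,
                               "draft": draft_id, "outcome": outcome})
        return outcome

    @staticmethod
    def _digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def submit(self, user, draft_id, text):
        self.drafts[draft_id] = {"author": user, "text": text, "approved_hash": None}
        return self._log(user, "submit", draft_id, "pending")

    def edit(self, user, draft_id, text):
        self.drafts[draft_id]["text"] = text   # earlier approval no longer matches
        return self._log(user, "edit", draft_id, "pending")

    def approve(self, user, draft_id):
        draft = self.drafts[draft_id]
        # Only an approver who did not write the draft may sign it off.
        if ROLES.get(user) != "approver" or user == draft["author"]:
            return self._log(user, "approve", draft_id, "denied")
        draft["approved_hash"] = self._digest(draft["text"])
        return self._log(user, "approve", draft_id, "approved")

    def publish(self, user, draft_id):
        draft = self.drafts[draft_id]
        if draft["approved_hash"] != self._digest(draft["text"]):
            return self._log(user, "publish", draft_id, "blocked")
        return self._log(user, "publish", draft_id, "published")
```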

A rapid-response disinformation protocol, pre-planned and regularly rehearsed, should have enabled KUNA to issue corrections across all channels within minutes rather than hours of identifying compromised account activity. This protocol should include: pre-approved correction statement templates, immediate notification procedures for KUNA’s wire service subscribers and key diplomatic and media contacts, coordinated takedown requests to social media platforms, and direct outreach to regional and international news organizations that have republished the disinformation.

The protocol should be coordinated with the Ministry of Information and Kuwait’s Foreign Ministry to ensure that official government corrections reach diplomatic channels as rapidly as they reach the public.

KUNA should establish a continuous monitoring capability for its social media accounts, using either dedicated social media monitoring tools or third-party services specializing in account integrity monitoring for high-risk verified accounts. These tools can detect account compromise indicators such as login from new geographic locations, password reset attempts, changes to account settings including contact email addresses, and publication of content at unusual times or with unusual linguistic patterns.

Immediate alerting to KUNA’s security team when any of these indicators are detected would have enabled intervention within minutes rather than after the disinformation had been widely disseminated.
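
The IP allowlist check and the compromise indicators listed above, expressed as detection logic over account audit events. This Python is an added example rather than KUNA's or any vendor's tooling; the event schema, IP ranges (documentation addresses), working hours and severity threshold are assumptions, and the events are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed policy: documentation IP ranges, hypothetical working hours (local time).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.16/28")]
KNOWN_COUNTRIES = {"KW"}
WORK_HOURS = range(6, 23)
SENSITIVE = {"password_reset", "email_change"}

# Constructed audit events in a hypothetical schema (not a real platform export).
EVENTS = [
    {"ts": "2025-01-05T09:12:00", "type": "login", "ip": "198.51.100.24", "country": "KW"},
    {"ts": "2025-01-05T09:15:00", "type": "post", "ip": "198.51.100.24", "country": "KW"},
    {"ts": "2025-01-08T02:41:00", "type": "login", "ip": "192.0.2.77", "country": "ZZ"},
    {"ts": "2025-01-08T02:43:00", "type": "email_change", "ip": "192.0.2.77", "country": "ZZ"},
    {"ts": "2025-01-08T02:47:00", "type": "post", "ip": "192.0.2.77", "country": "ZZ"},
]

def ip_allowed(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address is treated as outside the allowlist
    return any(addr in net for net in ALLOWED_NETS)

def indicators(event: dict) -> list:
    found = []
    if not ip_allowed(event["ip"]):
        found.append("ip_outside_allowlist")
    if event["country"] not in KNOWN_COUNTRIES:
        found.append("new_geography")
    if event["type"] in SENSITIVE:
        found.append("sensitive_setting_change")
    if event["type"] == "post" and datetime.fromisoformat(event["ts"]).hour not in WORK_HOURS:
        found.append("post_at_unusual_hour")
    return found

def triage(events: list) -> list:
    """One alert per suspicious event; critical once 3+ distinct indicators share a source IP."""
    alerts, seen = [], {}
    for ev in events:
        hits = indicators(ev)
        if not hits:
            continue
        seen.setdefault(ev["ip"], set()).update(hits)
        severity = "critical" if len(seen[ev["ip"]]) >= 3 else "high"
        alerts.append({"ts": ev["ts"], "type": ev["type"], "indicators": hits, "severity": severity})
    return alerts
```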

The KUNA Twitter hijacking demonstrated that compromising a single social media account belonging to a state news agency can generate diplomatic confusion and market disruption that no amount of post-incident correction can fully reverse.

In the disinformation age, the security of state media’s social media credentials is a national security matter, not merely an IT administration issue - and it demands security investment and regulatory oversight proportionate to that reality.