Trial and error in Kuwait
Mohammed Aldoub stared at his computer.
It was late March 2019, and Aldoub had begun his day as he often does, by scouring the internet for security issues from his house in Kuwait City — the sweltering, palm-tree-lined capital of Kuwait — when he came upon a file on VirusTotal, a platform that researchers use to analyze malicious code.
In a sea of ones, zeros and letters, eight characters leapt off the screen with a startling suggestion: that hackers had caused millions of dollars in losses at Gulf Bank, one of Kuwait’s most powerful financial institutions. “GBKAdmin” was a name contained in a malicious software file that an anonymous user had uploaded to VirusTotal. It could be a reference to a Gulf Bank network administrator, thought Aldoub, a cybersecurity consultant.
It was a few days after Gulf Bank had announced a network “service disruption” that the bank said could cost it $9 million. What caused the outage at the firm, which has a reported $20 billion in assets, still wasn’t clear.
Aldoub started to speculate that the SWIFT system, which banks around the world use to transfer funds, may have been involved in the Gulf Bank incident. Hackers had used SWIFT to steal $81 million from the Bank of Bangladesh in 2016, after all, so the idea of such a heist wouldn’t be unprecedented.
“For those interested in banking security: These are highly probable [indicators of compromise] from the local banking SWIFT attack you may have heard about,” Aldoub tweeted, sharing his findings with the world. In another tweet, he encouraged his followers to look for “GBKAdmin” on VirusTotal.
Maybe someone would come forward with more information on what happened, he thought.
The answer to what really happened at Gulf Bank, though, would be left aside as the aftermath of the incident soon became very personal. Gulf Bank executives, who had tried to keep information about the incident tightly held, would file a complaint against Aldoub under Kuwait’s cybercrime and telecommunications laws — and the public prosecutor would take up a criminal investigation.
Aldoub would go on to delete the messages, but the bank seemed bent on proving that he had smeared its reputation by posting about the incident. Under Kuwait’s cybercrime law, plaintiffs can bring charges against those who “disclose secrets that would harm the reputation of persons, or their worth, or their commercial names.”
The tweets could have landed Aldoub in jail for a year, according to independent legal experts.
Aldoub’s legal odyssey would give him a sobering introduction to how laws in Kuwait might be used to suppress the discussion of security incidents and, in turn, the spread of information that organizations can use to protect themselves from hackers.
“The bank may prefer secrecy and discretion because it fears for its reputation [although all of Kuwait is aware], but it is not acceptable … to obscure the technical details of the attack,” Aldoub argued in one of his since-deleted tweets.
Aldoub’s legal troubles are somewhat reminiscent of those of American security researchers who worry about running afoul of the U.S. Computer Fraud and Abuse Act, a 1986 law that prosecutors have interpreted to punish hacking, even if it’s in good faith. Those concerns are real, but other legal environments can be far less forgiving. In multiple Gulf countries, there are cybercrime laws that, critics argue, can hinder public discussions of data breaches.
Aldoub’s lawyer, Mohammed al-Dosari, who has worked on other privacy and cybersecurity-related cases, said the Kuwaiti law enables powerful organizations to “make it difficult for people to exercise their free speech and speak their minds.”
An ‘unjust’ departure, and a secret meeting
Gulf Bank is one of the four largest banks in Kuwait, a country of roughly 4 million people wedged between Iraq and Saudi Arabia, and situated a few dozen miles, at its closest point, over the Persian Gulf from Iran. The bank handles money for some of Kuwait’s richest citizens, but the last week of March 2019 was bad for its public image.
The first sign that something was amiss came on March 27, 2019. In a bland, four-sentence statement, Gulf Bank apologized to customers for a “service disruption to our network,” and said it was “working with our international partners to resolve the matter.”
Three days later, the bank put a dollar figure behind the problem: 2.8 million Kuwaiti dinars in losses, or more than $9 million, were possible. “This amounts to only 0.4% of our capital,” the bank sought to reassure investors.
In a March 31, 2019, disclosure to investors, Gulf Bank emphasized that “it was not subjected to an embezzlement incident,” but rather a network disruption affecting international transfers instead of customer accounts.
Behind the scenes, the mood was less sanguine.
On March 31, 2019, Gulf Bank fired Waleed al-Hasawi, who worked as the bank’s general manager of IT, without public explanation. Al-Hasawi said he was “unjustly asked to leave” Gulf Bank after just five months on the job, but declined to elaborate.
“It is obvious that they are trying to contain the incident and any negative impact on the investors or the trust of the banking industry,” al-Hasawi wrote in an April 7, 2019, email to CyberScoop.
It remains unclear if al-Hasawi’s ouster had anything to do with the disruption and potential loss of $9 million. Al-Hasawi said that technology risk was not his responsibility but rather that of the bank’s risk department, to which he referred questions.
“The bank publicly denies that it was subject to cyberattack, but it was a technical glitch as they stated,” al-Hasawi wrote in an April 3, 2019, email to CyberScoop. “I cannot disclose any information other than what they publicly announce.”
Meanwhile, cyber-threat data circulating in Kuwait’s banking community contained possible “indicators of compromise” related to recent malicious cyber activity, including a commodity hacking tool that can be used to steal data. And on April 2, 2019, the Central Bank of Kuwait convened a meeting with executives from Kuwait’s biggest financial institutions to discuss cybersecurity, an unusual step at the time.
“I don’t recall a meeting with those parties attending in the last 10 years,” said one Kuwaiti cybersecurity executive briefed on the meeting.
Bank officials reviewed procedures for protecting their clients from cyber-threats, according to a statement the Central Bank provided to Kuwait’s state-run news agency. Meeting organizers also shared data on recent malicious cyber activity, but did not discuss the incident at Gulf Bank in detail, according to the executive, who spoke on the condition of anonymity.
The Central Bank of Kuwait did not respond to a request for comment on the meeting.
More than two years later, Gulf Bank has not publicly explained what caused the $9 million in potential losses.
Ramzy Abouezzeddine, a bank spokesman, declined to answer questions about the incident when contacted April 2, 2019. He did not respond to follow-up emails seeking comment last year. Abouezzeddine left the bank in July 2020. The current bank spokesman, Ahmad al-Amir, did not respond to multiple requests for comment.
In November 2019, Gulf Bank hired as its chief information security officer Ross McNaughton, who spent 15 years as a cybersecurity executive at banks in Bahrain and Saudi Arabia. McNaughton did not respond to multiple requests for comment for this story.
CyberScoop could not determine what caused the “service disruption” at the bank.
Aldoub said that he had no inside knowledge of what happened at Gulf Bank, and that he drew on publicly available information when he tweeted about the incident. Despite his initial tweets, he later told CyberScoop he was ultimately unsure if the malware samples he discovered were connected to the disruption at Gulf Bank.
“You need an insider for any meaningful information [on the incident],” he said.
Whatever the cause, al-Hasawi, the former general manager of IT, said he hoped the Central Bank of Kuwait would share its findings on the incident so that “other local banks [can] take the additional necessary measures.”
‘The fall guy’
While bank executives ignored questions about the service disruption, their lawyers got to work.
Aldoub was at a social hour for cybersecurity professionals in Kuwait City in early April 2019 when someone from the public prosecutor’s office called. The tweets were gone, but so were his hopes of avoiding prosecution.
For his tweets referring to the VirusTotal sample and banking malware, Aldoub was charged with intentionally damaging the company’s trademark, and misusing a communications device (his phone) under a Kuwaiti telecommunications law.
He was up against not one powerful opponent, but two: Gulf Bank’s lawyers were seeking criminal charges against him, and Kuwait’s Ministry of Interior was handling the complaint. (In Kuwait, a corporation can file charges with the public prosecutor’s office, which then decides whether to pursue the case.)
Aldoub lowered the phone in stunned silence. He called his lawyer, then his family. He worried the courts wouldn’t understand the technical nature of the work.
“The bank wants a fall guy to prove that it is protecting shareholders,” he said at the time.
Many of the libel-related cases in Kuwait involve alleged insults made against powerful public figures on social media. In Aldoub’s case, though, prosecutors alleged that he had damaged the “trademark” of the bank by publishing proprietary information.
The prosecution argued that “GBKAdmin” listed in the VirusTotal sample contained some sort of trade secret.
Aldoub has tens of thousands of followers on Twitter. While it’s unclear how many users engaged with the tweets before he deleted them, Gulf Bank executives may have been worried that Aldoub’s clout in cybersecurity circles could draw more attention to the security incident.
“In the Gulf, there are significant pressures on commercial and private sector organizations to preserve their reputation, in addition to the financial consequences all organizations face from public disclosure of data breaches or intrusions,” said James Shires, an assistant professor at Leiden University in the Netherlands who studies cybercrime laws in Gulf countries.
Prosecutors also accused Aldoub of violating a 2015 cybercrime law that bars Kuwaitis from using social media to insult various public figures.
Civil liberties groups have slammed the law as a threat to free speech in Kuwait.
In 2020, the Ministry of Interior’s cybercrime department — the same one that handled Aldoub’s case — interrogated or arrested at least five activists and journalists for comments they made on Twitter, according to Human Rights Watch. That July, a Kuwaiti appeals court sentenced a former member of parliament to six months in prison for insulting the United Arab Emirates on his Twitter account.
Ali Boshehri, an attorney at Kuwaiti law firm Meysan Partners, said it is easy to file a complaint under the cybercrime law through the state Public Prosecution Office in Kuwait City.
After the law was passed, “a number of social media influencers began using their ability to easily file complaints through their lawyers to stem any criticism or offensive language on their accounts by the public,” said Boshehri, who is a member of the Kuwaiti Democratic Forum, a political opposition group that has staged protests against the ruling government.
Not everyone sees the law as oppressive.
“Some see that this law is suppressing the freedom of speech and opinion; I say this isn’t the intention of the legislature or the purpose of this law,” said Faten Al-Naqeeb, the founder of a Kuwait City-based law firm. “I have seen many cases where the prosecutor brought cases based on this law and were denied or dismissed by courts.”
Nevertheless, the law’s chilling effect has extended to cybersecurity professionals. A European consultant who has worked in Kuwait for a decade said the law is often on his mind when making public comments.
“For a single word, I can be deported,” the consultant, who spoke on the condition of anonymity, told CyberScoop. Because of the law, he said, “we are very careful with what we write.”
Laws that leave researchers in jeopardy for sharing publicly available cyber-threat information, or discussing incidents long after they’ve passed, can deprive organizations of the information they need to protect themselves from future hacks.
For example, suspected Iranian operatives have repeatedly conducted data-wiping hacks at institutions in multiple Gulf countries. The incidents involved similar techniques and tools, meaning potential victims can learn to protect themselves from others’ experiences. While data about those breaches has been shared publicly, a scenario in which a victim company sues a researcher to keep the attack data under wraps is conceivable.
Multiple countries in the Gulf, from Saudi Arabia to Qatar to the United Arab Emirates, have instituted expansive cybercrime laws over the last 15 years.
A 2018 study by the British think tank Chatham House found that, in prosecutions and investigations, most Gulf countries “still apply traditional texts to cybercrime cases that are mostly oblivious to the nature of these cases,” which impedes “the overall impact of fighting cybercrime.” Defenders of the laws, including some cybersecurity consultants who helped craft the language, say they are needed to counter a rise in scams and hacking in the region.
Critics say the laws are a potential counterweight to progress that these countries are making in other aspects of cybersecurity.
Saudi Arabia, for example, has a bug bounty program that allows researchers to report vulnerabilities on government networks. Kuwait unveiled a national cybersecurity strategy in 2017, with a foreword from the prime minister. And Kuwaitis like Aldoub and Reem al-Shammari, a security executive at Kuwait Oil Company, are regular speakers at international security conferences.
The unspoken rule in the region is that public dialogue on cybersecurity is welcome, so long as it doesn’t stray into sensitive territory. But a reluctance to publicly discuss and divulge hacking incidents, and learn from them, could leave the Gulf’s critical infrastructure less secure.
“The ambiguity and breadth of cybercrime laws in the Gulf means that they can be interpreted to encompass several ethical and legal grey areas in information security, such as public post-incident analysis or external vulnerability research and disclosure,” said Shires, of Leiden University.
A personal and national journey
Over the course of Aldoub’s life, Kuwait emerged from the ravages of the Gulf War, when Saddam Hussein’s invasion resulted in the deaths of some 1,000 Kuwaitis; rode the oil boom of the 2000s; and experienced popular unrest during the 2011 Arab Spring.
Kuwait is among the top 20 countries in the world in terms of GDP per capita, according to the World Bank.
An early curiosity about how computers fail people, and how they might be fixed, led Aldoub to study computer engineering at the country’s flagship Kuwait University. He graduated in 2009, and worked for several years afterward as a contractor conducting penetration tests of Kuwaiti government networks and writing software used on government systems, he said.
(Penetration testers break into clients’ networks the way a malicious hacker might, then advise organizations on how to defend against such intrusions.)
As Aldoub’s career was taking off, the Kuwaiti government was also taking cybersecurity more seriously.
Alleged Iranian hackers had targeted the country’s critical infrastructure, and the Kuwaiti government enlisted the help of the U.S. government to build out a cybersecurity program. In one example, suspected Iranian hackers posed as Kuwait’s Ministry of Foreign Affairs in a cyber-espionage campaign aimed at government agencies in the region, the security firm Anomali said in February.
Douglas Silliman said that when he was U.S. ambassador to Kuwait between 2014 and 2016, the Gulf country invested in programs to safeguard government networks and Kuwait’s prized oil reserves, which account for 6% of global supply.
Until recent years, though, Kuwait’s financial sector hasn’t invested a comparable amount in cybersecurity, Silliman and others said.
“Over the last decade the Kuwaiti banking system has made huge and very fast leaps from a series of brick-and-mortar institutions to mobile banking,” Silliman said. “There was no really strong Kuwaiti legal infrastructure to direct the banks on how they would have to protect information and depositors.”
Soon, events like the $81-million heist by North Korean hackers of Bangladesh Bank in 2016 were making network security an unavoidable issue for the global financial system. Some institutions, like Gulf Bank, brought in outside experts for cybersecurity training. Others did more to hire security executives in-house. The Central Bank of Kuwait in 2020 published a detailed list of cybersecurity requirements for financial institutions, and banks now must comply with third-party cybersecurity audits.
A black eye at Black Hat
Aldoub, a generally confident man, couldn’t seem to suppress his unease during a meeting with CyberScoop on the upper floor of the Mandalay Bay casino in Las Vegas in August 2019. He was at the famous Black Hat cybersecurity conference to share his technical knowledge, but his mind was elsewhere.
One month earlier, a court in Kuwait had acquitted him of all charges.
The prosecution, the judge said, had failed to prove that Aldoub had published anything improper or proprietary to Gulf Bank by tweeting about the VirusTotal samples. Aldoub’s lawyer, al-Dosari, also argued that his client’s tweets are protected by the Kuwaiti constitution — a direct challenge to the strict interpretation of the cybercrime law that Gulf Bank was betting on.
For Aldoub, the sense of relief was fleeting. He was convinced the bank would appeal the decision.
Before he had boarded the first of multiple flights to swap one desert climate for another, Aldoub’s phone rang. The person on the other end said they had information on the Gulf Bank incident and claimed to fear for their safety because of it, according to Aldoub. Rattled, and suspicious that it might be a trap, Aldoub told the person to get legal help and hung up.
Seated at a roundtable at the top of Mandalay Bay in Las Vegas, Aldoub recounted in a low voice the months of uncertainty that came with waiting for a verdict in the case.
He had ditched his usual thawb, the ankle-length gown worn in the Gulf, for a collared shirt and slacks. Small talk was at a premium. CyberScoop asked Aldoub about his Twitter handle, “Voulnet.”
“Not even my wife knows where I got that name,” he said.
Aldoub’s pride at representing his community on the big stage was tinged by reminders of a legal struggle that could be renewed at any moment.
He was defiant, but guarded. “I will prevail in my case, inshallah.”
In October 2019, two months after he returned to Kuwait, prosecutors appealed Aldoub’s acquittal. The Kuwaiti court of appeals was set to take up the case in April 2020, court records show, but the coronavirus pandemic delayed the case by six months.
It took until Oct. 28, 2020 — 19 months after Aldoub sent his tweets — before a judge in Kuwait’s appeals court cleared his name. The courts ruled that Aldoub had not acted with criminal intent and that his tweet did not contain any trade secrets.
“It’s unbelievable,” Aldoub, who is now 35, said with a laugh during a recent interview over Skype. “This case was extremely stressful.”
Ahmad al-Amir, the Gulf Bank spokesman, did not respond to multiple requests for comment on the case, including a detailed list of emailed questions. Ahmad Alsaleh, Gulf Bank’s legal counsel, did not respond to requests for comment.
One of the court rulings acquitting Aldoub rejects the prosecution’s allegation that Aldoub’s offenses had damaged the business brand of Gulf Bank and, in turn, Omar Alghanim, a wealthy businessman who was then the chairman of the bank’s board of directors.
If hacking was involved in the 2019 incident at Gulf Bank, it might not be Alghanim’s first brush with digital drama. A 2009 civil lawsuit in New York filed by Alghanim’s uncle, Bassam, accused Omar and his father, Kutayba, of hiring hackers to break into Bassam’s email accounts amid a bitter family business dispute, according to a Wall Street Journal report.
The case moved to arbitration in 2011 and the brothers agreed to dismiss the case, according to court records.
Sara Mohammadi, the CEO of the Family Business Council Gulf, a non-profit that Omar Alghanim chairs, declined a request to interview Alghanim.
A representative for Alghanim, who stepped down as chairman of Gulf Bank last year, did not respond to questions about the case.
A letdown for the ‘forces of silence’
Through a year and a half of legal ups and downs, Aldoub kept his silence about his predicament, fearful that any commentary could give prosecutors a new way of trying to incriminate him.
Now, the soft-spoken former government contractor says he’d do it all over again.
“The case did cost me time, money and was an ordeal, but that will not stop me from exercising my right to free speech and research,” Aldoub said in a recent interview. “I would have still sent the same tweets; it’s my right to do so, and it’s the bank’s responsibility to respect freedom of speech and research in Kuwait, not go looking for a scapegoat.”
Aldoub said he is back to doing cybersecurity consulting for the Kuwaiti government, and prodding officials to start a bug bounty program for security researchers. It’s part of an effort, he said, to get the government to “change the old mindset” on cybersecurity from seeing the issue through a prosecutorial lens to accepting help from technical experts.
When Aldoub learned of his acquittal in the court of appeals, on Oct. 28, he logged onto Twitter. “The truth has come and the falsehood was lost,” he wrote in Arabic without mentioning his case. The acquittal, he said, was a “letdown for the forces of darkness and silence.”
Editing by Jeff Stone and Tim Starks and design by Maria Barreix and Jacob Hege