False claims of U.S. troop withdrawal from Kuwait in midst of escalation with Iran vigorously denied by state-run news outlet

The official news agency of Kuwait issued a statement on January 8 claiming its Twitter account had been hacked, following a pair of tweets incorrectly reporting the impending departure of U.S. troops from the country. While the hacking of news agencies’ Twitter accounts is by no means unprecedented, it has also been used as an excuse when accounts have published controversial or false posts in the past. Whatever the facts may be in this case, it bodes very poorly when it comes to sorting out facts in the extraordinarily messy information environment of the current United States-Iran crisis and crisis information environments more broadly.

At approximately 1:42 p.m. Kuwait time on January 8, the government-run Kuwaiti News Agency (KUNA) posted a pair of tweets to its 35,000 followers suggesting a U.S. pullout from local military bases was imminent. According to the Washington Post, the first tweet said, “Kuwait defense minister announced today that he has received an official letter from Commander-in-chief of Camp Arifjan declaring imminent withdrawal of all US military forces in 3 days.” It was then followed up by a second tweet: “Kuwait Defense Minister stated that receiving such letter from Camp Arifjan was unexpected and we are communicating with U.S. Department of Defense for more details and information.” (Both tweets have been deleted.)

At 2:16 p.m. Kuwait time, around 35 minutes after the initial tweets appeared, KUNA posted a tweet in English claiming “Our social media account (Twitter) has been hacked.”

KUNA: "Our social media account (Twitter) has been hacked."#KUNA #KUWAIT
(M E)

— Kuwait News Agency – English Feed (@kuna_en) January 8, 2020

This was followed by a pair of tweets from KUNA’s Arabic account eight minutes later attempting to explain what happened. Translated with assistance from Google Translate and independently verified, the two tweets read:

(KUNA) categorically denies reports it broadcast statements by Defense Minister Sheikh Ahmad Al-Mansour about the withdrawal of U.S. forces from Kuwait.

KUNA affirms that it did not broadcast any news about the withdrawal of US forces, and stresses the need to investigate the accuracy of the circulation of information and news and its transmission, and to ensure that the information is drawn from its correct and official sources.

(كونا) تنفي قطعيا صحة ماتم تداوله حول نشرها تصريحا لنائب رئيس مجلس الوزراء ووزير الدفاع حول انسحاب القوات الأمريكية من الكويت#كونا #الكويت
س.ع

— كـــــــــــونا KUNA (@kuna_ar) January 8, 2020

كونا تؤكد أنها لم تبث أي خبر حول انسحاب القوات الامريكية وتشدد على ضرورة تحري الدقة في تداول المعلومات والاخبار ونقلها والحرص على استقاء المعلومات من مصادرها الصحيحة والرسمية#كونا #الكويت
س.ع

— كـــــــــــونا KUNA (@kuna_ar) January 8, 2020

The text of the tweets, reportedly written by Kuwaiti government communications office head Tareq al-Muzram, were also posted on KUNA’s website and English-language Twitter account. Later, at 5:55 p.m. Kuwait time, Information Minister Mohammed Al-Jabri announced the formation of a committee to investigate the matter.

What exactly happened here? Was the Kuwaiti News Agency hacked, or are they simply claiming they were hacked to the avoid embarrassment of retracting an incorrect story during a high profile crisis? It is too early to know, but it would not be the first time a news outlet has had their Twitter account hacked.

On April 23, 2013, the Associated Press primary Twitter account (@AP) posted an alarming bulletin: “Breaking: Two Explosions in the White House and Barack Obama is injured.” The tweet led to a temporary but massive selloff on Wall Street, not to mention brief panic across social media. The account had been hacked and temporarily led to a suspension by Twitter until the matter was resolved.

It was not even the first major Twitter hack that same month. A week earlier, NPR had multiple accounts and its breaking news blog taken over by the hacker collective known as the Syrian Electronic Army. A few days later, CBS found several of its Twitter accounts taken over by the same group, including @60Minutes, @48Hours, and @CBSDenver. The Syrian Electronic Army also took credit for the AP hack: “Ops! @AP get owned by Syrian Electronic Army! #SEA #Syria #ByeByeObama,” they wrote in a now-deleted tweet.

How could the Syrian Electronic Army commandeer these platforms in rapid succession? Rather easily, because they exploited a particular vulnerability common among online brands: the use of third-party social media management tools, which allow teams of people to manage the same accounts. In the case of NPR — the author of this story was social media editor at the time — the organization’s Twitter accounts were exposed because of a successful phishing attempt, in which countless NPR staff were emailed a fake message containing a link to purportedly newsworthy information. Anyone who clicked the link had their email inboxes scanned for logins and temporary passwords, some of which might still be active. Eventually the hackers found an individual with a vulnerable password, granting them access to the program used to coordinate the organization’s social media, Social Flow, and ultimately Twitter. The same phishing exploit was used to access NPR’s content management system, leading to vandalized blog posts propagating across NPR.org and member station websites.

The lesson to be learned here: even news outlets as highly respected as the AP, CBS, and NPR can have their online platforms successfully hacked. For CBS and NPR, the hacking was akin to vandalism and mostly a nuisance; for the AP, however, its status as a long-respected purveyor of breaking news bulletins temporarily caused havoc online and in the markets.

It is entirely possible that something similar happened to the Kuwait News Agency on January 8. Looking at their Twitter accounts, it is clear that they too are using a third-party social media management tool — in this case, Hootsuite, as can be seen next to each tweet’s timestamp.

There is also the possibility that KUNA made an actual reporting mistake and attempted to cover it up by claiming to have been hacked, but this scenario is generally much more common among politicians and celebrities attempting to cover up a mistake, rather than news outlets. At the time of publishing, there is no direct evidence to suggest that this scenario took place.

Taking the outlet at its word, it would indicate that someone or some group is trying to add to the informational chaos surrounding the Iran crisis. The tweets in question claimed the U.S. military was about to withdraw from a local Kuwaiti base, which were perfectly timed to ride the coattails of the recent news cycle surrounding reports that the U.S. Department of Defense had drafted a memo regarding troop withdrawals from the region. While the Defense Department ultimately claimed that no actual decision had been made on the matter, troop withdrawals are top of mind in every country in the Persian Gulf that host U.S. forces, including Kuwait, given the enormous repercussions of such a policy decision taking place.

Whoever posted the Kuwaiti News Agency tweets, particularly if it was a hack, seems to have been motivated to stoke the kindling regarding U.S. troop presence. While there have been plenty of examples of bad reporting since the death of Qasem Soleimani, this would be the first instance of hacking a news outlet’s social media presence to propagate disinformation. And it is entirely possible it will not be the last.

Follow along for more in-depth analysis from our #DigitalSherlocks.