National Fishing Company of Kuwait

A coordinated phishing campaign targeted the National Fishing Company of Kuwait as part of a broader attack on Kuwait’s critical sectors (fisheries, telecommunications, and insurance). Over 100 domains were deployed to harvest credentials via cloned login portals, with more than half of the 230+ domains impersonating the company. The attackers used transliterated and brand-inspired domain names (e.g., *alwattnya[.]com*, *wtanaya[.]com*) to bypass traditional detection, replicating the company’s online storefront, including product listings and shopping carts, to deceive employees and customers.

The campaign’s operators reused SSH keys across multiple servers (hosted under Aeza International Ltd’s AS210644), which allowed researchers to trace the infrastructure. While no explicit data breach was confirmed in the article, the harvesting of credentials, particularly from employees and customers, poses a severe risk of follow-on attacks, including financial fraud, internal data leaks, or operational disruption. The use of mobile payment lures (e.g., spoofed Zain telecom portals) further amplifies the threat of large-scale credential compromise, potentially enabling attackers to pivot into corporate networks or exfiltrate sensitive business/customer data.

Source: https://cybersecuritynews.com/ssh-auth-keys-reuse-exposes-phishing-attack/

TPRM report: https://www.rankiteo.com/company/national-fishing-company

"id": "nat4274542112625",
"linkid": "national-fishing-company",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'fisheries',
                        'location': 'Kuwait',
                        'name': 'National Fishing Company of Kuwait',
                        'type': 'private company'},
                       {'industry': 'telecommunications',
                        'location': 'Kuwait',
                        'name': 'Zain Kuwait',
                        'type': 'private company'},
                       {'industry': 'insurance',
                        'location': 'Kuwait',
                        'name': 'Unspecified Insurance Companies',
                        'type': 'private companies'}],
 'attack_vector': ['phishing domains',
                   'cloned login portals',
                   'SSH key reuse',
                   'transliterated/generic domain names'],
 'data_breach': {'data_exfiltration': 'Likely (harvested via phishing portals)',
                 'personally_identifiable_information': 'Yes (phone numbers, '
                                                        'payment details)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['credentials',
                                              'phone numbers',
                                              'payment details']},
 'date_publicly_disclosed': '2025-05',
 'description': 'A coordinated phishing campaign targeting Kuwait’s critical '
                'sectors (fisheries, telecommunications, and insurance) was '
                'exposed due to the reuse of SSH authentication keys across '
                'multiple attack servers. The campaign, active as of May 2025, '
                'deployed over 100 domains to harvest credentials through '
                'cloned login portals impersonating legitimate Kuwaiti '
                'businesses. The infrastructure spans servers hosted within '
                'Aeza International Ltd’s network (AS210644), with domains '
                'using transliterations and generic references to evade '
                'traditional detection methods. Over half of the 230+ domains '
                'impersonated the National Fishing Company of Kuwait, while '
                'others targeted Zain (telecommunications) and insurance '
                'sectors. The campaign’s operational security lapse reusing '
                'SSH keys allowed researchers to link seemingly unrelated '
                'domains and expose the full scope of the attack.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to '
                                        'impersonated companies (e.g., '
                                        'National Fishing Company of Kuwait, '
                                        'Zain)'],
            'data_compromised': ['credentials',
                                 'phone numbers',
                                 'payment details'],
            'identity_theft_risk': 'High (due to harvested credentials and '
                                   'payment details)',
            'payment_information_risk': 'High (mobile payment portal targeting '
                                        'Zain customers)'},
 'investigation_status': 'Ongoing (as of May 2025)',
 'lessons_learned': ['Sophisticated threat actors may leave detectable '
                     'patterns (e.g., SSH key reuse) despite advanced tactics.',
                     'Transliterated/generic domain names can bypass '
                     'traditional typosquatting detection.',
                     'Mobile phishing portals (e.g., Zain spoof) exploit '
                     'reduced visibility on mobile devices.',
                     'Cross-sector targeting increases attack surface and '
                     'complicates defense.'],
 'motivation': ['credential theft', 'financial fraud', 'data exfiltration'],
 'post_incident_analysis': {'root_causes': ['Operational security failure (SSH '
                                            'key reuse across servers)',
                                            'Effective use of '
                                            'transliterated/generic domains to '
                                            'evade detection',
                                            'Convincing replication of '
                                            'legitimate company portals (e.g., '
                                            'shopping carts, mobile payment '
                                            'interfaces)']},
 'recommendations': ['Monitor for SSH key reuse across infrastructure to '
                     'detect linked malicious domains.',
                     'Query ASN 210644 (Aeza International Ltd) for potential '
                     'malware sightings.',
                     'Enhance detection for transliterated/generic domain '
                     'registrations impersonating brands.',
                     'Educate users on mobile phishing risks, especially for '
                     'payment portals.',
                     'Implement multi-factor authentication (MFA) to mitigate '
                     'credential harvesting.'],
 'references': [{'source': 'Hunt.io'}],
 'response': {'enhanced_monitoring': ['SSH key fingerprinting queries (e.g., '
                                      'SELECT ip, hostname, malware.name FROM '
                                      "malware WHERE asn.number == '210644')"],
              'third_party_assistance': ['Hunt.io researchers']},
 'title': 'Coordinated Phishing Campaign Targeting Kuwait’s Critical Sectors '
          'via SSH Key Reuse',
 'type': ['phishing', 'credential harvesting', 'social engineering'],
 'vulnerability_exploited': 'Operational security lapse (SSH authentication '
                            'key reuse across servers)'}