APT34 (OilRig / Helix Kitten) Earth Simnavaz Cluster Targets Middle Eastern Government Email Infrastructure via PowerExchange Backdoor

APT34 (OilRig / Helix Kitten), an advanced persistent threat group, has been linked to a recent cyberattack on Middle Eastern government email infrastructure. The incident combined on-premises Exchange server compromise, deployment of the PowerExchange backdoor, and credential theft over the EWS API to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We’ll also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
May 25, 2023

Who is APT34 (OilRig / Helix Kitten)?

APT34, tracked as OilRig or Helix Kitten, is an Iranian state-backed hacking group specializing in Middle Eastern government and energy sector espionage, using spear-phishing and Exchange server compromises to deploy custom backdoors like PowerExchange. Their campaigns blend credential theft with covert command-and-control over trusted email channels.

What Happened?

In early to mid-2023, Iranian APT34 compromised the on-premises Microsoft Exchange servers of a UAE government entity by deploying a custom PowerShell backdoor called PowerExchange. Using stolen credentials and web shell access, the attackers established covert, long-term control over the server—turning the organization's own email platform into a command hub for espionage.

How Did The Attack Work?

The operation began with spear-phishing emails carrying ZIP files that masqueraded as PDFs. Once launched by the target, these files delivered the PowerExchange payload, which installed itself and deployed the ExchangeLeech web shell. From there, APT34 innovatively used the Exchange Web Services (EWS) API as its communications channel, exchanging encoded commands and exfiltrated data via regular email traffic with innocent-seeming subject lines. By pivoting into SaaS—the trusted Exchange email infrastructure—the attackers ensured all C2 traffic blended invisibly into routine business operations and could even use harvested credentials to move laterally to other cloud-linked assets.

Why It Matters

This incident demonstrates a major shift in attacker strategy: leveraging legitimate SaaS platforms not just as targets but as cover for stealthy, persistent operations. When adversaries can use the very core of business communication—the organization's own SaaS services (like Exchange)—for command and control, conventional network monitoring and threat detection become much less effective. As businesses and governments increasingly rely on cloud-based email and SaaS platforms, the ability to monitor and secure internal activity within these trusted services is now just as crucial as protecting the perimeter. Preventing, detecting, and responding to these types of “living off the SaaS” attacks is vital for safeguarding data, credentials, and operational integrity.

How to Defend Against APT34 (OilRig / Helix Kitten)-Style Attacks

To defend against attacks like the APT34 (OilRig / Helix Kitten) campaign against on-premises Microsoft Exchange servers:

  • Phishing Prevention & Awareness
    Train users to recognize spear-phishing emails and malicious attachments. Simulate targeted phishing exercises to raise awareness.
  • Email Attachment Filtering
    Block or quarantine executable attachments in ZIP files at the email gateway.
  • Patch & Vulnerability Management
    Promptly apply security updates to Microsoft Exchange servers and other critical infrastructure.
  • Exchange & SaaS Activity Monitoring
    Monitor for suspicious Exchange Web Services (EWS) API calls, anomalous mailbox activity, and unauthorized web shell deployment.
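One way to act on the monitoring advice above, as an added example that is not Obsidian's code or anything recovered from the campaign itself: a small Python script that parses constructed Exchange front-end log lines (the IIS W3C-style field layout is an assumption) and flags three patterns the list names, namely EWS request volume far above peer accounts, EWS traffic from a client that is not a known mail client, and POSTs to script paths outside the expected Exchange virtual directories. The allowlists, account names and paths are hypothetical sample data.

```python
from collections import Counter
from statistics import median

# Field order of the constructed log lines (IIS W3C style, spaces in UA shown as '+')
LOG_FIELDS = ["date", "time", "method", "uri", "user", "ip", "ua", "status"]
# Assumed allowlists; a real deployment would derive these from its own baseline
KNOWN_PATHS = {"/ews/exchange.asmx", "/owa/auth.owa", "/autodiscover/autodiscover.xml"}
KNOWN_EWS_AGENTS = ("Microsoft+Office/", "MacOutlook/", "Outlook/")

def parse(lines):
    """Turn W3C-style lines into dicts; skip comment lines and malformed rows."""
    rows = []
    for line in lines:
        parts = line.split()
        if not line.startswith("#") and len(parts) == len(LOG_FIELDS):
            rows.append(dict(zip(LOG_FIELDS, parts)))
    return rows

def find_anomalies(rows, ratio=5.0):
    """Return (kind, user, detail) findings for three EWS-related patterns."""
    findings = set()
    ews_per_user = Counter(r["user"] for r in rows if r["uri"].lower() == "/ews/exchange.asmx")
    base = median(ews_per_user.values()) if ews_per_user else 0
    for user, n in ews_per_user.items():
        if base and n > ratio * base:          # one account far above its peers on EWS
            findings.add(("ews_volume", user, n))
    for r in rows:
        uri = r["uri"].lower()
        if uri.startswith("/ews/") and not r["ua"].startswith(KNOWN_EWS_AGENTS):
            findings.add(("ews_unknown_agent", r["user"], r["ua"]))   # scripted EWS client
        if r["method"] == "POST" and uri.endswith((".aspx", ".asmx")) and uri not in KNOWN_PATHS:
            findings.add(("unknown_post_script", r["user"], r["uri"]))  # possible web shell
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))

def build_sample():
    """Constructed sample: three Outlook users, one account hammering EWS from a
    scripted client, and one unauthenticated POST to an unexpected .aspx page."""
    lines, t = [], 0
    def add(method, uri, user, ip, ua, status="200"):
        nonlocal t
        t += 1
        lines.append(f"2023-05-01 08:{t // 60:02d}:{t % 60:02d} {method} {uri} {user} {ip} {ua} {status}")
    for user, n in (("CORP\\alice", 3), ("CORP\\bob", 2), ("CORP\\carol", 3)):
        for _ in range(n):
            add("POST", "/EWS/Exchange.asmx", user, "10.0.1.10", "Microsoft+Office/16.0")
    for _ in range(24):
        add("POST", "/EWS/Exchange.asmx", "CORP\\svc_reports", "10.0.9.77", "PowerShell/7.3")
    add("POST", "/owa/auth/ex.aspx", "-", "203.0.113.5", "Mozilla/5.0")  # hypothetical path
    return lines
```

Run `find_anomalies(parse(build_sample()))` to see the three findings; feeding real front-end logs in the same field order is the only change needed to try it on live data.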

Where Obsidian Security Can Help

ITDR detects anomalous account and service activity within SaaS email platforms. SSPM continuously monitors and enforces secure configurations for email and identity systems to block unauthorized access channels.

Conclusion

APT34 (OilRig / Helix Kitten)’s recent campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.