APT34 Suspected in Coordinated Attack on UAE Government Infrastructure
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Spear Phishing
- Attack Complexity: High
- Threat Risk: Low Impact/High Probability
Threat Overview
FortiEDR's research lab discovered a series of attacks on a government entity in the United Arab Emirates. The attacks involved a novel PowerShell-based backdoor dubbed PowerExchange, whose command and control (C2) protocol used the victim's own Exchange server for communication. Further investigation revealed additional implants and a new web shell, named ExchangeLeech, that could harvest credentials. The Iranian threat actor APT34 is suspected to be behind the attacks, which involved phishing emails for initial access, lateral movement within the network, and scheduled tasks for persistence.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Government Agencies and Services: a government entity in the United Arab Emirates was targeted by the attack. | Verified |
Region | United Arab Emirates: the United Arab Emirates was targeted by the attack. | Verified |
Extracted IOCs
- enmckkb0t0v3.x.pipedream[.]net
- 2b995ce4656db7257451080111705d5b98b45df3
- 2ba23d9115fb1c1d4c5899d34dc4772631d77eda
- 68299df5d8ce52845a8fc10598f138840094181c
- 70aaa46784a2abd8af5628cb94f876d57fe8d154
- d82aad3222664ec9fb112808dfabbb56de9aa770
- f18575065970ef36e613ffa046f381fe9b01b3e9
- fd3750d809f6ff9cf2b49d7a63f8f3fa0a457f61
- hxxps://enmckkb0t0v3.x.pipedream[.]net?n=my
Tip: 9 related IOCs (0 IP, 1 domain, 1 URL, 0 email, 7 file hash) to this threat have been found.
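The indicators above are published defanged and mix a hostname, a URL and seven 40-character hex hashes (SHA-1 length). The script below is an added example, not part of this page or of the original research, showing how a responder would turn that list into a sweep: refang the indicators, sort them by type, match the host against proxy or DNS log lines, and match file contents by SHA-1. The proxy log lines are constructed for the demo and are not from the incident. Note that the listed host is one endpoint under a shared public request-capture service, so the matcher flags only that exact host or its subdomains, never the parent domain.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the "Extracted IOCs" list above, defanged as published.
DEFANGED_IOCS = [
    "enmckkb0t0v3.x.pipedream[.]net",
    "2b995ce4656db7257451080111705d5b98b45df3",
    "2ba23d9115fb1c1d4c5899d34dc4772631d77eda",
    "68299df5d8ce52845a8fc10598f138840094181c",
    "70aaa46784a2abd8af5628cb94f876d57fe8d154",
    "d82aad3222664ec9fb112808dfabbb56de9aa770",
    "f18575065970ef36e613ffa046f381fe9b01b3e9",
    "fd3750d809f6ff9cf2b49d7a63f8f3fa0a457f61",
    "hxxps://enmckkb0t0v3.x.pipedream[.]net?n=my",
]

# Constructed proxy log lines for the demo (not real incident data):
# timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2023-05-24T09:58:11Z 10.20.1.15 GET https://login.microsoftonline.com/common/oauth2/token 200",
    "2023-05-24T09:59:02Z 10.20.1.15 GET https://enmckkb0t0v3.x.pipedream.net?n=my 200",
    "2023-05-24T10:01:40Z 10.20.1.22 CONNECT mail.corp.example:443 200",
    "2023-05-24T10:03:17Z 10.20.1.15 GET http://x.pipedream.net/ 404",
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Hostname with at least one dot and an alphabetic TLD; bare IPs and timestamps do not match.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def refang(ioc: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so the indicator compares equal to live data."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def classify(iocs):
    """Sort refanged indicators into SHA-1 hashes, hostnames and full URLs."""
    hashes, domains, urls = set(), set(), set()
    for raw in iocs:
        ioc = refang(raw)
        if SHA1_RE.match(ioc):
            hashes.add(ioc)
        elif "://" in ioc:
            urls.add(ioc)
            domains.add(urlparse(ioc).hostname)  # the URL's host is an indicator in its own right
        else:
            domains.add(ioc)
    return hashes, domains, urls


def host_matches(host: str, domains) -> bool:
    """True for an exact listed host or a subdomain of one. The parent (x.pipedream.net)
    is a shared public service, so it is deliberately not matched."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, domains):
    """Return (line_number, host) for every log line that touches an indicator host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                hits.append((n, host.lower()))
                break
    return hits


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def scan_files(files, hashes):
    """files maps path -> content bytes (read from disk in real use). Returns paths whose
    SHA-1 is on the watchlist, with the matching hash."""
    return {path: sha1_of(data) for path, data in files.items() if sha1_of(data) in hashes}


if __name__ == "__main__":
    found_hashes, found_domains, found_urls = classify(DEFANGED_IOCS)
    for n, host in scan_log(SAMPLE_PROXY_LOG, found_domains):
        print(f"proxy line {n}: contact with IOC host {host}")
```

Run over the constructed log, only line 2 is flagged; line 4, which touches the parent domain of the same shared service, is not, which is the behaviour you want to avoid flooding the queue with unrelated users of that service. Hash matching is content-based, so renaming the dropped files does not evade it; the file names are not given on this page.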
FAQs
Understanding the PowerExchange Attack in the UAE
A new cyberattack was discovered targeting government networks in the UAE. Hackers deployed a stealthy backdoor called PowerExchange that uses internal email servers to secretly communicate and steal data.
The attack is suspected to be the work of APT34, a known Iranian state-linked group. They have a history of targeting Middle Eastern government agencies using phishing and Exchange-based backdoors.
The primary objectives were stealing credentials, performing surveillance inside the network, and executing commands to expand control over systems.
They used a phishing email containing a malicious ZIP file. When opened, it quietly installed a backdoor that allowed ongoing access and control.
The attackers focused on government systems and specifically Microsoft Exchange servers, which they used to hide communications and steal passwords.
The attackers used the Exchange server as a middleman, allowing them to stay hidden. This method avoided many common security tools and made detection difficult.
This appears to be a targeted attack focused on a specific government organization, though similar tactics have been used before against other entities in the region.
Organizations should harden their email infrastructure, deploy endpoint protection tools, train staff against phishing, and monitor for unusual behavior on Exchange servers.