Unmasking the Shadows: Detecting Network Scans from APT34 and APT39
In the ever-evolving landscape of cybersecurity, staying ahead of sophisticated threat actors is paramount. Groups like APT34 and APT39, known for their targeted and persistent attacks, often begin their campaigns with a subtle yet crucial phase: reconnaissance.
Recently, insights from a Tech Talk by Dan Gunter of Insane Cyber shed light on how defenders can pinpoint these early-stage network scanning activities, which are the digital footprints left during the reconnaissance and discovery phases of an attack. Understanding these behaviors is the first step in fortifying your defenses.
Meet the Adversaries: APT34 (OilRig/Helix Kitten)
APT34, an advanced persistent threat group widely believed to operate in alignment with Iranian strategic interests, has been a significant player in the cyber espionage arena since approximately 2012, though their activities gained broader public recognition around 2016.
Known Aliases: This group is also tracked under monikers such as OilRig, Earth Simnavaz, Helix Kitten, and more recently, Scarred Manticore. These different names often reflect evolving tactics or tools identified by various cybersecurity research teams.
Strategic Objectives & Targeted Sectors: APT34’s operations are primarily geared towards intelligence gathering to bolster Iran’s national security and geopolitical standing. Their focus is not random; they strategically target sectors that offer high-value information and control:
- Aviation & Defense: Critical for insights into military capabilities and national security apparatus.
- Energy (Oil & Gas) & Chemicals: Vital for economic intelligence and understanding of critical infrastructure, given Iran’s own resource-rich status.
- Finance & Government: Key for economic data, policy insights, and potential disruption.
- IT & Telecommunications: Access here can provide broad intelligence, technological knowledge, and control over communication channels.
- Education: Institutions can be a source of research, technology, and access to future talent.
Geographic Footprint: While APT34’s activities demonstrate a strong concentration in the Middle East, particularly the Persian Gulf region, their operational reach is global. They have been observed targeting entities in the United States, United Kingdom, China, Turkey, and various other nations across North Africa and the broader Middle East, reflecting diverse economic and strategic pursuits.
A History of Adaptation: APT34’s journey from 2012 to the present is a testament to their adaptability:
- 2012-2015 (Emergence): Believed to have initiated operations.
- 2016 (OilRig Campaign): Public recognition with attacks on Saudi financial and tech sectors using social engineering and tools like the Helminth backdoor.
- 2017 (Tool Advancement): Introduced new malware (ISMAgent, ISMInjector) and enhanced anti-detection, targeting Middle Eastern IT and government.
- 2018 (Expansion): Deployed OopsIE Trojan and RGDoor backdoor against high-profile Middle Eastern government and financial bodies.
- 2019 (Leaks & Evolution): Despite an operational leak exposing tools, the group adapted, using platforms like LinkedIn for sophisticated phishing.
- 2020 (Refined Targeting): Shifted focus to U.S. companies, refining malware like Karkoff and RDAT, using steganography.
- 2021 (New Campaigns): Launched new backdoors like SideTwist against Lebanese organizations and campaigns like “Outer Space” and “Juicy Mix” targeting Israeli firms.
- 2022 (Destructive Turn): Notable attack on the Albanian government, marking a foray into destructive operations alongside ongoing spear-phishing with backdoors like Saitama.
- 2023 (Intricate Operations): Significant intrusions against Middle Eastern governments using advanced tools like PowerExchange for data exfiltration, operating as Scarred Manticore.
- 2024 (High-Profile Exploits): Targeted Iraqi governmental networks using sophisticated installers and exploits like CVE-2024-30088, leveraging Microsoft Exchange vulnerabilities for credential theft.
Operational Web & Affiliations: APT34’s operations suggest connections with Iran’s Ministry of Intelligence and Security (MOIS).
They also share operational infrastructure, malware, and TTPs with clusters like Karkoff, Saitama, and IIS Group2. Subgroups such as Greenbug and Volatile Kitten operate within APT34’s broader objectives. Potential overlaps exist with APT33 (Elfin/Magnallium) and the DNSpionage campaigns, and resemblances to the Hexane (Lyceum) cluster.
They also have documented links with FOX Kitten, known for facilitating ransomware attacks.
Peeling Back the Layers: Core Scanning Techniques
Attackers like APT34 and APT39 rely on several foundational scanning techniques to map out their target environments:
- Port Scanning: Identifying open TCP/UDP ports to find available services.
- Service Identification: Determining the specific software and version running on open ports.
- Operating System (OS) Detection: Fingerprinting the target system’s operating system.
- Vulnerability Scanning: Actively probing for known weaknesses in identified services and systems.
Tools like Nmap and Nikto are staples in both attacker and defender toolkits. Their modular nature allows attackers to select specific functions, which in turn dictates the types of evidence left behind.
Spotting the Unseen: Indicators of Nmap Activity
Nmap is a versatile network scanner. Aggressive scans (e.g., nmap -A) can reveal a wealth of information:
- Open ports and their services
- Service version numbers
- OS fingerprints
- SMB-related details and more.
Defenders can look for tell-tale signs:
- Distinct User-Agent strings, especially those from the Nmap Scripting Engine (NSE).
- Probes to known, often unusual paths like /trinity.txt.back.
- A sudden spike in HTTP 404 errors (path not found) as Nmap tests for common web paths.
- HTTP 501 errors (method not implemented) if Nmap attempts unsupported HTTP methods.
- Patterns indicative of SMB enumeration, such as a series of access denied errors or queries for disabled accounts.
The Whisper of SYN Scans (Stealth Scans): APT34 and APT39 have been noted to use SYN scanning (often nmap -sS). This “half-open” scan is stealthier because it doesn’t complete the full TCP three-way handshake:
- The scanner sends a SYN packet to a target port.
- If the port is open, the server responds with a SYN-ACK.
- The scanner then sends an RST (reset) packet, aborting the connection before it’s fully established and logged by many applications.
While quieter, SYN scans aren’t invisible. They can create anomalies:
- An unexpected increase in TCP RST (reset) packets originating from the target hosts as they respond to the aborted handshakes.
- Noticeable shifts in traffic volume, especially if many ports or hosts are scanned.
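The anomalies described above can be turned into a concrete check. The following Python is an added example written for this article, not code from the Tech Talk or from Insane Cyber. It assumes a simplified, constructed packet-summary format ("ts src dst port flags", where port is always the service-side port of the conversation) rather than a real capture, and the threshold of five half-open ports is an assumed value to tune against your own baseline. It groups packets by initiator and responder, flags any pair where the initiator sent SYNs to many distinct ports without ever completing a handshake, and reports the RST volume in both directions plus the ports the scanner will have learned are open (the ones that answered SYN-ACK).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    dst: str
    port: int    # service-side port of the conversation (same value in both directions)
    flags: str   # S=SYN, A=ACK, P=PSH, R=RST; "SA" is SYN-ACK, "RA" is RST-ACK


# Constructed sample, not captured traffic: one normal HTTPS session from 10.0.0.7,
# then 10.0.0.5 half-open scanning 10.0.0.20 (22 and 80 open, the rest closed).
SAMPLE_PACKETS = """\
1  10.0.0.7  10.0.0.20 443 S
2  10.0.0.20 10.0.0.7  443 SA
3  10.0.0.7  10.0.0.20 443 A
4  10.0.0.7  10.0.0.20 443 PA
5  10.0.0.5  10.0.0.20 22  S
6  10.0.0.20 10.0.0.5  22  SA
7  10.0.0.5  10.0.0.20 22  R
8  10.0.0.5  10.0.0.20 23  S
9  10.0.0.20 10.0.0.5  23  RA
10 10.0.0.5  10.0.0.20 25  S
11 10.0.0.20 10.0.0.5  25  RA
12 10.0.0.5  10.0.0.20 80  S
13 10.0.0.20 10.0.0.5  80  SA
14 10.0.0.5  10.0.0.20 80  R
15 10.0.0.5  10.0.0.20 110 S
16 10.0.0.20 10.0.0.5  110 RA
17 10.0.0.5  10.0.0.20 143 S
18 10.0.0.20 10.0.0.5  143 RA
19 10.0.0.5  10.0.0.20 445 S
20 10.0.0.20 10.0.0.5  445 RA
"""


def parse_packets(text):
    """Parse the constructed 'ts src dst port flags' summary format used above."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, flags = line.split()
        packets.append(Packet(int(ts), src, dst, int(port), flags))
    return packets


def syn_scan_report(packets, min_half_open_ports=5):
    """Flag (initiator, responder) pairs with many SYNs that never became a handshake."""
    syn_ports = defaultdict(set)        # (initiator, responder) -> ports sent a bare SYN
    completed_ports = defaultdict(set)  # (initiator, responder) -> ports where initiator ACKed / sent data
    synack_ports = defaultdict(set)     # (responder, initiator) -> ports that answered SYN-ACK (open)
    rst_sent = defaultdict(int)         # (sender, receiver) -> RST packets sent

    for p in packets:
        if p.flags == "S":
            syn_ports[(p.src, p.dst)].add(p.port)
        elif p.flags == "SA":
            synack_ports[(p.src, p.dst)].add(p.port)
        elif p.flags == "A" or "P" in p.flags:
            completed_ports[(p.src, p.dst)].add(p.port)
        if "R" in p.flags:
            rst_sent[(p.src, p.dst)] += 1

    report = {}
    for (src, dst), ports in syn_ports.items():
        half_open = ports - completed_ports[(src, dst)]
        if len(half_open) >= min_half_open_ports:
            report[(src, dst)] = {
                "half_open_ports": sorted(half_open),
                "ports_found_open": sorted(synack_ports[(dst, src)] & half_open),
                "rst_from_target": rst_sent[(dst, src)],   # closed ports answering RST-ACK
                "rst_from_scanner": rst_sent[(src, dst)],  # scanner aborting open ports
            }
    return report


if __name__ == "__main__":
    for pair, details in syn_scan_report(parse_packets(SAMPLE_PACKETS)).items():
        print(pair, details)
```

In the sample the legitimate client is ignored because its SYN was followed by an ACK and data, while the scanner produces seven half-open ports, five RST-ACKs from the target (the closed ports) and two RSTs of its own (aborting the open ones), which is exactly the RST surge the text describes. On real data, run the same grouping over a sliding time window so that a slow scan spread across hours is still counted together.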
Unmasking Nikto: Clues from Web Server Scans
Nikto specializes in scanning web servers for vulnerabilities. Its scans are generally more “noisy” than Nmap’s stealth options. Indicators include:
- Requests for hardcoded URLs that are part of Nikto’s vulnerability checks.
- Specific User-Agent headers revealing the Nikto version and test signatures.
- Exposure of directory listings or specific vulnerability details in server logs if Nikto successfully identifies them.
Attackers might attempt evasion by:
- Encoding URLs to bypass simple signature matching.
- Using custom User-Agent strings to mask Nikto’s identity.
Despite these efforts, the underlying patterns, like a surge in 404 errors from probing numerous non-existent paths, can still signal scanning activity.
The Adaptable Adversary: APT34’s Evolving Arsenal
APT34 doesn’t rely on a static set of tools. Their operational flexibility is a hallmark:
- Custom & Evolving Tools: They develop and adapt tools (.NET applications, PowerShell scripts, IIS-focused malware) designed for stealth, persistence, and evasion in diverse environments.
- Rapid Vulnerability Exploitation: APT34 quickly weaponizes new vulnerabilities (e.g., CVEs like CVE-2024-30088) for privilege escalation and deeper network penetration. They’ve also exploited Microsoft Exchange server vulnerabilities for credential theft to facilitate lateral movement.
- Sophisticated C2 Mechanisms: They employ innovative command-and-control methods, including custom DNS tunneling protocols for covert data exfiltration and system control. Compromised email accounts are also used, blending malicious traffic with legitimate communications.
- Diverse Malware Portfolio: Their arsenal includes tools for various stages of attack, from reconnaissance and lateral movement (e.g., BONDUPDATER, Alma Communicator) to data exfiltration (e.g., STEALHOOK) and system disruption.
- Modular Design: Their toolsets are often modular, allowing for quick customization and adaptation to bypass evolving security defenses, ensuring long-term persistence.
Implications for Targeted Industries
The persistent and adaptive nature of APT34’s tactics poses significant challenges, particularly for organizations in the energy, finance, government, chemical, and telecommunications sectors, especially those in the Middle East.
Their alignment with state objectives means a constant threat of intelligence gathering, cyber espionage, and potential disruption aimed at critical infrastructure. The use of supply chain attacks further complicates defense, as vulnerabilities in partner organizations can become entry points.
Shifting from Signatures to Behavior: The Path Forward
The crucial insight is this: while attackers can try to obfuscate the specific tools they deploy, they cannot easily hide the behavioral patterns or the shifts in network traffic flow their activities generate.
Defenders are encouraged to:
- Move Beyond Signature-Based Detection: While important, signatures alone are insufficient against adaptive threats.
- Embrace Anomaly-Based Monitoring: Focus on identifying deviations from normal network behavior. Look for unusual traffic patterns, unexpected internal connections, or atypical data flows that suggest scanning or probing.
- Strengthen Vulnerability Management: Proactively identify and remediate weaknesses that groups like APT34 exploit.
- Enhance Threat Intelligence: Stay informed about the TTPs (Tactics, Techniques, and Procedures) of relevant threat actors.
By integrating these strategies, organizations can build a more resilient defense. Focusing on behavioral anomalies and understanding the specific risks to your sector allows you to stay one step ahead in this continuous cat-and-mouse game with sophisticated adversaries.