The NCSC Advisory Report – Jargonbusted!
Yesterday, NCSC published this report “Advisory: Turla group exploits Iranian APT to expand coverage of victims” together with the NSA. Rob declared this was “very interesting” so I sat down to read it. I didn’t even make it to the third paragraph…
I asked Rob to explain what the report meant, paragraph by paragraph, so I could understand what was so very interesting, and what I, as a director of a small business who is interested in cyber security, should be thinking and doing with this information.
A summary of our discussion follows.
Report: “The Turla group, also known as Waterbug or VENOMOUS BEAR”
Me: What? What are these names? Who comes up with them? Why is VENOMOUS BEAR in upper-case?
Rob: The names are basically arbitrary; they are assigned by different cyber security organisations. Over time “Bear” has become somewhat synonymous with Russia. There are a few websites where you can find out who these groups are such as https://attack.mitre.org/groups/. The government tends to use upper-case names, so if the name is in upper-case there’s a good chance it was created by a former government analyst.
Report: “Turla’s use of Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit”
Me: Woah stop right there! What’s an implant? What are Neuron and Nautilus exactly? What’s an ASPX-based backdoor? What’s a rootkit? And the Snake rootkit?
Rob: An implant is another name for a trojan or malicious software (malware). It will be something that talks out, i.e. when it runs it will connect to a central command and control (C2) centre. Neuron and Nautilus are names of malware (hacking tools) known to be used by Iranians. A backdoor, also malware, will be a listener, i.e. it will be installed on something internet facing and wait to be connected to. A rootkit is just another form of malware; the Snake rootkit is malware known to be used by this Russian group Turla.
Report: “The behaviour of Turla in scanning for backdoor shells”
Me: Backdoor shells – are these something businesses might have on their servers? How would we know?
Rob: Yes possibly, if they have internet facing servers. This sort of thing can be detected by security software (it will be listening on an unusual port), which can be picked up by vulnerability scanning.
Report: “The NCSC published two advisories on the use of Neuron and Nautilus tools”
Me: Should I be reading these advisories?
Rob: These NCSC advisories provide information on how to detect this malware which gets fed into security tools. The important thing for businesses is to keep their security tools up to date.
Report: “Iranian APT groups”
Me: These are government spies right? The Iranian version of MI5/MI6?
Rob: Yes usually APT means they are a state organisation, either directly employed or a hacking group being paid by a state.
Report: “Turla directly accessed ‘Poison Frog’ C2 panels from their own infrastructure and used this access to task victims to download additional tools”
Me: And Poison Frog is …?
Rob: Another bit of malware.
Report: “Indicators of Compromise (IOCs)”
Me: What are we supposed to do with this information?
Rob: Bigger security companies will have research teams who can use this information. The NCSC encourages all organisations to share research findings so they can feed into the intelligence gathered, and ultimately improve security software.
The world of cyber security seems particularly prone to jargon and fantasy names that only those in-the-know have a hope of understanding. It can be overwhelming, but I’m hoping to be able to unpick some of that in future blog posts.
Thanks for reading! If you have any questions please don’t hesitate to get in touch.