Security vendor Forcepoint has released a new blog looking at the use of gamification to teach website hacking. The focus of the blog is around Operation Sledgehammer which is a Distributed Denial of Service (DDoS) attack on political sites. The sites being targeted belong to those who disagree with the current Turkish government.
The blog points to a Forcepoint Security Labs Special Investigations report entitled: “SLEDGEHAMMER – Gamification of DDoS Attacks Revision: 1.07 | TLP-WHITE | 2/28”. At the start of the report is a quote from Andy Settle, Head of Special Investigations, Forcepoint. He describes Sledgehammer as: “Federated hacking teams joining forces to perform Distributed Denial of Service Attacks (DDoS) on targets relating to Turkish politics. A first world-war Turkish artillery corporal from the Ottoman Army. A real-time league table scoreboard of DDoS attacks which displays a points system and allows those participating to exchange points for software to enable them to perform “click fraud”. A mysterious individual who writes all the software tools, but also puts secret backdoors into the software and who possibly works for a Turkish defence supplier…
“Simple? No. Messy? Yes.”
Gamification – A new training ground for hackers
The use of gamification to train security teams is not new. Military units regular run exercises based on different types of attacks. Criminals have also used similar methods for high value targets especially where the security was complex. There are also several cyber security companies adopting the approach to train their own staff and customers.
IBM, for example, recently announced the Cyber Range in Cambridge, Massachusetts. Customers can book time at the range to train their staff in how to defend against cyber security attacks. It has even made its way into TV programmes. US TV programme Blindspot recently ran an episode where a hacker created mods for games that included real world targets. The hacker included the real-world security features of a site allowing criminals to practice how to attack the site.
Moving from this to the dark web doesn’t take much of a jump. What is different is that hackers who take part in the games earn points. Points, as they say, make prizes. Those prizes include access to bots, hacking programmes and an updated version of the hacking tool. Interestingly the creator is also gaming the hackers. It seems that the tool they are providing is itself a piece of malware that exposes the computers used by hackers.
Is this a cyber security double bluff?
The Forcepoint team focus on the backdoor embedded in the tool. They suggest that the unknown author may actually work for a Turkish defence contractor. This would certainly make sense. It would give the contractor the ability to recruit an army of hackers that they could then control. Equally it would allow the contractor to monitor hackers and see what else they were involved in. This makes it a very good intelligence gathering tool.
Another possibility might be to use this as a recruitment tool. It would not be that far removed from the approach of the UK National Crime Agency. It monitors attacks and attempts to connect to hackers early in their career. Having let them know they are being monitored it gives them advice about careers in cyber security. The NCA is very secretive about this approach which is part of their Prevent programme
Forcepoint has chosen not to look further into the potential motives of the tools creator. They have said that there is plenty of evidence to tie them to the handle “Mehmet”. They also suggest that the author has experience of Signals Intelligence (SIGINT) due to the reference to the Blackbird SIGINT system.
While this currently shows little risk to enterprise IT departments it does show an increasing sophistication in how hackers are trained. The approach is also one that companies can adopt throughout their organisation. For example launching random attacks on departments with fake phishing messages. The IT security team could monitor how people click on the messages and then use that to direct more training to that person. It can also be used to improve the skills of their own IT staff using services such as the IBM Cyber Range.