Sophos Cloud Optix
A Turkish crime group has set up a league that awards points to other groups willing to use its tool to carry out DDoS attacks on websites it doesn’t like.
Superficially, it’s an innovative idea the company that discovered it, Forcepoint (formerly Websense), likens to gamification – in other words, turning activities into competitions as a way of increasing uptake.
If you politely ask someone to do something, they probably won’t bother. If you tell them that other people are doing it and getting rewarded as part of a competition, they become more interested.
In the league set up by Surface Defence (Sath-ı Müdafaa), participants receive one point for every 10 minutes spent attacking a target with the Tor-hosted “Sledgehammer” (Balyoz) DDoS tool.
The hardwired list of target organisations is small but revealing, and includes the CDU party of German Chancellor Angela Merkel, Kurdish political organisations including the PKK, the Armenian Genocide Institute, and even an Israeli film festival.
The prize for taking part is the right to use an open version of the Sledgehammer tool against any website, and access to a few minor click-fraud bots.
Clearly, the people running this league are Turkish nationalists, but is their motivation as it seems?
To date, the league’s top 10 features half a dozen groups (including the tool’s developer) that appear to have racked up modest levels of DDoS activity, although there is no way of knowing how disruptive these were.
But there are odd features too. Competitors can only run Balyoz from one computer at a time, which makes for a fair fight to lead the table but is hardly an efficient way to conduct DDoS attacks of any size.
Anyone who forgets this rule – say running Balyoz inside multiple virtual machines as a way of cheating – will risk receiving a version of the full tool containing a backdoor that recruits the offending machines into a botnet.
It’s almost as if Surface Defence is trying to sift other Turkish criminals for those who can be trusted with its nationalist outlook and those who can’t.
Perhaps coincidentally (or perhaps not coincidentally), Forcepoint found evidence that the individual controlling all this seems to be familiar with the Blackbird mobile signals and intelligence system used by companies in the defence sector. Either this person has a respectable day job, or running schemes like this is their respectable day job.
As Forcepoint’s authors note: “It remains unknown whether the author of Sledgehammer and these various tools has a hidden agenda, or is simply experimenting with these concepts.”
Or perhaps the author is doing both. If Sledgehammer is playing games with the cybercriminals it attracts to its strange league, perhaps they are its real prize.