Anatomy of a retail ransomware attack: Tabletop simulates modern mayhem methods

Attacks on AI systems and disinformation starred as key elements of a ransomware tabletop exercise CSO participated in during this month’s Infosecurity Europe conference.

The “Enter the War Room” exercise — organised and run by cybersecurity vendor Semperis — featured a scenario focused on a cyberattack against a fictional supermarket chain, BlueCart.

CSO took part as one of eight members of a red team of supposed nation-state-linked attackers (APT 64, AKA Checkout Chaos) that was as much interested in thrashing the reputation of the supermarkets it targeted and causing disruption as in making money.

Last year we took part in a comparable exercise, also organised by Semperis, but on the opposite team as a media advisor to a blue team defending the systems of a fictional water utility from attack.

Rules of engagement

Ransomware tabletop exercises place participants in a realistic but fictional cyberattack scenario where each team takes 10-minute turns to devise their attack and defence plans before reporting their findings to the other side.

Each turn involves an attack-response cycle with Semperis acting as game master. The whole exercise lasted around two hours.

Like many tabletop exercises, this particular simulation was designed to get participants to think outside the box, improve cross-team communications, and develop improved incident response capabilities by exposing blind spots.

Each team was made up of seven participants from public and private sector organisations, including former hackers, security consultants, and incident response execs. Unlike the 2025 edition of the event, the names and identities of those who participated were kept confidential this year.

Data leak on aisle two

As the target of this year’s “Enter the War Room” exercise, grocery retailer BlueCart has an AI-enhanced supply chain command centre, designed to provide visibility across inventory, logistics, and fulfilment. The system has a key role in keeping shelves stocked and deliveries moving.

Logistics, scheduling, warehouse operations, and store fulfilment have been centralised in a new technology and operations centre.

The red team began with reconnaissance to find a supplier or logistics partner that already had trusted connectivity into the AI command centre, then used that foothold to reach shared portals, APIs, or remote-access tooling.

A combination of stolen developer credentials, weak MFA enforcement, and over-privileged service accounts (three of several access vectors commonly used today) was used to break into planning and inventory systems and steal loyalty card data. The attackers also attempted to break into BlueCart's Active Directory environment using a combination of phishing and credential theft.

The attackers also sought to exploit the retailer’s poorly segmented building-management network to disrupt heating, cooling, and ventilation operations.

The blue team of defenders decided to rebuff the ransom demands, and the attackers responded by leaking loyalty scheme data to cause reputational damage to BlueCart.

False alerts and misinformation

The attackers generated thousands of false alerts to confuse the work of security operations analysts and hinder response. To counteract this, the defenders established out-of-band communications channels.
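An alert flood like the one the red team used only works if the SOC treats every alert as equal. As an added example (not code from the exercise, Semperis, or CSO), the script below collapses bursts of near-identical alerts into a single flood summary so the few genuine alerts buried in the noise stay visible for review. The alert stream, host names, rule names, window size and threshold are all constructed assumptions for illustration.

```python
"""Collapse a deliberate alert flood so the handful of real alerts stay visible.

Added example: the sample alerts are constructed inline and are not data from
the tabletop exercise. Rule names, hosts, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # bucket size for rate counting (assumed)
FLOOD_THRESHOLD = 50             # alerts per (host, rule) per window treated as a flood (assumed)


def build_sample_alerts():
    """Constructed SIEM export: 200 decoy alerts from one host drown three real ones."""
    t0 = datetime(2025, 6, 3, 10, 0, 0, tzinfo=timezone.utc)
    alerts = []
    # decoy flood: same host, same rule, fired every 200 ms for 40 seconds
    for i in range(200):
        alerts.append({"ts": t0 + timedelta(milliseconds=200 * i),
                       "host": "store-pos-17", "rule": "EDR-TestSignature", "sev": "high"})
    # three genuine alerts interleaved with the flood (hypothetical rule names)
    alerts.append({"ts": t0 + timedelta(seconds=5), "host": "dc01",
                   "rule": "Kerberos-TGT-Anomaly", "sev": "high"})
    alerts.append({"ts": t0 + timedelta(seconds=18), "host": "dc01",
                   "rule": "New-SPN-On-Service-Account", "sev": "medium"})
    alerts.append({"ts": t0 + timedelta(seconds=31), "host": "db-loyalty-02",
                   "rule": "Bulk-Export-Loyalty-Table", "sev": "critical"})
    alerts.sort(key=lambda a: a["ts"])
    return alerts


def window_key(alert, window=WINDOW):
    """Floor the timestamp to its window so counts are per fixed (host, rule, window) bucket."""
    epoch = int(alert["ts"].timestamp())
    start = epoch - (epoch % int(window.total_seconds()))
    return (alert["host"], alert["rule"], start)


def triage(alerts, window=WINDOW, threshold=FLOOD_THRESHOLD):
    """Return (floods, residual).

    floods:   one summary per (host, rule, window) bucket at or above threshold
    residual: every alert not belonging to a flood bucket, in time order
    """
    buckets = defaultdict(list)
    for a in alerts:
        buckets[window_key(a, window)].append(a)
    floods, residual = [], []
    for (host, rule, start), group in buckets.items():
        if len(group) >= threshold:
            floods.append({"host": host, "rule": rule,
                           "window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                           "count": len(group),
                           "severities": sorted({g["sev"] for g in group})})
        else:
            residual.extend(group)
    residual.sort(key=lambda a: a["ts"])
    floods.sort(key=lambda f: (f["window_start"], f["host"], f["rule"]))
    return floods, residual


if __name__ == "__main__":
    floods, residual = triage(build_sample_alerts())
    for f in floods:
        print(f"FLOOD  {f['host']:14} {f['rule']:28} {f['count']:4d} alerts from "
              f"{f['window_start']:%H:%M:%S} -> one ticket, check the alert source")
    for a in residual:
        print(f"REVIEW {a['host']:14} {a['rule']:28} {a['sev']:8} {a['ts']:%H:%M:%S}")
```

The bucket key deliberately includes the host, so a flood from one compromised endpoint never suppresses the same rule firing elsewhere. A more capable attacker would spread decoys across many hosts and rules; keying on a hash of the alert payload, or on rule alone, is the obvious extension, and the flood summary itself should be treated as an incident indicator rather than noise, since someone had to generate it.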

Continuing their attempts to disrupt BlueCart's operations, the attackers disrupted payroll. Citing job losses from BlueCart's move to AI-powered operations, the attackers took to social media sites such as Reddit and 4chan in attempts to rage-bait hacktivists into joining attacks on BlueCart.

The attackers also created a deepfake of BlueCart's CEO, made to look as if filmed on his private yacht, saying the job cuts would allow BlueCart to increase profits and expand its operations.

The attackers also generated fake delivery orders for inappropriate goods, such as sex toys, and for perishable items such as ice cream.

The blue team said it had established a honeypot so the attackers were only ever in that environment and never had access to its real environment nor customer data.

Testing the relative merits of these claims and counterclaims, which at times felt more like a rap battle than a game with structured rules such as chess, was beyond the scope of the exercise.

The tabletop exercise offered an immersive experience without featuring any analysis of technical data, such as exercise-specific log files.

Post-mortem

Speaking after the exercise, Guido Grillenmeier, principal technologist at Semperis, explained that Enter the War Room was not a technical tabletop exercise but a way for participants to “broaden their minds and have fun.”

The scenario was designed to hone cyber incident preparedness in a similar way to how war games are used to train military forces during peacetime.

Simon Hodgkinson, strategic advisor at Semperis, said the exercise illustrated how real preparedness and resilience depends more on people and process than on tools.

“The blue team were well structured, thinking about how to minimise the financial and reputational impact on the business and recognising that, should the red team detonate destructive capability, they would need to prioritise and stand up a minimal viable business,” Hodgkinson said.

“The red team were innovative, using techniques like deception to distract the blue team so they could achieve their objective,” Hodgkinson added. “Despite the motivation not being financial they did take the opportunity to make money through media manipulation and shorting stock.”
