Gh0st RAT Scenario: Research University Surveillance

Pacific Institute of Technology: Research university, 15,000 students, $800M research budget, defense-funded labs
Academic Espionage • Gh0st RAT
STAKES
Research IP protection + Publication integrity + Grant continuity + Institutional trust
HOOK
Researchers report unauthorized cursor movement, confidential datasets opening without input, and off-hours access to restricted project folders. Lab teams also see unexplained remote commands appear on analysis workstations during private meetings.
PRESSURE
Research publication decision due by 5:00 PM - Potential confidentiality and compliance escalation under ITAR export controls on the defense-funded research and under FERPA where student records are involved
FRONT • 180 minutes • Expert
NPCs
  • Dr. James Holloway (Provost): Balancing publication urgency, grant exposure, and governance accountability
  • Susan Ramirez (IT Director): Coordinating endpoint isolation and secure research-collaboration fallbacks
  • Dr. Wei Zhang (Research Director): Assessing scientific impact across priority programs and publication tracks
  • Michael Torres (CISO): Directing forensic triage and evidence handling with FBI Counterintelligence and CISA
SECRETS
  • Faculty opened convincing academic-collaboration lures during active research cycles
  • Remote surveillance persisted for weeks across restricted project workspaces before detection
  • Adversaries selectively targeted unpublished findings and methods likely to shift competitive positioning

Pacific Institute of Technology is an American research university with 15,000 students, an $800M research budget, and defense-funded laboratories.

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Gh0st RAT Research University Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Gh0st RAT Research University Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “Research workstations show remote cursor movement during confidential project meetings.”
  • “Restricted datasets open automatically while teams are discussing methods and results.”
  • “Endpoint telemetry shows persistent screen-capture and keylogging behavior on lab systems.”
  • “Outbound encrypted traffic increases from hosts tied to high-value research directories.”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic reconstruction ties initial compromise to targeted collaboration-lure documents.
  • Host artifacts confirm operator-driven surveillance focused on confidential research repositories.
  • Cross-project timeline shows selective theft behavior rather than broad disruptive activity.

Protector System Analysis:

  • Compromised endpoints include principal-investigator and lab-coordinator systems.
  • Persistence survived standard reboot and profile-reset actions, indicating deliberate long-term access.
  • Segmentation gaps between collaboration tools and restricted datasets increased exposure scope.

Tracker Network Investigation:

  • Command-and-control sessions are timed to blend into normal after-hours research workflows.
  • Exfiltration bursts align with manuscript and grant-deadline activity windows.
  • Lateral movement patterns prioritize project systems with commercialization potential.
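The Tracker leads above depend on recognizing Gh0st RAT command-and-control sessions in captured traffic. What follows is an added example for IMs and players, not part of the scenario materials and not code from any Gh0st RAT sample: a small Python parser for the framing classic Gh0st RAT builds use on the wire (a 5-byte tag, by default "Gh0st", then a little-endian total frame length, a little-endian decompressed length, and a zlib-compressed body). The sample frames are constructed inline; the variant tag "XYZ12", the host name and the body strings are invented for the demonstration, and the heuristic that accepts an unknown printable tag when the lengths and the zlib body check out is this example's assumption about how rebranded variants can be caught, not a documented rule.

```python
import struct
import zlib

HEADER_LEN = 13          # 5-byte tag + 4-byte total length + 4-byte plain length
DEFAULT_TAG = b"Gh0st"   # tag used by classic builds; rebuilt variants change it


def build_frame(body: bytes, tag: bytes = DEFAULT_TAG) -> bytes:
    """Build one Gh0st-style frame. Used here only to construct sample traffic."""
    if len(tag) != 5:
        raise ValueError("tag must be exactly 5 bytes")
    comp = zlib.compress(body)
    return tag + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


def parse_frame(data: bytes):
    """Try to read one frame from the start of `data`.

    Returns (frame_dict, consumed_bytes) on success, or (None, 0) when the
    bytes do not fit the framing (bad tag, inconsistent lengths, not zlib).
    """
    if len(data) < HEADER_LEN:
        return None, 0
    tag = data[:5]
    total_len, plain_len = struct.unpack("<II", data[5:13])
    # Assumption: every variant keeps a short printable ASCII tag. The two
    # length fields must agree with what is actually on the wire.
    if not all(33 <= b < 127 for b in tag):
        return None, 0
    if total_len < HEADER_LEN or total_len > len(data):
        return None, 0
    try:
        body = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None, 0
    if len(body) != plain_len:
        return None, 0
    return {"tag": tag, "known_tag": tag == DEFAULT_TAG, "body": body}, total_len


def scan_stream(data: bytes):
    """Walk a reassembled TCP payload and return every frame found, in order.

    Stops at the first offset that does not parse; a production decoder would
    try to resynchronise instead.
    """
    frames = []
    offset = 0
    while offset < len(data):
        frame, used = parse_frame(data[offset:])
        if frame is None:
            break
        frames.append(frame)
        offset += used
    return frames


def classify(data: bytes) -> str:
    """Label a payload for triage: default tag, rebranded tag, or no match."""
    frames = scan_stream(data)
    if not frames:
        return "no-gh0st-framing"
    if all(f["known_tag"] for f in frames):
        return "gh0st-default-tag"
    return "gh0st-like-rebranded-tag"


# Constructed sample traffic (invented for this example, not real captures).
SAMPLE_DEFAULT = (build_frame(b"LAB-WS-07|constructed login body")
                  + build_frame(b"constructed heartbeat"))
SAMPLE_VARIANT = build_frame(b"constructed login body", tag=b"XYZ12")
SAMPLE_TLS = b"\x16\x03\x03" + struct.pack(">H", 40) + bytes(40)  # TLS-like, not Gh0st
SAMPLE_TRUNCATED = SAMPLE_DEFAULT[:20]  # header present, compressed body cut off

if __name__ == "__main__":
    for name, payload in [("default", SAMPLE_DEFAULT), ("variant", SAMPLE_VARIANT),
                          ("tls", SAMPLE_TLS), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:10s} -> {classify(payload)}")
        for frame in scan_stream(payload):
            print("   tag", frame["tag"], "body", frame["body"][:32])
```

Feed `classify` the reassembled payload of a suspect after-hours session. A signature that matches only the literal "Gh0st" tag (the approach many IDS rules take) misses rebranded builds; the structural check on the two length fields and the zlib body is what catches those, and it is also what lets the team confirm the content of a decoded frame rather than argue from traffic volume alone.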

Communicator Stakeholder Interviews:

  • Research teams report concern that unpublished methods may already be circulating externally.
  • Grants and commercialization staff request a defensible impact statement for active funding decisions.
  • Leadership asks for clear confidence ranges before publication and disclosure choices are finalized.

Mid-Scenario Pressure Points:

  • Hour 1: A funding sponsor asks whether active milestones are still trustworthy.
  • Hour 2: Legal counsel asks whether publication should pause pending impact validation.
  • Hour 3: Lab leads request a go/no-go decision for continued restricted-data workflows.
  • Hour 4: External investigators request immediate evidence-preservation confirmation.

Evolution Triggers:

  • If containment is delayed, adversaries can continue monitoring priority research tracks.
  • If legal-hold rigor is inconsistent, evidence quality degrades during regulatory scrutiny.
  • If communications are unclear, sponsor and partner confidence can deteriorate before recovery stabilizes.

Resolution Pathways:

Technical Success Indicators:

  • Active surveillance channels are eliminated from compromised research systems.
  • Monitoring confirms no unauthorized persistence in restricted project environments.
  • Secure fallback collaboration and data-handling workflows are validated for ongoing research operations.

Business Success Indicators:

  • Publication and grant governance decisions are made with defensible evidence confidence.
  • Sponsor relationships are stabilized through transparent impact communication and remediation milestones.
  • Institutional risk posture improves without avoidable disruption to core research objectives.

Learning Success Indicators:

  • Team distinguishes targeted espionage behavior from opportunistic disruptive malware.
  • Participants align incident sequencing with scientific governance and compliance duties.
  • Group demonstrates integrated legal, security, and research decision-making under deadline pressure.

Common IM Facilitation Challenges:

If Surveillance Scope Is Underestimated:

“Containment actions started, but principal investigators are still using affected collaboration channels. What evidence threshold proves surveillance is actually inactive?”

If Compliance Escalation Is Deferred:

If Decision Ownership Is Unclear:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Rapid recognition of research-surveillance indicators and publication-risk framing
Key Actions: Isolate compromised systems, preserve evidence, assign publication-governance decision ownership

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Confidentiality impact analysis plus sponsor/regulator-ready communications
Key Actions: Reconstruct surveillance timeline, classify affected projects, align response with legal and sponsor obligations

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end research-security incident management under active publication pressure
Key Actions: Coordinate research, legal, and security teams; preserve forensic quality; execute phased control recovery

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Focus: Ambiguous evidence, multi-project exposure, and high-pressure governance tradeoffs
Key Actions: Defend confidence levels under uncertainty, resolve disclosure conflicts, protect long-term institutional trust

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

Option A: Immediate Research Isolation and Evidence Lockdown

  • Action: Isolate compromised research endpoints, activate secure collaboration fallbacks, and preserve chain-of-custody artifacts.
  • Pros: Rapid reduction of active surveillance risk and stronger legal defensibility.
  • Cons: Temporary disruption to manuscript and grant-delivery timelines.
  • Type Effectiveness: Super effective against APT-style surveillance campaigns.

Option B: Targeted Remediation with Continuity Priority

  • Action: Maintain critical publication workflows while remediating confirmed compromised systems first.
  • Pros: Preserves short-term research throughput under deadline pressure.
  • Cons: Residual-risk window remains if additional footholds are missed.
  • Type Effectiveness: Moderately effective against APT surveillance with elevated residual risk.

Option C: Continuity-First with Deferred Deep Forensics

  • Action: Prioritize deadline delivery and postpone broad forensic expansion until immediate milestones pass.
  • Pros: Minimizes near-term operational interruption.
  • Cons: Extends potential dwell time and may widen confidentiality exposure.
  • Type Effectiveness: Partially effective; operationally useful but weak on full eradication.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Surveillance Discovery and Publication Triage (30-35 min)

Investigation Clues:

Round 2: External Scrutiny and Sponsor Confidence (30-35 min)

Investigation Clues:

Round Transition Narrative

Debrief Focus:
Balancing research continuity with confidentiality duties; preserving forensic quality under time pressure; communicating uncertainty without eroding sponsor trust.

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game adds open investigation, creative response design, and a third round focused on strategic research-governance recovery.

Round 1: Active Research Surveillance and Immediate Control (35-40 min)

If team stalls:
“Research operations asks whether confidential meetings should pause immediately or continue on restricted fallback channels. What is your decision and why?”

Facilitation questions:

  • “What minimum evidence proves active surveillance is contained enough for confidential work to resume?”
  • “How do you protect high-value research while preserving critical publication timelines?”
  • “Who owns the final go/no-go decision when technical confidence and scientific urgency diverge?”

Round 1→2 Transition

Initial choices determine whether Round 2 begins with lower exposure and slower output, or higher throughput and higher uncertainty. Leadership must justify the selected tradeoff externally.

Round 2: Regulatory and Sponsor Scrutiny (35-40 min)

If team stalls:
“External reviewers ask what was accessed, what remains uncertain, and why your disclosure scope is proportionate. Who presents that position?”

Facilitation questions:

  • “How do you communicate research-confidence risk without overstating forensic certainty?”
  • “What evidence package satisfies both compliance review and criminal investigation needs?”
  • “Which decisions are irreversible now versus deferrable until confidence improves?”

Round 2→3 Transition

The incident transitions from acute containment to institutional trust recovery. Technical progress is visible, but sponsor confidence and governance credibility remain fragile.

Round 3: Strategic Recovery and Governance Reform (40-45 min)

Pressure events:

Facilitation questions:

  • “What governance changes best reduce recurrence risk without undermining research collaboration?”
  • “How do you show accountability while limiting unnecessary legal exposure?”
  • “Which long-term controls most directly improve trust among sponsors, faculty, and partners?”

Debrief Focus

  • How targeted academic surveillance differs from broad disruptive incidents.
  • Why research incidents demand tightly coupled legal, security, and governance responses.
  • How evidence confidence drives publication, disclosure, and sponsor decisions.
  • What institutional changes make research confidentiality protection sustainable.

Advanced Challenge Materials (150-170 min)

Red Herrings & Misdirection

  1. Legitimate after-hours data processing resembles adversary exfiltration windows.
  2. Scheduled systems maintenance overlaps with suspicious endpoint events.
  3. Collaborative access from partner institutions obscures unauthorized sessions.
  4. Bulk data sync operations create misleading network-noise patterns.

Removed Resources & Constraints

  • No external incident-response retainer support in the first 24 hours.
  • Limited forensic staffing across simultaneous high-priority labs.
  • Publication governance requests immediate decisions with incomplete evidence.
  • Secure fallback tools exist but most research teams have minimal operational familiarity.

Enhanced Pressure

  • Sponsor review deadlines arrive before full confidence is achieved on impact scope.
  • Governance committees demand same-day risk recommendations tied to publication milestones.
  • Partner institutions request individualized impact statements for shared project data.
  • External inquiries require detailed chain-of-custody and decision-log documentation.

Ethical Dilemmas

  1. Full transparency can reinforce trust but may amplify competitive exposure.
  2. Delayed disclosure can preserve short-term control but risks deeper sponsor distrust.
  3. Strict isolation protects confidentiality but can degrade urgent research output.
  4. Continuity-first decisions protect deadlines but may tolerate elevated residual risk.

Advanced Debrief Topics

  • Confidentiality as an operational requirement in modern research ecosystems.
  • Shared accountability between academic leadership and security leadership during espionage incidents.
  • Balancing defensible caution with publication and funding realities.
  • Converting incident lessons into durable governance and technical controls.