Ghost Rat Scenario: Titan Defense Systems Surveillance

Titan Defense Systems: Military contractor developing classified weapons systems, 1,200 employees
APT • GhostRAT
STAKES
National security + Classified weapon designs + Defense contract integrity + Military operational security
HOOK
Titan Defense Systems is finalizing classified designs for next-generation military equipment when engineers notice their CAD workstations occasionally responding to commands they didn't issue: files opening automatically, designs being modified mysteriously, and classified documents being accessed during secure meetings. Sophisticated remote access tools have been giving foreign adversaries complete control over defense contractor systems.
PRESSURE
The classified weapons delivery deadline is Thursday; any design theft compromises national security and threatens military operational advantage.
FRONT • 150 minutes • Expert
NPCs
  • General Patricia Wells (Program Director): Overseeing classified weapons development, unaware that foreign adversaries have been monitoring confidential defense meetings and stealing classified designs through compromised engineering workstations
  • Dr. Michael Chang (Lead Systems Engineer): Discovering that classified weapon designs and military specifications may have been accessed through sophisticated remote surveillance malware
  • Colonel Sandra Martinez (Defense Security Service): Coordinating counterintelligence investigation of potential foreign espionage targeting classified military technology development
  • Agent Robert Kim (FBI Counterintelligence): Leading investigation of suspected nation-state targeting of defense industrial base and classified weapons technology
SECRETS
  • Defense engineers clicked on sophisticated spear-phishing emails containing convincing military technical documents during classified project development
  • Foreign adversaries have had complete remote control over engineering workstations for months, monitoring classified meetings and stealing weapons designs
  • Stolen military technology and defense specifications may have been transferred to foreign military development programs

Scenario Details for IMs

Opening Presentation

“It’s Monday morning at Titan Defense Systems, and the company is completing final classified designs for next-generation military equipment that will be delivered to the Pentagon on Thursday. But during secure engineering meetings, staff notice disturbing anomalies: CAD workstations performing actions without user input, classified design files opening automatically, and computer screens flickering during confidential discussions. Security investigation reveals sophisticated remote access tools providing foreign adversaries complete surveillance capabilities over classified defense development.”

Initial Symptoms to Present:

  • “Engineering workstations showing signs of remote control during classified design work”
  • “Classified weapon designs being accessed automatically during secure engineering meetings”
  • “Screen capture and keystroke logging detected on systems containing military specifications”
  • “Network traffic indicating exfiltration of classified defense technology to foreign command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state remote access trojan with comprehensive surveillance capabilities
  • Classified network analysis shows targeted spear-phishing campaign using convincing military technical documents
  • Counterintelligence timeline indicates months of undetected foreign surveillance of classified weapons development

Protector System Analysis:

  • Engineering workstation monitoring reveals real-time screen surveillance and data theft of classified designs
  • Defense security assessment shows unauthorized foreign access to classified weapons specifications and military technology
  • Classified network security analysis indicates coordinated multi-target campaign affecting other defense contractors

Tracker Network Investigation:

  • Command and control traffic analysis reveals sophisticated foreign intelligence infrastructure targeting defense industrial base
  • Military technology intelligence patterns suggest nation-state coordination of classified weapons technology theft
  • Defense contractor communication analysis indicates systematic foreign targeting of classified military development programs

Communicator Stakeholder Interviews:

  • Defense engineer interviews reveal suspicious computer behavior during classified weapons development meetings
  • Military program coordination regarding potential compromise of classified weapons technology and operational security
  • Counterintelligence coordination with FBI and Defense Security Service regarding foreign espionage investigation

Mid-Scenario Pressure Points:

  • Hour 1: Pentagon security officials discover potential compromise of classified weapons delivery affecting national defense readiness
  • Hour 2: FBI counterintelligence investigation reveals evidence of foreign military intelligence targeting
  • Hour 3: Classified weapons designs found on foreign intelligence networks affecting military operational advantage
  • Hour 4: Defense Security Service assessment indicates potential compromise of multiple classified military programs

Evolution Triggers:

  • If investigation reveals foreign technology transfer, national security enforcement action affects defense industry
  • If remote surveillance continues, adversaries maintain persistent access for long-term classified intelligence collection
  • If classified design theft is confirmed, military operational security and national defense capabilities are compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete foreign surveillance removal from classified engineering systems with preservation of counterintelligence evidence
  • Classified weapons technology security verified preventing further unauthorized foreign access
  • Nation-state infrastructure analysis provides intelligence on coordinated defense industrial targeting

Business Success Indicators:

  • Classified weapons delivery protected through secure forensic handling and counterintelligence coordination
  • Defense contract relationships maintained through professional incident response and security demonstration
  • National security compliance demonstrated preventing defense security penalties and clearance revocation

Learning Success Indicators:

  • Team understands sophisticated foreign intelligence capabilities and long-term defense industrial espionage
  • Participants recognize defense contractor targeting and national security implications of classified technology theft
  • Group demonstrates coordination between cybersecurity response and counterintelligence investigation requirements

Common IM Facilitation Challenges:

If Foreign Surveillance Sophistication Is Underestimated:

“Your malware removal is progressing, but Dr. Chang discovered that foreign adversaries have been watching classified engineering meetings in real-time for months. How does comprehensive foreign surveillance change your counterintelligence approach?”

If National Security Implications Are Ignored:

“While you’re cleaning infected systems, Agent Kim needs to know: have classified weapons designs been transferred to foreign military programs? How do you coordinate cybersecurity response with counterintelligence investigation?”

If Classified Information Impact Is Overlooked:

“General Wells just learned that next-generation weapons technology may be in foreign hands. How do you assess the national security impact of stolen classified military technology?”

Success Metrics for Session: