Ghost Rat Scenario: Meridian Capital Management Espionage

Meridian Capital Management: Investment firm managing $8 billion in assets, 250 employees
APT • GhostRAT
STAKES
Client investment data + Trading algorithms + Competitive intelligence + Regulatory compliance
HOOK
Meridian Capital is preparing for a major acquisition announcement when executives notice their computers occasionally behaving strangely - mouse cursors moving on their own, documents opening unexpectedly, and sensitive merger documents being accessed during off-hours. Unknown to them, sophisticated remote access tools have been providing attackers complete control over executive workstations for weeks.
PRESSURE
Merger announcement Monday - any data leak could affect $2 billion transaction and violate SEC regulations
FRONT • 150 minutes • Expert
NPCs
  • Charles Morrison (Managing Partner): Leading $2 billion merger negotiations, unaware that attackers have been monitoring confidential client meetings and transaction strategies through compromised executive systems
  • Dr. Elena Rodriguez (Chief Investment Officer): Discovering that proprietary trading algorithms and client portfolio data may have been accessed through sophisticated remote control malware
  • Marcus Thompson (Compliance Director): Investigating potential regulatory violations as confidential merger documents and client information appear to have been exfiltrated
  • Agent Sarah Kim (SEC Financial Crimes): Coordinating investigation of potential insider trading and market manipulation using stolen merger intelligence
SECRETS
  • Investment firm executives clicked on sophisticated spear-phishing emails containing merger-related documents during deal preparation
  • Attackers have had complete remote control over executive workstations for weeks, monitoring confidential meetings and accessing sensitive financial data
  • Stolen merger intelligence and trading strategies may have been used for illegal market manipulation and insider trading

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Meridian Capital Management, and the firm is 72 hours from announcing a $2 billion merger that will reshape the financial services industry. But during final preparation meetings, executives notice disturbing signs: mouse cursors moving on their own during confidential discussions, documents opening unexpectedly, and computer screens occasionally flickering. The IT team discovers evidence of sophisticated remote access tools that have been providing attackers complete control over executive workstations for weeks.”

Initial Symptoms to Present:

  • “Executive computers showing signs of remote control - mouse cursors moving independently”
  • “Confidential merger documents being accessed during off-hours when offices are empty”
  • “Screen capture activity detected on workstations containing sensitive trading algorithms”
  • “Network traffic indicating data exfiltration from executive systems containing client portfolio information”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal a sophisticated remote access trojan with complete system control capabilities
  • Email analysis shows a targeted spear-phishing campaign using convincing merger-related documents
  • Timeline analysis indicates weeks of undetected access to confidential financial data and trading strategies

Protector System Analysis:

  • Executive workstation monitoring reveals real-time screen capture and keystroke logging activity
  • Financial data system assessment shows unauthorized access to client portfolios and proprietary trading algorithms
  • Network security analysis indicates coordinated multi-target campaign affecting other financial institutions

Tracker Network Investigation:

  • Command and control traffic analysis reveals sophisticated APT infrastructure with centralized management capabilities
  • Financial intelligence coordination patterns suggest nation-state or organized criminal targeting of merger intelligence
  • Market activity analysis indicates potential use of stolen information for illegal trading and market manipulation

Communicator Stakeholder Interviews:

  • Executive interviews reveal suspicious computer behavior during confidential merger negotiations
  • Client communication assessment regarding potential exposure of investment data and trading strategies
  • Regulatory coordination with SEC regarding potential insider trading and market manipulation using stolen intelligence

Mid-Scenario Pressure Points:

  • Hour 1: Merger partner discovers potential data breach threatening $2 billion transaction completion
  • Hour 2: SEC investigators arrive to assess potential insider trading using stolen merger intelligence
  • Hour 3: Proprietary trading algorithms found on underground markets affecting competitive advantage
  • Hour 4: Client portfolio data exposure threatens regulatory compliance and customer trust

Evolution Triggers:

  • If investigation reveals market manipulation, SEC enforcement action affects merger completion
  • If remote access continues, attackers maintain persistent control for long-term financial espionage
  • If client data exposure is confirmed, regulatory penalties threaten firm survival and industry reputation

Resolution Pathways:

Technical Success Indicators:

  • Complete remote access trojan removal from executive systems with forensic preservation of evidence
  • Trading algorithm and client data security verified, preventing further unauthorized access
  • APT infrastructure analysis provides intelligence on coordinated financial services targeting

Business Success Indicators:

  • Merger completion protected through secure evidence handling and regulatory coordination
  • Client relationships maintained through transparent communication and data protection verification
  • Regulatory compliance demonstrated, preventing SEC enforcement action and industry penalties

Learning Success Indicators:

  • Team understands sophisticated APT capabilities and long-term corporate espionage operations
  • Participants recognize financial services targeting and regulatory implications of data theft
  • Group demonstrates coordination between cybersecurity response and financial regulatory compliance

Common IM Facilitation Challenges:

If Remote Control Sophistication Is Underestimated:

“Your malware analysis is good, but Dr. Rodriguez just discovered that attackers have been watching executive screens in real-time during confidential merger meetings. How does complete remote control change your investigation approach?”

If Regulatory Implications Are Ignored:

“While you’re removing the malware, Agent Kim needs to know: has stolen merger intelligence been used for illegal trading? How do you coordinate cybersecurity response with SEC investigation requirements?”

If Market Impact Is Overlooked:

“Charles just learned that trading strategies may have appeared on underground markets. How do you assess whether stolen financial intelligence has been used for market manipulation?”

Success Metrics for Session: