Litter Drifter Scenario: Ministry of Digital Infrastructure

Ministry of Digital Infrastructure: Government agency, 180 employees, managing national cybersecurity policy
APT • LitterDrifter
STAKES
National security + Critical infrastructure + Government communications + International relations
HOOK
The Ministry is coordinating cybersecurity policy during regional tensions when IT staff notice USB-based malware specifically targeting Ukrainian-language systems and government networks. An advanced nation-state worm is propagating through removable media, collecting intelligence on government operations and strategic planning during active geopolitical conflict.
PRESSURE
NATO summit begins Friday - intelligence collection threatens national security and diplomatic operations
FRONT • 150 minutes • Expert
NPCs
  • Minister Dr. Olena Petrov: Leading national cybersecurity policy with targeted nation-state espionage affecting government operations
  • Cybersecurity Director Major Alexei Kozlov: Investigating geopolitical malware targeting Ukrainian government systems
  • Senior Policy Analyst Maria Doroshenko: Reporting intelligence collection affecting diplomatic and strategic planning
  • Intelligence Liaison Colonel Viktor Shevchenko: Coordinating counterintelligence response and international cooperation
SECRETS
  • Government staff received USB devices containing a sophisticated nation-state worm targeting Ukrainian organizations
  • Foreign adversaries are conducting geopolitical intelligence collection targeting government operations and diplomatic planning
  • Strategic communications and policy documents have been systematically collected through targeted espionage malware

Planning Resources

Tip 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter Government Ministry Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter Government Ministry Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Opening Presentation

“It’s Monday morning at the Ministry of Digital Infrastructure, and the government agency is coordinating national cybersecurity policy as regional tensions escalate toward a critical NATO summit on Friday. But IT staff have discovered something alarming: USB-based malware specifically targeting Ukrainian-language systems and government networks. This isn’t random malware - it’s an advanced nation-state worm propagating through removable media, systematically collecting intelligence on government operations and strategic planning during active geopolitical conflict.”

Initial Symptoms to Present:

Warning 🚨 Initial User Reports
  • “USB devices automatically spreading malware targeting Ukrainian-language government systems”
  • “Strategic policy documents being accessed through nation-state espionage malware”
  • “Diplomatic communications showing signs of unauthorized foreign intelligence collection”
  • “Network traffic indicating systematic exfiltration of government operations to nation-state command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state USB-propagating worm targeting Ukrainian government operations
  • Government network analysis shows geopolitical targeting of diplomatic planning and strategic communications
  • Counterintelligence timeline indicates months of undetected foreign intelligence collection on government policy

Protector System Analysis:

  • Government workstation monitoring reveals systematic intelligence theft through USB propagation targeting Ukrainian language systems
  • Strategic system assessment shows unauthorized nation-state access to diplomatic communications and policy documents
  • Government network security analysis indicates coordinated campaign targeting multiple Ukrainian organizations during conflict

Tracker Network Investigation:

  • Command and control traffic analysis reveals nation-state espionage infrastructure targeting government operations
  • Geopolitical intelligence patterns suggest strategic coordination of diplomatic information theft supporting foreign conflict objectives
  • Government communication analysis indicates systematic nation-state targeting of Ukrainian operations and NATO coordination

Communicator Stakeholder Interviews:

  • Government staff interviews reveal suspicious USB behavior during strategic policy development and diplomatic coordination
  • International relations coordination regarding potential compromise of NATO summit planning and diplomatic communications
  • Counterintelligence coordination with allied intelligence agencies regarding nation-state espionage investigation during conflict

Mid-Scenario Pressure Points:

  • Hour 1: NATO allies discover potential compromise of summit coordination affecting international security cooperation
  • Hour 2: Counterintelligence investigation reveals evidence of nation-state targeting of Ukrainian government operations during conflict
  • Hour 3: Strategic policy documents found on nation-state intelligence networks affecting diplomatic operations and national security
  • Hour 4: Intelligence assessment indicates potential compromise of multiple Ukrainian government ministries and international coordination

Evolution Triggers:

  • If investigation reveals diplomatic intelligence transfer, international security coordination and NATO relationships are compromised
  • If nation-state surveillance continues, adversaries maintain persistent access for long-term government intelligence collection during conflict
  • If strategic policy theft is confirmed, national security and diplomatic operations are severely compromised affecting geopolitical position

Resolution Pathways:

Technical Success Indicators:

  • Complete nation-state worm removal from government systems with preservation of counterintelligence evidence
  • Strategic communications security verified preventing further unauthorized nation-state access during conflict
  • Foreign espionage infrastructure analysis provides intelligence on coordinated government targeting and geopolitical objectives

Business Success Indicators:

  • NATO summit coordination protected through secure forensic handling and international intelligence cooperation
  • Government operations maintained through professional incident response and security demonstration to allies
  • National security compliance demonstrated preventing diplomatic embarrassment and international relationship damage

Learning Success Indicators:

  • Team understands sophisticated nation-state espionage capabilities and long-term government targeting through USB propagation during conflict
  • Participants recognize geopolitical targeting and national security implications of strategic policy theft
  • Group demonstrates coordination between cybersecurity response and counterintelligence investigation requirements for government operations

Common IM Facilitation Challenges:

If Nation-State Sophistication Is Underestimated:

“Your USB malware removal is progressing, but Colonel Shevchenko discovered that nation-state adversaries have been systematically collecting government intelligence for months through geopolitical targeting. How does sophisticated foreign espionage change your counterintelligence approach during active conflict?”

If Diplomatic Implications Are Ignored:

“While you’re cleaning infected systems, Minister Petrov needs to know: have strategic policy documents been transferred to nation-state adversaries targeting NATO summit coordination? How do you coordinate cybersecurity response with international counterintelligence investigation?”

If Strategic Impact Is Overlooked:

“Maria just learned that diplomatic communications may be in nation-state hands affecting international cooperation. How do you assess the national security impact of stolen strategic government intelligence during geopolitical conflict?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish the nation-state government espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. The quick debrief should focus on recognizing geopolitical targeting and the strategic communications security implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of geopolitical government espionage challenges. Use the full set of NPCs to create realistic NATO summit and counterintelligence pressures. The two rounds allow discovery of diplomatic communications theft and international coordination targeting, raising stakes. Debrief can explore balance between cybersecurity response and national security coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing NATO summit coordination, strategic policy protection, counterintelligence cooperation, and national security obligations. The three rounds allow for full narrative arc including nation-state discovery, diplomatic impact assessment, and international intelligence coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate government communications causing false positives). Make containment ambiguous, requiring players to justify counterintelligence decisions with incomplete strategic information about geopolitical targeting during active conflict. Remove access to reference materials to test knowledge recall of nation-state behavior and government security principles. Include deep coordination with NATO allies and Ukrainian conflict implications.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal sophisticated nation-state USB-propagating worm (Litter Drifter) targeting Ministry of Digital Infrastructure government workstations with Ukrainian-language system detection. Security analysis shows foreign intelligence systematically collecting strategic policy documents through USB devices affecting government operations during active geopolitical conflict. Government staff report USB malware spreading automatically during NATO summit coordination affecting national security and diplomatic planning.”

Clue 2 (Minute 10): “Counterintelligence timeline indicates nation-state surveillance maintained for months through targeted USB devices distributed to Ukrainian government organizations. Command and control traffic analysis reveals geopolitical espionage infrastructure coordinating multi-target government intelligence collection supporting foreign conflict objectives. Strategic system assessment shows unauthorized access to diplomatic communications and policy documents affecting NATO cooperation and international relations during regional tensions.”

Clue 3 (Minute 15): “Allied counterintelligence investigation discovers strategic policy documents on nation-state intelligence networks confirming diplomatic information transfer affecting international security cooperation. NATO coordination reveals potential compromise of summit planning threatening alliance relationships and collective defense operations. Intelligence assessment indicates coordinated nation-state targeting of multiple Ukrainian government ministries requiring immediate counterintelligence response and international cooperation coordination.”


Pre-Defined Response Options

Option A: Emergency Government Isolation & International Coordination

  • Action: Immediately isolate compromised government systems from USB propagation, coordinate comprehensive counterintelligence investigation with allied intelligence agencies, conduct strategic damage assessment for diplomatic communications exposure, implement emergency security protocols for NATO summit protection and international notification.
  • Pros: Completely eliminates nation-state worm preventing further strategic intelligence theft through USB propagation; demonstrates responsible national security incident management; maintains international relationships through transparent counterintelligence coordination with allies.
  • Cons: Government system isolation disrupts NATO summit coordination affecting international security cooperation; counterintelligence investigation requires extensive allied intelligence coordination; damage assessment may reveal significant diplomatic communications compromise affecting geopolitical relationships.
  • Type Effectiveness: Super effective against APT malmon type; complete nation-state worm removal prevents continued strategic surveillance and diplomatic intelligence theft through USB propagation during conflict.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve counterintelligence evidence while remediating confirmed compromised systems, conduct targeted strategic damage assessment, coordinate selective allied notification with intelligence agencies, implement enhanced monitoring while maintaining government operations.
  • Pros: Balances NATO summit requirements with counterintelligence investigation; protects critical government operations; enables focused national security response and diplomatic coordination.
  • Cons: Risks continued nation-state surveillance in undetected USB propagation locations; selective remediation may miss coordinated targeting; forensic requirements may delay strategic communications protection and summit coordination.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate nation-state presence through USB propagation; delays complete government security restoration and international cooperation.

Option C: Diplomatic Continuity & Phased Security Response

  • Action: Implement emergency secure NATO summit coordination environment isolated from USB threats, phase nation-state worm removal by strategic priority, establish enhanced government monitoring, coordinate gradual counterintelligence notification while maintaining diplomatic operations.
  • Pros: Maintains critical NATO summit timeline protecting international security cooperation; enables continued government operations during conflict; supports controlled allied coordination and diplomatic notification.
  • Cons: Phased approach extends nation-state surveillance timeline through continued USB propagation; emergency operations may not prevent continued strategic intelligence theft; gradual notification delays may violate international security coordination requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes diplomatic operations over complete nation-state elimination through USB propagation; doesn’t guarantee strategic communications protection or national security.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Nation-State Discovery & Government Intelligence Assessment (35-40 min)

Investigation Clues (Time-Stamped)

Minute 0-5 (Opening):

  • Security alert: USB devices showing automated propagation behavior targeting Ukrainian-language government systems
  • Strategic policy documents accessed through unauthorized means during NATO summit coordination
  • Network traffic patterns indicating potential data exfiltration to foreign command infrastructure during regional conflict

Minute 10 (Detective Path):

  • Digital forensics identify sophisticated USB-propagating worm (Litter Drifter) with nation-state tradecraft targeting government operations
  • Malware designed specifically to target Ukrainian government networks with language detection capabilities
  • Timeline analysis reveals potential months of undetected presence during active geopolitical tensions

Minute 15 (Protector Path):

  • Government workstation monitoring reveals systematic file access patterns targeting diplomatic communications and policy documents
  • Strategic system logs show unauthorized data collection from government operations servers during conflict
  • USB propagation patterns indicate coordinated campaign affecting multiple Ukrainian government ministries

Minute 20 (Tracker Path):

  • Command and control infrastructure analysis reveals nation-state espionage network with geopolitical conflict objectives
  • Exfiltration patterns suggest intelligence collection focused on NATO summit coordination and Ukrainian strategic planning
  • Network traffic correlates with known foreign intelligence operations targeting government during regional tensions

Minute 25 (Communicator Path):

  • Policy Analyst Maria Doroshenko reports suspicious USB behavior during strategic planning over past 3 months
  • Cybersecurity Director Major Kozlov identifies potential foreign intelligence collection affecting diplomatic operations
  • Minister Petrov expresses urgent concern about NATO summit schedule and allied notification requirements

Response Options (With Detailed Trade-offs)

Option A: Emergency Government Isolation & Full International Coordination

  • Immediate Actions: Isolate all compromised government systems, initiate comprehensive counterintelligence investigation with allies, conduct strategic damage assessment
  • Timeline Impact: NATO summit coordination delayed 2-3 weeks for complete forensic analysis and security verification
  • Stakeholder Reactions:
    • Minister Petrov: Concerned about summit timeline but supports national security priority and allied transparency
    • Major Kozlov: Strongly supports comprehensive counterintelligence investigation and NATO coordination
    • Colonel Shevchenko: Emphasizes complete evidence preservation for foreign intelligence investigation and allied cooperation
  • Type Effectiveness: SUPER EFFECTIVE - Complete APT removal prevents continued nation-state surveillance and strategic intelligence theft

Option B: Forensic Preservation & Targeted Remediation

  • Immediate Actions: Preserve counterintelligence evidence, remediate confirmed compromised systems, conduct targeted strategic damage assessment
  • Timeline Impact: Partial summit delay (5-7 days) while maintaining critical diplomatic coordination operations
  • Stakeholder Reactions:
    • Minister Petrov: Appreciates balance between summit requirements and security response
    • Maria Doroshenko: Can continue critical policy work with enhanced monitoring
    • Colonel Shevchenko: Concerned about potential nation-state surveillance in undetected locations
  • Type Effectiveness: MODERATELY EFFECTIVE - Reduces nation-state presence but may not achieve complete elimination

Option C: Diplomatic Continuity & Phased Security Response

  • Immediate Actions: Implement emergency secure summit environment, phase worm removal by strategic priority, establish enhanced monitoring
  • Timeline Impact: Minimal summit delay (1-2 days) with ongoing security remediation during diplomatic operations
  • Stakeholder Reactions:
    • Minister Petrov: Strongly supports maintaining summit schedule and international cooperation timeline
    • Major Kozlov: Serious concerns about inadequate counterintelligence response and national security compliance
    • Colonel Shevchenko: Warns that phased approach may violate international intelligence coordination requirements
  • Type Effectiveness: PARTIALLY EFFECTIVE - Prioritizes diplomatic operations over complete nation-state elimination

Round 1 Pressure Events

Minute 15: NATO allies request status update on summit coordination security and government communications protection

Minute 25: Intelligence services initiate inquiry about potential strategic policy compromise affecting international security cooperation

Minute 30: Minister Petrov receives call from allied diplomats - summit has critical importance for collective defense and Ukrainian support

Round 1 Facilitation Questions

  • “How do you balance NATO summit urgency against comprehensive counterintelligence investigation requirements during conflict?”
  • “What strategic communications exposure assessment is needed before allied notification?”
  • “How does nation-state targeting of Ukrainian government operations affect your response strategy?”
  • “What international security coordination obligations apply to this foreign intelligence collection incident?”

Round 1 Transition to Round 2

Based on team’s chosen response path…

If Emergency Isolation Chosen: “Your emergency government isolation has halted nation-state surveillance, but forensic analysis is revealing the extent of strategic policy exposure. Allied counterintelligence investigation has discovered something alarming about the scope of diplomatic communications theft and geopolitical targeting…”

If Targeted Remediation Chosen: “Your forensic preservation is protecting critical evidence, but continued monitoring is detecting ongoing nation-state activity in unexpected government locations. Colonel Shevchenko has discovered intelligence indicating systematic targeting of multiple Ukrainian ministries during conflict…”

If Diplomatic Continuity Chosen: “Your secure summit environment is maintaining coordination schedule, but Major Kozlov has identified serious national security compliance concerns. Allied intelligence is revealing that strategic policy documents may already be in nation-state hands…”


Round 2: Diplomatic Impact & NATO Coordination (35-45 min)

Investigation Clues (Time-Stamped)

Minute 40 (Critical Discovery):

  • Counterintelligence investigation reveals strategic policy documents found on nation-state intelligence networks
  • Forensic timeline indicates systematic diplomatic communications theft over 6-month period through USB propagation during conflict
  • Intelligence assessment shows potential compromise of NATO summit planning affecting international security cooperation

Minute 50 (Escalation):

  • Allied intelligence confirms multiple Ukrainian government ministries experiencing similar nation-state targeting
  • Strategic damage assessment reveals diplomatic communications and policy specifications transferred to foreign intelligence
  • National security concerns arise from international coordination details being in adversary hands during geopolitical conflict

Minute 55 (Stakeholder Pressure):

  • Minister Petrov faces allied inquiry about summit timeline and strategic communications protection
  • Major Kozlov must coordinate international reporting under intelligence cooperation requirements
  • Maria Doroshenko reports government staff morale concerns and diplomatic credibility implications

Minute 65 (Final Pressure):

  • NATO coordination office considering whether summit can proceed given nation-state compromise
  • Intelligence services require comprehensive incident report and remediation verification
  • Allied agencies assess geopolitical implications of Ukrainian government targeting during conflict

Response Options for Final Resolution

Option A: Complete Nation-State Elimination & Allied Security Demonstration

  • Actions: Full government system rebuild with international intelligence verification, comprehensive strategic communications damage assessment, transparent NATO coordination
  • Business Impact: Significant summit delay (3-4 weeks) but maintains long-term allied relationships and national security credibility
  • National Security Impact: Demonstrates responsible government incident management and international security cooperation
  • Learning Focus: Understanding nation-state sophistication and government obligations to diplomatic operations and allied trust

Option B: Verified Remediation & Accelerated Summit Recovery

  • Actions: Complete confirmed worm removal with allied intelligence oversight, targeted strategic communications security verification, expedited NATO notification
  • Business Impact: Moderate summit delay (1-2 weeks) with intensive coordination to resume diplomatic operations
  • National Security Impact: Balances summit requirements with counterintelligence investigation needs
  • Learning Focus: Navigating international security compliance while maintaining strategic diplomatic capabilities

Option C: Risk Acceptance & Enhanced Monitoring Approach

  • Actions: Document residual nation-state risk, implement enhanced government monitoring, maintain summit schedule with security caveats
  • Business Impact: Minimal summit delay but potential long-term national security concerns and allied relationship risks
  • National Security Impact: May violate international intelligence coordination requirements and affect geopolitical partnerships during conflict
  • Learning Focus: Understanding consequences of inadequate response to nation-state targeting of government operations

Victory Conditions

Technical Victory:

  • Complete nation-state worm removal from government systems with preservation of counterintelligence evidence
  • Strategic communications security verified preventing further unauthorized nation-state access during conflict
  • Foreign espionage infrastructure analyzed providing intelligence on government targeting and allied cooperation

Business Victory:

  • NATO summit coordination protected through secure forensic handling and international intelligence cooperation
  • Government operations maintained through professional incident response and allied trust demonstration
  • National security compliance demonstrated preventing diplomatic embarrassment and relationship damage

Learning Victory:

  • Team understands sophisticated nation-state espionage capabilities and long-term government targeting during conflict
  • Participants recognize geopolitical implications of strategic policy theft and diplomatic compromise
  • Group demonstrates coordination between cybersecurity response and counterintelligence investigation for government operations

Debrief Topics (15-20 min)

  1. Nation-State Sophistication: How did Litter Drifter’s USB propagation and language detection enable months of undetected government surveillance during conflict?

  2. Geopolitical Targeting: Why do nation-state adversaries target Ukrainian government operations and NATO coordination during regional tensions?

  3. International Security Obligations: What allied intelligence coordination and counterintelligence cooperation requirements apply to strategic policy compromise?

  4. Diplomatic Impact Balance: How do you weigh NATO summit urgency against comprehensive security investigation during active conflict?

  5. Long-term Implications: What strategic diplomatic and national security consequences result from government intelligence in adversary hands?


Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Nation-State Detection (30-35 min)

Open Investigation Framework

Detective Investigation Options:

  • Analyze USB device forensics for nation-state malware indicators and Ukrainian-language targeting mechanisms
  • Investigate government network logs for unauthorized strategic policy access patterns during conflict
  • Research Litter Drifter attribution and known Ukrainian government targeting campaigns
  • Examine digital forensics for foreign intelligence collection and diplomatic exfiltration methods

Protector System Analysis Options:

  • Assess government workstation security for systematic diplomatic communications theft indicators
  • Evaluate strategic system integrity and policy document protection during conflict coordination
  • Monitor USB propagation patterns affecting multiple government ministry workstations
  • Review national security controls for nation-state persistence mechanisms
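The Protector options above ask players to monitor USB propagation patterns across ministry workstations. As an added illustration for IMs of what that monitoring can look like in practice (example code written for this page, not part of the scenario materials or of any real ministry tooling), the script below correlates constructed endpoint telemetry. It assumes a hypothetical event format in which each workstation reports `usb_insert` events (carrying a removable-volume serial) and `file_create` events (carrying a path and a `removable` flag); the suspicious-extension list, the five-minute write window, the host names and the serials are all constructed for the example. Two signals are combined: the same removable volume appearing on several hosts, and active content (shortcuts, scripts, executables) being written to that volume shortly after it was inserted.

```python
"""
Added example (not part of the scenario materials): correlate constructed
endpoint telemetry to surface USB-borne worm propagation across workstations.

Assumed (hypothetical) event schema: dicts with keys host, ts (ISO 8601),
kind, plus kind-specific fields:
  - "usb_insert": a removable volume was mounted; carries "serial".
  - "file_create": a file was written; carries "path" and "removable".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions a worm dropping onto removable media would plausibly use.
# Assumption for this example; tune to the environment being monitored.
SUSPICIOUS_EXT = (".lnk", ".vbs", ".js", ".exe", ".bat", ".cmd", ".ps1")

# Window after insertion in which a write of active content is treated as suspicious.
WRITE_WINDOW = timedelta(minutes=5)


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_shared_volumes(events, min_hosts=2):
    """Return {serial: sorted host list} for removable volumes seen on >= min_hosts hosts."""
    hosts_by_serial = defaultdict(set)
    for e in events:
        if e["kind"] == "usb_insert":
            hosts_by_serial[e["serial"]].add(e["host"])
    return {s: sorted(h) for s, h in hosts_by_serial.items() if len(h) >= min_hosts}


def find_drop_after_insert(events):
    """Return (host, serial, path) tuples where active content was written to
    removable media within WRITE_WINDOW of a USB insertion on the same host."""
    inserts = defaultdict(list)  # host -> [(insert time, serial)]
    for e in events:
        if e["kind"] == "usb_insert":
            inserts[e["host"]].append((parse_ts(e["ts"]), e["serial"]))
    hits = []
    for e in events:
        if e["kind"] != "file_create" or not e.get("removable"):
            continue
        if not e["path"].lower().endswith(SUSPICIOUS_EXT):
            continue
        t = parse_ts(e["ts"])
        for ins_t, serial in inserts[e["host"]]:
            if timedelta(0) <= t - ins_t <= WRITE_WINDOW:
                hits.append((e["host"], serial, e["path"]))
                break
    return hits


def propagation_report(events):
    """Combine both signals: a volume that travelled between hosts AND received
    active content shortly after insertion is the strongest propagation indicator."""
    shared = find_shared_volumes(events)
    drops = find_drop_after_insert(events)
    flagged = sorted({serial for _, serial, _ in drops if serial in shared})
    return {"shared_volumes": shared, "drops": drops, "propagating_serials": flagged}


# Constructed sample telemetry (hosts, serials and paths are invented for this example).
SAMPLE_EVENTS = [
    {"host": "WS-POLICY-01", "ts": "2024-05-13T08:02:10", "kind": "usb_insert", "serial": "4C53000012345"},
    {"host": "WS-POLICY-01", "ts": "2024-05-13T08:03:41", "kind": "file_create",
     "path": "E:\\Documents.lnk", "removable": True},
    {"host": "WS-POLICY-01", "ts": "2024-05-13T08:03:42", "kind": "file_create",
     "path": "E:\\Policy_Draft.docx", "removable": True},   # benign document, not flagged
    {"host": "WS-DIPLO-07", "ts": "2024-05-13T09:15:02", "kind": "usb_insert", "serial": "4C53000012345"},
    {"host": "WS-DIPLO-07", "ts": "2024-05-13T09:16:30", "kind": "file_create",
     "path": "F:\\Documents.lnk", "removable": True},
    {"host": "WS-IT-02", "ts": "2024-05-13T10:00:00", "kind": "usb_insert", "serial": "9F01000099999"},
    {"host": "WS-IT-02", "ts": "2024-05-13T10:40:00", "kind": "file_create",
     "path": "E:\\tools\\update.bat", "removable": True},  # 40 min after insertion: outside window
]

if __name__ == "__main__":
    rep = propagation_report(SAMPLE_EVENTS)
    for serial, hosts in rep["shared_volumes"].items():
        print(f"volume {serial} seen on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, serial, path in rep["drops"]:
        print(f"{host}: active content {path} written to volume {serial} shortly after insertion")
    print("propagating volumes:", rep["propagating_serials"])
```

Run on the constructed telemetry, the report names the one volume that moved from the policy workstation to the diplomatic workstation and received a shortcut file on both; the IT workstation's batch file, written forty minutes after insertion, stays below the threshold. For a real session the same two questions (which removable volumes have travelled between ministries, and which of them received active content right after being plugged in) give the Protector player a concrete scoping method rather than a vague "monitor USB activity".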

Tracker Network Investigation Options:

  • Trace command and control infrastructure for nation-state espionage network identification during conflict
  • Analyze exfiltration patterns for strategic policy and NATO coordination targeting
  • Investigate network traffic for geopolitical intelligence collection during regional tensions
  • Map foreign intelligence infrastructure connections to known adversary conflict operations

Communicator Stakeholder Interviews:

  • Interview government staff about suspicious USB behavior during strategic planning and summit coordination
  • Coordinate with Minister Petrov on NATO summit priorities and allied expectations
  • Consult with Major Kozlov on national security requirements and diplomatic implications
  • Engage Colonel Shevchenko on counterintelligence investigation protocols and allied intelligence coordination

NPC Interactions (Realistic Conflicts)

Minister Dr. Olena Petrov:

  • Priority: Maintain NATO summit schedule - international security cooperation depends on Friday coordination
  • Concern: Allied inquiry about security posture and strategic communications protection during conflict
  • Conflict: Pushes for diplomatic continuity approach to avoid summit delays affecting collective defense
  • Information: Summit coordination represents critical diplomatic effort for Ukrainian support and geopolitical position

Major Alexei Kozlov (Cybersecurity Director):

  • Priority: National security compliance and international intelligence coordination requirements for strategic compromise
  • Concern: Government credibility implications and diplomatic trust during counterintelligence investigation
  • Conflict: Demands comprehensive allied investigation regardless of summit timeline impact
  • Information: Intelligence services have specific protocols for foreign espionage incidents affecting government operations

Maria Doroshenko (Senior Policy Analyst):

  • Priority: Government staff safety and strategic policy work continuity during conflict
  • Concern: USB security practices and potential exposure of diplomatic communications
  • Conflict: Caught between summit pressure and national security review concerns
  • Information: Staff have been using USB devices for policy document sharing for months - standard government practice

Colonel Viktor Shevchenko (Intelligence Liaison):

  • Priority: Evidence preservation for foreign intelligence investigation and attribution during conflict
  • Concern: Geopolitical implications of Ukrainian government operation targeting and NATO coordination compromise
  • Conflict: International investigation requirements may conflict with diplomatic continuity needs
  • Information: Intelligence indicates coordinated nation-state campaign targeting multiple Ukrainian ministries during regional tensions

Round 1 Pressure Events

Minute 10: Security alert - additional government workstations showing USB propagation indicators during forensic investigation

Minute 20: NATO coordination office requests immediate status report on summit security and strategic communications protection

Minute 25: Intelligence service notification requirement triggers - allied reporting deadline in 24 hours for diplomatic compromise

Round 1 Facilitation Questions

  • “What forensic evidence do you need before determining the scope of nation-state surveillance during conflict?”
  • “How do you assess whether strategic policy documents have been exfiltrated to foreign intelligence?”
  • “What immediate containment actions balance NATO summit urgency with counterintelligence preservation?”
  • “How do you coordinate with multiple stakeholders who have conflicting but legitimate government priorities?”

Round 2: Strategic Policy Compromise Assessment (40-50 min)

Open Investigation Continuation

Detective Deep Dive:

  • Conduct comprehensive forensic timeline of nation-state surveillance and strategic policy access during conflict
  • Analyze foreign intelligence collection targeting NATO summit coordination and Ukrainian government operations
  • Investigate diplomatic communications exposed through systematic espionage during regional tensions
  • Examine USB propagation vectors and nation-state persistence across government ministries

Protector Impact Analysis:

  • Assess government system compromise extent affecting diplomatic capabilities and strategic communications
  • Evaluate national security controls failures enabling months of undetected surveillance during conflict
  • Review USB device management practices and government network segmentation
  • Analyze potential diplomatic security impact of strategic policy in adversary hands

Tracker Intelligence Correlation:

  • Map nation-state command infrastructure to known foreign intelligence operations during conflict
  • Correlate exfiltration timing with geopolitical events and Ukrainian conflict escalation
  • Investigate multi-target government ministry targeting patterns indicating coordinated campaign
  • Analyze threat intelligence for Litter Drifter attribution and strategic conflict objectives

Communicator Crisis Management:

  • Coordinate NATO notification and summit coordination implications
  • Manage allied intelligence reporting and counterintelligence investigation cooperation
  • Address government staff diplomatic credibility concerns and morale during investigation
  • Facilitate international intelligence agency coordination for geopolitical assessment

NPC Evolution (Escalating Conflicts)

Minister Petrov (Under Allied Pressure):

  • New Development: NATO coordination officer questions whether summit can proceed given nation-state compromise
  • Escalated Concern: International security cooperation at risk - collective defense depends on summit success
  • Increased Conflict: Demands clear timeline for security verification to salvage Friday summit or minimize delay
  • Critical Information: Allied partners considering alternative coordination if Ministry cannot ensure secure operations

Major Kozlov (National Security Crisis):

  • New Development: Intelligence services initiate formal strategic communications compromise investigation
  • Escalated Concern: Government credibility at stake with allies during counterintelligence review
  • Increased Conflict: International reporting requires disclosure of full diplomatic communications exposure
  • Critical Information: Similar incidents at other governments resulted in diplomatic trust damage and partnership concerns

Maria Doroshenko (Government Staff Under Pressure):

  • New Development: Staff facing questions about USB device usage and strategic policy handling during conflict
  • Escalated Concern: Team morale collapsing - fear of diplomatic career damage affecting productivity
  • Increased Conflict: Defensive about standard government practices - “this is how policy work happens” mentality
  • Critical Information: Multiple staff received suspicious USB devices from “trusted” government contacts

Colonel Shevchenko (Geopolitical Intelligence):

  • New Development: Intelligence confirms strategic policy documents found on nation-state networks
  • Escalated Concern: NATO coordination systematically targeted - geopolitical implications for international partnerships
  • Increased Conflict: International investigation taking priority over diplomatic continuity - evidence preservation critical
  • Critical Information: Nation-state adversaries now have intelligence on Ukrainian government operations and allied coordination

Round 2 Pressure Events

Minute 45: Counterintelligence investigation discovers diplomatic communications on foreign intelligence networks - confirmed strategic transfer

Minute 55: Allied intelligence officials arrive for strategic damage assessment and security posture review

Minute 65: Intelligence assessment indicates potential compromise of multiple NATO coordination operations across Ukrainian government

Minute 70: Media reports about nation-state targeting of government operations - public relations concerns about Ministry security practices

Round 2 Facilitation Questions

  • “Now that strategic policy documents are confirmed in adversary hands, how does this change your response strategy?”
  • “What diplomatic security implications exist for NATO coordination compromised by nation-state espionage during conflict?”
  • “How do you balance government staff morale and credibility concerns with comprehensive counterintelligence investigation?”
  • “What long-term allied relationship implications result from inadequate response to nation-state targeting?”

Round 3: Strategic Resolution & Allied Coordination (40-50 min)

Final Investigation & Resolution

Detective Final Analysis:

  • Complete nation-state attribution and government ministry targeting pattern analysis
  • Document comprehensive forensic evidence for counterintelligence investigation and diplomatic assessment
  • Assess long-term geopolitical implications of strategic policy in foreign hands during conflict
  • Develop lessons learned for government USB security and strategic network protection

Protector Security Restoration:

  • Implement complete nation-state worm removal with international intelligence verification
  • Rebuild government environment with enhanced national security controls
  • Establish ongoing monitoring for nation-state persistence and USB propagation
  • Verify strategic communications security for potential NATO summit resumption

Tracker Threat Intelligence:

  • Provide comprehensive foreign intelligence infrastructure analysis to allied agencies
  • Document geopolitical targeting patterns affecting Ukrainian government operations during conflict
  • Support attribution assessment for diplomatic and strategic response coordination
  • Share government sector threat intelligence with NATO partners

Communicator Strategic Coordination:

  • Finalize NATO notification and summit coordination status resolution
  • Complete allied intelligence reporting and counterintelligence investigation cooperation
  • Address diplomatic credibility implications and government staff recovery planning
  • Coordinate public relations response to media coverage of nation-state targeting

Final NPC Resolutions

Minister Petrov (Strategic Decision):

Requires team to present recommendation on NATO summit status:

  • Can summit coordination proceed with security verification?
  • What timeline is realistic for secure strategic communications restoration?
  • How does Ministry demonstrate ongoing security commitment to NATO allies?
  • What international cooperation impact results from nation-state compromise during conflict?

Major Kozlov (Compliance Verification):

Demands comprehensive incident resolution documentation:

  • Complete strategic communications exposure assessment for allied reporting
  • Government credibility status for international trust restoration
  • National security controls improvement plan for ongoing diplomatic operations
  • Counterintelligence investigation cooperation and evidence delivery to allies

Maria Doroshenko (Team Recovery):

Seeks clarity on government staff future:

  • What diplomatic implications exist for staff who used compromised USB devices?
  • How does Ministry support team recovery from investigation stress during conflict?
  • What new strategic handling procedures prevent future nation-state targeting?
  • Can government staff credibility be restored with NATO and allied partners?

Colonel Shevchenko (Geopolitical Assessment):

Provides final counterintelligence context:

  • Nation-state campaign confirmed targeting 8+ Ukrainian government ministries during conflict
  • Strategic policy compromise provides adversaries intelligence advantage during regional tensions
  • Geopolitical response requires coordination between government, intelligence community, and diplomatic channels
  • Ministry response quality affects broader Ukrainian government security posture and international partnerships

Round 3 Pressure Events

Minute 85: NATO makes final decision on summit coordination - requires team recommendation with security justification

Minute 95: Intelligence services complete assessment - diplomatic credibility and allied trust depend on incident response quality

Minute 105: Allied intelligence agencies coordinate with Ukrainian government partners - geopolitical implications of strategic compromise

Minute 110: Government sector briefing scheduled - Ministry experience becomes case study for nation-state threat awareness during conflict

Victory Condition Assessment

Technical Victory Indicators:

Business Victory Indicators:

Learning Victory Indicators:

Debrief Topics (20-25 min)

  1. Nation-State APT Sophistication:
    • How did Litter Drifter’s USB propagation and Ukrainian-language detection enable months of undetected government surveillance?
    • What government ministry targeting patterns indicate coordinated nation-state campaign during conflict?
    • Why is attribution important for diplomatic and strategic response?
  2. Government Security Obligations:
    • What international intelligence coordination and counterintelligence cooperation requirements apply?
    • How do diplomatic credibility processes protect strategic communications?
    • What intelligence service oversight ensures government security during conflict?
  3. Geopolitical Context:
    • Why do nation-state adversaries target Ukrainian government operations and NATO coordination?
    • What strategic advantage do adversaries gain from diplomatic communications compromise during conflict?
    • How do hybrid warfare operations integrate cyber espionage with kinetic military actions?
  4. Diplomatic-Security Balance:
    • How do you weigh NATO summit urgency against comprehensive security investigation?
    • What long-term allied relationship implications result from incident response quality?
    • When is it appropriate to accept summit delays for national security priorities?
  5. USB Security in Government Environments:
    • What makes USB devices particularly dangerous in government ministry settings during conflict?
    • How should strategic networks handle removable media given espionage risks?
    • What technical controls and user training prevent nation-state USB propagation?
  6. Lessons for Real-World IR:
    • How do nation-state incidents differ from criminal malware in government investigation requirements?
    • What makes government incidents unique compared to commercial sector?
    • When should cybersecurity teams escalate to counterintelligence and allied intelligence agencies?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Remove Reference Materials:

  • No access to Malmon compendium for Litter Drifter technical details
  • Must recall nation-state behavior patterns and government targeting from training during conflict
  • Test knowledge of international intelligence coordination and allied cooperation protocols
  • Challenge players to remember USB propagation mechanisms and APT persistence techniques

Add Red Herrings:

  • Legitimate government policy work causing false positive USB activity alerts
  • Routine strategic document transfers appearing as suspicious exfiltration in logs during summit coordination
  • Authorized NATO security audit traffic resembling nation-state command and control
  • Standard allied partner coordination emails flagged as potential intelligence collection

Ambiguous Containment Scenarios:

  • Forensic evidence suggests possible nation-state removal but residual indicators persist
  • Conflicting intelligence about whether diplomatic communications were fully exfiltrated
  • Uncertain timeline of initial compromise during conflict - may predate current logging
  • Multiple potential nation-state adversaries with similar targeting - attribution uncertain

Incomplete Information Challenges:

  • Government system logs missing critical periods due to retention policies
  • Some ministry workstations lack adequate monitoring - compromise scope uncertain during conflict
  • Counterintelligence investigation ongoing - strategic intelligence not yet available
  • NATO security assessment delayed - must make critical decisions without full diplomatic impact analysis

Deep Coordination Requirements:

  • Must justify all counterintelligence decisions with incomplete strategic communications exposure data
  • Navigate conflicting stakeholder priorities without clear NATO guidance
  • Coordinate with allied intelligence while evidence collection continues
  • Balance international reporting requirements with ongoing forensic investigation needs

Advanced Challenge Scenario Variants

Variant A: Multi-Actor Attribution Challenge

  • Evidence suggests both Russian and Chinese nation-state activity in government environment during conflict
  • Must distinguish between Litter Drifter (Russian) and other APT operations (Chinese)
  • Geopolitical response depends on accurate attribution - diplomatic implications significant
  • Some USB devices may be counterintelligence from friendly nations testing security during tensions

Variant B: Allied Coordination Compromise Complexity

  • USB devices traced to “trusted” NATO partner communications - potential coordination compromise
  • Must assess whether compromise affects multiple Ukrainian ministries beyond Digital Infrastructure
  • Allied partners considering alternative coordination - decision depends on Ministry investigation findings
  • Government sector coordination required for nation-wide threat mitigation during conflict

Variant C: Insider Threat Dimension

  • Some government staff have suspicious foreign contacts - background investigation concerns during conflict
  • Counterintelligence cannot rule out insider facilitation of nation-state access
  • Diplomatic trust adjudication depends on incident response team’s assessment
  • Must balance investigation of potential insider threats with government team morale

Variant D: Active Conflict Operations

  • Strategic communications already being used in ongoing diplomatic negotiations - operational security critical
  • Compromise may affect active NATO coordination - urgent diplomatic assessment required
  • Allied partners considering emergency coordination changes - strategic implications during conflict
  • Diplomatic leadership demands immediate clarity on government compromise scope

Advanced NPC Complications

Minister Petrov (Competing Pressures):

  • Receiving conflicting guidance from NATO coordination and Ukrainian government leadership
  • Personal reputation at stake - career diplomatic project now under counterintelligence investigation
  • Political career affected by incident resolution - legacy and credibility concerns
  • May pressure team for conclusions that support diplomatic continuity over security thoroughness

Major Kozlov (National Security Stress):

  • Under intense allied intelligence scrutiny - Ministry security posture under international review
  • Responsible for government security that enabled months of undetected nation-state surveillance
  • Career implications if Ministry loses NATO credibility or coordination role due to incident
  • May become overly risk-averse and demand excessive security measures disrupting diplomatic operations

Maria Doroshenko (Under Investigation):

  • Personal diplomatic role questioned pending counterintelligence investigation completion
  • Defensive about government practices - fears career damage and credibility loss
  • May withhold information about USB usage that could compromise colleagues
  • Potential insider threat concern adds complexity to stakeholder coordination

Colonel Shevchenko (Conflicting Intelligence Missions):

  • Counterintelligence investigation priorities may conflict with team’s incident response needs
  • Cannot share all classified intelligence about geopolitical context and nation-state operations during conflict
  • Pressure from multiple allied agencies with different investigation objectives and timelines
  • May request team actions that serve intelligence collection but complicate incident resolution

Advanced Pressure Events

Minute 25: Forensic analysis reveals possible second nation-state actor - attribution becomes complex during conflict

Minute 50: Government staff representatives demand evidence supporting insider threat accusations before staff credibility is questioned

Minute 75: Information about nation-state targeting leaked to the media - public pressure for rapid incident resolution

Minute 100: NATO partners request intelligence sharing about strategic compromise affecting joint operations during conflict

Minute 125: Intelligence service preliminary findings question Ministry coordination role eligibility

Minute 140: Counterintelligence investigation discovers strategic policy on dark web - wider exposure than expected during conflict

Advanced Facilitation Challenges

If Team Oversimplifies Attribution:

“Colonel Shevchenko shows you traffic analysis suggesting multiple nation-state actors with different objectives. How do you distinguish between Russian Litter Drifter operations and possible Chinese APT activity when diplomatic response depends on accurate attribution during conflict?”

If Team Ignores Insider Threat Indicators:

“Major Kozlov must report to allied intelligence about government staff with suspicious foreign contacts who had access to compromised systems. How do you investigate potential insider facilitation without destroying team morale or assuming guilt during conflict?”

If Team Rushes to Conclusions:

“Minister Petrov is pushing for quick resolution to salvage summit timeline, but forensic evidence remains incomplete with critical log gaps. How do you justify counterintelligence decisions when strategic compromise scope is uncertain during conflict?”

If Team Neglects Geopolitical Context:

“NATO coordination office is requesting intelligence about what diplomatic capabilities have been compromised, but counterintelligence hasn’t completed attribution. How does your incident response affect international partnerships and geopolitical strategy during conflict?”

Advanced Debrief Topics (30-35 min)

  1. Attribution Complexity in Nation-State Incidents:
    • How do you distinguish between multiple APT actors with similar techniques during conflict?
    • Why is attribution critical for diplomatic, strategic, and government response?
    • What forensic evidence supports or contradicts attribution conclusions?
    • When is “we’re not sure” an acceptable answer vs. avoiding responsibility?
  2. Insider Threat in Government Environments:
    • How do you investigate potential insider involvement without assuming guilt during conflict?
    • What counterintelligence indicators suggest deliberate facilitation vs. exploitation?
    • How do diplomatic trust processes balance security concerns with due process?
    • What organizational culture factors enable or prevent insider threats?
  3. Decision-Making Under Uncertainty:
    • How do you make critical security decisions with incomplete forensic evidence during conflict?
    • What level of confidence is required before NATO notification or international reporting?
    • How do you communicate uncertainty to stakeholders demanding definitive answers?
    • When should investigation continue vs. implementing response with imperfect information?
  4. Government Interdependencies:
    • How do individual ministry incidents affect government-wide security posture during conflict?
    • What information sharing obligations exist between ministries for threat intelligence?
    • How do coordination compromises complicate attribution and remediation?
    • What role does allied coordination play in orchestrating government response?
  5. Balancing Speed vs. Thoroughness:
    • When is rapid incident resolution appropriate vs. comprehensive investigation during conflict?
    • How do diplomatic pressures affect incident response quality and long-term security?
    • What are the consequences of premature “all clear” declarations in APT incidents?
    • How do you manage stakeholder expectations when thoroughness requires time?
  6. Real-World Nation-State Response Lessons:
    • What actual government nation-state incidents inform this scenario?
    • How have real incidents balanced diplomatic operational needs with security response?
    • What government changes resulted from high-profile nation-state compromises?
    • How do government environments create unique challenges compared to commercial incident response?