LitterDrifter Scenario: Government Ministry Coordination
APT • LitterDrifter
STAKES
National security + Government operations + International coordination + Public trust
HOOK
Security teams at Udenrigsministeriet are seeing ministry workstations launch unknown processes when USB devices are inserted, diplomatic files open without user action, and outbound sessions to unfamiliar infrastructure from restricted offices. Multiple teams supporting Ukraine coordination report the same pattern, indicating targeted surveillance of government planning workflows.
PRESSURE
- Strategic briefing due Thursday for 420 million DKK aid package
- Targeted surveillance threatens diplomatic and interagency decision-making
- Operational scope: Ministry of Foreign Affairs, 1,500 employees, managing Ukraine diplomatic and military aid coordination
FRONT • 150 minutes • Expert
APT • LitterDrifter
NPCs
- Katrine Fonsmark (Minister’s Chief of Staff): Owns executive coordination and escalation decisions
- Kasper Juul (IT Director): Leads containment and infrastructure continuity
- Bent Sejro (Department Head): Represents mission operations and policy delivery risk
- Philip Christensen (Security Advisor): Coordinates evidence handling and national-security reporting
SECRETS
- Trusted administrative USB workflows bypassed expected control checkpoints
- Sensitive policy and coordination files were accessed outside approved windows
- Similar telemetry is emerging across related public-sector organizations
LitterDrifter Scenario: Government Ministry Coordination
APT • LitterDrifter
STAKES
National security + Government operations + International coordination + Public trust
HOOK
Security teams at Majandus- ja Kommunikatsiooniministeerium are seeing ministry workstations launch unknown processes when USB devices are inserted, strategic files open without user action, and outbound sessions to unfamiliar infrastructure from restricted offices. Multiple teams supporting digital-government operations report the same pattern, indicating targeted surveillance of policy and infrastructure planning workflows.
PRESSURE
- Strategic briefing due Thursday for EUR 38 million digital resilience program
- Targeted surveillance threatens diplomatic and interagency decision-making
- Operational scope: Ministry of Economic Affairs and Communications, 800 employees, managing X-Road digital infrastructure and EU cyber policy
FRONT • 150 minutes • Expert
APT • LitterDrifter
NPCs
- Toomas Tamm (Kantsler): Owns executive coordination and escalation decisions
- Liis Kaljurand (IT Director): Leads containment and infrastructure continuity
- Andres Kask (Department Head): Represents mission operations and policy delivery risk
- Kadri Luik (Security Advisor): Coordinates evidence handling and national-security reporting
SECRETS
- Trusted administrative USB workflows bypassed expected control checkpoints
- Sensitive policy and coordination files were accessed outside approved windows
- Similar telemetry is emerging across related public-sector organizations
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Litter Drifter Government Ministry Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Scenario Details for IMs
Hook
“It is Monday morning at Udenrigsministeriet. Staff preparing cross-ministry coordination packages for Ukraine support report USB devices triggering unexpected executables, strategic documents opening outside normal workflows, and endpoint logs showing repeated outbound sessions to unfamiliar hosts. Similar behavior appears in several offices handling high-sensitivity policy material, and leadership now needs an immediate decision on containment and reporting.”
“It is Monday morning at Majandus- ja Kommunikatsiooniministeerium. Staff preparing digital-government coordination packages report USB devices triggering unexpected executables, strategic documents opening outside normal workflows, and endpoint logs showing repeated outbound sessions to unfamiliar hosts. Similar behavior appears in several offices tied to national digital infrastructure, and leadership now needs an immediate decision on containment and reporting.”
Initial Symptoms to Present:
- “USB devices trigger unknown process launches on ministry workstations”
- “Strategic planning files open outside authorized review sessions”
- “Endpoint logs show recurring outbound traffic to unfamiliar infrastructure”
- “Cross-team reports indicate coordinated targeting of high-sensitivity workflows”
Key Discovery Paths:
Detective Investigation Leads:
- Forensic review links execution to removable-media paths embedded in routine admin operations
- Access timelines show sustained collection of policy coordination artifacts
- Artifact cadence suggests long-dwell intelligence gathering rather than immediate disruption
Protector System Analysis:
- Endpoint controls allow signed but unapproved binaries from removable media
- Segmentation limits direct spread but not credential-mediated document access
- Containment options diverge between rapid isolation and evidence-preserving triage
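Added example, not part of the scenario materials: the Detective and Protector leads above both hinge on telling routine admin use of removable media apart from execution that should never have happened. The script below correlates USB insertion events with later process launches from that drive letter, and rates each launch against an approval list of binary hashes rather than against the signing flag alone, because the page's point is that signed-but-unapproved binaries were allowed to run. The JSON-lines event format, the host names, hashes and the 30-second "autorun-like" window are constructed assumptions; real Sysmon or EDR telemetry uses different field names and would need its own parser.

```python
"""Correlate removable-media insertion with process launches from that drive.

Constructed illustration for the LitterDrifter tabletop scenario; the event
schema, hosts, paths and hashes below are invented for the example.
"""
import json
from datetime import datetime, timedelta

# Constructed telemetry: one JSON object per line, already sorted loosely by time.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-11T08:02:10", "host": "WS-POL-014", "type": "usb_insert", "drive": "E:", "serial": "USB-CONSTRUCTED-0001"}
{"ts": "2024-03-11T08:02:14", "host": "WS-POL-014", "type": "proc_create", "image": "E:\\tools\\update.exe", "parent": "explorer.exe", "signed": true, "sha256": "aaaa1111"}
{"ts": "2024-03-11T08:02:15", "host": "WS-POL-014", "type": "proc_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe", "signed": true, "sha256": "bbbb2222"}
{"ts": "2024-03-11T09:30:00", "host": "WS-ADM-003", "type": "usb_insert", "drive": "F:", "serial": "USB-CONSTRUCTED-0002"}
{"ts": "2024-03-11T09:30:05", "host": "WS-ADM-003", "type": "proc_create", "image": "F:\\admin\\inventory.exe", "parent": "explorer.exe", "signed": true, "sha256": "cccc3333"}
{"ts": "2024-03-11T11:00:00", "host": "WS-ADM-003", "type": "proc_create", "image": "F:\\admin\\late.exe", "parent": "explorer.exe", "signed": false, "sha256": "dddd4444"}
"""

# Hashes of admin tools that the ministry has explicitly approved for use
# from removable media (constructed). Signing status is deliberately NOT
# enough: a signed binary that is not on this list is still a finding.
APPROVED_HASHES = {"cccc3333"}


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with real datetime objects."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def removable_media_executions(events, approved_hashes,
                               autorun_window=timedelta(seconds=30)):
    """Return every process launch whose image lives on a mounted removable drive.

    Each finding records whether the binary was approved, whether it was signed,
    and whether it ran within `autorun_window` of the insertion (the pattern the
    scenario describes: 'USB devices trigger unknown process launches').
    """
    mounted = {}   # (host, drive letter) -> insertion timestamp
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "usb_insert":
            mounted[(host, ev["drive"].upper())] = ev["ts"]
        elif ev["type"] == "usb_remove":
            mounted.pop((host, ev["drive"].upper()), None)
        elif ev["type"] == "proc_create":
            drive = ev["image"][:2].upper()
            inserted_at = mounted.get((host, drive))
            if inserted_at is None:
                continue  # image is on a fixed drive, not in scope here
            delay = ev["ts"] - inserted_at
            approved = ev["sha256"] in approved_hashes
            findings.append({
                "host": host,
                "ts": ev["ts"].isoformat(),
                "image": ev["image"],
                "signed": ev["signed"],
                "approved": approved,
                "seconds_after_insert": int(delay.total_seconds()),
                "autorun_like": delay <= autorun_window,
                "severity": "info" if approved else "high",
            })
    return findings


if __name__ == "__main__":
    for f in removable_media_executions(parse_events(SAMPLE_EVENTS), APPROVED_HASHES):
        print(f"{f['severity']:<4} {f['host']} {f['image']} "
              f"signed={f['signed']} approved={f['approved']} "
              f"+{f['seconds_after_insert']}s autorun_like={f['autorun_like']}")
```

On the constructed data the signed `update.exe` that ran four seconds after insertion and the unsigned `late.exe` both come out as high-severity, while the approved inventory tool is logged for the timeline but not escalated; that split is what lets the evidence timeline (Detective lead) and the control gap (Protector lead) be discussed from the same records.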
Tracker Network Investigation:
- Beacon intervals and destination rotation indicate deliberate low-noise exfiltration behavior
- Cross-organization telemetry alignment suggests coordinated campaign tasking
- Infrastructure overlaps with prior government-sector surveillance activity
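Added example, not part of the scenario materials: the Tracker lead about "beacon intervals and destination rotation" is something the network role can actually test rather than assert. The script below groups outbound connections per host, drops internal destinations, measures how regular the gaps between connections are (coefficient of variation of the inter-arrival times), and counts how many distinct external destinations the host rotated through. The connection-log format, host names, the TEST-NET addresses and the thresholds (at least six connections, CV below 0.2) are constructed assumptions for the example; tune them against your own baseline before relying on them.

```python
"""Flag hosts whose outbound connections look like low-jitter beaconing.

Constructed illustration for the LitterDrifter tabletop scenario. Log lines,
hosts, addresses and thresholds are invented; adapt the parser to real
firewall or proxy logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "<timestamp> <host> -> <dst_ip>:<port>".
# WS-POL-014 reaches out every ~600 s to three rotating addresses;
# WS-FIN-002 browses irregularly. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as placeholders.
SAMPLE_CONNECTIONS = """
2024-03-11T08:05:00 WS-POL-014 -> 203.0.113.10:443
2024-03-11T08:10:00 WS-FIN-002 -> 198.51.100.5:443
2024-03-11T08:10:05 WS-FIN-002 -> 198.51.100.5:443
2024-03-11T08:12:05 WS-FIN-002 -> 198.51.100.9:443
2024-03-11T08:15:00 WS-POL-014 -> 203.0.113.22:443
2024-03-11T08:20:00 WS-POL-014 -> 10.20.0.5:445
2024-03-11T08:25:02 WS-POL-014 -> 203.0.113.37:443
2024-03-11T08:35:00 WS-POL-014 -> 203.0.113.10:443
2024-03-11T08:45:01 WS-POL-014 -> 203.0.113.22:443
2024-03-11T08:55:00 WS-POL-014 -> 203.0.113.37:443
2024-03-11T09:02:05 WS-FIN-002 -> 198.51.100.5:443
2024-03-11T09:02:19 WS-FIN-002 -> 203.0.113.80:443
2024-03-11T09:05:00 WS-POL-014 -> 203.0.113.10:443
2024-03-11T09:15:03 WS-POL-014 -> 203.0.113.22:443
2024-03-11T09:17:19 WS-FIN-002 -> 198.51.100.9:443
2024-03-11T09:18:04 WS-FIN-002 -> 198.51.100.5:443
2024-03-11T09:18:06 WS-FIN-002 -> 198.51.100.12:443
"""


def is_internal(ip):
    """Crude RFC 1918 check; good enough to drop intra-ministry traffic here."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def parse_connections(text):
    """Yield (timestamp, host, destination ip) tuples, skipping internal targets."""
    for line in text.strip().splitlines():
        ts, host, _arrow, dst = line.split()
        ip = dst.rsplit(":", 1)[0]
        if is_internal(ip):
            continue
        yield datetime.fromisoformat(ts), host, ip


def beacon_candidates(log_text, min_connections=6, max_cv=0.2):
    """Score each host's external connection cadence.

    A low coefficient of variation (stdev / mean of the gaps) means the
    connections arrive on a near-fixed timer, which is what the page calls
    deliberate low-noise behaviour; `destinations` shows rotation.
    """
    per_host = defaultdict(list)
    for ts, host, ip in parse_connections(log_text):
        per_host[host].append((ts, ip))

    report = {}
    for host, conns in per_host.items():
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        if len(conns) < min_connections:
            report[host] = {"count": len(conns), "periodic": False,
                            "mean_interval_s": None, "cv": None,
                            "destinations": len({ip for _, ip in conns})}
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        report[host] = {
            "count": len(conns),
            "mean_interval_s": round(avg, 1),
            "cv": round(cv, 4),
            "destinations": len({ip for _, ip in conns}),
            "periodic": bool(cv <= max_cv),
        }
    return report


def flag_periodic_hosts(report):
    """Return the hosts worth handing to the Tracker for destination overlap checks."""
    return sorted(h for h, r in report.items() if r["periodic"])


if __name__ == "__main__":
    rep = beacon_candidates(SAMPLE_CONNECTIONS)
    for host, r in sorted(rep.items()):
        print(host, r)
    print("periodic:", flag_periodic_hosts(rep))
```

Periodicity alone is not proof (software updaters beacon too), which is why the report also carries the destination count: a steady timer combined with rotation across several unfamiliar addresses is the combination the scenario treats as the tell, and the Red Herrings section later in the page is a reminder to check the benign explanations first.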
Communicator Stakeholder Interviews:
- Executive staff need a defensible recommendation on continuity versus containment depth
- Policy teams need guidance on what work can continue without contaminating evidence
- External affairs teams need clear messaging for partner organizations and oversight bodies
Mid-Scenario Pressure Points:
- Hour 1: Leadership requests a go/no-go recommendation for this week’s strategic briefing
- Hour 2: External partners request assurance about information integrity and handling
- Hour 3: Investigators detect additional suspicious access in adjacent policy teams
- Hour 4: Executive office requires a written incident posture for regulators and security agencies
Evolution Triggers:
- If containment is delayed, additional coordination teams show parallel unauthorized access activity
- If isolation is partial, operators observe renewed beaconing after host restart cycles
- If decisions are made without integrity assurance, partner trust in ministry outputs degrades rapidly
Resolution Pathways:
Technical Success Indicators:
- Removable-media execution controls are enforced across ministry endpoint tiers
- Evidence timeline supports attribution and legal reporting needs
- Clean working baselines are re-established for high-sensitivity document repositories
Business Success Indicators:
- Leadership receives a defensible recommendation for schedule impact and policy confidence
- Interagency and external partner communication remains aligned and evidence-based
- Incident posture supports both regulatory and national-security obligations
Learning Success Indicators:
- Team distinguishes intelligence-collection incidents from disruptive malware response patterns
- Participants practice making high-impact decisions under uncertainty and public-sector scrutiny
- Group coordinates technical, policy, and executive functions without breaking evidence integrity
Common IM Facilitation Challenges:
If Containment Is Too Slow:
“You can keep operations moving, but what evidence supports confidence in this week’s strategic briefing package?”
If Executive Escalation Is Delayed:
“Leadership needs an immediate recommendation: expand isolation now, or continue operations with documented residual risk?”
If Reporting Obligations Are Deferred:
“Datatilsynet requests incident status and asks whether personal or controlled government data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.”
“AKI requests incident status and asks whether personal or controlled government data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Detecting removable-media surveillance behavior in government workflows
Key Actions: Map initial access path, isolate high-risk endpoints, issue first executive recommendation
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinating containment with public-sector reporting duties
Key Actions: Build evidence timeline, assess policy-output integrity, align communications to agencies and partners
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end ministry incident response under strategic deadline pressure
Key Actions: Run containment and reporting in parallel, make confidence-based delivery decision, define durable control strategy
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Multi-agency coordination ambiguity, cross-institution telemetry correlation, high-consequence uncertainty framing
Additional Challenges: Conflicting partner signals, constrained evidence windows, executive pressure for immediate assurance
This Danish variation can be adapted to other EU countries during facilitation. All EU countries share GDPR (72-hour breach notification) but use different public-sector cyber and intelligence institutions.
When running this scenario for another EU country, substitute these elements:
| Country | Data protection authority | Cyber security authority / CERT | Security and intelligence service | Digital governance context |
|---|---|---|---|---|
| Estonia | AKI | RIA / CERT-EE | KAPO | X-Road and digital ID ecosystem |
| France | CNIL | ANSSI / CERT-FR | DGSI | Centralized state digital services |
| Germany | BfDI | BSI / CERT-Bund | BfV | Federal and state-level digital governance |
| Netherlands | Autoriteit Persoonsgegevens | NCSC-NL | AIVD | Highly networked interagency services |
| Poland | UODO | NASK / CSIRT GOV | ABW | National digital administration modernization |
| Sweden | IMY | CERT-SE / MSB | Säpo | Distributed agency digital platform model |
Notes:
- Estonia context: X-Road dependencies make integrity concerns especially visible across agencies.
- Policy context: Similar technical findings can trigger different escalation paths by country.
- Facilitation tip: Keep technical indicators stable while swapping legal and institutional wrappers.
Organization names and NPC names are left to the IM's discretion.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
- Clue 1 (Minute 5): Security operations at Udenrigsministeriet detects repeated process execution from removable media on restricted ministry endpoints.
- Clue 2 (Minute 10): Timeline analysis shows sensitive workflow documents being accessed from hosts outside normal coordination lanes.
- Clue 3 (Minute 15): Department Head Bent Sejro confirms unauthorized reads of interagency briefing files tied to Ukraine aid commitments.
- Clue 1 (Minute 5): Security operations at Majandus- ja Kommunikatsiooniministeerium detects repeated process execution from removable media on restricted ministry endpoints.
- Clue 2 (Minute 10): Timeline analysis shows sensitive workflow documents being accessed from hosts outside normal coordination lanes.
- Clue 3 (Minute 15): Department Head Andres Kask confirms unauthorized reads of interagency briefing files tied to national digital-infrastructure commitments.
Pre-Defined Response Options
- Option A: Immediate Endpoint Isolation
- Action: Isolate affected systems and disable removable-media execution while triage completes.
- Pros: Fast containment with clear technical boundary.
- Cons: High immediate disruption to coordination workflows.
- Type Effectiveness: Super effective against low-noise espionage collection behavior.
- Option B: Evidence-First Segmented Containment
- Action: Preserve volatile evidence on high-value endpoints and isolate confirmed compromised segments first.
- Pros: Better legal and attribution posture.
- Cons: Requires disciplined execution under time pressure.
- Type Effectiveness: Moderately effective when telemetry quality is high.
- Option C: Continuity-Weighted Monitoring
- Action: Keep priority workflows active with compensating controls and focused monitoring.
- Pros: Minimizes schedule disruption in the short term.
- Cons: Residual access risk remains if scope is underestimated.
- Type Effectiveness: Partially effective and risk-heavy for broad campaigns.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Initial Detection and Scope (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Endpoint telemetry flags unexpected execution from removable-media paths.
- Clue 2 (Minute 10): High-sensitivity documents are accessed outside expected review channels.
- Clue 3 (Minute 15): Department Head Bent Sejro confirms unauthorized reads of interagency briefing files tied to Ukraine aid commitments.
- Clue 3 (Minute 15): Department Head Andres Kask confirms unauthorized reads of interagency briefing files tied to national digital-infrastructure commitments.
- Clue 4 (Minute 20): Cross-organization sharing indicates similar indicators in adjacent institutions.
Round 2: Reporting and Confidence Decision (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): Integrity review finds suspicious edits and access metadata in coordination working sets.
- Clue 6 (Minute 40): Datatilsynet requests incident status and asks whether personal or controlled government data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.
- Clue 6 (Minute 40): AKI requests incident status and asks whether personal or controlled government data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.
- Clue 7 (Minute 50): Leadership requests a written confidence statement for this week’s deliverables.
- Clue 8 (Minute 55): Partner teams ask whether shared planning artifacts should be treated as potentially exposed.
Round Transition Narrative
After Round 1 -> Round 2:
“CFCS shares matching USB-driven indicators from another Danish public-sector organization supporting Ukraine planning.”
“RIA / CERT-EE shares matching USB-driven indicators from another Estonian institution connected to digital-government workflows.”
Facilitation questions:
- “What is your minimum evidence threshold before certifying strategic package integrity?”
- “Which decision can be safely deferred, and which cannot wait another hour?”
- “How do you communicate uncertainty without losing stakeholder confidence?”
Debrief Focus:
- Running containment and reporting in parallel under public-sector scrutiny
- Preserving evidence while maintaining policy-operational continuity
- Framing technically uncertain findings for executive decision-making
Full Game Materials (120-140 min, 3 rounds)
The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate containment to institutional hardening and trust recovery.
Round 1: Executive Briefing and Scope Discovery (35-40 min)
Minister’s Chief of Staff Katrine Fonsmark calls an emergency meeting and states that Denmark cannot lose control of coordination data ahead of this week’s diplomatic milestones. IT Director Kasper Juul confirms the behavior is tied to removable media paths. Department Head Bent Sejro reports that policy drafts were accessed outside approved review windows. Security Advisor Philip Christensen requests immediate forensic containment while preserving evidence for PET and CFCS coordination.
Kantsler Toomas Tamm opens an emergency briefing and states that Estonia cannot risk losing trust in digital-government coordination ahead of this week’s strategic deadlines. IT Director Liis Kaljurand confirms the behavior is tied to removable media paths. Department Head Andres Kask reports that policy drafts were accessed outside approved review windows. Security Advisor Kadri Luik requests immediate forensic containment while preserving evidence for KAPO and RIA coordination.
Players investigate openly using role capabilities. Key findings include removable-media execution, policy-file access anomalies, and external telemetry overlap.
If team stalls: “You can keep systems running, but leadership still needs a defensible statement on whether this week’s outputs remain trustworthy.”
Round 2: Agency Coordination and Integrity Decision (35-40 min)
- Technical teams complete artifact collection and present containment options with risk tradeoffs.
- Executive staff request a clear recommendation on schedule impact and confidence level.
- Reporting and security coordination now spans GDPR, Datatilsynet, CFCS, and PET channels.
- Mission continuity assessment focuses on Ukraine diplomatic and aid coordination systems.
- Reporting and security coordination now spans GDPR, AKI, RIA / CERT-EE, and KAPO channels.
- Mission continuity assessment focuses on X-Road digital government backbone.
Facilitation questions:
- “What combination of controls would let you proceed with bounded and explicit residual risk?”
- “How will you document decision rationale so it remains defensible in post-incident review?”
Round 3: Strategic Recovery and Control Redesign (40-45 min)
Opening: Two weeks later, immediate threats are contained and leadership asks for a durable strategy covering removable-media policy, interagency telemetry exchange, and evidence-retention standards.
Pressure events:
- Partner institutions request proof of control improvements before sharing high-sensitivity planning artifacts
- Oversight stakeholders request a formal lessons-learned package with accountable owners
- Executive office requires a 90-day roadmap with measurable milestones
Victory conditions for full 3-round arc:
- Verified clean baseline for affected ministry systems and planning repositories
- Defensible reporting package aligned to regulatory and national-security expectations
- Sustainable control improvements for removable-media risk and cross-institution signal sharing
Debrief Questions
- “Which early indicator most strongly signaled sustained surveillance rather than isolated misuse?”
- “How did strategic deadlines alter risk tolerance and communication quality?”
- “What evidence was essential for external trust, and what was optional?”
- “How should ministries coordinate faster on shared indicators without overexposing sensitive workflows?”
Debrief Focus
- Surveillance-oriented incidents demand different decision patterns than purely disruptive events
- Removable-media and trust-boundary controls remain critical in government operational environments
- Executive confidence depends on technical rigor, timing discipline, and explicit uncertainty handling
Advanced Challenge Materials (150-170 min)
Red Herrings and Misdirection
- Routine removable-media maintenance workflows generate benign signals similar to malicious execution.
- A legitimate interagency data-transfer event overlaps with suspicious timeline artifacts.
- A separate credentials-hygiene issue appears related but is operationally independent.
Removed Resources and Constraints
- No ready-made incident playbook for removable-media espionage in policy environments
- Limited historical telemetry retention on selected administrative endpoints
- Delayed external partner responses during the first executive decision window
Enhanced Pressure
- Leadership requests same-day assurance for strategic outputs despite incomplete evidence
- External partners demand immediate indicator sharing before legal review is finalized
- Program teams request containment exceptions to preserve policy deadlines
Ethical Dilemmas
- Preserve richer evidence and accept short-term operational risk, or isolate faster and reduce attribution depth.
- Delay deliverables for stronger confidence, or proceed with explicit residual risk to protect policy timelines.
- Share broad technical indicators to help partners quickly, or restrict disclosure to protect internal architecture details.
Advanced Debrief Topics
- Designing ministry incident doctrine for low-noise, long-dwell collection campaigns
- Structuring executive governance when confidence is uneven across technical teams
- Strengthening interagency readiness without eroding confidentiality boundaries