Litter Drifter Scenario: International Aid Organization

Global Relief Alliance: International NGO, 240 staff, coordinating humanitarian operations
APT • LitterDrifter
STAKES
Humanitarian operations + Refugee data + International coordination + Field safety
HOOK
Global Relief is coordinating emergency humanitarian assistance in conflict zones when aid workers discover USB-borne malware targeting organizations that support Ukrainian refugee operations. A nation-state surveillance worm, spreading from drive to drive, is collecting intelligence on humanitarian logistics and international relief coordination during active conflict.
PRESSURE
Emergency aid convoy departs Wednesday - intelligence collection threatens humanitarian operations and refugee safety
FRONT • 150 minutes • Expert
NPCs
  • Operations Director Dr. Anna Volkov: Coordinating humanitarian aid with nation-state surveillance affecting refugee operations
  • Field Security Manager Captain David Shaw: Investigating targeting of humanitarian organizations and field worker safety
  • Refugee Services Coordinator Elena Marchenko: Reporting intelligence collection affecting vulnerable populations and aid delivery
  • International Relations Officer Ambassador Patricia Chen: Assessing diplomatic implications and international cooperation
SECRETS
  • Humanitarian workers received USB devices carrying a nation-state worm aimed at organizations supporting Ukrainian refugee assistance
  • Foreign intelligence is conducting systematic surveillance of humanitarian operations and international relief coordination
  • Refugee data and humanitarian logistics have been collected over months through targeted espionage

Planning Resources

Tip 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter International Aid Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter International Aid Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Opening Presentation

“It’s Monday morning at Global Relief Alliance, and the international aid organization is preparing an emergency humanitarian convoy scheduled to depart Wednesday for conflict zones where Ukrainian refugees desperately need assistance. But field security teams have discovered something alarming: USB malware specifically targeting organizations supporting Ukrainian refugee operations. This isn’t random malware - it’s a sophisticated nation-state surveillance worm propagating through removable media, systematically collecting intelligence on humanitarian logistics and international relief coordination during active conflict.”

Initial Symptoms to Present:

Warning 🚨 Initial User Reports
  • “USB drives we share during convoy planning now contain shortcut files and a hidden script nobody put there, and the same files turn up on every machine the drive is plugged into”
  • “Aid coordination documents are being opened and copied at times and from accounts that do not match our staff”
  • “Refugee case files and field logistics are showing access that no one on the team can explain”
  • “Outbound traffic from humanitarian workstations to unfamiliar external hosts looks like steady exfiltration rather than normal use”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state USB-propagating worm targeting humanitarian organizations
  • Aid coordination network analysis shows geopolitical targeting of Ukrainian refugee assistance and international relief
  • Intelligence timeline indicates months of undetected foreign surveillance of humanitarian operations

Protector System Analysis:

  • Humanitarian workstation monitoring reveals systematic intelligence collection through USB propagation targeting refugee data
  • Aid coordination system assessment shows unauthorized nation-state access to field logistics and vulnerable population information
  • International relief network security analysis indicates coordinated campaign targeting multiple humanitarian organizations during conflict

Tracker Network Investigation:

  • Command and control traffic analysis reveals nation-state espionage infrastructure targeting humanitarian operations
  • Geopolitical intelligence patterns suggest strategic coordination of refugee data theft supporting foreign conflict objectives
  • Humanitarian communication analysis indicates systematic nation-state targeting of Ukrainian relief operations and international coordination

Communicator Stakeholder Interviews:

  • Humanitarian staff interviews reveal suspicious USB behavior during emergency aid coordination and refugee assistance planning
  • International coordination regarding potential compromise of field logistics and vulnerable population safety
  • Intelligence community coordination with agencies regarding nation-state targeting of humanitarian organizations during conflict

Mid-Scenario Pressure Points:

  • Hour 1: United Nations agencies discover potential compromise of humanitarian convoy logistics affecting refugee safety and aid delivery
  • Hour 2: Intelligence assessment reveals evidence of nation-state targeting of Ukrainian refugee operations during active conflict
  • Hour 3: Refugee data and humanitarian logistics found on nation-state intelligence networks affecting vulnerable population protection
  • Hour 4: International relief assessment indicates potential compromise of multiple humanitarian organizations requiring coordinated response

Evolution Triggers:

  • If investigation reveals refugee data transfer, humanitarian protection obligations and international cooperation are compromised
  • If nation-state surveillance continues, adversaries maintain persistent access for long-term humanitarian intelligence collection during conflict
  • If aid logistics theft is confirmed, refugee safety and humanitarian operations are severely compromised affecting vulnerable populations

Resolution Pathways:

Technical Success Indicators:

  • Complete nation-state worm removal from humanitarian systems with preservation of intelligence evidence
  • Refugee data and aid coordination security verified preventing further unauthorized nation-state access during conflict
  • Foreign espionage infrastructure analysis provides intelligence on coordinated humanitarian targeting and geopolitical objectives

Business Success Indicators:

  • Emergency aid convoy protected through secure forensic handling and international intelligence cooperation
  • Humanitarian operations maintained through professional incident response demonstrating commitment to refugee protection
  • International cooperation obligations demonstrated preventing diplomatic complications and protecting vulnerable populations

Learning Success Indicators:

  • Team understands sophisticated nation-state espionage capabilities and humanitarian organization targeting through USB propagation during conflict
  • Participants recognize targeting of vulnerable populations and ethical implications of refugee data theft
  • Group demonstrates coordination between cybersecurity response and humanitarian protection requirements for aid organizations

Common IM Facilitation Challenges:

If Nation-State Sophistication Is Underestimated:

“Your USB malware removal is progressing, but Captain Shaw discovered that nation-state adversaries have been systematically collecting refugee data for months through geopolitical targeting. How does sophisticated foreign surveillance change your humanitarian protection approach during active conflict?”

If Humanitarian Implications Are Ignored:

“While you’re cleaning infected systems, Ambassador Chen needs to know: have refugee data and aid logistics been transferred to nation-state adversaries? How do you coordinate cybersecurity response with humanitarian protection obligations and international cooperation?”

If Vulnerable Population Impact Is Overlooked:

“Elena just learned that refugee information and field logistics may be in nation-state hands affecting vulnerable population safety. How do you assess the humanitarian impact of stolen aid coordination intelligence during conflict operations?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish nation-state humanitarian espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing targeting of humanitarian organizations and refugee protection implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of humanitarian organization espionage challenges. Use the full set of NPCs to create realistic aid convoy and refugee protection pressures. The two rounds allow discovery of refugee data theft and field logistics compromise, raising stakes. Debrief can explore balance between cybersecurity response and humanitarian ethics coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing emergency aid delivery, refugee data protection, international cooperation, and humanitarian ethics obligations. The three rounds allow for full narrative arc including nation-state discovery, vulnerable population impact assessment, and UN coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate humanitarian communications causing false positives). Make containment ambiguous, requiring players to justify protection decisions with incomplete intelligence about geopolitical targeting during active conflict. Remove access to reference materials to test knowledge recall of nation-state behavior and humanitarian security principles. Include deep coordination with UN agencies and Ukrainian refugee protection implications.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics identify a USB-propagating worm (Litter Drifter, a VBScript worm used in state-sponsored espionage against Ukraine-linked targets) on Global Relief Alliance workstations. It plants shortcut files and a hidden script on every removable drive inserted into an infected host, so it moves with the drives aid workers share, and it has been harvesting aid coordination documents. Field staff report the same files reappearing on USB drives used during emergency convoy planning.”

Clue 2 (Minute 10): “Timeline analysis shows the surveillance has run for months, seeded by USB devices distributed to humanitarian organizations supporting Ukrainian refugees. Command-and-control traffic analysis ties the infection to espionage infrastructure that is coordinating collection against several humanitarian targets at once. Aid coordination system logs show unauthorized reads of refugee data and field logistics.”

Clue 3 (Minute 15): “International intelligence partners confirm that refugee data and humanitarian logistics taken from Global Relief have surfaced on nation-state networks. UN coordination reveals that emergency convoy planning may be compromised, putting field workers and refugees at risk. The assessment describes a coordinated campaign against multiple humanitarian organizations that requires an immediate, internationally coordinated response.”


Pre-Defined Response Options

Option A: Emergency Aid Isolation & International Coordination

  • Action: Immediately isolate compromised humanitarian systems from USB propagation, coordinate comprehensive intelligence investigation with international agencies, conduct refugee data damage assessment, implement emergency security protocols for convoy protection and UN notification.
  • Pros: Removes the worm from managed humanitarian systems and stops further refugee intelligence theft through them; demonstrates responsible humanitarian security incident management; maintains international cooperation through transparent intelligence coordination.
  • Cons: Humanitarian system isolation disrupts emergency convoy coordination affecting refugee assistance and aid delivery; isolating hosts does not clean the removable media already in circulation, so every USB drive used in convoy planning must be collected and wiped or the worm re-enters the network; intelligence investigation requires extensive international coordination; damage assessment may reveal significant refugee data compromise affecting vulnerable population protection.
  • Type Effectiveness: Super effective against APT malmon type; complete nation-state worm removal prevents continued humanitarian surveillance and refugee intelligence theft through USB propagation during conflict.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve intelligence evidence while remediating confirmed compromised systems, conduct targeted refugee data damage assessment, coordinate selective international notification, implement enhanced monitoring while maintaining humanitarian operations.
  • Pros: Balances emergency convoy requirements with intelligence investigation; protects critical humanitarian operations; enables focused refugee protection response and aid coordination.
  • Cons: Risks continued nation-state surveillance in undetected USB propagation locations; selective remediation may miss coordinated targeting; forensic requirements may delay refugee data protection and convoy coordination.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate nation-state presence through USB propagation; delays complete humanitarian security restoration and vulnerable population protection.

Option C: Humanitarian Continuity & Phased Security Response

  • Action: Implement emergency secure convoy coordination environment isolated from USB threats, phase nation-state worm removal by aid priority, establish enhanced humanitarian monitoring, coordinate gradual international notification while maintaining refugee operations.
  • Pros: Maintains critical emergency convoy timeline protecting refugee assistance and vulnerable population safety; enables continued humanitarian operations during conflict; supports controlled international coordination.
  • Cons: Phased approach extends nation-state surveillance timeline through continued USB propagation; emergency operations may not prevent continued refugee intelligence theft; gradual notification delays may violate international cooperation requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes humanitarian operations over complete nation-state elimination through USB propagation; doesn’t guarantee refugee data protection or vulnerable population safety.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Nation-State Discovery & Humanitarian Impact Assessment (35-40 min)

Investigation Clues (Time-Stamped)

Minute 0-5 (Opening):

  • Security alert: USB devices showing automated propagation behavior targeting humanitarian organization systems supporting Ukrainian refugees
  • Aid coordination documents accessed through unauthorized means during emergency convoy preparations
  • Network traffic patterns indicating potential data exfiltration to foreign command infrastructure during conflict

Minute 10 (Detective Path):

  • Digital forensics identify sophisticated USB-propagating worm (Litter Drifter) with nation-state tradecraft targeting humanitarian operations
  • Malware designed specifically to target organizations supporting Ukrainian refugee assistance during active conflict
  • Timeline analysis reveals potential months of undetected presence during humanitarian crisis response

Minute 15 (Protector Path):

  • Humanitarian workstation monitoring reveals systematic file access patterns targeting refugee data and aid logistics
  • Aid coordination system logs show unauthorized data collection from humanitarian operations servers
  • USB propagation patterns indicate coordinated campaign affecting multiple humanitarian organizations

Minute 20 (Tracker Path):

  • Command and control infrastructure analysis reveals nation-state espionage network with conflict zone objectives
  • Exfiltration patterns suggest intelligence collection focused on Ukrainian refugee operations and international relief coordination
  • Network traffic correlates with known foreign intelligence operations targeting humanitarian organizations

Minute 25 (Communicator Path):

  • Refugee Services Coordinator Elena Marchenko reports suspicious USB behavior during convoy planning over past 3 months
  • Field Security Manager Captain Shaw identifies potential foreign intelligence collection affecting vulnerable populations
  • Director Dr. Volkov expresses urgent concern about convoy schedule and UN notification requirements

Response Options (With Detailed Trade-offs)

Option A: Emergency Aid Isolation & Full International Coordination

  • Immediate Actions: Isolate all compromised humanitarian systems, initiate comprehensive intelligence investigation with UN agencies, conduct refugee data damage assessment
  • Timeline Impact: Emergency convoy delayed 2-3 weeks for complete forensic analysis and security verification
  • Stakeholder Reactions:
    • Dr. Volkov: Concerned about convoy timeline but supports humanitarian protection priority and international transparency
    • Captain Shaw: Strongly supports comprehensive intelligence investigation and field security coordination
    • Ambassador Chen: Emphasizes complete evidence preservation for international cooperation and vulnerable population protection
  • Type Effectiveness: SUPER EFFECTIVE - Complete APT removal prevents continued nation-state surveillance and refugee intelligence theft

Option B: Forensic Preservation & Targeted Remediation

  • Immediate Actions: Preserve intelligence evidence, remediate confirmed compromised systems, conduct targeted refugee data damage assessment
  • Timeline Impact: Partial convoy delay (5-7 days) while maintaining critical humanitarian operations
  • Stakeholder Reactions:
    • Dr. Volkov: Appreciates balance between convoy requirements and security response
    • Elena Marchenko: Can continue critical aid work with enhanced monitoring
    • Ambassador Chen: Concerned about potential nation-state surveillance in undetected locations
  • Type Effectiveness: MODERATELY EFFECTIVE - Reduces nation-state presence but may not achieve complete elimination

Option C: Humanitarian Continuity & Phased Security Response

  • Immediate Actions: Implement emergency secure convoy environment, phase worm removal by aid priority, establish enhanced monitoring
  • Timeline Impact: Minimal convoy delay (1-2 days) with ongoing security remediation during humanitarian operations
  • Stakeholder Reactions:
    • Dr. Volkov: Strongly supports maintaining convoy schedule and refugee assistance timeline
    • Captain Shaw: Serious concerns about inadequate intelligence response and vulnerable population protection
    • Ambassador Chen: Warns that phased approach may violate international cooperation requirements
  • Type Effectiveness: PARTIALLY EFFECTIVE - Prioritizes humanitarian operations over complete nation-state elimination

Round 1 Pressure Events

Minute 15: UN agencies request status update on convoy security and refugee data protection

Minute 25: International intelligence community initiates inquiry about potential humanitarian data compromise affecting field operations

Minute 30: Dr. Volkov receives call from donor agencies - convoy has critical importance for refugee safety and vulnerable population assistance

Round 1 Facilitation Questions

  • “How do you balance emergency convoy urgency against comprehensive intelligence investigation requirements during conflict?”
  • “What refugee data exposure assessment is needed before international notification?”
  • “How does nation-state targeting of Ukrainian refugee operations affect your humanitarian response strategy?”
  • “What international cooperation obligations apply to this foreign intelligence collection incident affecting vulnerable populations?”

Round 1 Transition to Round 2

Based on team’s chosen response path…

If Emergency Isolation Chosen: “Your emergency aid isolation has halted nation-state surveillance, but forensic analysis is revealing the extent of refugee data exposure. International intelligence investigation has discovered something alarming about the scope of humanitarian logistics theft and vulnerable population targeting…”

If Targeted Remediation Chosen: “Your forensic preservation is protecting critical evidence, but continued monitoring is detecting ongoing nation-state activity in unexpected humanitarian locations. Ambassador Chen has discovered intelligence indicating systematic targeting of multiple aid organizations during conflict…”

If Humanitarian Continuity Chosen: “Your secure convoy environment is maintaining assistance schedule, but Captain Shaw has identified serious field security concerns. International intelligence is revealing that refugee data may already be in nation-state hands…”


Round 2: Vulnerable Population Impact & UN Coordination (35-45 min)

Investigation Clues (Time-Stamped)

Minute 40 (Critical Discovery):

  • Intelligence investigation reveals refugee data and aid logistics found on nation-state intelligence networks
  • Forensic timeline indicates systematic humanitarian operations surveillance over 6-month period through USB propagation
  • UN assessment shows potential compromise of emergency convoy planning affecting vulnerable population safety

Minute 50 (Escalation):

  • International intelligence confirms multiple humanitarian organizations experiencing similar nation-state targeting during conflict
  • Refugee data damage assessment reveals vulnerable population information and field logistics transferred to foreign intelligence
  • Field security concerns about aid operations in adversary hands during humanitarian crisis

Minute 55 (Stakeholder Pressure):

  • Dr. Volkov faces UN inquiry about convoy timeline and refugee data protection
  • Captain Shaw must coordinate international reporting under humanitarian security requirements
  • Elena Marchenko reports aid staff morale concerns and field worker safety implications

Minute 65 (Final Pressure):

  • UN coordination office considering whether convoy can proceed given nation-state compromise
  • Intelligence services require comprehensive incident report and remediation verification
  • International agencies assess humanitarian implications of refugee data in adversary hands during conflict

Response Options for Final Resolution

Option A: Complete Nation-State Elimination & International Security Demonstration

  • Actions: Full humanitarian system rebuild with international intelligence verification, comprehensive refugee data damage assessment, transparent UN coordination
  • Business Impact: Significant convoy delay (3-4 weeks) but maintains long-term international relationships and humanitarian credibility
  • Humanitarian Impact: Demonstrates responsible aid organization incident management and vulnerable population protection
  • Learning Focus: Understanding nation-state sophistication and humanitarian obligations to refugee safety and international trust

Option B: Verified Remediation & Accelerated Convoy Recovery

  • Actions: Complete confirmed worm removal with international intelligence oversight, targeted refugee data security verification, expedited UN notification
  • Business Impact: Moderate convoy delay (1-2 weeks) with intensive coordination to resume humanitarian operations
  • Humanitarian Impact: Balances convoy requirements with intelligence investigation needs and vulnerable population safety
  • Learning Focus: Navigating international cooperation while maintaining critical refugee assistance capabilities

Option C: Risk Acceptance & Enhanced Monitoring Approach

  • Actions: Document residual nation-state risk, implement enhanced humanitarian monitoring, maintain convoy schedule with security caveats
  • Business Impact: Minimal convoy delay but potential long-term field security concerns and vulnerable population risks
  • Humanitarian Impact: May violate international cooperation requirements and affect refugee protection during conflict
  • Learning Focus: Understanding consequences of inadequate response to nation-state targeting of humanitarian operations

Victory Conditions

Technical Victory:

  • Complete nation-state worm removal from humanitarian systems with preservation of intelligence evidence
  • Refugee data and aid coordination security verified preventing further unauthorized nation-state access
  • Foreign espionage infrastructure analyzed providing intelligence on humanitarian targeting and vulnerable population exploitation

Business Victory:

  • Emergency convoy coordination protected through secure forensic handling and international intelligence cooperation
  • Humanitarian operations maintained through professional incident response and international trust demonstration
  • Field security obligations demonstrated preventing vulnerable population compromise and donor relationship damage

Learning Victory:

  • Team understands sophisticated nation-state espionage capabilities and humanitarian organization targeting during conflict
  • Participants recognize targeting of vulnerable populations and ethical implications of refugee data theft
  • Group demonstrates coordination between cybersecurity response and humanitarian protection requirements

Debrief Topics (15-20 min)

  1. Nation-State Sophistication: How did Litter Drifter’s USB propagation enable months of undetected humanitarian surveillance during refugee crisis?

  2. Humanitarian Targeting: Why do nation-state adversaries target organizations supporting Ukrainian refugees during active conflict?

  3. International Cooperation Obligations: What UN coordination and intelligence cooperation requirements apply to refugee data compromise?

  4. Ethical Impact Balance: How do you weigh emergency convoy urgency against comprehensive security investigation when vulnerable populations are at risk?

  5. Long-term Implications: What field security and humanitarian consequences result from refugee intelligence in adversary hands during conflict?


Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Nation-State Detection (30-35 min)

Open Investigation Framework

Detective Investigation Options:

  • Analyze USB device forensics for nation-state malware indicators and humanitarian organization targeting mechanisms
  • Investigate aid coordination network logs for unauthorized refugee data access patterns during conflict
  • Research Litter Drifter attribution and known humanitarian organization targeting campaigns
  • Examine digital forensics for foreign intelligence collection and vulnerable population data exfiltration methods
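A triage check for the USB forensics option above, written for this page as an added example rather than anything from the scenario materials or the Litter Drifter research it draws on. It assumes the suspect drive (or a forensic copy of it) is mounted read-only at `root`, and it relies on the documented Litter Drifter propagation pattern: shortcut (LNK) files placed on removable media that launch `wscript.exe` against a hidden `.vbs`. The function names `triage_removable_media` and `build_sample_drive` are mine, and the sample drive contents are constructed placeholders that contain no malware.

```python
"""Triage a mounted removable drive for the LNK-launches-script-host pattern
used by USB-propagating VBScript worms. Added example for this scenario page;
assumes the drive or its forensic copy is mounted read-only at `root`."""
import os
import tempfile
from pathlib import Path

SCRIPT_HOSTS = (b"wscript.exe", b"cscript.exe")
LNK_HEADER = b"\x4c\x00\x00\x00"  # HeaderSize field (0x4C) that opens every Shell Link file
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}  # script files that should not live on aid USB drives


def lnk_references_script_host(data: bytes) -> bool:
    """True if the LNK's embedded target or arguments mention a Windows script host.
    LNK string fields are usually UTF-16LE, so both byte encodings are checked."""
    low = data.lower()  # bytes.lower() only touches ASCII letters, NUL bytes are untouched
    for host in SCRIPT_HOSTS:
        if host in low or host.decode("ascii").encode("utf-16-le") in low:
            return True
    return False


def triage_removable_media(root: str) -> dict:
    """Walk a mounted removable drive and report shortcut files that launch a
    script host plus any loose script files, both hallmarks of a USB worm."""
    root_path = Path(root)
    findings = {"lnk_total": 0, "suspicious_lnk": [], "script_files": []}
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root_path))
            ext = p.suffix.lower()
            if ext == ".lnk":
                findings["lnk_total"] += 1
                data = p.read_bytes()
                if data.startswith(LNK_HEADER) and lnk_references_script_host(data):
                    findings["suspicious_lnk"].append(rel)
            elif ext in SCRIPT_EXTS:
                findings["script_files"].append(rel)
    findings["suspicious_lnk"].sort()
    findings["script_files"].sort()
    return findings


def build_sample_drive() -> str:
    """Constructed sample USB root for a dry run: one benign document shortcut,
    one shortcut that invokes wscript.exe on a hidden script, and the script
    itself as an empty placeholder. None of this is real malware."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    benign = LNK_HEADER + b"\x00" * 20 + "C:\\Users\\aid\\convoy_plan.docx".encode("utf-16-le")
    worm_lnk = LNK_HEADER + b"\x00" * 20 + (
        "C:\\Windows\\System32\\wscript.exe /e:vbscript .\\hidden.vbs".encode("utf-16-le")
    )
    (Path(root) / "convoy_plan.lnk").write_bytes(benign)
    (Path(root) / "Refugee_list.lnk").write_bytes(worm_lnk)
    (Path(root) / "hidden.vbs").write_text("' constructed placeholder, not malware\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for key, value in triage_removable_media(drive).items():
        print(f"{key}: {value}")
```

Run it against a real mounted drive by passing the mount point to `triage_removable_media`; any hit in `suspicious_lnk` is a reason to image the drive and pull it from circulation rather than to clean it in place, since the LNK files are the propagation mechanism and the drive has likely touched other hosts.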

Protector System Analysis Options:

  • Assess humanitarian workstation security for systematic refugee data theft indicators
  • Evaluate aid coordination system integrity and field logistics protection during crisis response
  • Monitor USB propagation patterns affecting multiple humanitarian organization workstations
  • Review field security controls for nation-state persistence mechanisms

Tracker Network Investigation Options:

  • Trace command and control infrastructure for nation-state espionage network identification targeting aid operations
  • Analyze exfiltration patterns for refugee data and Ukrainian assistance targeting
  • Investigate network traffic for conflict zone intelligence collection coordination
  • Map foreign intelligence infrastructure connections to known adversary humanitarian targeting operations

Communicator Stakeholder Interviews:

  • Interview aid workers about suspicious USB behavior during convoy planning and refugee assistance
  • Coordinate with Dr. Volkov on emergency convoy priorities and UN expectations
  • Consult with Captain Shaw on field security requirements and vulnerable population implications
  • Engage Ambassador Chen on international cooperation protocols and humanitarian intelligence coordination

NPC Interactions (Realistic Conflicts)

Dr. Anna Volkov (Operations Director):

  • Priority: Maintain emergency convoy schedule - refugee safety depends on Wednesday departure
  • Concern: UN inquiry about security posture and refugee data protection during conflict
  • Conflict: Pushes for humanitarian continuity approach to avoid convoy delays affecting vulnerable populations
  • Information: Convoy represents critical humanitarian response for Ukrainian refugees in desperate need

Captain David Shaw (Field Security Manager):

  • Priority: Field worker safety and vulnerable population protection requirements for refugee data compromise
  • Concern: Aid organization security implications and international trust during intelligence investigation
  • Conflict: Demands comprehensive international investigation regardless of convoy timeline impact
  • Information: Intelligence agencies have specific protocols for foreign espionage incidents affecting humanitarian operations

Elena Marchenko (Refugee Services Coordinator):

  • Priority: Humanitarian staff safety and refugee assistance work continuity during conflict
  • Concern: USB security practices and potential exposure of vulnerable population data
  • Conflict: Caught between convoy pressure and field security review concerns
  • Information: Staff have been using USB devices for refugee data sharing for months - standard aid practice

Ambassador Patricia Chen (International Relations Officer):

  • Priority: Evidence preservation for international intelligence investigation and humanitarian protection
  • Concern: Diplomatic implications of Ukrainian refugee operation targeting and UN coordination compromise
  • Conflict: International investigation requirements may conflict with humanitarian continuity needs
  • Information: Intelligence indicates coordinated nation-state campaign targeting multiple aid organizations during conflict

Round 1 Pressure Events

Minute 10: Security alert - additional humanitarian workstations showing USB propagation indicators during forensic investigation

Minute 20: UN coordination office requests immediate status report on convoy security and refugee data protection

Minute 25: International intelligence notification requirement triggers - humanitarian reporting deadline in 24 hours for vulnerable population compromise

Round 1 Facilitation Questions

  • “What forensic evidence do you need before determining the scope of nation-state surveillance of refugee operations?”
  • “How do you assess whether vulnerable population data has been exfiltrated to foreign intelligence?”
  • “What immediate containment actions balance emergency convoy urgency with intelligence preservation?”
  • “How do you coordinate with multiple stakeholders who have conflicting but legitimate humanitarian priorities?”

Round 2: Refugee Data Compromise Assessment (40-50 min)

Open Investigation Continuation

Detective Deep Dive:

  • Build a comprehensive forensic timeline of nation-state surveillance and refugee data access during conflict
  • Analyze foreign intelligence collection targeting Ukrainian refugee operations and humanitarian coordination
  • Investigate vulnerable population data exposed through systematic espionage during crisis
  • Examine USB propagation vectors and nation-state persistence across humanitarian organizations

Protector Impact Analysis:

  • Assess humanitarian system compromise extent affecting refugee assistance capabilities and field logistics
  • Evaluate the field security control failures that enabled months of undetected surveillance during conflict
  • Review USB device management practices and aid coordination network segmentation
  • Analyze the safety impact on vulnerable populations of refugee data in adversary hands

Tracker Intelligence Correlation:

  • Map nation-state command infrastructure to known foreign intelligence operations targeting aid organizations
  • Correlate exfiltration timing with conflict events and Ukrainian refugee crisis escalation
  • Investigate multi-target humanitarian organization patterns indicating coordinated campaign
  • Analyze threat intelligence for Litter Drifter attribution and humanitarian targeting objectives

Communicator Crisis Management:

  • Coordinate UN notification and emergency convoy implications
  • Manage international intelligence reporting and humanitarian investigation cooperation
  • Address aid staff field security concerns and morale during investigation
  • Facilitate international agency coordination for vulnerable population assessment

NPC Evolution (Escalating Conflicts)

Dr. Volkov (Under UN Pressure):

  • New Development: UN coordination officer questions whether convoy can proceed given nation-state compromise
  • Escalated Concern: Refugee assistance at risk - vulnerable population safety depends on convoy success
  • Increased Conflict: Demands clear timeline for security verification to salvage Wednesday convoy or minimize delay
  • Critical Information: International donors considering alternative aid organizations if Global Relief cannot ensure secure operations

Captain Shaw (Field Security Crisis):

  • New Development: Intelligence services initiate formal refugee data compromise investigation
  • Escalated Concern: Field worker safety at stake with vulnerable population data in adversary hands
  • Increased Conflict: International reporting requires disclosure of full refugee data exposure
  • Critical Information: Similar incidents at other aid organizations resulted in field operation suspensions and trust damage

Elena Marchenko (Aid Staff Under Pressure):

  • New Development: Staff facing questions about USB device usage and refugee data handling during conflict
  • Escalated Concern: Team morale collapsing - fear for field worker safety and of career damage is affecting productivity
  • Increased Conflict: Defensive about standard humanitarian practices - “this is how aid work happens” mentality
  • Critical Information: Multiple staff received suspicious USB devices from “trusted” humanitarian contacts

Ambassador Chen (Geopolitical Intelligence):

  • New Development: Intelligence confirms refugee data and aid logistics found on nation-state networks
  • Escalated Concern: Ukrainian refugee operations systematically targeted - diplomatic implications for humanitarian partnerships
  • Increased Conflict: International investigation taking priority over humanitarian continuity - evidence preservation critical
  • Critical Information: Nation-state adversaries now have intelligence on vulnerable population locations and humanitarian operations

Round 2 Pressure Events

Minute 45: Intelligence investigation discovers refugee data on foreign intelligence networks - confirmed vulnerable population information transfer

Minute 55: UN security officials arrive for humanitarian damage assessment and field security posture review

Minute 65: International assessment indicates potential compromise of multiple Ukrainian refugee operations across aid sector

Minute 70: Media reports about nation-state targeting of humanitarian organizations - public relations concerns about Global Relief security practices

Round 2 Facilitation Questions

  • “Now that refugee data is confirmed in adversary hands, how does this change your humanitarian response strategy?”
  • “What field security implications exist for vulnerable populations compromised by nation-state espionage during conflict?”
  • “How do you balance aid staff morale and field worker safety concerns with comprehensive intelligence investigation?”
  • “What long-term international relationship implications result from inadequate response to nation-state targeting of humanitarian operations?”

Round 3: Strategic Resolution & UN Coordination (40-50 min)

Final Investigation & Resolution

Detective Final Analysis:

  • Complete nation-state attribution and humanitarian organization targeting pattern analysis
  • Document comprehensive forensic evidence for intelligence investigation and vulnerable population assessment
  • Assess long-term field security implications of refugee data in foreign hands during conflict
  • Develop lessons learned for humanitarian USB security and aid coordination network protection

Protector Security Restoration:

  • Implement complete nation-state worm removal with international intelligence verification
  • Rebuild humanitarian environment with enhanced field security controls
  • Establish ongoing monitoring for nation-state persistence and USB propagation
  • Verify refugee data security for potential emergency convoy resumption

Tracker Threat Intelligence:

  • Provide comprehensive foreign intelligence infrastructure analysis to international agencies
  • Document conflict zone targeting patterns affecting Ukrainian refugee operations
  • Support attribution assessment for diplomatic and humanitarian response coordination
  • Share aid sector threat intelligence with UN partners

Communicator Strategic Coordination:

  • Finalize UN notification and emergency convoy status resolution
  • Complete international intelligence reporting and humanitarian investigation cooperation
  • Address field security implications and aid staff recovery planning
  • Coordinate public relations response to media coverage of nation-state targeting

Final NPC Resolutions

Dr. Volkov (Strategic Decision):

Requires team to present recommendation on emergency convoy status:

  • Can convoy coordination proceed with security verification?
  • What timeline is realistic for secure refugee data restoration?
  • How does Global Relief demonstrate ongoing security commitment to UN partners?
  • What humanitarian impact results from nation-state compromise affecting vulnerable populations?

Captain Shaw (Security Verification):

Demands comprehensive incident resolution documentation:

  • Complete refugee data exposure assessment for international reporting
  • Field worker safety status and plan for restoring protection of vulnerable populations
  • Field security controls improvement plan for ongoing humanitarian operations
  • Intelligence investigation cooperation and evidence delivery to international agencies

Elena Marchenko (Team Recovery):

Seeks clarity on aid staff future:

  • What field security implications exist for staff who used compromised USB devices?
  • How does Global Relief support team recovery from investigation stress during conflict?
  • What new refugee data handling procedures prevent future nation-state targeting?
  • Can aid staff credibility be restored with UN and international partners?

Ambassador Chen (Humanitarian Assessment):

Provides final international intelligence context:

  • Nation-state campaign confirmed targeting 10+ humanitarian organizations supporting Ukrainian refugees
  • Refugee data compromise provides adversaries intelligence on vulnerable population locations during conflict
  • Humanitarian response requires coordination between aid sector, intelligence community, and UN agencies
  • Global Relief response quality affects broader humanitarian sector security posture and international partnerships

Round 3 Pressure Events

Minute 85: UN makes final decision on convoy coordination - requires team recommendation with security justification

Minute 95: Intelligence services complete assessment - field security and vulnerable population safety depend on incident response quality

Minute 105: International agencies coordinate with Ukrainian refugee partners - humanitarian implications of data compromise

Minute 110: Aid sector briefing scheduled - Global Relief experience becomes case study for nation-state threat awareness during conflict

Victory Condition Assessment

Technical Victory Indicators:

Business Victory Indicators:

Learning Victory Indicators:

Debrief Topics (20-25 min)

  1. Nation-State APT Sophistication:
    • How did Litter Drifter’s USB propagation enable months of undetected humanitarian surveillance during refugee crisis?
    • What aid organization targeting patterns indicate coordinated nation-state campaign?
    • Why is attribution important for humanitarian and diplomatic response?
  2. Humanitarian Organization Security Obligations:
    • What international intelligence coordination and UN cooperation requirements apply?
    • How do field security processes protect vulnerable population data?
    • What intelligence agency oversight ensures humanitarian security during conflict?
  3. Ethical Context:
    • Why do nation-state adversaries target Ukrainian refugee operations and humanitarian assistance?
    • What strategic advantage do adversaries gain from refugee data compromise during conflict?
    • How do hybrid warfare operations integrate cyber espionage targeting vulnerable populations?
  4. Humanitarian-Security Balance:
    • How do you weigh emergency convoy urgency against comprehensive security investigation?
    • What long-term international relationship implications result from incident response quality?
    • When is it appropriate to accept convoy delays for vulnerable population protection?
  5. USB Security in Humanitarian Environments:
    • What makes USB devices particularly dangerous in aid organization settings during conflict?
    • How should refugee data systems handle removable media given espionage risks?
    • What technical controls and user training prevent nation-state USB propagation?
  6. Lessons for Real-World IR:
    • How do nation-state incidents differ from criminal malware in humanitarian investigation requirements?
    • What makes aid organization incidents unique compared to commercial or government sectors?
    • When should cybersecurity teams escalate to intelligence agencies and UN coordination?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Remove Reference Materials:

  • No access to Malmon compendium for Litter Drifter technical details
  • Must recall nation-state behavior patterns and humanitarian targeting from training
  • Test knowledge of UN coordination and international cooperation protocols during conflict
  • Challenge players to remember USB propagation mechanisms and APT persistence techniques

Add Red Herrings:

  • Legitimate humanitarian aid work causing false positive USB activity alerts
  • Routine refugee data transfers appearing as suspicious exfiltration in convoy coordination logs
  • Authorized UN security audit traffic resembling nation-state command and control
  • Standard international partner coordination emails flagged as potential intelligence collection

Ambiguous Containment Scenarios:

  • Forensic evidence suggests possible nation-state removal but residual indicators persist
  • Conflicting intelligence about whether refugee data was fully exfiltrated
  • Uncertain timeline of initial compromise during conflict - may predate current logging
  • Multiple potential nation-state adversaries with similar targeting - attribution uncertain

Incomplete Information Challenges:

  • Humanitarian system logs missing critical periods due to field operation constraints
  • Some aid worker systems lack adequate monitoring - compromise scope uncertain during conflict
  • Intelligence investigation ongoing - vulnerable population impact intelligence not yet available
  • UN security assessment delayed - must make critical decisions without full humanitarian impact analysis

Deep Coordination Requirements:

  • Must justify all intelligence decisions with incomplete refugee data exposure information
  • Navigate conflicting stakeholder priorities without clear UN guidance
  • Coordinate with international intelligence while evidence collection continues
  • Balance humanitarian reporting requirements with ongoing forensic investigation needs

Advanced Challenge Scenario Variants

Variant A: Multi-Actor Attribution Challenge

  • Evidence suggests both Russian and other nation-state activity in humanitarian environment
  • Must distinguish between Litter Drifter (Russian) and other APT operations
  • Humanitarian response depends on accurate attribution - diplomatic implications significant
  • Some USB devices may be from hostile actors testing aid organization security during conflict

Variant B: Field Coordination Compromise Complexity

  • USB devices traced to “trusted” UN partner communications - potential coordination compromise
  • Must assess whether compromise affects multiple aid organizations beyond Global Relief
  • International partners considering alternative coordination - decision depends on investigation findings
  • Humanitarian sector coordination required for global threat mitigation during conflict

Variant C: Insider Threat Dimension

  • Some aid staff have connections to conflict zone - background investigation concerns
  • Intelligence cannot rule out insider facilitation of nation-state access
  • Field worker trust adjudication depends on incident response team’s assessment
  • Must balance investigation of potential insider threats with humanitarian team morale

Variant D: Active Field Operations

  • Refugee data already being used in ongoing humanitarian coordination - operational security critical
  • Compromise may affect active field operations - urgent vulnerable population assessment required
  • UN partners considering emergency coordination changes - humanitarian implications during conflict
  • Field commanders demand immediate clarity on refugee data compromise scope

Advanced NPC Complications

Dr. Volkov (Competing Pressures):

  • Receiving conflicting guidance from UN coordination and donor agencies
  • Personal reputation at stake - career humanitarian project now under intelligence investigation
  • Professional legacy affected by incident resolution - credibility concerns in aid sector
  • May pressure team for conclusions that support humanitarian continuity over security thoroughness

Captain Shaw (Field Security Stress):

  • Under intense UN security scrutiny - Global Relief security posture under international review
  • Responsible for the security posture that allowed months of undetected nation-state surveillance
  • Career implications if organization loses UN credibility or field operation authorization due to incident
  • May become overly risk-averse and demand excessive security measures disrupting humanitarian operations

Elena Marchenko (Under Investigation):

  • Personal humanitarian role questioned pending intelligence investigation completion
  • Defensive about aid practices - fears career damage and field worker safety concerns
  • May withhold information about USB usage that could compromise colleagues
  • Potential insider threat concern adds complexity to stakeholder coordination

Ambassador Chen (Conflicting Missions):

  • Intelligence investigation priorities may conflict with team’s incident response needs
  • Cannot share all classified intelligence about conflict zone context and nation-state operations
  • Pressure from multiple international agencies with different investigation objectives and timelines
  • May request team actions that serve intelligence collection but complicate humanitarian resolution

Advanced Pressure Events

Minute 25: Forensic analysis reveals possible second nation-state actor - attribution becomes complex

Minute 50: Aid staff representatives demand evidence supporting insider threat suspicions before any staff are questioned

Minute 75: Leaked information about vulnerable population targeting reaches the media - public pressure for rapid resolution

Minute 100: UN partners request intelligence sharing about refugee data compromise affecting field operations

Minute 125: Intelligence service preliminary findings question Global Relief field authorization eligibility

Minute 140: Investigation discovers refugee data on dark web - wider exposure than expected during conflict

Advanced Facilitation Challenges

If Team Oversimplifies Attribution:

“Ambassador Chen shows you traffic analysis suggesting multiple nation-state actors with different objectives. How do you distinguish between Russian Litter Drifter operations and other APT activity when humanitarian response depends on accurate attribution?”

If Team Ignores Insider Threat Indicators:

“Captain Shaw must report to UN security about aid staff with conflict zone connections who had access to compromised systems. How do you investigate potential insider facilitation without destroying team morale or assuming guilt?”

If Team Rushes to Conclusions:

“Dr. Volkov is pushing for quick resolution to salvage convoy timeline, but forensic evidence remains incomplete with critical log gaps. How do you justify intelligence decisions when refugee data compromise scope is uncertain?”

If Team Neglects Humanitarian Context:

“UN coordination office is requesting intelligence about what vulnerable population data has been compromised, but investigation hasn’t completed attribution. How does your incident response affect refugee safety and international partnerships during conflict?”

Advanced Debrief Topics (30-35 min)

  1. Attribution Complexity in Nation-State Incidents:
    • How do you distinguish between multiple APT actors with similar techniques during humanitarian crisis?
    • Why is attribution critical for humanitarian, diplomatic, and aid sector response?
    • What forensic evidence supports or contradicts attribution conclusions?
    • When is “we’re not sure” an acceptable answer vs. avoiding responsibility?
  2. Insider Threat in Humanitarian Environments:
    • How do you investigate potential insider involvement without assuming guilt during conflict?
    • What intelligence indicators suggest deliberate facilitation vs. exploitation?
    • How do field security processes balance security concerns with humanitarian mission?
    • What organizational culture factors enable or prevent insider threats in aid work?
  3. Decision-Making Under Uncertainty:
    • How do you make critical security decisions with incomplete forensic evidence during crisis?
    • What level of confidence is required before UN notification or international reporting?
    • How do you communicate uncertainty to stakeholders demanding definitive answers?
    • When should investigation continue vs. implementing response with imperfect information?
  4. Humanitarian Sector Interdependencies:
    • How do individual organization incidents affect sector-wide security posture during conflict?
    • What information sharing obligations exist between aid organizations for threat intelligence?
    • How do field coordination compromises complicate attribution and remediation?
    • What role does UN coordination play in orchestrating humanitarian response?
  5. Balancing Speed vs. Thoroughness:
    • When is rapid incident resolution appropriate vs. comprehensive investigation during humanitarian crisis?
    • How do refugee assistance pressures affect incident response quality and long-term security?
    • What are the consequences of premature “all clear” declarations in APT incidents affecting vulnerable populations?
    • How do you manage stakeholder expectations when thoroughness requires time?
  6. Real-World Nation-State Response Lessons:
    • What actual humanitarian organization nation-state incidents inform this scenario?
    • How have real incidents balanced field operational needs with security response?
    • What aid sector changes resulted from high-profile nation-state compromises?
    • How do humanitarian environments create unique challenges compared to other sectors?