Litter Drifter Scenario: International Aid Organization

Global Relief Alliance: International NGO, 240 staff, coordinating humanitarian operations
APT • LitterDrifter
STAKES
Humanitarian operations + Refugee data + International coordination + Field safety
HOOK
Global Relief is coordinating emergency humanitarian assistance in conflict zones when aid workers discover USB malware targeting organizations supporting Ukrainian refugee operations. A nation-state surveillance worm is collecting intelligence on humanitarian logistics and international relief coordination during an active conflict.
PRESSURE
Emergency aid convoy departs Wednesday - intelligence collection threatens humanitarian operations and refugee safety
FRONT • 150 minutes • Expert
NPCs
  • Operations Director Dr. Anna Volkov: Coordinating humanitarian aid with nation-state surveillance affecting refugee operations
  • Field Security Manager Captain David Shaw: Investigating targeting of humanitarian organizations and field worker safety
  • Refugee Services Coordinator Elena Marchenko: Reporting intelligence collection affecting vulnerable populations and aid delivery
  • International Relations Officer Ambassador Patricia Chen: Assessing diplomatic implications and international cooperation
SECRETS
  • Humanitarian workers received USB devices containing nation-state worm targeting Ukrainian refugee assistance
  • Foreign intelligence has systematic surveillance of humanitarian operations and international relief coordination
  • Refugee data and humanitarian logistics have been systematically collected through targeted espionage operations

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter International Aid Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter International Aid Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Global Relief Alliance: Humanitarian NGO Facing Intelligence Collection During Crisis Response

Organization Profile

  • Type: International humanitarian aid organization coordinating emergency relief operations, refugee assistance programs, and development initiatives across conflict zones and disaster-affected regions worldwide
  • Size: 240 staff (120 field operations personnel deployed across 15 countries, 60 program coordination and logistics, 35 donor relations and fundraising, 25 headquarters administration and IT support), registered nonprofit with $85M annual budget from government donors, multilateral agencies, and private foundations
  • Operations: Emergency humanitarian response and aid distribution, refugee camp management and protection services, coordination with UN agencies and international relief partners, secure communications for field staff in conflict zones, donor reporting and compliance documentation, humanitarian supply chain logistics across contested borders
  • Critical Services: Field communications systems (satellite phones, encrypted messaging for staff safety), refugee database management (biometric registration, protection case files, family reunification tracking), humanitarian logistics platforms (supply convoy routing, warehouse inventory, customs coordination), donor reporting systems (grant management, financial compliance, impact measurement), international coordination tools (UN cluster system participation, NGO consortium collaboration)
  • Technology: Laptop computers for field staff with offline database capabilities, USB drives for data transfer in low-connectivity environments, satellite internet terminals for remote locations, mobile devices for refugee registration and biometric collection, encrypted email for sensitive protection cases and international coordination

Global Relief Alliance is an established international humanitarian organization with a strong reputation for effective emergency response and refugee protection in complex operating environments. The organization works in politically sensitive contexts where field operations require coordination with multiple governments, UN agencies, military forces, and local partners while maintaining humanitarian neutrality and protecting beneficiary confidentiality. Current status: final days before the Wednesday aid convoy deployment, a critical humanitarian operation delivering winter supplies to Ukrainian refugee camps serving 45,000 displaced persons across three countries (Poland, Moldova, Romania). The convoy is coordinated with UNHCR and European Commission humanitarian funding, represents the organization’s largest single refugee response, and demonstrates its capacity for complex cross-border humanitarian logistics in an active conflict zone.

Key Assets & Impact

What’s At Risk:

  • Refugee Protection Data & Beneficiary Safety: 9 months of Ukrainian refugee assistance producing comprehensive protection databases—biometric registration of 45,000 displaced persons including children separated from families, protection case files documenting vulnerable individuals at risk of trafficking or exploitation, family reunification tracking containing contact information and movement patterns, and medical records identifying refugees with urgent healthcare needs. LitterDrifter USB worm providing adversary surveillance of humanitarian databases threatens not just Wednesday convoy but fundamental protection mandate where stolen refugee data enables hostile intelligence services to identify specific individuals for targeting (Ukrainian refugees with military family connections become intelligence collection targets, activists and journalists among displaced populations face retaliation risk, vulnerable women and children in protection databases become human trafficking targets), compromised family reunification data reveals refugee movement patterns exposing humanitarian networks adversaries seek to disrupt, and beneficiary registration information circulating among intelligence agencies destroys refugee trust in humanitarian confidentiality fundamental to protection work. Discovery of weeks-long intelligence collection means sensitive protection data likely already exfiltrated requiring disclosure to refugee communities potentially triggering mass departure from protection programs and humanitarian services refugees desperately need.

  • Humanitarian Operations Security & Field Staff Safety: Global Relief Alliance’s operational model depends on maintaining humanitarian neutrality enabling staff to work in conflict zones—field operations require crossing military checkpoints, negotiating access with armed groups, coordinating with government authorities, and operating in contested territories where all parties respect humanitarian mandate. LitterDrifter compromise exposing operational communications creates catastrophic field safety risk where adversary intelligence collection reveals humanitarian logistics planning (convoy routes become military intelligence allowing interdiction or targeting), staff communication patterns expose security protocols and evacuation procedures (adversaries learn how humanitarian workers maintain safety in conflict zones), international coordination discussions reveal relationships with UN agencies and government donors (information potentially weaponized to portray humanitarian neutrality as Western intelligence gathering), and protection case discussions identify refugees humanitarian staff are actively assisting (enabling targeting of both beneficiaries and aid workers). Field staff safety depends on operational security—when adversaries possess complete surveillance of humanitarian communications through USB worm propagating across field laptops, staff operating in active war zones face elevated targeting risk as military intelligence services view humanitarian operations as espionage platforms rather than neutral relief providers.

  • Donor Trust & International Humanitarian Funding: Global Relief Alliance’s $85M annual budget depends on government donors, UN agencies, and foundations trusting organization’s operational security and beneficiary data protection—major institutional funders evaluate humanitarian partners based on demonstrated ability to maintain confidentiality of sensitive protection information, implement robust data security practices in challenging operating environments, and protect both beneficiaries and donor funding from diversion or intelligence exploitation. USB worm intelligence collection affecting refugee assistance creates donor crisis where current institutional funders question whether Global Relief Alliance infrastructure adequately protects sensitive humanitarian data in conflict zones (European Commission and UNHCR require security audits before releasing additional funding), prospective government donors eliminate Global Relief Alliance from consideration for major humanitarian programs requiring classified information handling (no Western government will partner with NGO experiencing publicized intelligence compromise), and foundation supporters express concern about reputational risk association with organization whose systems were exploited for adversary espionage operations. Humanitarian funding is highly competitive—established organizations with proven security practices will capture institutional grants Global Relief Alliance loses due to demonstrated operational security failures affecting beneficiary protection.

Immediate Business Pressure

Monday morning, 48 hours before the critical humanitarian aid convoy deployment that represents Global Relief Alliance’s largest Ukrainian refugee response operation. Executive Director Dr. Sarah Thompson is leading final convoy preparation: 9 months of intensive refugee assistance program development, a $12M European Commission grant funding winter emergency response, coordination across three countries requiring precise customs clearance and border crossing permissions, and a demonstration of organizational capacity for complex cross-border humanitarian logistics in an active conflict zone. The Wednesday convoy departure is an immovable deadline: the winter weather window is closing (snow and freezing temperatures make border crossings increasingly dangerous after this week), refugee camps are critically low on supplies (45,000 displaced persons face immediate health risks without winter shelter materials and heating fuel), donor contracts include delivery milestones tied to seasonal needs (European Commission grant requirements mandate winter supply distribution by mid-December), and international media coordination is scheduled (donor visibility for humanitarian response affects future European refugee funding). Delaying the Wednesday convoy risks refugee lives as winter conditions worsen, forfeits donor delivery milestones, potentially requiring grant fund returns, and signals operational failure that would damage the organization’s reputation for emergency response reliability.

Field Coordinator Michael Rodriguez reports alarming discovery to Sarah during Monday morning operations briefing via secure video call: “Sarah, I need to report suspicious activity I discovered while preparing convoy logistics data. Yesterday I was consolidating refugee camp supply requests from our field teams across Poland, Moldova, and Romania using USB drives they sent to headquarters. When I inserted the first USB drive into my laptop, I noticed my antivirus flagging unusual files attempting to execute automatically. I investigated and found every USB drive from field locations contained identical hidden malware files that weren’t part of our normal data transfers. These malicious files were trying to spread to my laptop and access our refugee database systems. Field teams didn’t knowingly send malware—something infected their laptops and is systematically propagating through our USB-based data transfer workflows targeting our humanitarian operations.”

IT Manager Jennifer Park immediately escalates to emergency investigation: “Sarah, Michael’s report indicates potential worm malware exploiting our field data transfer procedures. Our humanitarian operations depend on USB drives for offline data synchronization—field staff in low-connectivity refugee camps use USB to transfer registration data, protection cases, and supply requests back to headquarters. If malware is spreading through this critical workflow, we could have comprehensive compromise across all field systems containing sensitive refugee protection information. I’m activating incident response and bringing in specialized forensics. We need immediate assessment: what refugee data was accessed, how long USB worm existed in our field operations, whether our international partners using our shared data systems were also infected, and what intelligence collection affects Wednesday convoy security and beneficiary protection.”

Emergency forensic investigation reveals LitterDrifter, a nation-state USB worm specifically designed to target humanitarian operations supporting Ukrainian refugees. The malware spreads through USB drives transferred between field laptops and headquarters systems:

  • Infected files automatically propagate when USB devices connect to Windows computers (exploiting AutoRun functionality humanitarian workers use for convenient data access)
  • The worm exfiltrates humanitarian databases and communications, collecting refugee registration data and operational planning information
  • Command-and-control infrastructure routes stolen data through multiple countries, obscuring its ultimate destination
  • Malware characteristics match intelligence reporting attributing LitterDrifter to Russian cyber operations targeting Ukrainian refugee assistance and Western humanitarian support networks

Network forensics reveal 38 compromised field laptops across the Poland, Moldova, and Romania field offices and 15 infected USB drives circulating among humanitarian staff. The timeline shows worm presence extending back six weeks, covering critical refugee assistance operations including family reunification programs and protection case management. Exfiltrated data includes the complete refugee registration database with biometric information for 45,000 displaced persons, protection case files identifying vulnerable individuals and trafficking risks, field staff communications revealing convoy logistics and border crossing procedures, and donor coordination emails discussing European Commission funding and UNHCR collaboration. Together this is comprehensive intelligence collection providing Russian services complete surveillance of Western humanitarian refugee assistance operations.
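A triage pass over the collected USB drives, as an added example that is not part of the original scenario: it flags autorun.inf, hidden runnable files, and hidden or runnable files that are byte-identical across drives, which is the pattern Michael reports. The drive names, file names, extension list and placeholder file contents are constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import NamedTuple

# File types Windows will run or interpret. Assumption for this example:
# tune the set to what the organization's data transfers legitimately carry.
RUNNABLE_EXTS = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".lnk"}


class Finding(NamedTuple):
    drive: str
    file: str
    reason: str
    sha256: str


def is_hidden(path, st):
    """Windows hidden attribute when the OS exposes it, dot-prefix otherwise."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def sha256_of(path):
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_drives(drive_roots, min_drives=2):
    """Scan mounted drive roots read-only and return a list of Finding rows."""
    findings = []
    copies = defaultdict(list)  # sha256 -> [(drive, relative path), ...]
    for root in map(Path, drive_roots):
        drive = root.name or str(root)  # "E:\\" has an empty .name
        for dirpath, dirs, names in os.walk(root):
            dirs.sort()
            for name in sorted(names):
                path = Path(dirpath) / name
                st = path.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks and device nodes
                rel = path.relative_to(root).as_posix()
                autorun = name.lower() == "autorun.inf"
                runnable = path.suffix.lower() in RUNNABLE_EXTS
                hidden = is_hidden(path, st)
                if not (autorun or runnable or hidden):
                    continue  # ordinary visible data file
                digest = sha256_of(path)
                if autorun:
                    findings.append(Finding(drive, rel, "autorun.inf present", digest))
                if runnable and hidden:
                    findings.append(Finding(drive, rel, "hidden executable or script", digest))
                if runnable or hidden:
                    copies[digest].append((drive, rel))
    # The same hidden or runnable bytes on several drives is not normal data transfer.
    for digest, places in copies.items():
        drives = {d for d, _ in places}
        if len(drives) >= min_drives:
            for d, rel in places:
                findings.append(Finding(d, rel, f"identical file on {len(drives)} drives", digest))
    return findings


def build_sample_drives(base=None):
    """Create three constructed 'drives' on disk; nothing here is real malware."""
    base = Path(base or tempfile.mkdtemp(prefix="usb_triage_"))
    placeholder = b"REM constructed placeholder, not real malware\r\n"
    layout = {
        "drive_poland": {"registrations.csv": b"id,camp\n1,A\n",
                         ".sync_helper.vbs": placeholder,
                         "autorun.inf": b"[autorun]\r\n; constructed sample\r\n"},
        "drive_moldova": {"supply_requests.csv": b"item,qty\nblankets,400\n",
                          ".sync_helper.vbs": placeholder},
        "drive_romania": {"supply_requests.csv": b"item,qty\nfuel,90\n"},
    }
    roots = []
    for drive, files in layout.items():
        root = base / drive
        root.mkdir(parents=True)
        for name, data in files.items():
            (root / name).write_bytes(data)
        roots.append(root)
    return roots


if __name__ == "__main__":
    for f in triage_drives(build_sample_drives()):
        print(f"{f.drive}: {f.file}: {f.reason} [{f.sha256[:12]}]")
```

Run it from a dedicated analysis workstation against drives mounted read-only, so the triage step cannot itself become another propagation hop.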

UNHCR Liaison Officer David Chen calls emergency coordination meeting Monday afternoon: “Sarah, I’ve been briefed by your IT team that you’ve discovered Russian intelligence malware on Global Relief Alliance systems containing UNHCR refugee registration data we share for family reunification. Our protection protocols require immediate investigation because this potentially constitutes beneficiary data breach affecting 45,000 refugees under international protection. Wednesday convoy represents critical humanitarian lifeline, but UNHCR has mandatory security review requirements when partner organizations experience intelligence compromise affecting refugee data. I need comprehensive understanding: what specific refugee protection information was accessed, whether Russian intelligence services have systematic surveillance of our joint humanitarian operations, what risk exists for refugees whose information was stolen, and whether your field operations maintain adequate security for continued UNHCR partnership.”

Donor Relations Director Lisa Morgan provides funding impact assessment: “Sarah, our European Commission grant contract includes strict data protection provisions requiring immediate notification of unauthorized access to beneficiary information funded under humanitarian assistance programs. If we disclose LitterDrifter compromise affecting refugee data, EC grant management will immediately freeze remaining funding pending security audit and likely require returning already-disbursed funds if we cannot demonstrate adequate data protection compliance. Our $85M annual budget is 65% dependent on institutional government donors and UN agency partnerships—security breach affecting refugee protection creates existential funding crisis where current donors suspend relationships and future proposals face heightened scrutiny about operational security capabilities. Either we proceed with Wednesday convoy hoping intelligence collection doesn’t surface publicly, or we disclose breach triggering donor crisis that potentially ends Global Relief Alliance’s ability to conduct humanitarian operations.”

Critical Timeline:

  • Current moment (Monday 10am): LitterDrifter USB worm discovered on 38 field laptops and 15 USB drives, six weeks intelligence collection confirmed with complete refugee database and protection case files likely stolen by Russian services, Wednesday morning convoy departure delivering winter supplies to 45,000 Ukrainian refugees across three countries, UNHCR security review required before continuing partnership on shared refugee data, European Commission grant freeze likely if data breach disclosed
  • Stakes: 9-month refugee assistance program threatened with intelligence compromise where stolen protection data enables Russian targeting of vulnerable Ukrainian refugees (family reunification information reveals refugee connections to Ukrainian military or government, protection cases identifying trafficking-vulnerable women and children become target lists, beneficiary registration patterns expose humanitarian networks Russia seeks to disrupt), field staff safety at risk if operational security communications were fully surveilled by adversary intelligence (convoy routes, border procedures, security protocols all potentially known to hostile services operating in conflict zone), donor funding crisis where institutional funders learn humanitarian operations lack adequate data security (European Commission, UNHCR, and government donors suspend partnerships destroying 65% of organizational budget)
  • Dependencies: Wednesday morning convoy departure is humanitarian necessity—winter weather window closing after this week (border crossings become increasingly dangerous with snow and freezing conditions), refugee camps critically low on winter supplies (45,000 displaced persons face immediate health risks without shelter materials and heating fuel delivery), European Commission grant delivery milestones tied to seasonal emergency response timeline (failure to distribute winter supplies by mid-December triggers grant compliance penalties), international media coordination scheduled for convoy visibility (donor reporting and future funding justification depends on demonstrating humanitarian response effectiveness)

Cultural & Organizational Factors

Why This Vulnerability Exists:

  • Humanitarian urgency overrides IT security during emergency response operations: Global Relief Alliance organizational culture reflects humanitarian imperative: “saving lives and protecting refugees in active conflict zones is paramount—administrative security procedures cannot delay emergency assistance when displaced populations face immediate survival threats”—this creates measurable pressure to maintain operational velocity during crisis response. Weekly field coordination calls track “beneficiaries reached” and “emergency distributions completed” as primary metrics directly affecting donor reporting and organizational reputation for effective humanitarian response. Sarah’s directive during Ukrainian refugee crisis: “Security processes requiring field system downtime or data access interruptions get streamlined during emergency operations—we cannot afford delays when refugees in camps lack basic survival needs and winter weather creates life-threatening conditions. Russian aggression creates humanitarian crisis we must address regardless of administrative obstacles.” Field staff learned that IT security requirements involving system updates, USB scanning, or data transfer validation procedures receive expedited approvals during active emergency response to avoid interrupting critical refugee assistance workflows essential for protection mandate. Offline data synchronization procedures requiring security review were informally relaxed for “urgent field data” to accelerate refugee registration processing during high-volume displacement periods. 
Result: Infected USB drives from field locations successfully bypassed security validation because data transfer procedures were streamlined during emergency response phase, field staff used USB devices without comprehensive malware scanning because humanitarian urgency prioritized rapid beneficiary data processing over security protocols, and LitterDrifter propagated undetected for six weeks because endpoint monitoring focused on preventing data loss rather than detecting nation-state intelligence collection specifically targeting humanitarian operations—creating perfect conditions when sophisticated adversaries distributed USB worm through field environments knowing humanitarian emergency context would reduce security vigilance in favor of operational velocity.

  • Field operating environment limitations creating dependency on USB-based workflows vulnerable to physical malware propagation: Humanitarian operations in conflict zones operate under severe technical constraints: field locations in refugee camps lack reliable internet connectivity (displaced populations in border regions depend on humanitarian satellite links with limited bandwidth), electricity supply is intermittent or generator-dependent (field offices cannot maintain always-on systems required for cloud synchronization), physical security conditions prevent leaving equipment unattended overnight (laptops and USB drives are transported between field sites and stored in secure locations when not in use), and humanitarian staff rotate frequently between field assignments (creating USB drive sharing patterns as convenient data transfer method when moving between locations). This austere operating environment creates operational dependency on offline data workflows where USB drives serve as primary mechanism for refugee registration data transfer from field collection points to headquarters database systems. Michael describes the field reality: “Our refugee camp operations cannot depend on internet connectivity that doesn’t exist or isn’t reliable enough for transferring gigabytes of biometric registration data. Field teams collect refugee information using laptops with offline databases, then physically transport USB drives to headquarters when they rotate back from field assignments. This USB-based workflow is not security carelessness—it’s operational necessity when working in environments where humanitarian urgency requires beneficiary data processing even when technical infrastructure is inadequate for modern cybersecurity best practices.” This field constraint creates adversary opportunity where LitterDrifter USB worm exploits exactly the offline data transfer workflows that humanitarian operating environments necessitate—malware doesn’t need internet connectivity to propagate (spreads through physical USB device sharing inherent to field operations), infected systems often lack real-time security updates (humanitarian laptops operate offline for weeks limiting antivirus signature updates), and USB devices circulate among multiple field staff and locations (enabling rapid worm propagation across entire humanitarian operation without triggering centralized security monitoring), making USB-based malware ideal attack vector for intelligence collection targeting humanitarian assistance in conflict zones where technical infrastructure limitations are well-understood by adversaries with operational knowledge of aid industry practices.

  • Humanitarian data sharing culture prioritizing beneficiary assistance over information compartmentation: Global Relief Alliance operates through extensive inter-agency coordination: refugee registration data shared with UNHCR for international protection and family reunification, protection case information exchanged with specialized NGOs for medical referrals and legal assistance, supply distribution coordination with local government authorities for customs clearance and border crossing permissions, and donor reporting systems requiring detailed beneficiary demographics for European Commission grant compliance. Humanitarian effectiveness depends on this information sharing—refugees benefit when multiple agencies coordinate assistance avoiding duplication while ensuring comprehensive protection coverage. Sarah explains the humanitarian philosophy: “We don’t believe in restrictive data compartmentation that prevents effective refugee protection. Our beneficiary databases integrate with UNHCR systems to enable family reunification, our protection cases are shared with medical NGOs to ensure trafficking survivors receive specialized care, and our supply logistics coordinate with government authorities to facilitate border crossings for humanitarian convoys. Information sharing enables protection—refusing to share refugee data with trusted humanitarian partners would diminish our ability to serve vulnerable populations.” This collaboration-focused approach creates comprehensive data exposure where single compromise point affects entire humanitarian ecosystem: Michael’s infected laptop providing adversary access not just to Global Relief Alliance’s refugee database but to integrated UNHCR registration records, shared protection case files from partner NGOs, government coordination communications revealing border procedures and customs relationships, and donor reporting documents exposing European Commission funding mechanisms and humanitarian coordination structures across three countries. What begins as USB worm infection of one field coordinator’s laptop expands to intelligence collection affecting entire Western humanitarian response to Ukrainian refugee crisis because information sharing culture deliberately concentrated protection data across organizational boundaries for humanitarian effectiveness—never anticipating scenario where nation-state adversary would systematically exploit humanitarian data integration to achieve comprehensive surveillance of refugee assistance operations supporting displaced Ukrainians fleeing Russian military aggression.

  • Humanitarian neutrality principle creating operational transparency vulnerable to adversary intelligence exploitation: International humanitarian organizations maintain “humanitarian neutrality”—operating in conflict zones by demonstrating impartiality and transparency to all parties ensuring access to affected populations regardless of territorial control or military affiliation. This principle manifests through operational visibility: Global Relief Alliance publicly announces humanitarian programs and beneficiary populations served, shares convoy routes and supply distribution locations with military forces controlling territory, coordinates with government authorities across conflict lines to facilitate aid delivery, and maintains transparent communication about humanitarian objectives to enable safe passage through contested areas. Jennifer describes the protection value: “Humanitarian transparency keeps our staff safe—when we openly communicate our convoy routes and refugee assistance activities to all parties in conflict, military forces understand we’re neutral humanitarian actors not intelligence platforms, checkpoints allow aid convoys to pass because our logistics are not concealing military activities, and field staff can work in conflict zones because we demonstrate we’re not covert operatives gathering intelligence under humanitarian cover.” This transparency-based security model creates adversary intelligence opportunity where LitterDrifter doesn’t need sophisticated espionage tradecraft to access humanitarian operational details—Global Relief Alliance intentionally shares convoy logistics with multiple government authorities (any of whom could be intelligence collection targets or adversary partners), field staff communications assume humanitarian transparency means operational security through neutrality rather than operational security through secrecy, and protection databases openly identify vulnerable beneficiary populations precisely because humanitarian mandate requires sharing this information with UN agencies and government partners for effective assistance. Result: when nation-state adversary compromises humanitarian systems through USB worm, stolen data includes not just what Global Relief Alliance tried to keep confidential but also extensive operational information organization deliberately shared with multiple parties under humanitarian transparency principle—creating comprehensive intelligence picture of Western refugee assistance operations because humanitarian security model assumed transparency would protect neutrality, never anticipating adversary would exploit humanitarian openness as intelligence collection opportunity specifically targeting Ukrainian refugee support that Russian military strategy seeks to undermine.

Operational Context

Global Relief Alliance operates in an international humanitarian system where organizational legitimacy and donor funding depend on demonstrating effective emergency response, beneficiary data protection, and operational security adequate for working in complex conflict environments. The organization’s reputation relies on a proven track record of delivering assistance in challenging contexts while maintaining humanitarian neutrality and protecting vulnerable populations from exploitation or targeting.

Ukrainian refugee response represents Global Relief Alliance’s largest single displacement operation and strategic opportunity demonstrating organizational capacity for complex multi-country coordination: $12M European Commission grant is 14% of annual budget, successful winter emergency response positions organization for expanded UNHCR partnership worth estimated $25M+ multi-year refugee assistance programming across Eastern Europe, and convoy operation visibility through international media provides donor communication credential enabling future institutional fundraising from government humanitarian budgets. Donor Relations Director Lisa’s funding strategy depends on Wednesday convoy demonstrating capabilities that differentiate Global Relief Alliance from larger international NGOs: ability to rapidly deploy humanitarian logistics across contested borders in active conflict zone, proven operational security protecting beneficiary data in challenging field environments, and execution reliability meeting seasonal emergency needs despite complex coordination requirements.

Wednesday convoy timing creates impossible constraint: winter weather window is closing making border crossings increasingly dangerous after this week (snow and ice conditions particularly affecting mountain passes between Poland and Ukraine), refugee camps are critically short on winter supplies (UNHCR field reports indicate 45,000 displaced persons in three camps facing immediate health risks without shelter materials and heating fuel), European Commission grant compliance requires demonstrating winter supply distribution within specific seasonal timeframe (delayed delivery could trigger grant amendment requiring fund returns or reduced future allocations), and international media coordination is scheduled with journalists embedded in convoy for donor visibility reporting (postponement loses publicity opportunity that justifies future European humanitarian funding for refugee assistance). Grant contract includes delivery milestone provisions where Global Relief Alliance must demonstrate completion of specified emergency distributions to receive final tranche of EC funding.

Legal and ethical complexity amplifies Monday’s discovery pressure: humanitarian data protection is governed by both donor contract requirements and international protection standards—European Commission grants include mandatory beneficiary data security provisions requiring “immediate notification of unauthorized access,” UNHCR protection protocols mandate security review when partner organizations experience data breaches affecting refugee information, and General Data Protection Regulation (GDPR) applies to humanitarian organizations processing personal data of European residents including refugees. Legal counsel must determine: does LitterDrifter intelligence collection constitute “unauthorized access” triggering immediate multi-party notification obligations (European Commission, UNHCR, refugee community notification all have different requirements and timelines), or does incomplete forensic understanding allow delayed disclosure until investigation determines full scope of Russian intelligence access to protection data?

Michael’s emotional dimension reveals field staff perspective: “I’ve spent 9 months in refugee camps working with Ukrainian families who lost everything fleeing Russian military operations—registering separated children trying to find parents, documenting trafficking-vulnerable women needing protection, recording displaced persons’ stories to secure their international refugee status. These aren’t abstract database entries—they’re real people whose safety depends on us protecting their information from exactly the adversary intelligence services they fled. Discovering that Russian-linked malware was systematically stealing this protection data through my laptop and USB drives feels like betraying every refugee who trusted us with their most sensitive information. I didn’t just fail cybersecurity procedures—I potentially enabled targeting of vulnerable displaced persons by the same regime they were escaping.”

Humanitarian protection principles create unique ethical dimension absent from commercial security incidents: Global Relief Alliance’s fundamental mandate is “do no harm” to beneficiary populations—when organizational security failures potentially enable adversary targeting of vulnerable refugees, this represents not just operational security breach but profound violation of humanitarian protection responsibility. International humanitarian law and protection standards hold aid organizations accountable for safeguarding beneficiary data specifically because displaced populations in conflict zones face elevated risks from intelligence services, armed groups, and criminal networks who would exploit personal information for targeting, trafficking, or political persecution.

Key Stakeholders

All stakeholders face impossible choices where protecting one critical interest requires sacrificing another:

Executive Director Dr. Sarah Thompson - responsible for organizational mission and humanitarian operations, facing impossible decision between proceeding with Wednesday convoy maintaining emergency response timeline (delivering life-saving winter supplies to 45,000 vulnerable refugees despite intelligence compromise uncertainty) OR postponing convoy pending comprehensive forensic assessment determining Russian intelligence access to refugee data (protecting beneficiary safety and organizational legal compliance but forfeiting critical seasonal supply delivery potentially resulting in refugee deaths from exposure and triggering donor grant penalties for failed delivery milestones)—either path creates refugee harm or organizational collapse

IT Manager Jennifer Park - responsible for information security and incident response, facing impossible decision between conducting thorough forensic investigation across 38 field laptops and international infrastructure determining full scope of Russian intelligence collection (ensuring accurate damage assessment and UNHCR compliance but requiring 5-7 days guaranteeing Wednesday convoy impossibility and donor grant default) OR expedited assessment enabling Wednesday decision within 24 hours (protecting convoy timeline and organizational mission but incomplete forensic understanding risks underestimating refugee data exposure potentially enabling Russian targeting of vulnerable displaced persons through stolen protection information)—either path sacrifices beneficiary protection or organizational viability

UNHCR Liaison Officer David Chen - representing United Nations refugee protection mandate, facing impossible decision between requiring comprehensive security audit before approving continued UNHCR partnership and refugee data sharing (protecting 45,000 beneficiaries from further intelligence exposure and maintaining international protection standards) OR accepting expedited security review enabling Wednesday convoy and ongoing humanitarian coordination (maintaining critical refugee assistance continuity but potentially enabling continued Russian intelligence collection through compromised humanitarian systems if investigation is insufficient)—either path affects refugee protection or humanitarian effectiveness

Donor Relations Director Lisa Morgan - responsible for institutional funding relationships and organizational sustainability, facing impossible decision between immediately disclosing LitterDrifter breach to European Commission and UNHCR (protecting legal compliance and demonstrating responsible data protection despite triggering grant freeze and partner suspension threatening organizational survival) OR delaying disclosure until after Wednesday convoy completion (preserving donor relationships and grant funding enabling continued humanitarian operations but creating severe legal exposure if investigation subsequently reveals extensive Russian intelligence access to EC-funded refugee assistance that Global Relief Alliance failed to promptly report)—either path destroys institutional funding or creates legal liability threatening organizational existence

Why This Matters

You’re not just managing USB worm removal from humanitarian field operations. You’re navigating nation-state intelligence collection targeting refugee protection data where compromised beneficiary information threatens vulnerable displaced persons fleeing the same adversary now systematically surveilling their international assistance.

Every choice carries catastrophic consequences:

  • Proceed with Wednesday convoy → Risk continuing humanitarian operations while Russian intelligence services potentially possess complete surveillance of refugee protection data (enabling targeting of vulnerable displaced persons whose information was stolen, exposing humanitarian logistics and field staff to elevated security risks in conflict zone, compromising UNHCR partnership and EC funding through undisclosed data breach if subsequent investigation reveals extensive intelligence collection)
  • Postpone Wednesday convoy → Trigger immediate humanitarian crisis where 45,000 Ukrainian refugees face winter without critical supplies (health risks from exposure as temperatures drop, loss of life from inadequate shelter and heating in refugee camps), forfeit European Commission grant delivery milestones (requiring fund returns and threatening future humanitarian funding), demonstrate operational failure (undermining donor confidence in organization’s emergency response reliability and destroying positioning for expanded UNHCR partnership worth $25M+ multi-year funding)
  • Immediate multi-party breach disclosure → Guarantee European Commission grant freeze and UNHCR partnership suspension (eliminating 65% of organizational funding and making Wednesday convoy financially impossible), trigger refugee community notification creating mass departure from protection programs (displaced persons lose trust in humanitarian confidentiality fundamental to accepting assistance), destroy institutional donor relationships (government funders and UN agencies eliminate Global Relief Alliance from future humanitarian programming requiring beneficiary data handling)
  • Delay breach notification → Enable Wednesday convoy and preserve donor relationships (protecting immediate humanitarian mission and organizational survival), maintain refugee protection program continuity (45,000 displaced persons continue receiving assistance without learning their data was compromised), but create severe legal liability if forensic investigation reveals extensive Russian intelligence access to refugee data and European Commission learns Global Relief Alliance delayed mandatory disclosure violating grant compliance and GDPR requirements (exposing organization to litigation, funding clawbacks, and complete institutional funding loss destroying humanitarian operations)

The impossible decision framework:

Global Relief Alliance cannot simultaneously protect refugee beneficiary data (requires comprehensive investigation determining Russian intelligence access to protection information), execute Wednesday convoy (depends on proceeding despite incomplete forensic understanding), maintain donor compliance (requires immediate breach disclosure triggering grant freeze), preserve organizational funding (needs a continued EC partnership and UNHCR relationship that an expedited security review cannot guarantee), and ensure field staff safety (mandates understanding whether Russian intelligence possesses operational security details before deploying humanitarian workers to conflict zone). Every stakeholder priority directly conflicts: Sarah’s humanitarian mission mandate contradicts Jennifer’s forensic thoroughness requirements, David’s refugee protection standards depend on a security audit that Sarah’s convoy timeline cannot accommodate, and Lisa’s organizational survival through delayed disclosure destroys the donor trust that David’s UNHCR protocols mandate.

This is what incident response looks like in humanitarian operations where beneficiary protection, organizational mission, institutional funding, and legal compliance create impossible choices between delivering life-saving assistance, protecting vulnerable populations from intelligence exploitation, maintaining donor relationships, and safeguarding field staff operating in active conflict zones. These are decisions where every option carries severe consequences and the optimal path depends on information that the forensic investigation timeline makes unavailable before refugees face winter without supplies and donors withdraw funding that sustains humanitarian operations.

IM Facilitation Notes

Common player assumptions to address:

  1. “Just postpone the convoy until you complete the security investigation” - Players need to understand postponement creates immediate humanitarian harm: 45,000 Ukrainian refugees face winter without shelter materials and heating fuel (health risks from exposure as temperatures drop below freezing), seasonal weather window for safe border crossings closes after this week (convoy becomes operationally infeasible as snow and ice conditions worsen), European Commission grant delivery milestones tied to seasonal emergency response create financial penalties for delayed distribution, and refugee camps are already critically low on supplies meaning postponement could result in preventable deaths from exposure. Emphasize humanitarian imperative differs from commercial business continuity—delayed humanitarian assistance has life-or-death consequences, not just financial impacts.

  2. “Notify everyone immediately—refugees deserve to know their data was compromised” - Players need to recognize immediate disclosure triggers catastrophic cascade: European Commission immediately freezes grant funding making convoy financially impossible, UNHCR suspends partnership eliminating organization’s legitimacy for refugee protection work, refugee community notification creates mass exodus from humanitarian programs (displaced persons lose trust in confidentiality causing vulnerable populations to refuse assistance they desperately need), and institutional donors eliminate Global Relief Alliance from future humanitarian programming destroying organizational capacity to serve any displaced populations. Push players to grapple with: disclosure protects legal compliance and respects beneficiary autonomy, but timing determines whether organization survives to continue protecting refugees after this crisis.

  3. “Improve field IT security and stop using USB drives” - Players need to understand humanitarian operating environment constraints: refugee camps lack reliable internet connectivity making USB-based data transfer operational necessity not security carelessness, field locations operate on generator power with intermittent electricity preventing cloud synchronization, humanitarian workers rotate between high-risk conflict zones requiring portable offline systems, and security measures significantly impacting field data workflows reduce humanitarian effectiveness when beneficiary registration and protection case processing directly affects refugee assistance delivery. Highlight tension between security best practices and humanitarian operational reality where saving lives in conflict zones sometimes requires accepting security risks commercial organizations would never tolerate.

  4. “Let the IT team handle the malware while humanitarian staff focus on the convoy” - Players need to recognize technical and humanitarian decisions are inseparable: forensic investigation timeline directly determines convoy possibility (comprehensive 5-7 day investigation makes Wednesday departure impossible), Russian intelligence access scope discovered during forensics determines whether proceeding with convoy exposes field staff to elevated targeting risk, refugee data breach extent affects UNHCR partnership continuation and EC grant compliance, and every technical finding changes humanitarian mission calculus. Jennifer cannot provide “purely technical” security assessment divorced from convoy implications—her forensic recommendations ARE humanitarian decisions affecting refugee safety and organizational survival.

  5. “Focus on preventing future USB infections rather than worrying about this incident” - Players need to understand post-incident prevention doesn’t solve current crisis: deploying better USB scanning doesn’t recover stolen refugee protection data or prevent Russian intelligence from targeting vulnerable displaced persons whose information was already exfiltrated, implementing field security training doesn’t address whether Wednesday convoy proceeds or postpones, and comprehensive security improvements don’t resolve legal obligations for breach notification or donor compliance requirements. Emphasize “lessons learned” matter for protecting future beneficiaries but don’t address impossible decisions about current refugee population facing winter without supplies and Russian intelligence possessing their protection information.

  6. “Surely Russian intelligence already knows about Ukrainian refugees—what harm does stolen data actually cause?” - Players need to grapple with specific targeting risks: refugee protection databases identify particularly vulnerable individuals (separated children, trafficking survivors, witnesses to war crimes) who become specific intelligence targets rather than general displaced population, family reunification data reveals refugee connections to Ukrainian military or government officials making them valuable intelligence collection targets, protection case files document refugees’ reasons for fleeing (political activism, journalism, military service) providing Russian services precise target lists for intimidation or retaliation, and beneficiary registration patterns expose humanitarian networks Russia systematically seeks to disrupt as part of broader strategy undermining Western support for Ukrainian refugees. Challenge players: does knowing someone is a refugee differ from possessing detailed protection case file enabling their specific targeting?

  7. “At least this was caught before even more damage occurred” - Players need to recognize discovery timing creates its own pressure: finding LitterDrifter six weeks into compromise means extensive refugee data already exfiltrated to Russian intelligence, but learning about it Monday before Wednesday convoy creates impossible time constraint where thorough investigation and convoy deployment are mutually exclusive, and rushed disclosure decisions under uncertainty risk either abandoning legal compliance (delayed notification violating EC grant and UNHCR requirements) or abandoning humanitarian mission (disclosure preventing life-saving supply delivery to vulnerable populations). Monday discovery is worst timing—late enough that major intelligence collection occurred, early enough that convoy decision cannot wait for complete forensic understanding, and urgent enough that incomplete assessment drives irreversible choices affecting both refugee safety and organizational survival.

Opening Presentation

“It’s Monday morning at Global Relief Alliance, and the international aid organization is preparing an emergency humanitarian convoy scheduled to depart Wednesday for conflict zones where Ukrainian refugees desperately need assistance. But field security teams have discovered something alarming: USB malware specifically targeting organizations supporting Ukrainian refugee operations. This isn’t random malware - it’s a sophisticated nation-state surveillance worm propagating through removable media, systematically collecting intelligence on humanitarian logistics and international relief coordination during active conflict.”

Initial Symptoms to Present:

Initial User Reports:
  • “USB devices automatically spreading surveillance malware targeting humanitarian organizations supporting Ukrainian refugees”
  • “Aid coordination documents being accessed through nation-state espionage operations”
  • “Refugee data and field logistics showing signs of unauthorized foreign intelligence collection”
  • “Network traffic indicating systematic exfiltration of humanitarian operations to nation-state command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state USB-propagating worm targeting humanitarian organizations
  • Aid coordination network analysis shows geopolitical targeting of Ukrainian refugee assistance and international relief
  • Intelligence timeline indicates months of undetected foreign surveillance of humanitarian operations

Protector System Analysis:

  • Humanitarian workstation monitoring reveals systematic intelligence collection through USB propagation targeting refugee data
  • Aid coordination system assessment shows unauthorized nation-state access to field logistics and vulnerable population information
  • International relief network security analysis indicates coordinated campaign targeting multiple humanitarian organizations during conflict

Tracker Network Investigation:

  • Command and control traffic analysis reveals nation-state espionage infrastructure targeting humanitarian operations
  • Geopolitical intelligence patterns suggest strategic coordination of refugee data theft supporting foreign conflict objectives
  • Humanitarian communication analysis indicates systematic nation-state targeting of Ukrainian relief operations and international coordination

Communicator Stakeholder Interviews:

  • Humanitarian staff interviews reveal suspicious USB behavior during emergency aid coordination and refugee assistance planning
  • International coordination regarding potential compromise of field logistics and vulnerable population safety
  • Intelligence community coordination with agencies regarding nation-state targeting of humanitarian organizations during conflict

Mid-Scenario Pressure Points:

  • Hour 1: United Nations agencies discover potential compromise of humanitarian convoy logistics affecting refugee safety and aid delivery
  • Hour 2: Intelligence assessment reveals evidence of nation-state targeting of Ukrainian refugee operations during active conflict
  • Hour 3: Refugee data and humanitarian logistics found on nation-state intelligence networks affecting vulnerable population protection
  • Hour 4: International relief assessment indicates potential compromise of multiple humanitarian organizations requiring coordinated response

Evolution Triggers:

  • If investigation reveals refugee data transfer, humanitarian protection obligations and international cooperation are compromised
  • If nation-state surveillance continues, adversaries maintain persistent access for long-term humanitarian intelligence collection during conflict
  • If aid logistics theft is confirmed, refugee safety and humanitarian operations are severely compromised affecting vulnerable populations

Resolution Pathways:

Technical Success Indicators:

  • Complete nation-state worm removal from humanitarian systems with preservation of intelligence evidence
  • Refugee data and aid coordination security verified preventing further unauthorized nation-state access during conflict
  • Foreign espionage infrastructure analysis provides intelligence on coordinated humanitarian targeting and geopolitical objectives

Business Success Indicators:

  • Emergency aid convoy protected through secure forensic handling and international intelligence cooperation
  • Humanitarian operations maintained through professional incident response demonstrating commitment to refugee protection
  • International cooperation obligations demonstrated preventing diplomatic complications and protecting vulnerable populations

Learning Success Indicators:

  • Team understands sophisticated nation-state espionage capabilities and humanitarian organization targeting through USB propagation during conflict
  • Participants recognize targeting of vulnerable populations and ethical implications of refugee data theft
  • Group demonstrates coordination between cybersecurity response and humanitarian protection requirements for aid organizations

Common IM Facilitation Challenges:

If Nation-State Sophistication Is Underestimated:

“Your USB malware removal is progressing, but Captain Shaw discovered that nation-state adversaries have been systematically collecting refugee data for months through geopolitical targeting. How does sophisticated foreign surveillance change your humanitarian protection approach during active conflict?”

If Humanitarian Implications Are Ignored:

“While you’re cleaning infected systems, Ambassador Chen needs to know: have refugee data and aid logistics been transferred to nation-state adversaries? How do you coordinate cybersecurity response with humanitarian protection obligations and international cooperation?”

If Vulnerable Population Impact Is Overlooked:

“Elena just learned that refugee information and field logistics may be in nation-state hands affecting vulnerable population safety. How do you assess the humanitarian impact of stolen aid coordination intelligence during conflict operations?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish nation-state humanitarian espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing targeting of humanitarian organizations and refugee protection implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of humanitarian organization espionage challenges. Use the full set of NPCs to create realistic aid convoy and refugee protection pressures. The two rounds allow discovery of refugee data theft and field logistics compromise, raising stakes. Debrief can explore balance between cybersecurity response and humanitarian ethics coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing emergency aid delivery, refugee data protection, international cooperation, and humanitarian ethics obligations. The three rounds allow for full narrative arc including nation-state discovery, vulnerable population impact assessment, and UN coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate humanitarian communications causing false positives). Make containment ambiguous, requiring players to justify protection decisions with incomplete intelligence about geopolitical targeting during active conflict. Remove access to reference materials to test knowledge recall of nation-state behavior and humanitarian security principles. Include deep coordination with UN agencies and Ukrainian refugee protection implications.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal sophisticated nation-state USB-propagating worm (Litter Drifter) targeting Global Relief Alliance humanitarian workstations with refugee assistance operation detection. Security analysis shows foreign intelligence systematically collecting aid coordination documents through USB devices affecting humanitarian operations during active geopolitical conflict. Aid workers report USB malware spreading automatically during emergency convoy planning affecting refugee safety and field logistics.”

Clue 2 (Minute 10): “Intelligence timeline indicates nation-state surveillance maintained for months through targeted USB devices distributed to humanitarian organizations supporting Ukrainian refugees. Command and control traffic analysis reveals geopolitical espionage infrastructure coordinating multi-target humanitarian intelligence collection supporting foreign conflict objectives. Aid coordination system assessment shows unauthorized access to refugee data and field logistics affecting vulnerable population protection and international relief operations.”

Clue 3 (Minute 15): “International intelligence cooperation discovers refugee data and humanitarian logistics on nation-state networks, confirming vulnerable population information transfer affecting aid delivery security. UN coordination reveals potential compromise of emergency convoy planning threatening field worker safety and refugee assistance operations. Intelligence assessment indicates coordinated nation-state targeting of multiple humanitarian organizations requiring immediate response and international coordination.”


Pre-Defined Response Options

Option A: Emergency Aid Isolation & International Coordination

  • Action: Immediately isolate compromised humanitarian systems from USB propagation, coordinate comprehensive intelligence investigation with international agencies, conduct refugee data damage assessment, implement emergency security protocols for convoy protection and UN notification.
  • Pros: Completely eliminates nation-state worm preventing further refugee intelligence theft through USB propagation; demonstrates responsible humanitarian security incident management; maintains international cooperation through transparent intelligence coordination.
  • Cons: Humanitarian system isolation disrupts emergency convoy coordination affecting refugee assistance and aid delivery; intelligence investigation requires extensive international coordination; damage assessment may reveal significant refugee data compromise affecting vulnerable population protection.
  • Type Effectiveness: Super effective against APT malmon type; complete nation-state worm removal prevents continued humanitarian surveillance and refugee intelligence theft through USB propagation during conflict.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve intelligence evidence while remediating confirmed compromised systems, conduct targeted refugee data damage assessment, coordinate selective international notification, implement enhanced monitoring while maintaining humanitarian operations.
  • Pros: Balances emergency convoy requirements with intelligence investigation; protects critical humanitarian operations; enables focused refugee protection response and aid coordination.
  • Cons: Risks continued nation-state surveillance in undetected USB propagation locations; selective remediation may miss coordinated targeting; forensic requirements may delay refugee data protection and convoy coordination.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate nation-state presence through USB propagation; delays complete humanitarian security restoration and vulnerable population protection.

Option C: Humanitarian Continuity & Phased Security Response

  • Action: Implement emergency secure convoy coordination environment isolated from USB threats, phase nation-state worm removal by aid priority, establish enhanced humanitarian monitoring, coordinate gradual international notification while maintaining refugee operations.
  • Pros: Maintains critical emergency convoy timeline protecting refugee assistance and vulnerable population safety; enables continued humanitarian operations during conflict; supports controlled international coordination.
  • Cons: Phased approach extends nation-state surveillance timeline through continued USB propagation; emergency operations may not prevent continued refugee intelligence theft; gradual notification delays may violate international cooperation requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes humanitarian operations over complete nation-state elimination through USB propagation; doesn’t guarantee refugee data protection or vulnerable population safety.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Nation-State Discovery & Humanitarian Impact Assessment (35-40 min)

Investigation Clues (Time-Stamped)

Minute 0-5 (Opening):

  • Security alert: USB devices showing automated propagation behavior targeting humanitarian organization systems supporting Ukrainian refugees
  • Aid coordination documents accessed through unauthorized means during emergency convoy preparations
  • Network traffic patterns indicating potential data exfiltration to foreign command infrastructure during conflict

Minute 10 (Detective Path):

  • Digital forensics identify sophisticated USB-propagating worm (Litter Drifter) with nation-state tradecraft targeting humanitarian operations
  • Malware designed specifically to target organizations supporting Ukrainian refugee assistance during active conflict
  • Timeline analysis reveals potential months of undetected presence during humanitarian crisis response

Minute 15 (Protector Path):

  • Humanitarian workstation monitoring reveals systematic file access patterns targeting refugee data and aid logistics
  • Aid coordination system logs show unauthorized data collection from humanitarian operations servers
  • USB propagation patterns indicate coordinated campaign affecting multiple humanitarian organizations

Minute 20 (Tracker Path):

  • Command and control infrastructure analysis reveals nation-state espionage network with conflict zone objectives
  • Exfiltration patterns suggest intelligence collection focused on Ukrainian refugee operations and international relief coordination
  • Network traffic correlates with known foreign intelligence operations targeting humanitarian organizations

Minute 25 (Communicator Path):

  • Refugee Services Coordinator Elena Marchenko reports suspicious USB behavior during convoy planning over past 3 months
  • Field Security Manager Captain Shaw identifies potential foreign intelligence collection affecting vulnerable populations
  • Director Dr. Volkov expresses urgent concern about convoy schedule and UN notification requirements

Response Options (With Detailed Trade-offs)

Option A: Emergency Aid Isolation & Full International Coordination

  • Immediate Actions: Isolate all compromised humanitarian systems, initiate comprehensive intelligence investigation with UN agencies, conduct refugee data damage assessment
  • Timeline Impact: Emergency convoy delayed 2-3 weeks for complete forensic analysis and security verification
  • Stakeholder Reactions:
    • Dr. Volkov: Concerned about convoy timeline but supports humanitarian protection priority and international transparency
    • Captain Shaw: Strongly supports comprehensive intelligence investigation and field security coordination
    • Ambassador Chen: Emphasizes complete evidence preservation for international cooperation and vulnerable population protection
  • Type Effectiveness: SUPER EFFECTIVE - Complete APT removal prevents continued nation-state surveillance and refugee intelligence theft

Option B: Forensic Preservation & Targeted Remediation

  • Immediate Actions: Preserve intelligence evidence, remediate confirmed compromised systems, conduct targeted refugee data damage assessment
  • Timeline Impact: Partial convoy delay (5-7 days) while maintaining critical humanitarian operations
  • Stakeholder Reactions:
    • Dr. Volkov: Appreciates balance between convoy requirements and security response
    • Elena Marchenko: Can continue critical aid work with enhanced monitoring
    • Ambassador Chen: Concerned about potential nation-state surveillance in undetected locations
  • Type Effectiveness: MODERATELY EFFECTIVE - Reduces nation-state presence but may not achieve complete elimination

Option C: Humanitarian Continuity & Phased Security Response

  • Immediate Actions: Implement emergency secure convoy environment, phase worm removal by aid priority, establish enhanced monitoring
  • Timeline Impact: Minimal convoy delay (1-2 days) with ongoing security remediation during humanitarian operations
  • Stakeholder Reactions:
    • Dr. Volkov: Strongly supports maintaining convoy schedule and refugee assistance timeline
    • Captain Shaw: Serious concerns about inadequate intelligence response and vulnerable population protection
    • Ambassador Chen: Warns that phased approach may violate international cooperation requirements
  • Type Effectiveness: PARTIALLY EFFECTIVE - Prioritizes humanitarian operations over complete nation-state elimination

Round 1 Pressure Events

Minute 15: UN agencies request status update on convoy security and refugee data protection

Minute 25: International intelligence community initiates inquiry about potential humanitarian data compromise affecting field operations

Minute 30: Dr. Volkov receives call from donor agencies - convoy has critical importance for refugee safety and vulnerable population assistance

Round 1 Facilitation Questions

  • “How do you balance emergency convoy urgency against comprehensive intelligence investigation requirements during conflict?”
  • “What refugee data exposure assessment is needed before international notification?”
  • “How does nation-state targeting of Ukrainian refugee operations affect your humanitarian response strategy?”
  • “What international cooperation obligations apply to this foreign intelligence collection incident affecting vulnerable populations?”

Round 1 Transition to Round 2

Based on team’s chosen response path…

If Emergency Isolation Chosen: “Your emergency aid isolation has halted nation-state surveillance, but forensic analysis is revealing the extent of refugee data exposure. International intelligence investigation has discovered something alarming about the scope of humanitarian logistics theft and vulnerable population targeting…”

If Targeted Remediation Chosen: “Your forensic preservation is protecting critical evidence, but continued monitoring is detecting ongoing nation-state activity in unexpected humanitarian locations. Ambassador Chen has discovered intelligence indicating systematic targeting of multiple aid organizations during conflict…”

If Humanitarian Continuity Chosen: “Your secure convoy environment is maintaining assistance schedule, but Captain Shaw has identified serious field security concerns. International intelligence is revealing that refugee data may already be in nation-state hands…”


Round 2: Vulnerable Population Impact & UN Coordination (35-45 min)

Investigation Clues (Time-Stamped)

Minute 40 (Critical Discovery):

  • Intelligence investigation reveals refugee data and aid logistics found on nation-state intelligence networks
  • Forensic timeline indicates systematic humanitarian operations surveillance over 6-month period through USB propagation
  • UN assessment shows potential compromise of emergency convoy planning affecting vulnerable population safety

Minute 50 (Escalation):

  • International intelligence confirms multiple humanitarian organizations experiencing similar nation-state targeting during conflict
  • Refugee data damage assessment reveals vulnerable population information and field logistics transferred to foreign intelligence
  • Field security concerns about aid operations in adversary hands during humanitarian crisis

Minute 55 (Stakeholder Pressure):

  • Dr. Volkov faces UN inquiry about convoy timeline and refugee data protection
  • Captain Shaw must coordinate international reporting under humanitarian security requirements
  • Elena Marchenko reports aid staff morale concerns and field worker safety implications

Minute 65 (Final Pressure):

  • UN coordination office considering whether convoy can proceed given nation-state compromise
  • Intelligence services require comprehensive incident report and remediation verification
  • International agencies assess humanitarian implications of refugee data in adversary hands during conflict

Response Options for Final Resolution

Option A: Complete Nation-State Elimination & International Security Demonstration

  • Actions: Full humanitarian system rebuild with international intelligence verification, comprehensive refugee data damage assessment, transparent UN coordination
  • Business Impact: Significant convoy delay (3-4 weeks) but maintains long-term international relationships and humanitarian credibility
  • Humanitarian Impact: Demonstrates responsible aid organization incident management and vulnerable population protection
  • Learning Focus: Understanding nation-state sophistication and humanitarian obligations to refugee safety and international trust

Option B: Verified Remediation & Accelerated Convoy Recovery

  • Actions: Complete confirmed worm removal with international intelligence oversight, targeted refugee data security verification, expedited UN notification
  • Business Impact: Moderate convoy delay (1-2 weeks) with intensive coordination to resume humanitarian operations
  • Humanitarian Impact: Balances convoy requirements with intelligence investigation needs and vulnerable population safety
  • Learning Focus: Navigating international cooperation while maintaining critical refugee assistance capabilities

Option C: Risk Acceptance & Enhanced Monitoring Approach

  • Actions: Document residual nation-state risk, implement enhanced humanitarian monitoring, maintain convoy schedule with security caveats
  • Business Impact: Minimal convoy delay but potential long-term field security concerns and vulnerable population risks
  • Humanitarian Impact: May violate international cooperation requirements and affect refugee protection during conflict
  • Learning Focus: Understanding consequences of inadequate response to nation-state targeting of humanitarian operations

Victory Conditions

Technical Victory:

  • Complete nation-state worm removal from humanitarian systems with preservation of intelligence evidence
  • Refugee data and aid coordination security verified, preventing further unauthorized nation-state access
  • Foreign espionage infrastructure analyzed, providing intelligence on humanitarian targeting and vulnerable population exploitation

Business Victory:

  • Emergency convoy coordination protected through secure forensic handling and international intelligence cooperation
  • Humanitarian operations maintained through professional incident response and international trust demonstration
  • Field security obligations demonstrated, preventing vulnerable population compromise and donor relationship damage

Learning Victory:

  • Team understands sophisticated nation-state espionage capabilities and humanitarian organization targeting during conflict
  • Participants recognize targeting of vulnerable populations and ethical implications of refugee data theft
  • Group demonstrates coordination between cybersecurity response and humanitarian protection requirements

Debrief Topics (15-20 min)

  1. Nation-State Sophistication: How did Litter Drifter’s USB propagation enable months of undetected humanitarian surveillance during refugee crisis?

  2. Humanitarian Targeting: Why do nation-state adversaries target organizations supporting Ukrainian refugees during active conflict?

  3. International Cooperation Obligations: What UN coordination and intelligence cooperation requirements apply to refugee data compromise?

  4. Ethical Impact Balance: How do you weigh emergency convoy urgency against comprehensive security investigation when vulnerable populations are at risk?

  5. Long-term Implications: What field security and humanitarian consequences result from refugee intelligence in adversary hands during conflict?


Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Nation-State Detection (30-35 min)

Open Investigation Framework

Detective Investigation Options:

  • Analyze USB device forensics for nation-state malware indicators and humanitarian organization targeting mechanisms
  • Investigate aid coordination network logs for unauthorized refugee data access patterns during conflict
  • Research Litter Drifter attribution and known humanitarian organization targeting campaigns
  • Examine digital forensics for foreign intelligence collection and vulnerable population data exfiltration methods

Protector System Analysis Options:

  • Assess humanitarian workstation security for systematic refugee data theft indicators
  • Evaluate aid coordination system integrity and field logistics protection during crisis response
  • Monitor USB propagation patterns affecting multiple humanitarian organization workstations
  • Review field security controls for nation-state persistence mechanisms

Tracker Network Investigation Options:

  • Trace command and control infrastructure for nation-state espionage network identification targeting aid operations
  • Analyze exfiltration patterns for refugee data and Ukrainian assistance targeting
  • Investigate network traffic for conflict zone intelligence collection coordination
  • Map foreign intelligence infrastructure connections to known adversary humanitarian targeting operations

Communicator Stakeholder Interviews:

  • Interview aid workers about suspicious USB behavior during convoy planning and refugee assistance
  • Coordinate with Dr. Volkov on emergency convoy priorities and UN expectations
  • Consult with Captain Shaw on field security requirements and vulnerable population implications
  • Engage Ambassador Chen on international cooperation protocols and humanitarian intelligence coordination

NPC Interactions (Realistic Conflicts)

Dr. Anna Volkov (Operations Director):

  • Priority: Maintain emergency convoy schedule - refugee safety depends on Wednesday departure
  • Concern: UN inquiry about security posture and refugee data protection during conflict
  • Conflict: Pushes for humanitarian continuity approach to avoid convoy delays affecting vulnerable populations
  • Information: Convoy represents critical humanitarian response for Ukrainian refugees in desperate need

Captain David Shaw (Field Security Manager):

  • Priority: Field worker safety and vulnerable population protection requirements for refugee data compromise
  • Concern: Aid organization security implications and international trust during intelligence investigation
  • Conflict: Demands comprehensive international investigation regardless of convoy timeline impact
  • Information: Intelligence agencies have specific protocols for foreign espionage incidents affecting humanitarian operations

Elena Marchenko (Refugee Services Coordinator):

  • Priority: Humanitarian staff safety and refugee assistance work continuity during conflict
  • Concern: USB security practices and potential exposure of vulnerable population data
  • Conflict: Caught between convoy pressure and field security review concerns
  • Information: Staff have been using USB devices for refugee data sharing for months - standard aid practice

Ambassador Patricia Chen (International Relations Officer):

  • Priority: Evidence preservation for international intelligence investigation and humanitarian protection
  • Concern: Diplomatic implications of Ukrainian refugee operation targeting and UN coordination compromise
  • Conflict: International investigation requirements may conflict with humanitarian continuity needs
  • Information: Intelligence indicates coordinated nation-state campaign targeting multiple aid organizations during conflict

Round 1 Pressure Events

Minute 10: Security alert - additional humanitarian workstations showing USB propagation indicators during forensic investigation

Minute 20: UN coordination office requests immediate status report on convoy security and refugee data protection

Minute 25: International intelligence notification requirement triggers - humanitarian reporting deadline in 24 hours for vulnerable population compromise

Round 1 Facilitation Questions

  • “What forensic evidence do you need before determining the scope of nation-state surveillance of refugee operations?”
  • “How do you assess whether vulnerable population data has been exfiltrated to foreign intelligence?”
  • “What immediate containment actions balance emergency convoy urgency with intelligence preservation?”
  • “How do you coordinate with multiple stakeholders who have conflicting but legitimate humanitarian priorities?”

Round 2: Refugee Data Compromise Assessment (40-50 min)

Open Investigation Continuation

Detective Deep Dive:

  • Conduct comprehensive forensic timeline of nation-state surveillance and refugee data access during conflict
  • Analyze foreign intelligence collection targeting Ukrainian refugee operations and humanitarian coordination
  • Investigate vulnerable population data exposed through systematic espionage during crisis
  • Examine USB propagation vectors and nation-state persistence across humanitarian organizations

Protector Impact Analysis:

  • Assess humanitarian system compromise extent affecting refugee assistance capabilities and field logistics
  • Evaluate field security controls failures enabling months of undetected surveillance during conflict
  • Review USB device management practices and aid coordination network segmentation
  • Analyze potential vulnerable population security impact of refugee data in adversary hands

Tracker Intelligence Correlation:

  • Map nation-state command infrastructure to known foreign intelligence operations targeting aid organizations
  • Correlate exfiltration timing with conflict events and Ukrainian refugee crisis escalation
  • Investigate multi-target humanitarian organization patterns indicating coordinated campaign
  • Analyze threat intelligence for Litter Drifter attribution and humanitarian targeting objectives

Communicator Crisis Management:

  • Coordinate UN notification and emergency convoy implications
  • Manage international intelligence reporting and humanitarian investigation cooperation
  • Address aid staff field security concerns and morale during investigation
  • Facilitate international agency coordination for vulnerable population assessment

NPC Evolution (Escalating Conflicts)

Dr. Volkov (Under UN Pressure):

  • New Development: UN coordination officer questions whether convoy can proceed given nation-state compromise
  • Escalated Concern: Refugee assistance at risk - vulnerable population safety depends on convoy success
  • Increased Conflict: Demands clear timeline for security verification to salvage Wednesday convoy or minimize delay
  • Critical Information: International donors considering alternative aid organizations if Global Relief cannot ensure secure operations

Captain Shaw (Field Security Crisis):

  • New Development: Intelligence services initiate formal refugee data compromise investigation
  • Escalated Concern: Field worker safety at stake with vulnerable population data in adversary hands
  • Increased Conflict: International reporting requires disclosure of full refugee data exposure
  • Critical Information: Similar incidents at other aid organizations resulted in field operation suspensions and trust damage

Elena Marchenko (Aid Staff Under Pressure):

  • New Development: Staff facing questions about USB device usage and refugee data handling during conflict
  • Escalated Concern: Team morale collapsing - fear of field worker safety and career damage affecting productivity
  • Increased Conflict: Defensive about standard humanitarian practices - “this is how aid work happens” mentality
  • Critical Information: Multiple staff received suspicious USB devices from “trusted” humanitarian contacts

Ambassador Chen (Geopolitical Intelligence):

  • New Development: Intelligence confirms refugee data and aid logistics found on nation-state networks
  • Escalated Concern: Ukrainian refugee operations systematically targeted - diplomatic implications for humanitarian partnerships
  • Increased Conflict: International investigation taking priority over humanitarian continuity - evidence preservation critical
  • Critical Information: Nation-state adversaries now have intelligence on vulnerable population locations and humanitarian operations

Round 2 Pressure Events

Minute 45: Intelligence investigation discovers refugee data on foreign intelligence networks - confirmed vulnerable population information transfer

Minute 55: UN security officials arrive for humanitarian damage assessment and field security posture review

Minute 65: International assessment indicates potential compromise of multiple Ukrainian refugee operations across aid sector

Minute 70: Media reports about nation-state targeting of humanitarian organizations - public relations concerns about Global Relief security practices

Round 2 Facilitation Questions

  • “Now that refugee data is confirmed in adversary hands, how does this change your humanitarian response strategy?”
  • “What field security implications exist for vulnerable populations compromised by nation-state espionage during conflict?”
  • “How do you balance aid staff morale and field worker safety concerns with comprehensive intelligence investigation?”
  • “What long-term international relationship implications result from inadequate response to nation-state targeting of humanitarian operations?”

Round 3: Strategic Resolution & UN Coordination (40-50 min)

Final Investigation & Resolution

Detective Final Analysis:

  • Complete nation-state attribution and humanitarian organization targeting pattern analysis
  • Document comprehensive forensic evidence for intelligence investigation and vulnerable population assessment
  • Assess long-term field security implications of refugee data in foreign hands during conflict
  • Develop lessons learned for humanitarian USB security and aid coordination network protection

Protector Security Restoration:

  • Implement complete nation-state worm removal with international intelligence verification
  • Rebuild humanitarian environment with enhanced field security controls
  • Establish ongoing monitoring for nation-state persistence and USB propagation
  • Verify refugee data security for potential emergency convoy resumption

Tracker Threat Intelligence:

  • Provide comprehensive foreign intelligence infrastructure analysis to international agencies
  • Document conflict zone targeting patterns affecting Ukrainian refugee operations
  • Support attribution assessment for diplomatic and humanitarian response coordination
  • Share aid sector threat intelligence with UN partners

Communicator Strategic Coordination:

  • Finalize UN notification and emergency convoy status resolution
  • Complete international intelligence reporting and humanitarian investigation cooperation
  • Address field security implications and aid staff recovery planning
  • Coordinate public relations response to media coverage of nation-state targeting

Final NPC Resolutions

Dr. Volkov (Strategic Decision):

Requires team to present recommendation on emergency convoy status:

  • Can convoy coordination proceed with security verification?
  • What timeline is realistic for secure refugee data restoration?
  • How does Global Relief demonstrate ongoing security commitment to UN partners?
  • What humanitarian impact results from nation-state compromise affecting vulnerable populations?

Captain Shaw (Security Verification):

Demands comprehensive incident resolution documentation:

  • Complete refugee data exposure assessment for international reporting
  • Field worker safety status for vulnerable population protection restoration
  • Field security controls improvement plan for ongoing humanitarian operations
  • Intelligence investigation cooperation and evidence delivery to international agencies

Elena Marchenko (Team Recovery):

Seeks clarity on aid staff future:

  • What field security implications exist for staff who used compromised USB devices?
  • How does Global Relief support team recovery from investigation stress during conflict?
  • What new refugee data handling procedures prevent future nation-state targeting?
  • Can aid staff credibility be restored with UN and international partners?

Ambassador Chen (Humanitarian Assessment):

Provides final international intelligence context:

  • Nation-state campaign confirmed targeting 10+ humanitarian organizations supporting Ukrainian refugees
  • Refugee data compromise provides adversaries intelligence on vulnerable population locations during conflict
  • Humanitarian response requires coordination between aid sector, intelligence community, and UN agencies
  • Global Relief response quality affects broader humanitarian sector security posture and international partnerships

Round 3 Pressure Events

Minute 85: UN makes final decision on convoy coordination - requires team recommendation with security justification

Minute 95: Intelligence services complete assessment - field security and vulnerable population safety depend on incident response quality

Minute 105: International agencies coordinate with Ukrainian refugee partners - humanitarian implications of data compromise

Minute 110: Aid sector briefing scheduled - Global Relief experience becomes case study for nation-state threat awareness during conflict

Victory Condition Assessment

Technical Victory Indicators:

Business Victory Indicators:

Learning Victory Indicators:

Debrief Topics (20-25 min)

  1. Nation-State APT Sophistication:
    • How did Litter Drifter’s USB propagation enable months of undetected humanitarian surveillance during refugee crisis?
    • What aid organization targeting patterns indicate coordinated nation-state campaign?
    • Why is attribution important for humanitarian and diplomatic response?
  2. Humanitarian Organization Security Obligations:
    • What international intelligence coordination and UN cooperation requirements apply?
    • How do field security processes protect vulnerable population data?
    • What intelligence agency oversight ensures humanitarian security during conflict?
  3. Ethical Context:
    • Why do nation-state adversaries target Ukrainian refugee operations and humanitarian assistance?
    • What strategic advantage do adversaries gain from refugee data compromise during conflict?
    • How do hybrid warfare operations integrate cyber espionage targeting vulnerable populations?
  4. Humanitarian-Security Balance:
    • How do you weigh emergency convoy urgency against comprehensive security investigation?
    • What long-term international relationship implications result from incident response quality?
    • When is it appropriate to accept convoy delays for vulnerable population protection?
  5. USB Security in Humanitarian Environments:
    • What makes USB devices particularly dangerous in aid organization settings during conflict?
    • How should refugee data systems handle removable media given espionage risks?
    • What technical controls and user training prevent nation-state USB propagation?
  6. Lessons for Real-World IR:
    • How do nation-state incidents differ from criminal malware in humanitarian investigation requirements?
    • What makes aid organization incidents unique compared to commercial or government sectors?
    • When should cybersecurity teams escalate to intelligence agencies and UN coordination?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Remove Reference Materials:

  • No access to Malmon compendium for Litter Drifter technical details
  • Must recall nation-state behavior patterns and humanitarian targeting from training
  • Test knowledge of UN coordination and international cooperation protocols during conflict
  • Challenge players to remember USB propagation mechanisms and APT persistence techniques

Add Red Herrings:

  • Legitimate humanitarian aid work causing false positive USB activity alerts
  • Routine refugee data transfers appearing as suspicious exfiltration in convoy coordination logs
  • Authorized UN security audit traffic resembling nation-state command and control
  • Standard international partner coordination emails flagged as potential intelligence collection

Ambiguous Containment Scenarios:

  • Forensic evidence suggests possible nation-state removal but residual indicators persist
  • Conflicting intelligence about whether refugee data was fully exfiltrated
  • Uncertain timeline of initial compromise during conflict - may predate current logging
  • Multiple potential nation-state adversaries with similar targeting - attribution uncertain

Incomplete Information Challenges:

  • Humanitarian system logs missing critical periods due to field operation constraints
  • Some aid worker systems lack adequate monitoring - compromise scope uncertain during conflict
  • Intelligence investigation ongoing - vulnerable population impact intelligence not yet available
  • UN security assessment delayed - must make critical decisions without full humanitarian impact analysis

Deep Coordination Requirements:

  • Must justify all intelligence decisions with incomplete refugee data exposure information
  • Navigate conflicting stakeholder priorities without clear UN guidance
  • Coordinate with international intelligence while evidence collection continues
  • Balance humanitarian reporting requirements with ongoing forensic investigation needs

Advanced Challenge Scenario Variants

Variant A: Multi-Actor Attribution Challenge

  • Evidence suggests both Russian and other nation-state activity in humanitarian environment
  • Must distinguish between Litter Drifter (Russian) and other APT operations
  • Humanitarian response depends on accurate attribution - diplomatic implications significant
  • Some USB devices may be from hostile actors testing aid organization security during conflict

Variant B: Field Coordination Compromise Complexity

  • USB devices traced to “trusted” UN partner communications - potential coordination compromise
  • Must assess whether compromise affects multiple aid organizations beyond Global Relief
  • International partners considering alternative coordination - decision depends on investigation findings
  • Humanitarian sector coordination required for global threat mitigation during conflict

Variant C: Insider Threat Dimension

  • Some aid staff have connections to conflict zone - background investigation concerns
  • Intelligence cannot rule out insider facilitation of nation-state access
  • Field worker trust adjudication depends on incident response team’s assessment
  • Must balance investigation of potential insider threats with humanitarian team morale

Variant D: Active Field Operations

  • Refugee data already being used in ongoing humanitarian coordination - operational security critical
  • Compromise may affect active field operations - urgent vulnerable population assessment required
  • UN partners considering emergency coordination changes - humanitarian implications during conflict
  • Field commanders demand immediate clarity on refugee data compromise scope

Advanced NPC Complications

Dr. Volkov (Competing Pressures):

  • Receiving conflicting guidance from UN coordination and donor agencies
  • Personal reputation at stake - career humanitarian project now under intelligence investigation
  • Professional legacy affected by incident resolution - credibility concerns in aid sector
  • May pressure team for conclusions that support humanitarian continuity over security thoroughness

Captain Shaw (Field Security Stress):

  • Under intense UN security scrutiny - Global Relief security posture under international review
  • Responsible for aid organization security that enabled months of undetected nation-state surveillance
  • Career implications if organization loses UN credibility or field operation authorization due to incident
  • May become overly risk-averse and demand excessive security measures disrupting humanitarian operations

Elena Marchenko (Under Investigation):

  • Personal humanitarian role questioned pending intelligence investigation completion
  • Defensive about aid practices - fears career damage and field worker safety concerns
  • May withhold information about USB usage that could compromise colleagues
  • Potential insider threat concern adds complexity to stakeholder coordination

Ambassador Chen (Conflicting Missions):

  • Intelligence investigation priorities may conflict with team’s incident response needs
  • Cannot share all classified intelligence about conflict zone context and nation-state operations
  • Pressure from multiple international agencies with different investigation objectives and timelines
  • May request team actions that serve intelligence collection but complicate humanitarian resolution

Advanced Pressure Events

Minute 25: Forensic analysis reveals possible second nation-state actor - attribution becomes complex

Minute 50: Aid staff representatives demand evidence of insider threat accusations before questioning

Minute 75: Media leak of information about vulnerable population targeting - public pressure for rapid resolution

Minute 100: UN partners request intelligence sharing about refugee data compromise affecting field operations

Minute 125: Intelligence service preliminary findings question Global Relief field authorization eligibility

Minute 140: Investigation discovers refugee data on dark web - wider exposure than expected during conflict

Advanced Facilitation Challenges

If Team Oversimplifies Attribution:

“Ambassador Chen shows you traffic analysis suggesting multiple nation-state actors with different objectives. How do you distinguish between Russian Litter Drifter operations and other APT activity when humanitarian response depends on accurate attribution?”

If Team Ignores Insider Threat Indicators:

“Captain Shaw must report to UN security about aid staff with conflict zone connections who had access to compromised systems. How do you investigate potential insider facilitation without destroying team morale or assuming guilt?”

If Team Rushes to Conclusions:

“Dr. Volkov is pushing for a quick resolution to salvage the convoy timeline, but forensic evidence remains incomplete with critical log gaps. How do you justify intelligence decisions when the scope of the refugee data compromise is uncertain?”

If Team Neglects Humanitarian Context:

“The UN coordination office is requesting intelligence about what vulnerable population data has been compromised, but the investigation hasn’t completed attribution. How does your incident response affect refugee safety and international partnerships during conflict?”

Advanced Debrief Topics (30-35 min)

  1. Attribution Complexity in Nation-State Incidents:
    • How do you distinguish between multiple APT actors with similar techniques during a humanitarian crisis?
    • Why is attribution critical for humanitarian, diplomatic, and aid sector response?
    • What forensic evidence supports or contradicts attribution conclusions?
    • When is “we’re not sure” an acceptable answer vs. avoiding responsibility?
  2. Insider Threat in Humanitarian Environments:
    • How do you investigate potential insider involvement without assuming guilt during conflict?
    • What intelligence indicators suggest deliberate facilitation vs. exploitation?
    • How do field security processes balance security concerns with humanitarian mission?
    • What organizational culture factors enable or prevent insider threats in aid work?
  3. Decision-Making Under Uncertainty:
    • How do you make critical security decisions with incomplete forensic evidence during a crisis?
    • What level of confidence is required before UN notification or international reporting?
    • How do you communicate uncertainty to stakeholders demanding definitive answers?
    • When should investigation continue vs. implementing response with imperfect information?
  4. Humanitarian Sector Interdependencies:
    • How do individual organization incidents affect sector-wide security posture during conflict?
    • What information sharing obligations exist between aid organizations for threat intelligence?
    • How do field coordination compromises complicate attribution and remediation?
    • What role does UN coordination play in orchestrating humanitarian response?
  5. Balancing Speed vs. Thoroughness:
    • When is rapid incident resolution appropriate vs. comprehensive investigation during a humanitarian crisis?
    • How do refugee assistance pressures affect incident response quality and long-term security?
    • What are the consequences of premature “all clear” declarations in APT incidents affecting vulnerable populations?
    • How do you manage stakeholder expectations when thoroughness requires time?
  6. Real-World Nation-State Response Lessons:
    • What actual humanitarian organization nation-state incidents inform this scenario?
    • How have real incidents balanced field operational needs with security response?
    • What aid sector changes resulted from high-profile nation-state compromises?
    • How do humanitarian environments create unique challenges compared to other sectors?