Litter Drifter Scenario: News Media Network

Independent Media Network: News organization, 150 journalists, covering international conflicts
APT • LitterDrifter
STAKES
Press freedom + Source protection + Information integrity + Journalist safety
HOOK
Independent Media is reporting on conflict zones when newsroom systems are infected by USB malware specifically targeting journalists covering Ukrainian conflicts. Nation-state espionage worm is collecting intelligence on news sources, journalist communications, and editorial operations to influence information warfare.
PRESSURE
Major investigative report publishes Thursday - intelligence collection threatens source protection and press freedom
FRONT • 150 minutes • Expert
NPCs
  • Editor-in-Chief Alexandra Kuznetsova: Leading conflict reporting with nation-state surveillance affecting journalist operations
  • Cybersecurity Consultant Mark Thompson: Investigating targeting of media organizations and source protection systems
  • Investigative Journalist Sofia Petrov: Reporting intelligence collection affecting confidential sources and news operations
  • Digital Security Trainer Dr. Michael Rodriguez: Assessing journalist safety and digital security in hostile environments
SECRETS
  • Journalists received USB devices containing nation-state espionage malware targeting media coverage of Ukrainian conflicts
  • Foreign intelligence has systematic surveillance of news operations and confidential source communications
  • Investigative reports and journalist sources have been systematically compromised through targeted media espionage

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter Media Network Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter Media Network Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Independent Media Network

News organization, 150 journalists, covering international conflicts

Key Assets At Risk:

  • Press freedom
  • Source protection
  • Information integrity
  • Journalist safety

Business Pressure

Major investigative report publishes Thursday - intelligence collection threatens source protection and press freedom

Cultural Factors

  • Journalists received USB devices containing nation-state espionage malware targeting media coverage of Ukrainian conflicts
  • Foreign intelligence has systematic surveillance of news operations and confidential source communications
  • Investigative reports and journalist sources have been systematically compromised through targeted media espionage

Opening Presentation

“It’s Monday morning at Independent Media Network, and the news organization is finalizing a major investigative report scheduled to publish Thursday covering Ukrainian conflict zones and international relations. But cybersecurity consultants have discovered something alarming: USB malware specifically targeting journalists covering Ukrainian conflicts. This isn’t random malware - it’s a sophisticated nation-state espionage worm propagating through removable media, systematically collecting intelligence on news sources, journalist communications, and editorial operations to influence information warfare.”

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “USB devices automatically spreading espionage malware targeting journalists covering Ukrainian conflict reporting”
  • “News source communications being accessed through nation-state surveillance operations”
  • “Investigative reports and journalist contacts showing signs of unauthorized foreign intelligence collection”
  • “Network traffic indicating systematic exfiltration of newsroom operations to nation-state command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state USB-propagating worm targeting media organizations
  • Newsroom network analysis shows geopolitical targeting of Ukrainian conflict coverage and journalist operations
  • Intelligence timeline indicates months of undetected foreign surveillance of news sources and editorial planning

Protector System Analysis:

  • Journalist workstation monitoring reveals systematic intelligence collection through USB propagation targeting confidential sources
  • Editorial system assessment shows unauthorized nation-state access to investigative reports and source communications
  • Media network security analysis indicates coordinated campaign targeting multiple news organizations covering conflicts

Tracker Network Investigation:

  • Command and control traffic analysis reveals nation-state espionage infrastructure targeting press operations
  • Information warfare patterns suggest strategic coordination of journalist surveillance supporting foreign propaganda objectives
  • Media communication analysis indicates systematic nation-state targeting of Ukrainian conflict reporting and press freedom

Communicator Stakeholder Interviews:

  • Journalist interviews reveal suspicious USB behavior during conflict reporting and confidential source coordination
  • Coordination with press freedom organizations regarding potential compromise of source protection and editorial independence
  • Digital security coordination with other media organizations experiencing similar targeting and surveillance operations

Mid-Scenario Pressure Points:

  • Hour 1: Press freedom organizations discover potential compromise of investigative reporting affecting source protection and journalist safety
  • Hour 2: Intelligence assessment reveals evidence of nation-state targeting of Ukrainian conflict coverage for information warfare
  • Hour 3: Confidential source information and journalist communications found on nation-state intelligence networks affecting press operations
  • Hour 4: Media security assessment indicates potential compromise of multiple news organizations requiring coordinated response

Evolution Triggers:

  • If investigation reveals source data transfer, press freedom obligations and journalist safety are compromised
  • If nation-state surveillance continues, adversaries maintain persistent access for long-term media intelligence collection supporting information warfare
  • If investigative report theft is confirmed, editorial independence and press freedom are severely compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete nation-state worm removal from newsroom systems with preservation of intelligence evidence
  • Source protection and journalist communication security verified preventing further unauthorized nation-state access
  • Foreign espionage infrastructure analysis provides intelligence on coordinated media targeting and information warfare objectives

Business Success Indicators:

  • Major investigative report protected through secure forensic handling and source protection coordination
  • Editorial operations maintained through professional incident response demonstrating commitment to press freedom
  • Press freedom obligations demonstrated preventing intimidation effects and protecting journalist safety

Learning Success Indicators:

  • Team understands sophisticated nation-state espionage capabilities and media organization targeting through USB propagation
  • Participants recognize targeting of press freedom and ethical implications of source protection compromise
  • Group demonstrates coordination between cybersecurity response and journalist safety requirements for news organizations

Common IM Facilitation Challenges:

If Nation-State Sophistication Is Underestimated:

“Your USB malware removal is progressing, but Dr. Rodriguez discovered that nation-state adversaries have been systematically monitoring journalists for months through geopolitical targeting. How does sophisticated foreign surveillance change your source protection approach?”

If Press Freedom Implications Are Ignored:

“While you’re cleaning infected systems, Alexandra needs to know: have confidential sources and investigative reports been transferred to nation-state adversaries? How do you coordinate cybersecurity response with press freedom obligations and journalist safety?”

If Information Warfare Impact Is Overlooked:

“Sofia just learned that source communications and editorial planning may be in nation-state hands affecting information integrity. How do you assess the press freedom impact of stolen journalist intelligence supporting information warfare?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish nation-state media espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing targeting of journalism and source protection implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of media organization espionage challenges. Use the full set of NPCs to create realistic investigative reporting and press freedom pressures. The two rounds allow discovery of source compromise and information warfare targeting, raising stakes. Debrief can explore balance between cybersecurity response and journalist safety coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing investigative publication, source protection, press freedom obligations, and journalist safety. The three rounds allow for full narrative arc including nation-state discovery, source compromise impact assessment, and press freedom coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate journalist communications causing false positives). Make containment ambiguous, requiring players to justify source protection decisions with incomplete intelligence about geopolitical targeting. Remove access to reference materials to test knowledge recall of nation-state behavior and press freedom principles. Include deep coordination with press freedom organizations and information warfare implications.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal sophisticated nation-state USB-propagating worm (Litter Drifter) targeting Independent Media Network journalist workstations covering Ukrainian conflicts. Security analysis shows foreign intelligence systematically collecting source communications through USB devices affecting newsroom operations during information warfare. Journalists report USB malware spreading automatically during investigative report development affecting source protection and editorial independence.”

Clue 2 (Minute 10): “Intelligence timeline indicates nation-state surveillance maintained for months through targeted USB devices distributed to journalists covering conflict zones. Command and control traffic analysis reveals information warfare infrastructure coordinating multi-target media intelligence collection supporting foreign propaganda objectives. Editorial system assessment shows unauthorized access to investigative reports and confidential source communications affecting press freedom and journalist safety.”

Clue 3 (Minute 15): “Press freedom investigation discovers confidential source information and journalist communications on nation-state intelligence networks confirming source protection compromise affecting editorial operations. Digital security coordination reveals potential compromise of investigative reporting threatening press operations and information integrity. Intelligence assessment indicates coordinated nation-state targeting of multiple news organizations requiring immediate response and press freedom coordination.”


Pre-Defined Response Options

Option A: Emergency Newsroom Isolation & Press Freedom Coordination

  • Action: Immediately isolate compromised journalist systems from USB propagation, coordinate comprehensive intelligence investigation with press freedom organizations, conduct source protection damage assessment, implement emergency security protocols for investigative report protection.
  • Pros: Completely eliminates nation-state worm preventing further source intelligence theft through USB propagation; demonstrates responsible press freedom incident management; maintains editorial independence through transparent source protection coordination.
  • Cons: Newsroom system isolation disrupts investigative report publication affecting press operations; intelligence investigation requires extensive press freedom coordination; damage assessment may reveal significant source compromise affecting journalist safety.
  • Type Effectiveness: Super effective against APT malmon type; complete nation-state worm removal prevents continued media surveillance and source intelligence theft through USB propagation.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve intelligence evidence while remediating confirmed compromised systems, conduct targeted source protection damage assessment, coordinate selective press freedom notification, implement enhanced monitoring while maintaining editorial operations.
  • Pros: Balances investigative report requirements with intelligence investigation; protects critical newsroom operations; enables focused source protection response.
  • Cons: Risks continued nation-state surveillance in undetected USB propagation locations; selective remediation may miss coordinated targeting; forensic requirements may delay source protection and publication operations.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate nation-state presence through USB propagation; delays complete newsroom security restoration and source protection.

Option C: Editorial Continuity & Phased Security Response

  • Action: Implement emergency secure investigative reporting environment isolated from USB threats, phase nation-state worm removal by editorial priority, establish enhanced media monitoring, coordinate gradual press freedom notification while maintaining publication operations.
  • Pros: Maintains critical investigative report timeline protecting press freedom and information integrity; enables continued newsroom operations; supports controlled press freedom coordination.
  • Cons: Phased approach extends nation-state surveillance timeline through continued USB propagation; emergency operations may not prevent continued source intelligence theft; gradual notification delays may violate press freedom requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes editorial operations over complete nation-state elimination through USB propagation; doesn’t guarantee source protection or journalist safety.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Nation-State Discovery & Source Protection Assessment (35-40 min)

Investigation Clues (Time-Stamped)

Minute 0-5 (Opening):

  • Security alert: USB devices showing automated propagation behavior targeting journalist workstations covering Ukrainian conflict
  • News source communications accessed through unauthorized means during investigative report preparations
  • Network traffic patterns indicating potential data exfiltration to foreign command infrastructure during information warfare

Minute 10 (Detective Path):

  • Digital forensics identify sophisticated USB-propagating worm (Litter Drifter) with nation-state tradecraft targeting media organizations
  • Malware designed specifically to target journalists covering Ukrainian conflict reporting and press operations
  • Timeline analysis reveals potential months of undetected presence during investigative journalism work

Minute 15 (Protector Path):

  • Journalist workstation monitoring reveals systematic file access patterns targeting confidential sources and investigative reports
  • Editorial system logs show unauthorized data collection from newsroom operations servers
  • USB propagation patterns indicate coordinated campaign affecting multiple news organizations

Minute 20 (Tracker Path):

  • Command and control infrastructure analysis reveals nation-state espionage network with information warfare objectives
  • Exfiltration patterns suggest intelligence collection focused on Ukrainian conflict coverage and press freedom operations
  • Network traffic correlates with known foreign intelligence operations targeting media organizations

Minute 25 (Communicator Path):

  • Investigative Journalist Sofia Petrov reports suspicious USB behavior during conflict reporting over past 3 months
  • Cybersecurity Consultant Mark Thompson identifies potential foreign intelligence collection affecting source protection
  • Editor-in-Chief Alexandra expresses urgent concern about publication schedule and press freedom notification requirements

Response Options (With Detailed Trade-offs)

Option A: Emergency Newsroom Isolation & Full Press Freedom Coordination

  • Immediate Actions: Isolate all compromised journalist systems, initiate comprehensive intelligence investigation with press freedom organizations, conduct source protection damage assessment
  • Timeline Impact: Investigative report delayed 2-3 weeks for complete forensic analysis and security verification
  • Stakeholder Reactions:
    • Alexandra Kuznetsova: Concerned about publication timeline but supports source protection priority and editorial independence
    • Mark Thompson: Strongly supports comprehensive intelligence investigation and journalist safety coordination
    • Dr. Rodriguez: Emphasizes complete evidence preservation for press freedom investigation and source protection
  • Type Effectiveness: SUPER EFFECTIVE - Complete APT removal prevents continued nation-state surveillance and source intelligence theft

Option B: Forensic Preservation & Targeted Remediation

  • Immediate Actions: Preserve intelligence evidence, remediate confirmed compromised systems, conduct targeted source protection damage assessment
  • Timeline Impact: Partial publication delay (5-7 days) while maintaining critical editorial operations
  • Stakeholder Reactions:
    • Alexandra Kuznetsova: Appreciates balance between publication requirements and security response
    • Sofia Petrov: Can continue critical investigative work with enhanced monitoring
    • Dr. Rodriguez: Concerned about potential nation-state surveillance in undetected locations
  • Type Effectiveness: MODERATELY EFFECTIVE - Reduces nation-state presence but may not achieve complete elimination

Option C: Editorial Continuity & Phased Security Response

  • Immediate Actions: Implement emergency secure reporting environment, phase worm removal by editorial priority, establish enhanced monitoring
  • Timeline Impact: Minimal publication delay (1-2 days) with ongoing security remediation during newsroom operations
  • Stakeholder Reactions:
    • Alexandra Kuznetsova: Strongly supports maintaining publication schedule and press freedom timeline
    • Mark Thompson: Serious concerns about inadequate intelligence response and source protection
    • Dr. Rodriguez: Warns that phased approach may violate press freedom coordination requirements
  • Type Effectiveness: PARTIALLY EFFECTIVE - Prioritizes editorial operations over complete nation-state elimination

Round 1 Pressure Events

Minute 15: Press freedom organizations request status update on publication security and source protection

Minute 25: Digital security community initiates inquiry about potential journalist data compromise affecting press operations

Minute 30: Alexandra receives call from editorial board - investigative report has critical importance for public information and press freedom

Round 1 Facilitation Questions

  • “How do you balance investigative publication urgency against comprehensive intelligence investigation requirements?”
  • “What source protection exposure assessment is needed before press freedom notification?”
  • “How does nation-state targeting of Ukrainian conflict coverage affect your editorial response strategy?”
  • “What press freedom obligations apply to this foreign intelligence collection incident affecting journalists?”

Round 1 Transition to Round 2

Based on team’s chosen response path…

If Emergency Isolation Chosen: “Your emergency newsroom isolation has halted nation-state surveillance, but forensic analysis is revealing the extent of source protection exposure. Press freedom investigation has discovered something alarming about the scope of journalist communications theft and information warfare targeting…”

If Targeted Remediation Chosen: “Your forensic preservation is protecting critical evidence, but continued monitoring is detecting ongoing nation-state activity in unexpected newsroom locations. Dr. Rodriguez has discovered intelligence indicating systematic targeting of multiple news organizations during conflict…”

If Editorial Continuity Chosen: “Your secure reporting environment is maintaining publication schedule, but Mark Thompson has identified serious source protection concerns. Intelligence is revealing that confidential source communications may already be in nation-state hands…”


Round 2: Source Compromise Impact & Press Freedom Coordination (35-45 min)

Investigation Clues (Time-Stamped)

Minute 40 (Critical Discovery):

  • Intelligence investigation reveals confidential source communications and investigative reports found on nation-state intelligence networks
  • Forensic timeline indicates systematic newsroom operations surveillance over 6-month period through USB propagation
  • Press freedom assessment shows potential compromise of investigative reporting affecting journalist safety and editorial independence

Minute 50 (Escalation):

  • Digital security intelligence confirms multiple news organizations experiencing similar nation-state targeting
  • Source protection damage assessment reveals journalist communications and confidential source information transferred to foreign intelligence
  • Editorial security raises concerns about press operations material being in adversary hands during information warfare

Minute 55 (Stakeholder Pressure):

  • Alexandra faces editorial board inquiry about publication timeline and source protection
  • Mark Thompson must coordinate press freedom reporting under journalist safety requirements
  • Sofia Petrov reports newsroom staff morale concerns and source trust implications

Minute 65 (Final Pressure):

  • Editorial board considering whether publication can proceed given nation-state compromise
  • Press freedom organizations require comprehensive incident report and remediation verification
  • Digital security organizations assess press freedom implications of source data in adversary hands

Response Options for Final Resolution

Option A: Complete Nation-State Elimination & Press Freedom Demonstration

  • Actions: Full newsroom system rebuild with press freedom organization verification, comprehensive source protection damage assessment, transparent coordination
  • Business Impact: Significant publication delay (3-4 weeks) but maintains long-term source trust and editorial credibility
  • Press Freedom Impact: Demonstrates responsible journalism incident management and source protection commitment
  • Learning Focus: Understanding nation-state sophistication and media obligations to journalist safety and press freedom

Option B: Verified Remediation & Accelerated Publication Recovery

  • Actions: Complete confirmed worm removal with press freedom oversight, targeted source protection security verification, expedited notification
  • Business Impact: Moderate publication delay (1-2 weeks) with intensive coordination to resume editorial operations
  • Press Freedom Impact: Balances publication requirements with intelligence investigation needs and source protection
  • Learning Focus: Navigating press freedom principles while maintaining critical investigative reporting capabilities

Option C: Risk Acceptance & Enhanced Monitoring Approach

  • Actions: Document residual nation-state risk, implement enhanced newsroom monitoring, maintain publication schedule with security caveats
  • Business Impact: Minimal publication delay but potential long-term source trust concerns and journalist safety risks
  • Press Freedom Impact: May violate press freedom coordination requirements and affect source protection
  • Learning Focus: Understanding consequences of inadequate response to nation-state targeting of press operations

Victory Conditions

Technical Victory:

  • Complete nation-state worm removal from newsroom systems with preservation of intelligence evidence
  • Source protection and journalist communication security verified preventing further unauthorized nation-state access
  • Foreign espionage infrastructure analyzed providing intelligence on media targeting and information warfare

Business Victory:

  • Investigative report protected through secure forensic handling and press freedom coordination
  • Editorial operations maintained through professional incident response and source trust demonstration
  • Press freedom obligations demonstrated preventing intimidation effects and protecting journalist safety

Learning Victory:

  • Team understands sophisticated nation-state espionage capabilities and media organization targeting
  • Participants recognize targeting of press freedom and ethical implications of source protection compromise
  • Group demonstrates coordination between cybersecurity response and journalist safety requirements

Debrief Topics (15-20 min)

  1. Nation-State Sophistication: How did Litter Drifter’s USB propagation enable months of undetected newsroom surveillance during conflict coverage?

  2. Press Freedom Targeting: Why do nation-state adversaries target journalists covering Ukrainian conflicts for information warfare?

  3. Source Protection Obligations: What press freedom coordination and journalist safety requirements apply to source data compromise?

  4. Editorial Ethics Balance: How do you weigh investigative publication urgency against comprehensive security investigation when source protection is at risk?

  5. Long-term Implications: What press freedom and journalist safety consequences result from source intelligence in adversary hands?


Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Nation-State Detection (30-35 min)

Open Investigation Framework

Detective Investigation Options:

  • Analyze USB device forensics for nation-state malware indicators and media organization targeting mechanisms
  • Investigate newsroom network logs for unauthorized source communication access patterns
  • Research Litter Drifter attribution and known media organization targeting campaigns
  • Examine digital forensics for foreign intelligence collection and journalist surveillance methods

Protector System Analysis Options:

  • Assess journalist workstation security for systematic source data theft indicators
  • Evaluate editorial system integrity and investigative report protection
  • Monitor USB propagation patterns affecting multiple newsroom workstations
  • Review press freedom security controls for nation-state persistence mechanisms

Tracker Network Investigation Options:

  • Trace command and control infrastructure for nation-state espionage network identification targeting press operations
  • Analyze exfiltration patterns for source communications and Ukrainian conflict coverage targeting
  • Investigate network traffic for information warfare intelligence collection coordination
  • Map foreign intelligence infrastructure connections to known adversary media targeting operations

Communicator Stakeholder Interviews:

  • Interview journalists about suspicious USB behavior during conflict reporting and source coordination
  • Coordinate with Alexandra on investigative publication priorities and editorial board expectations
  • Consult with Mark Thompson on journalist safety requirements and source protection implications
  • Engage Dr. Rodriguez on press freedom protocols and media intelligence coordination

NPC Interactions (Realistic Conflicts)

Alexandra Kuznetsova (Editor-in-Chief):

  • Priority: Maintain investigative report schedule - press freedom depends on Thursday publication
  • Concern: Editorial board inquiry about security posture and source protection during information warfare
  • Conflict: Pushes for editorial continuity approach to avoid publication delays affecting press freedom
  • Information: Investigative report represents critical journalism exposing conflict zone human rights violations

Mark Thompson (Cybersecurity Consultant):

  • Priority: Journalist safety and source protection requirements for newsroom data compromise
  • Concern: Media organization security implications and press freedom trust during intelligence investigation
  • Conflict: Demands comprehensive investigation regardless of publication timeline impact
  • Information: Intelligence agencies have protocols for foreign espionage incidents affecting press operations

Sofia Petrov (Investigative Journalist):

  • Priority: Newsroom staff safety and investigative work continuity
  • Concern: USB security practices and potential exposure of confidential source communications
  • Conflict: Caught between publication pressure and source protection concerns
  • Information: Journalists have been using USB devices for source document transfers for months - standard press practice

Dr. Michael Rodriguez (Digital Security Trainer):

  • Priority: Evidence preservation for press freedom investigation and journalist protection
  • Concern: Information warfare implications of Ukrainian conflict coverage targeting and source compromise
  • Conflict: Press freedom investigation requirements may conflict with editorial continuity needs
  • Information: Intelligence indicates coordinated nation-state campaign targeting multiple news organizations

Round 1 Pressure Events

Minute 10: Security alert - additional journalist workstations showing USB propagation indicators during forensic investigation

Minute 20: Press freedom organizations request immediate status report on publication security and source protection

Minute 25: Digital security notification requirement is triggered - press freedom reporting deadline for the journalist compromise is in 24 hours

Round 1 Facilitation Questions

  • “What forensic evidence do you need before determining the scope of nation-state surveillance of press operations?”
  • “How do you assess whether confidential source communications have been exfiltrated to foreign intelligence?”
  • “What immediate containment actions balance investigative publication urgency with source protection preservation?”
  • “How do you coordinate with multiple stakeholders who have conflicting but legitimate press freedom priorities?”

Round 2: Source Data Compromise Assessment (40-50 min)

Open Investigation Continuation

Detective Deep Dive:

  • Conduct comprehensive forensic timeline of nation-state surveillance and source communication access
  • Analyze foreign intelligence collection targeting Ukrainian conflict coverage and newsroom operations
  • Investigate confidential source data exposed through systematic espionage
  • Examine USB propagation vectors and nation-state persistence across news organizations

Protector Impact Analysis:

  • Assess newsroom system compromise extent affecting investigative capabilities and source protection
  • Evaluate editorial security controls failures enabling months of undetected surveillance
  • Review USB device management practices and newsroom network segmentation
  • Analyze potential journalist safety impact of source communications in adversary hands

Tracker Intelligence Correlation:

  • Map nation-state command infrastructure to known foreign intelligence operations targeting media
  • Correlate exfiltration timing with conflict events and Ukrainian coverage escalation
  • Investigate multi-target news organization patterns indicating coordinated campaign
  • Analyze threat intelligence for Litter Drifter attribution and information warfare objectives

Communicator Crisis Management:

  • Coordinate press freedom notification and investigative publication implications
  • Manage digital security reporting and journalist safety investigation cooperation
  • Address newsroom staff source trust concerns and morale during investigation
  • Facilitate press freedom organization coordination for journalist safety assessment

NPC Evolution (Escalating Conflicts)

Alexandra Kuznetsova (Under Editorial Pressure):

  • New Development: Editorial board questions whether publication can proceed given nation-state compromise
  • Escalated Concern: Press freedom at risk - public information mission depends on investigative report publication
  • Increased Conflict: Demands clear timeline for security verification to salvage Thursday publication or minimize delay
  • Critical Information: News organizations considering whether Independent Media can maintain source trust if security inadequate

Mark Thompson (Source Protection Crisis):

  • New Development: Press freedom organizations initiate formal source protection compromise investigation
  • Escalated Concern: Journalist safety at stake with confidential source communications in adversary hands
  • Increased Conflict: Press freedom reporting requires disclosure of full source data exposure
  • Critical Information: Similar incidents at other news organizations resulted in source trust damage and journalist intimidation

Sofia Petrov (Newsroom Staff Under Pressure):

  • New Development: Journalists facing concerns about USB device usage and source communication handling
  • Escalated Concern: Team morale collapsing - fear of source betrayal and career damage affecting productivity
  • Increased Conflict: Defensive about standard journalism practices - “this is how investigative reporting works” mentality
  • Critical Information: Multiple journalists received suspicious USB devices from “trusted” media contacts

Dr. Rodriguez (Information Warfare Intelligence):

  • New Development: Intelligence confirms confidential source communications found on nation-state networks
  • Escalated Concern: Ukrainian conflict coverage systematically targeted - information warfare implications for press freedom
  • Increased Conflict: Press freedom investigation taking priority over editorial continuity - evidence preservation critical
  • Critical Information: Nation-state adversaries now have intelligence on journalist sources and investigative operations

Round 2 Pressure Events

Minute 45: Intelligence investigation discovers source communications on foreign intelligence networks - confirmed confidential information transfer

Minute 55: Press freedom organization officials arrive for journalist safety damage assessment and security posture review

Minute 65: Digital security assessment indicates potential compromise of multiple Ukrainian conflict coverage operations across media sector

Minute 70: Media reports about nation-state targeting of press operations - public relations concerns about Independent Media security practices

Round 2 Facilitation Questions

  • “Now that source communications are confirmed in adversary hands, how does this change your editorial response strategy?”
  • “What journalist safety implications exist for confidential sources compromised by nation-state espionage?”
  • “How do you balance newsroom staff morale and source trust concerns with comprehensive intelligence investigation?”
  • “What long-term press freedom implications result from inadequate response to nation-state targeting of journalism?”

Round 3: Strategic Resolution & Press Freedom Coordination (40-50 min)

Final Investigation & Resolution

Detective Final Analysis:

  • Complete nation-state attribution and media organization targeting pattern analysis
  • Document comprehensive forensic evidence for press freedom investigation and journalist safety assessment
  • Assess long-term source protection implications of confidential communications in foreign hands
  • Develop lessons learned for newsroom USB security and editorial network protection

Protector Security Restoration:

  • Implement complete nation-state worm removal with press freedom organization verification
  • Rebuild newsroom environment with enhanced journalist safety controls
  • Establish ongoing monitoring for nation-state persistence and USB propagation
  • Verify source protection security for potential investigative publication resumption
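To make "USB propagation indicators" concrete for the Protector role, the following is an added Python example; it is not part of the scenario materials or of any Malmon compendium entry. It runs over constructed workstation telemetry and flags the chain the scenario describes: a Windows script host executing a file from a just-mounted removable drive, the same host then launching a script from a user-writable local path (the copy-off-the-USB step that precedes persistence), and the first indicator recurring on more than one workstation, which is the propagation signal the Round 1 pressure event refers to. The log format, host names, file paths, timings and the time window are all constructed assumptions; real Sysmon or EDR exports need their own parser. The modelled behaviour (script host running VBScript from a USB volume, then from a local staging path) follows public reporting on Litter Drifter, but the exact image list and window are tuning assumptions, not facts from the scenario.

```python
"""Flag USB-borne script execution chains across newsroom workstations.

Added example for the tabletop scenario (not scenario or project code).
Constructed log format: `timestamp|host|event|detail`, with two event kinds:
  usb_insert   detail = drive letter the removable volume mounted as ("E:")
  proc_create  detail = image;parent;command line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Script hosts commonly used to run payloads from removable media (assumption: tune per estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Window after a removable volume mounts in which execution from it is suspect (assumption).
WINDOW = timedelta(minutes=10)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")
# User-writable locations a worm typically copies itself to before persisting.
USER_STAGING = ("\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed sample telemetry (not real data): ws-news-03 only opens a document from USB.
SAMPLE_LOG = r"""
2024-05-06T09:01:12|ws-news-07|usb_insert|E:
2024-05-06T09:01:40|ws-news-07|proc_create|explorer.exe;userinit.exe;explorer.exe
2024-05-06T09:02:05|ws-news-07|proc_create|wscript.exe;explorer.exe;wscript.exe //e:vbscript E:\docs.lnk.vbs
2024-05-06T09:02:06|ws-news-07|proc_create|wscript.exe;wscript.exe;wscript.exe C:\Users\sp\AppData\Roaming\trash.vbs
2024-05-06T10:15:00|ws-news-12|usb_insert|F:
2024-05-06T10:16:30|ws-news-12|proc_create|wscript.exe;explorer.exe;wscript.exe F:\notes.vbs
2024-05-06T11:00:00|ws-news-03|usb_insert|E:
2024-05-06T11:00:45|ws-news-03|proc_create|winword.exe;explorer.exe;winword.exe E:\interview_notes.docx
2024-05-06T13:30:00|ws-news-03|proc_create|wscript.exe;svchost.exe;wscript.exe C:\ProgramData\backup.vbs
"""


def parse_log(text):
    """Parse the constructed format into time-ordered event dicts; unknown kinds are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        if kind == "usb_insert":
            ev["drive"] = detail.strip().upper()[0]
        elif kind == "proc_create":
            image, parent, cmdline = detail.split(";", 2)
            ev.update(image=image.lower(), parent=parent.lower(), cmdline=cmdline)
        else:
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_usb_script_executions(events):
    """Script-host launches whose command line references a removable drive mounted
    on the same host within WINDOW before the launch."""
    recent_mounts = defaultdict(dict)  # host -> drive letter -> mount time
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "usb_insert":
            recent_mounts[host][ev["drive"]] = ev["ts"]
            continue
        if ev["image"] not in SCRIPT_HOSTS:
            continue
        for letter in DRIVE_RE.findall(ev["cmdline"]):
            mounted = recent_mounts[host].get(letter.upper())
            if mounted and timedelta(0) <= ev["ts"] - mounted <= WINDOW:
                findings.append({"host": host, "ts": ev["ts"], "drive": letter.upper(),
                                 "cmdline": ev["cmdline"],
                                 "indicator": "script_host_from_removable_media"})
    return findings


def find_local_staging(events, usb_findings):
    """Script-host launches from a user-writable local path shortly after a
    removable-media execution on the same host (worm copied off the USB)."""
    first_hits = defaultdict(list)
    for f in usb_findings:
        first_hits[f["host"]].append(f["ts"])
    findings = []
    for ev in events:
        if ev["kind"] != "proc_create" or ev["image"] not in SCRIPT_HOSTS:
            continue
        cmd = ev["cmdline"].lower()
        if not any(marker in cmd for marker in USER_STAGING):
            continue
        if any(timedelta(0) <= ev["ts"] - t0 <= WINDOW for t0 in first_hits.get(ev["host"], [])):
            findings.append({"host": ev["host"], "ts": ev["ts"], "cmdline": ev["cmdline"],
                             "indicator": "local_script_staging_after_usb_exec"})
    return findings


def assess_propagation(usb_findings):
    """Same removable-media indicator on two or more hosts suggests worm spread, not a one-off."""
    hosts = sorted({f["host"] for f in usb_findings})
    return {"hosts": hosts, "multi_host": len(hosts) >= 2}


def triage(text):
    events = parse_log(text)
    usb = find_usb_script_executions(events)
    return {"usb_script_exec": usb,
            "local_staging": find_local_staging(events, usb),
            "propagation": assess_propagation(usb)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["usb_script_exec"] + result["local_staging"]:
        print(f"{f['ts']:%H:%M:%S} {f['host']:<12} {f['indicator']}: {f['cmdline']}")
    print("propagation:", result["propagation"])
```

On the constructed sample, ws-news-07 and ws-news-12 are flagged for script execution from a freshly mounted USB volume, ws-news-07 additionally for the local staging copy, and the two-host overlap sets the propagation flag; ws-news-03 is not flagged, because opening a document from removable media is the legitimate practice Sofia Petrov describes and only the script-host chain is treated as an indicator.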

Tracker Threat Intelligence:

  • Provide comprehensive foreign intelligence infrastructure analysis to press freedom organizations
  • Document information warfare targeting patterns affecting Ukrainian conflict coverage
  • Support attribution assessment for diplomatic and press freedom response coordination
  • Share media sector threat intelligence with journalism partners

Communicator Strategic Coordination:

  • Finalize press freedom notification and investigative publication status resolution
  • Complete digital security reporting and journalist safety investigation cooperation
  • Address source trust implications and newsroom staff recovery planning
  • Coordinate public relations response to media coverage of nation-state targeting

Final NPC Resolutions

Alexandra Kuznetsova (Strategic Decision):

Requires team to present recommendation on investigative publication status:

  • Can publication proceed with security verification?
  • What timeline is realistic for secure source protection restoration?
  • How does Independent Media demonstrate ongoing security commitment to sources and press freedom?
  • What press freedom impact results from nation-state compromise affecting investigative journalism?

Mark Thompson (Security Verification):

Demands comprehensive incident resolution documentation:

  • Complete source protection exposure assessment for press freedom reporting
  • Journalist safety status for confidential source protection restoration
  • Editorial security controls improvement plan for ongoing newsroom operations
  • Press freedom investigation cooperation and evidence delivery to digital security organizations

Sofia Petrov (Team Recovery):

Seeks clarity on newsroom staff future:

  • What source trust implications exist for journalists who used compromised USB devices?
  • How does Independent Media support team recovery from investigation stress?
  • What new source communication handling procedures prevent future nation-state targeting?
  • Can journalist credibility be restored with confidential sources and press freedom organizations?

Dr. Rodriguez (Press Freedom Assessment):

Provides final information warfare context:

  • Nation-state campaign confirmed targeting 15+ news organizations covering Ukrainian conflicts
  • Source communication compromise provides adversaries intelligence for journalist intimidation during information warfare
  • Press freedom response requires coordination between media sector, intelligence community, and journalism organizations
  • Independent Media response quality affects broader press sector security posture and source trust

Round 3 Pressure Events

Minute 85: Editorial board makes final decision on publication - requires team recommendation with security justification

Minute 95: Press freedom organizations complete assessment - journalist safety and source trust depend on incident response quality

Minute 105: Digital security organizations coordinate with journalism partners - press freedom implications of source compromise

Minute 110: Media sector briefing scheduled - Independent Media experience becomes case study for nation-state threat awareness

Victory Condition Assessment

Technical Victory Indicators:

Business Victory Indicators:

Learning Victory Indicators:

Debrief Topics (20-25 min)

  1. Nation-State APT Sophistication:
    • How did Litter Drifter’s USB propagation enable months of undetected newsroom surveillance?
    • What media organization targeting patterns indicate coordinated information warfare campaign?
    • Why is attribution important for press freedom and diplomatic response?
  2. Journalism Security Obligations:
    • What press freedom coordination and journalist safety requirements apply?
    • How do source protection processes protect confidential communications?
    • What digital security oversight ensures media security during information warfare?
  3. Information Warfare Context:
    • Why do nation-state adversaries target journalists covering Ukrainian conflicts?
    • What strategic advantage do adversaries gain from source communication compromise?
    • How do hybrid warfare operations integrate cyber espionage targeting press freedom?
  4. Editorial-Security Balance:
    • How do you weigh investigative publication urgency against comprehensive security investigation?
    • What long-term source trust implications result from incident response quality?
    • When is it appropriate to accept publication delays for source protection?
  5. USB Security in Newsroom Environments:
    • What makes USB devices particularly dangerous in media organization settings?
    • How should source communication systems handle removable media given espionage risks?
    • What technical controls and journalist training prevent nation-state USB propagation?
  6. Lessons for Real-World IR:
    • How do nation-state incidents differ from criminal malware in journalism investigation requirements?
    • What makes media organization incidents unique compared to other sectors?
    • When should cybersecurity teams escalate to intelligence agencies and press freedom organizations?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Remove Reference Materials:

  • No access to Malmon compendium for Litter Drifter technical details
  • Must recall nation-state behavior patterns and media targeting from training
  • Test knowledge of press freedom principles and journalist safety protocols
  • Challenge players to remember USB propagation mechanisms and APT persistence techniques

Add Red Herrings:

  • Legitimate investigative journalism causing false positive USB activity alerts
  • Routine source communication transfers appearing as suspicious exfiltration in editorial logs
  • Authorized digital security audit traffic resembling nation-state command and control
  • Standard journalism collaboration emails flagged as potential intelligence collection

Ambiguous Containment Scenarios:

  • Forensic evidence suggests possible nation-state removal but residual indicators persist
  • Conflicting intelligence about whether source communications were fully exfiltrated
  • Uncertain timeline of initial compromise - may predate current newsroom logging
  • Multiple potential nation-state adversaries with similar targeting - attribution uncertain

Incomplete Information Challenges:

  • Newsroom system logs missing critical periods due to editorial operation constraints
  • Some journalist systems lack adequate monitoring - compromise scope uncertain
  • Press freedom investigation ongoing - source protection impact intelligence not yet available
  • Editorial board security assessment delayed - must make critical decisions without full journalist safety analysis

Deep Coordination Requirements:

  • Must justify all press freedom decisions with incomplete source communication exposure information
  • Navigate conflicting stakeholder priorities without clear editorial guidance
  • Coordinate with digital security while evidence collection continues
  • Balance press freedom reporting requirements with ongoing forensic investigation needs

Advanced Challenge Scenario Variants

Variant A: Multi-Actor Attribution Challenge

  • Evidence suggests both Russian and other nation-state activity in newsroom environment
  • Must distinguish between Litter Drifter (Russian) and other APT operations
  • Press freedom response depends on accurate attribution - diplomatic implications significant
  • Some USB devices may be from hostile actors testing media organization security

Variant B: Editorial Coordination Compromise Complexity

  • USB devices traced to “trusted” journalism partner communications - potential coordination compromise
  • Must assess whether compromise affects multiple news organizations beyond Independent Media
  • Press freedom partners considering alternative coordination - decision depends on investigation findings
  • Media sector coordination required for journalism-wide threat mitigation

Variant C: Insider Threat Dimension

  • Some newsroom staff have connections to conflict zone - background investigation concerns
  • Intelligence cannot rule out insider facilitation of nation-state access
  • Journalist trust adjudication depends on incident response team’s assessment
  • Must balance investigation of potential insider threats with newsroom team morale

Variant D: Active Editorial Operations

  • Source communications already being used in ongoing investigative coordination - operational security critical
  • Compromise may affect active journalism operations - urgent source protection assessment required
  • Press freedom partners considering emergency coordination changes - editorial implications
  • Journalism organizations demand immediate clarity on source communication compromise scope

Advanced NPC Complications

Alexandra Kuznetsova (Competing Pressures):

  • Receiving conflicting guidance from editorial board and press freedom organizations
  • Personal reputation at stake - career journalism project now under intelligence investigation
  • Professional legacy affected by incident resolution - credibility concerns in media sector
  • May pressure team for conclusions that support editorial continuity over security thoroughness

Mark Thompson (Source Protection Stress):

  • Under intense press freedom scrutiny - Independent Media security posture under journalism review
  • Responsible for newsroom security that enabled months of undetected nation-state surveillance
  • Career implications if organization loses source trust or journalist safety authorization
  • May become overly risk-averse and demand excessive security measures disrupting editorial operations

Sofia Petrov (Under Investigation):

  • Personal journalism role questioned pending press freedom investigation completion
  • Defensive about investigative practices - fears source betrayal and career damage
  • May withhold information about USB usage that could compromise colleagues
  • Potential insider threat concern adds complexity to stakeholder coordination

Dr. Rodriguez (Conflicting Missions):

  • Press freedom investigation priorities may conflict with team’s incident response needs
  • Cannot share all intelligence about information warfare context and nation-state operations
  • Pressure from multiple digital security organizations with different investigation objectives
  • May request team actions that serve intelligence collection but complicate editorial resolution

Advanced Pressure Events

Minute 25: Forensic analysis reveals possible second nation-state actor - attribution becomes complex

Minute 50: Newsroom staff representatives demand evidence of insider threat accusations before questioning

Minute 75: Media leaked information about source protection targeting - public pressure for rapid resolution

Minute 100: Press freedom partners request intelligence sharing about source compromise affecting journalism operations

Minute 125: Digital security preliminary findings question Independent Media source trust eligibility

Minute 140: Investigation discovers source communications on dark web - wider exposure than expected

Advanced Facilitation Challenges

If Team Oversimplifies Attribution:

“Dr. Rodriguez shows you traffic analysis suggesting multiple nation-state actors with different objectives. How do you distinguish between Russian Litter Drifter operations and other APT activity when press freedom response depends on accurate attribution?”

If Team Ignores Insider Threat Indicators:

“Mark Thompson must report to press freedom organizations about newsroom staff with conflict zone connections who had access to compromised systems. How do you investigate potential insider facilitation without destroying team morale or assuming guilt?”

If Team Rushes to Conclusions:

“Alexandra is pushing for quick resolution to salvage publication timeline, but forensic evidence remains incomplete with critical log gaps. How do you justify press freedom decisions when source communication compromise scope is uncertain?”

If Team Neglects Press Freedom Context:

“Press freedom organizations are requesting intelligence about what confidential source data has been compromised, but investigation hasn’t completed attribution. How does your incident response affect journalist safety and source trust?”

Advanced Debrief Topics (30-35 min)

  1. Attribution Complexity in Nation-State Incidents:
    • How do you distinguish between multiple APT actors with similar techniques during information warfare?
    • Why is attribution critical for press freedom, diplomatic, and media sector response?
    • What forensic evidence supports or contradicts attribution conclusions?
    • When is “we’re not sure” an acceptable answer vs. avoiding responsibility?
  2. Insider Threat in Journalism Environments:
    • How do you investigate potential insider involvement without assuming guilt?
    • What intelligence indicators suggest deliberate facilitation vs. exploitation?
    • How do source protection processes balance security concerns with press freedom mission?
    • What organizational culture factors enable or prevent insider threats in journalism?
  3. Decision-Making Under Uncertainty:
    • How do you make critical security decisions with incomplete forensic evidence?
    • What level of confidence is required before press freedom notification or reporting?
    • How do you communicate uncertainty to stakeholders demanding definitive answers?
    • When should investigation continue vs. implementing response with imperfect information?
  4. Media Sector Interdependencies:
    • How do individual organization incidents affect sector-wide security posture?
    • What information sharing obligations exist between news organizations for threat intelligence?
    • How do editorial coordination compromises complicate attribution and remediation?
    • What role does press freedom coordination play in orchestrating media response?
  5. Balancing Speed vs. Thoroughness:
    • When is rapid incident resolution appropriate vs. comprehensive investigation?
    • How do publication pressures affect incident response quality and long-term security?
    • What are the consequences of premature “all clear” declarations in APT incidents affecting sources?
    • How do you manage stakeholder expectations when thoroughness requires time?
  6. Real-World Nation-State Response Lessons:
    • What actual media organization nation-state incidents inform this scenario?
    • How have real incidents balanced editorial operational needs with security response?
    • What journalism sector changes resulted from high-profile nation-state compromises?
    • How do newsroom environments create unique challenges compared to other sectors?