Poison Ivy Scenario: Supply Chain Software Infiltration

SecureFlow Systems: Software development company, 320 employees, providing supply chain management software to Fortune 500 companies
APT • Poison Ivy
STAKES
Customer trust + Supply chain integrity + Intellectual property + Software integrity
HOOK
SecureFlow develops critical supply chain management software used by major manufacturers, retailers, and logistics companies. Sophisticated attackers have compromised its development environment through advanced remote access techniques and are injecting malicious code into software updates destined for hundreds of customer organizations. The attack uses cloud-based command and control and fileless execution to maintain persistent access while poisoning the software supply chain.
PRESSURE
Customer panic about supply chain security - any compromise could affect global commerce and manufacturing
FRONT • 90 minutes • Intermediate
NPCs
  • Development Manager Sarah Kim (DevSecOps): Discovering that the software build pipeline has been compromised by malicious code injection affecting customer deployments
  • Chief Technology Officer Marcus Rodriguez (Cloud Architecture): Investigating sophisticated command and control infrastructure that hides behind legitimate cloud services and CDNs
  • Customer Success Director Jennifer Chen (Fortune 500 Relations): Managing customer communications as major clients discover potential compromise in their supply chain management systems
  • Security Architect Alex Thompson (Threat Response): Finding evidence of advanced persistent access using PowerShell, WMI, and legitimate system administration tools
SECRETS
  • Development environment compromise through vendor email account takeover and social engineering
  • Malicious code injection into software updates using legitimate development tools and processes
  • Command and control infrastructure disguised as legitimate cloud storage and content delivery networks

Scenario Details for IMs

Opening Presentation

“You’re at SecureFlow Systems, a software company that provides supply chain management solutions to hundreds of Fortune 500 companies. Your development team has discovered unusual activity in the software build environment - code repositories show unauthorized changes, and your automated deployment systems have been modified. Security analysis reveals sophisticated remote access tools that have compromised your development pipeline. Worse, malicious code may have already been deployed to customer organizations through recent software updates.”

Initial Symptoms to Present:

  • “Software build systems showing unauthorized modifications and suspicious automated processes”
  • “Remote access tools using legitimate cloud services and system administration utilities”
  • “Code repositories containing unauthorized changes that bypass normal development approval processes”
  • “Customer reports of unusual behavior in recently deployed software updates”

Key Discovery Paths:

Detective Investigation Leads:

  • Software forensics reveal malicious code injection into legitimate development processes
  • Build pipeline analysis shows compromise of automated deployment and code signing systems
  • Attack vector analysis discovers initial compromise through targeted social engineering of development staff
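
Added example, not part of the original scenario card: a Python script an IM can hand to the Detective players as an evidence prop for the two leads above. It audits the release branch for commits that bypassed normal review (no approval record, self-approval, or an author outside the company's mail domain) and checks a shipped update package against the hash the CI job recorded at build time. All names, e-mail addresses, commit SHAs and package bytes are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: commits on the release branch as `git log` would
# list them, plus the approval records exported from the code-review system.
# SHAs, people and domains are hypothetical.
@dataclass
class Commit:
    sha: str
    author_email: str
    subject: str


@dataclass
class Approval:
    sha: str
    approver_email: str


RELEASE_COMMITS = [
    Commit("a1b2c3d", "skim@secureflow.example", "Fix shipment ETA rounding"),
    Commit("e4f5a6b", "build-bot@secureflow.example", "Bump version to 4.2.1"),
    # Pushed straight to the release branch: no review record, external author.
    Commit("9c8d7e6", "ops@vendor-mail.example", "Update telemetry helper"),
    Commit("0f1e2d3", "athompson@secureflow.example", "Refactor config loader"),
]

APPROVALS = [
    Approval("a1b2c3d", "mrodriguez@secureflow.example"),
    Approval("e4f5a6b", "skim@secureflow.example"),
    # Self-approval: the reviewer is the author of the change.
    Approval("0f1e2d3", "athompson@secureflow.example"),
]

TRUSTED_DOMAINS = {"secureflow.example"}


def audit_release_branch(commits, approvals, trusted_domains):
    """Return (sha, reason) pairs for commits that bypassed normal review.

    A commit is flagged when it has no approval record, when its approver is
    its own author, or when the author's mail domain is not trusted. A commit
    can collect more than one finding.
    """
    approvals_by_sha = {a.sha: a for a in approvals}
    findings = []
    for c in commits:
        approval = approvals_by_sha.get(c.sha)
        if approval is None:
            findings.append((c.sha, "no review record"))
        elif approval.approver_email == c.author_email:
            findings.append((c.sha, "self-approved"))
        domain = c.author_email.rsplit("@", 1)[-1]
        if domain not in trusted_domains:
            findings.append((c.sha, f"author domain {domain} not trusted"))
    return findings


# Artifact integrity: the hash the CI job recorded at build time must match
# the package actually offered to customers. A mismatch means the package was
# altered after the build, or the manifest itself was tampered with.
GOOD_PACKAGE = b"SecureFlow SCM 4.2.1 release bundle (constructed placeholder bytes)"
BUILD_MANIFEST = {"scm-4.2.1.zip": hashlib.sha256(GOOD_PACKAGE).hexdigest()}
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\n# injected loader stub"


def verify_artifact(name, data, manifest):
    """True only if the artifact's SHA-256 equals the hash recorded at build time."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for sha, reason in audit_release_branch(RELEASE_COMMITS, APPROVALS, TRUSTED_DOMAINS):
        print(f"FLAG {sha}: {reason}")
    print("good package matches manifest:",
          verify_artifact("scm-4.2.1.zip", GOOD_PACKAGE, BUILD_MANIFEST))
    print("tampered package matches manifest:",
          verify_artifact("scm-4.2.1.zip", TAMPERED_PACKAGE, BUILD_MANIFEST))
```

One caveat worth putting in the players' hands: the manifest check only catches tampering after the build. In this scenario the build pipeline itself is compromised, so a manifest written by that pipeline would vouch for the poisoned package. The stronger check is a reproducible rebuild from the audited commit on a clean host, compared against what customers received, or a signature made with a key the build system cannot reach.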

Protector System Analysis:

  • Development environment security assessment reveals persistent adversary access using legitimate tools
  • Code integrity analysis shows sophisticated supply chain poisoning techniques
  • Customer deployment security assessment reveals scope of potentially compromised software updates

Tracker Command and Control Analysis:

  • Network monitoring reveals use of legitimate cloud services for covert command and control
  • Software supply chain analysis discovers coordinated attack targeting multiple software vendors
  • Threat intelligence reveals broader campaign against software development companies

Communicator Customer Relations:

  • Fortune 500 customer notification about potential supply chain compromise in their production systems
  • Software integrity verification and emergency patch deployment coordination
  • Legal analysis for liability and regulatory compliance during supply chain security incident

Crisis Manager Business Continuity:

  • Software development process security review and emergency response procedures
  • Customer relationship management during active supply chain security investigation
  • Business impact assessment for potential loss of customer trust and market position

Evolution Triggers:

  • Intermediate → Advanced: Customer organizations report active malware infections from compromised software updates
  • Advanced → Critical: Multiple software vendors report similar supply chain compromises indicating coordinated campaign

Success Metrics:

  • Rapid identification and containment of development environment compromise
  • Effective customer communication and software integrity verification
  • Successful supply chain security incident response
  • Business continuity maintenance during supply chain investigation

Learning Objectives:

  • Software supply chain security and development environment protection
  • Advanced remote access techniques using legitimate cloud services
  • Supply chain incident response and customer communication
  • DevSecOps security integration and threat detection

Historical Context for IMs:

This scenario modernizes Poison Ivy, a remote access trojan first seen around 2005 that was widely used in targeted intrusions, including the 2011 breach of RSA. The contemporary version adapts it to modern software supply chain attacks, in which sophisticated adversaries compromise development environments to inject malicious code into software updates, reflecting the evolution from simple remote access to complex supply chain infiltration techniques.