IM Inject Deck: Winnti Biotech R&D Espionage

Print this deck before the session. One inject per page. IM notes are hidden when printed.


Inject 1 – T+0: Calibration Software Alert and Authentication Anomalies

Trigger: Overnight SOC alert batch escalated by on-call analyst at shift change.

“Your SOC analyst reports that 3 bioreactor calibration workstations started spawning unexpected child processes last night after the CaliSyncPro update. The same analyst flags that HANSEN-SAP-01 – which should be offline – is authenticating into your Azure cloud R&D environment right now.”

Artifact: Distribute Handout A: Supply Chain Evidence

Discussion Questions:

  • What is the first containment priority – the calibration workstations or the Azure authentication anomaly?
  • Who owns the decision to isolate HANSEN-SAP-01 given its Collaborative Bridge dependency?
  • What evidence must be preserved from the calibration workstations before isolation?

Conditional Branches:

  • Team isolates HANSEN-SAP-01 first: Collaborative Bridge connectivity drops temporarily but R&D cloud access is stabilized.
  • Team delays HANSEN-SAP-01 isolation: Additional Azure R&D resources are accessed by attacker credentials during the delay window.

IM Notes (hidden when printed):

  • Hint if stuck: “Which system provides the attacker their current active access – the calibration workstations or HANSEN-SAP-01? Where do you need to act first?”
  • Red flag: No owner is assigned for HANSEN-SAP-01 isolation within 10 minutes of discovery.
  • Success indicator: Incident command is established, isolation sequence is prioritized, and evidence preservation owner is assigned.

Inject 2 – T+20: Kernel Rootkit Discovered on HANSEN-SAP-01

Trigger: Security team completes hardware-assisted memory enumeration requested after Inject 1.

“Your forensics specialist reports: HANSEN-SAP-01 has a hidden kernel driver masking 5 processes. The driver is signed – but the certificate was revoked four months ago. Standard antivirus never saw it because the rootkit intercepted the file system queries. One of those hidden processes has an active connection to an external IP right now.”

Artifact: Distribute Handout B: Rootkit Forensic Artifacts

Discussion Questions:

  • Why did standard disk scans return clean while memory forensics reveals an active rootkit?
  • What must be preserved from this server before any isolation or decommission action?
  • Who needs to be notified now that nation-state kernel-level persistence is confirmed?

Conditional Branches:

  • Team preserves forensic artifacts before isolation: CFCS confirms the kernel driver matches indicators from a known supply chain campaign. Counterintelligence handoff is viable.
  • Team reimages without preservation: CFCS requests artifacts that no longer exist. Attribution and counterintelligence value is lost.

IM Notes (hidden when printed):

  • Hint if stuck: “The rootkit is active and network-connected right now. What do you need to preserve, and what do you need to do to cut the connection without destroying the evidence?”
  • Red flag: Team reimages HANSEN-SAP-01 without capturing memory image and kernel driver artifact.
  • Success indicator: Memory image and kernel driver artifact are preserved. CFCS notification decision is made. Certificate revocation investigation is initiated.
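  • Facilitator reference for the first discussion question (added example; this is not part of the original deck and not BioGenix tooling). A rootkit that hooks user-mode queries hides from the view antivirus and Task Manager use; one that unlinks its process object from the kernel's active-process list also hides from a linked-list walk of the memory image. Neither removes the structure from physical memory, so carving the image by pool tag still finds it. Comparing the views exposes both tricks, and joining the hidden processes with carved connection records shows which one to cut first. All PIDs, names, addresses and view names below are constructed for the exercise.

```python
"""Cross-view hidden-process detection over a memory image.

Added facilitator reference, not code from the deck or from BioGenix.
All PIDs, process names and addresses are constructed for the exercise.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: int


BASE = {
    Proc(4, "System", 0),
    Proc(608, "services.exe", 504),
    Proc(720, "lsass.exe", 504),
    Proc(1984, "svchost.exe", 608),
    Proc(3100, "sapstartsrv.exe", 608),
}
HIDDEN_DKOM = Proc(1337, "wuauhost.exe", 1984)  # unlinked from the active-process list
HIDDEN_HOOK = Proc(4420, "svchost.exe", 4)      # only user-mode enumeration is filtered
EXITED = Proc(5120, "conhost.exe", 3100)        # terminated; carved but not hidden

# Three enumerations of the same image (constructed).
VIEWS = {
    "api": BASE,                                          # user-mode API view (what AV saw)
    "pslist": BASE | {HIDDEN_HOOK},                       # kernel linked-list walk
    "psscan": BASE | {HIDDEN_DKOM, HIDDEN_HOOK, EXITED},  # pool-tag carve of the image
}
EXITED_PIDS = {5120}  # the carve reports an exit time for these; ignore them

# Connection records carved from the same image (constructed):
# (owner pid, local, remote, state)
NETSCAN = [
    (1984, "10.20.5.12:49701", "10.20.5.2:445", "ESTABLISHED"),
    (4420, "10.20.5.12:51233", "203.0.113.40:443", "ESTABLISHED"),
    (1337, "10.20.5.12:51890", "198.51.100.9:8443", "CLOSED"),
]
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(endpoint: str) -> bool:
    """True when the remote side is outside the constructed internal ranges."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL)


def hidden_processes(views, exited=frozenset()):
    """Processes absent from at least one view, mapped to the views that miss
    them. Missing from 'api' only: user-mode hooking. Missing from 'api' and
    'pslist' but carved by 'psscan': unlinked from the kernel list."""
    everything = set().union(*views.values())
    result = {}
    for p in sorted(everything, key=lambda x: x.pid):
        if p.pid in exited:
            continue
        missing = [name for name, seen in views.items() if p not in seen]
        if missing:
            result[p] = missing
    return result


def triage(views, netscan, exited=frozenset()):
    """Hidden processes ordered so that those with a live external connection
    come first: that connection is what has to be cut after the image and the
    driver are preserved, not before."""
    rows = []
    for p, missing in hidden_processes(views, exited).items():
        live = [c for c in netscan
                if c[0] == p.pid and c[3] == "ESTABLISHED" and is_external(c[2])]
        rows.append((p, missing, live))
    rows.sort(key=lambda r: (not r[2], r[0].pid))
    return rows


if __name__ == "__main__":
    for p, missing, live in triage(VIEWS, NETSCAN, EXITED_PIDS):
        print(f"pid {p.pid:5} {p.name:16} ppid {p.ppid:5} hidden from {missing}"
              + (f" LIVE -> {live[0][2]}" if live else ""))
```

    The exited-process filter matters: a carve of the image also returns terminated processes, and reporting those as "hidden" is the most common false positive in this technique.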

Inject 3 – T+45: Pass-the-Hash Confirmed via Collaborative Bridge

Trigger: VPN and Azure AD log correlation completed by network security team.

“Network forensics confirms it: the attacker used credentials harvested from HANSEN-SAP-01 to walk straight into your Azure R&D environment through the Collaborative Bridge. No interactive login. No MFA. A legacy exception in your Conditional Access policy let them straight through. They have had cloud R&D access for 3 months.”

Artifact: Distribute Handout C: Lateral Movement Log

Discussion Questions:

  • What does the absence of a preceding interactive logon tell you about how these credentials were obtained?
  • Which Azure R&D resources accessed by this account need immediate integrity review?
  • What policy gap allowed NTLM authentication to bypass Conditional Access?

Conditional Branches:

  • Team revokes credentials and closes policy gap quickly: Active attacker access to cloud R&D is terminated. Remaining investigation focuses on historical exfiltration scope.
  • Team delays credential revocation: Attacker maintains cloud R&D access during the delay. Additional GenixLibrary data is potentially accessed before cutoff.

IM Notes (hidden when printed):

  • Hint if stuck: “Three months of cloud R&D access through a legacy policy exception. Which resources were within reach of svc-rdbridge-admin – and does that scope match your current exfiltration estimate?”
  • Red flag: Team does not revoke svc-rdbridge-admin credentials and close the legacy auth exception immediately.
  • Success indicator: Credentials revoked, legacy auth exception closed, and scope of Azure resources accessed is documented.
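  • Facilitator reference for the first and third discussion questions (added example; not part of the original deck and not BioGenix tooling). It correlates on-prem logon events with cloud sign-in records: an NTLM network logon with no interactive logon by the same account from the same host beforehand means nobody typed a password, which is why hash replay is the leading explanation; a cloud sign-in by that account over a legacy protocol that passed on a single factor with Conditional Access not applied is the policy gap. A small policy check at the end shows where a "block legacy authentication" policy stops covering an account. Field names follow the Windows 4624 event and the Entra ID sign-in record; the events, hostnames, timestamps and policy are constructed for the exercise, and the set of legacy client names is an assumption.

```python
"""Pass-the-hash to cloud: correlate on-prem logons with Entra ID sign-ins.

Added facilitator reference, not code from the deck or from BioGenix.
Events, hosts, timestamps and the policy below are constructed.
"""
from datetime import datetime, timedelta

INTERACTIVE = {2, 10, 11}          # console, RDP, cached-credential interactive
LEGACY_CLIENTS = {"Other clients", "Exchange ActiveSync", "IMAP4", "POP3",
                  "Authenticated SMTP"}   # assumed clientAppUsed values for legacy auth

# Windows Security 4624 events (constructed).
WIN_LOGONS = [
    dict(ts="2026-03-09T07:55:10Z", account="m.olsen", logon_type=2,
         auth_pkg="Kerberos", src="WS-0210", dst="WS-0210"),
    dict(ts="2026-03-09T08:02:41Z", account="m.olsen", logon_type=3,
         auth_pkg="NTLM", src="WS-0210", dst="FS-RD-01"),  # NTLM fallback after a console logon
    dict(ts="2026-03-09T01:12:03Z", account="svc-rdbridge-admin", logon_type=3,
         auth_pkg="NTLM", src="HANSEN-SAP-01", dst="RDBRIDGE-GW-01"),  # nothing typed first
]

# Entra ID sign-in records (constructed).
ENTRA_SIGNINS = [
    dict(ts="2026-03-09T01:12:45Z", user="svc-rdbridge-admin", client_app="Other clients",
         auth_req="singleFactorAuthentication", ca_status="notApplied",
         resource="GenixLibrary API"),
    dict(ts="2026-03-09T08:33:02Z", user="m.olsen", client_app="Browser",
         auth_req="multiFactorAuthentication", ca_status="success",
         resource="GenixLibrary API"),
]

# A 'block legacy authentication' Conditional Access policy, trimmed to the
# fields this check reads (shape assumed, contents constructed).
CA_BLOCK_LEGACY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "users": {"includeUsers": ["All"], "excludeUsers": ["svc-rdbridge-admin"]},
    },
    "grantControls": {"builtInControls": ["block"]},
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ntlm_without_interactive(logons, lookback=timedelta(hours=12)):
    """NTLM network logons not preceded, within `lookback`, by an interactive
    logon of the same account from the same source host. Service accounts that
    never log on interactively also match, so treat the result as candidates."""
    out = []
    for e in logons:
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        t = parse(e["ts"])
        typed = any(o["account"] == e["account"] and o["src"] == e["src"]
                    and o["logon_type"] in INTERACTIVE
                    and t - lookback <= parse(o["ts"]) <= t for o in logons)
        if not typed:
            out.append(e)
    return out


def legacy_auth_signins(signins):
    """Cloud sign-ins over a legacy protocol that got in on one factor with
    Conditional Access never evaluated."""
    return [s for s in signins if s["client_app"] in LEGACY_CLIENTS
            and s["auth_req"] == "singleFactorAuthentication"
            and s["ca_status"] == "notApplied"]


def correlate(logons, signins, window=timedelta(minutes=15)):
    """Pair each candidate NTLM logon with legacy-auth cloud sign-ins by the
    same account inside `window` after it."""
    cloud = legacy_auth_signins(signins)
    findings = []
    for e in ntlm_without_interactive(logons):
        t = parse(e["ts"])
        hits = [s for s in cloud if s["user"] == e["account"]
                and t <= parse(s["ts"]) <= t + window]
        if hits:
            findings.append({"account": e["account"], "src": e["src"],
                             "onprem": e, "cloud": hits})
    return findings


def legacy_block_gaps(policy, accounts):
    """Accounts the block policy does not cover: everyone if it is disabled,
    omits 'other' clients or does not block; otherwise the excluded users."""
    cond = policy["conditions"]
    if (policy["state"] != "enabled" or "other" not in cond["clientAppTypes"]
            or "block" not in policy["grantControls"]["builtInControls"]):
        return set(accounts)
    return {a for a in accounts if a in cond["users"]["excludeUsers"]}


if __name__ == "__main__":
    for f in correlate(WIN_LOGONS, ENTRA_SIGNINS):
        print(f"{f['account']} from {f['src']}: NTLM logon {f['onprem']['ts']}, "
              f"legacy cloud sign-in to {f['cloud'][0]['resource']} at {f['cloud'][0]['ts']}")
    print("not covered by legacy-auth block:",
          legacy_block_gaps(CA_BLOCK_LEGACY, {"svc-rdbridge-admin", "m.olsen"}))
```

    The m.olsen entries show why the interactive-logon check is needed: NTLM fallback after a normal console logon is routine and must not be flagged, while the service account's NTLM logon from a host that should be offline has nothing before it.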

Inject 4 – T+70: Drip Exfiltration Detected – 847 GB Over 3 Months

Trigger: Network team completes 90-day traffic retrospective following credential revocation.

“Network analysis is in: 847 gigabytes out the door over 3 months, all disguised as Microsoft telemetry. Your DLP trusted the SNI header and never flagged it. GenixLibrary logs confirm 44 overnight sessions reading sequence files sequentially. This is methodical collection of your entire R&D portfolio.”

Artifact: Distribute Handout D: Exfiltration Traffic Analysis

Discussion Questions:

  • How does confirmed 3-month exfiltration change your merger data room posture?
  • What must your GDPR notification to Datatilsynet say – and what must it not say?
  • How do you communicate exfiltration scope to the acquisition counterparty without exposing ongoing counterintelligence work?

Conditional Branches:

  • Team establishes defensible scope statement with confidence qualifiers: Merger counterparty and Datatilsynet receive calibrated, credible updates that preserve trust.
  • Team overstates certainty in scope: Later scope revisions undermine credibility with regulators and the acquisition counterparty.

IM Notes (hidden when printed):

  • Hint if stuck: “3 years of R&D potentially exfiltrated. Your merger counterparty calls in 2 hours. What can you tell them with confidence, and what do you still not know?”
  • Red flag: Team provides merger counterparty with either unconfirmed scope or no explanation of uncertainty.
  • Success indicator: Exfiltration scope is documented with confidence level. GDPR notification draft is initiated. Merger briefing position is agreed.
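  • Facilitator reference for the DLP failure in the narration (added example; not part of the original deck and not BioGenix tooling). The SNI is chosen by the client, so a rule that trusts it can be fed any name the attacker likes. This runs two checks over TLS proxy flow records, whether the destination IP sits in the vendor's published address ranges and whether the server certificate actually covers the SNI, and then aggregates bytes out per destination per day to surface a steady channel that no single session would trip. The vendor prefixes, the flow records and the volumes are constructed for the exercise (the constructed channel sums to 846 GB over 90 days).

```python
"""Drip exfiltration behind a trusted SNI.

Added facilitator reference, not code from the deck or from BioGenix.
Vendor prefixes, flow records and volumes are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from fnmatch import fnmatch

# Constructed stand-in for the vendor's published telemetry address ranges;
# in production this list comes from the vendor, never from the SNI.
VENDOR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
VENDOR_SNI_PATTERNS = ["*.events.data.microsoft.com", "*.microsoft.com"]


def _make_flows():
    """Constructed flow records, one per TLS session, with the fields a
    TLS-inspecting proxy exports: day, src, dst_ip, sni, cert_san, bytes_out."""
    flows = []
    start = date(2025, 12, 10)
    for d in range(90):
        day = (start + timedelta(days=d)).isoformat()
        # genuine telemetry: right prefix, certificate covers the name
        flows.append(dict(day=day, src="10.20.5.12", dst_ip="192.0.2.17",
                          sni="v10.events.data.microsoft.com",
                          cert_san="*.events.data.microsoft.com", bytes_out=40_000_000))
        # exfil channel: same SNI, other network, certificate for another name
        flows.append(dict(day=day, src="10.20.5.12", dst_ip="198.51.100.7",
                          sni="v10.events.data.microsoft.com",
                          cert_san="cdn-edge-sync.example", bytes_out=9_400_000_000))
    # one large legitimate partner transfer: big, but not sustained
    flows.append(dict(day="2026-02-03", src="10.20.5.40", dst_ip="203.0.113.9",
                      sni="sftp-gw.partner.example", cert_san="sftp-gw.partner.example",
                      bytes_out=120_000_000_000))
    return flows


FLOWS = _make_flows()


def san_covers(san, host):
    """Certificate name matching: a wildcard covers exactly one leftmost label."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def sni_mismatch(flow):
    """Reasons a vendor-looking SNI should not be trusted; an empty list means
    name, address and certificate agree, or no vendor name was claimed."""
    if not any(fnmatch(flow["sni"], p) for p in VENDOR_SNI_PATTERNS):
        return []
    reasons = []
    ip = ipaddress.ip_address(flow["dst_ip"])
    if not any(ip in net for net in VENDOR_PREFIXES):
        reasons.append("dst_ip outside vendor prefixes")
    if not san_covers(flow["cert_san"], flow["sni"]):
        reasons.append("certificate SAN does not cover SNI")
    return reasons


def low_and_slow(flows, min_days=30, min_total_gb=100):
    """Destinations that received a large total spread over many distinct days."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f["dst_ip"]][f["day"]] += f["bytes_out"]
    hits = {}
    for dst, days in per_dst.items():
        total = sum(days.values())
        if len(days) >= min_days and total >= min_total_gb * 10**9:
            hits[dst] = {"days": len(days), "total_gb": round(total / 10**9, 1)}
    return hits


def exfil_candidates(flows):
    """Sustained channels whose vendor claim does not hold up."""
    sustained = low_and_slow(flows)
    lying = {f["dst_ip"] for f in flows if sni_mismatch(f)}
    return {dst: info for dst, info in sustained.items() if dst in lying}


if __name__ == "__main__":
    for dst, info in exfil_candidates(FLOWS).items():
        first = next(f for f in FLOWS if f["dst_ip"] == dst)
        print(f"{dst}: {info['total_gb']} GB over {info['days']} days; {sni_mismatch(first)}")
```

    Either check alone would have caught the constructed channel; the volume aggregation is what turns a single odd session into the scope figure the team needs for the merger and regulator conversations.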

Inject 5 – T+95: Regulatory and Intelligence Authorities Request Status

Trigger: Datatilsynet, CFCS, and PET contacts arrive in rapid succession.

“Three calls at once: Datatilsynet wants your GDPR notification status. CFCS says they have seen this exact supply chain pattern at 3 other Danish biotech firms and wants your indicators. PET wants a counterintelligence call. Your merger advisor calls next. You have 30 minutes before the first of these conversations.”

Discussion Questions:

  • What can you confirm to Datatilsynet now – and what must you qualify as under investigation?
  • How do you coordinate with CFCS and PET without compromising your merger timeline or regulatory obligations?
  • What does the coordinated campaign at peer firms mean for your remediation and disclosure strategy?

Conditional Branches:

  • Team separates regulatory, counterintelligence, and commercial workstreams: All three stakeholder groups receive calibrated, appropriate communication. Trust is maintained across all channels.
  • Team conflates workstreams or allows one to block another: Either GDPR deadline pressure spikes, counterintelligence value is compromised, or merger trust erodes.

IM Notes (hidden when printed):

  • Reference numbers to share if asked: Datatilsynet reference DT-2026-0847; CFCS bulletin CB-2026-0312 cites the identical kernel driver certificate revocation date.
  • Hint if stuck: “Who speaks to Datatilsynet, who speaks to CFCS and PET, and who speaks to the merger advisor – and what is each of them authorized to say?”
  • Red flag: No single owner is assigned for Datatilsynet notification. Team allows CFCS coordination to delay GDPR notification.
  • Success indicator: GDPR notification owner assigned. CFCS coordination scope agreed. Merger advisor briefing position confirmed.

Inject 6 – T+115: Decision and Debrief Pivot

Trigger: Scenario timebox ends and facilitator transitions to hot wash.

“Immediate containment is in place. You have stopped the bleeding. But 847 gigabytes of genomic R&D may already be in the hands of a foreign intelligence service. The next decisions you make determine whether this becomes a repeat event or a turning point for BioGenix.”

Discussion Questions:

  • Which control improvement would have most changed this outcome?
  • What governance decisions were delayed too long under pressure?
  • What does this incident mean for your organization’s supply chain security posture?

Conditional Branches:

  • Team defines concrete remediation owners: Post-incident momentum remains high and measurable.
  • Team ends without ownership: Known weaknesses persist. A second wave of the campaign could reach BioGenix again.

IM Notes (hidden when printed):

  • Hint if stuck: “Name the 3 highest-value changes BioGenix can own in the next quarter to prevent the next stage of this campaign.”
  • Red flag: Debrief focuses on individual fault rather than systemic supply chain and governance gaps.
  • Success indicator: Team leaves with prioritized owners, deadlines, and measurable remediation outcomes across supply chain, legacy systems, and DLP coverage.