IM Inject Deck: Winnti Biotech R&D Espionage
Print this deck before the session. One inject per page. IM notes are hidden when printed.
Inject 1 - T+0: CFCS Tip-Off and Indicator Validation
Trigger: CFCS has contacted BioGenix with campaign indicators. Initial validation is underway.
"CFCS contacted your CISO a couple of hours ago with indicators from a European campaign targeting life sciences organizations. Your team has been validating those indicators since. HANSEN-SAP-01, a legacy server that should have been decommissioned 18 months ago, has outbound traffic matching the CFCS campaign indicators. Its authentication patterns also match the campaign profile."
Artifact: Distribute R1 artifact cards
Large group equivalent: Round 1 artifact release
Discussion Questions:
- What is the first containment priority: HANSEN-SAP-01 isolation or the Azure authentication anomaly?
- Who owns the decision to isolate HANSEN-SAP-01, given its Collaborative Bridge dependency?
- What evidence must be preserved from HANSEN-SAP-01 before isolation?
Conditional Branches:
- Team isolates HANSEN-SAP-01 first: Collaborative Bridge connectivity drops temporarily but R&D cloud access is stabilized.
- Team delays HANSEN-SAP-01 isolation: Additional Azure R&D resources are accessed by attacker credentials during the delay window.
IM Notes (hidden when printed):
- Hint if stuck: "CFCS flagged these indicators for a reason. HANSEN-SAP-01's traffic matches the campaign profile. What does its system profile tell you about why it was vulnerable, and what needs to happen first?"
- Red flag: No owner is assigned for HANSEN-SAP-01 isolation within 10 minutes of CFCS indicator validation.
- Success indicator: Incident command is established, isolation sequence is prioritized, and evidence preservation owner is assigned.
Inject 2 - T+20: Kernel Rootkit Discovered on HANSEN-SAP-01
Trigger: Security team completes hardware-assisted memory enumeration requested after Inject 1.
"Your forensics specialist reports: HANSEN-SAP-01 has a hidden kernel driver masking 5 processes. The driver is signed with a valid vendor certificate; the vendor appears to be compromised. Standard antivirus never saw it because the rootkit intercepted the file system queries. One of those hidden processes has an active connection to an external IP right now."
Artifact: Distribute Handout B: Rootkit Forensic Artifacts
Large group equivalent: Round 2 artifact release, after initial containment decisions
Discussion Questions:
- Why did standard disk scans return clean while memory forensics reveals an active rootkit?
- What must be preserved from this server before any isolation or decommission action?
- What does this tell you about the vendor's security posture, and what must CFCS know?
Conditional Branches:
- Team preserves forensic artifacts before isolation: CFCS confirms the kernel driver matches indicators from the campaign they flagged. Campaign intelligence coordination is viable.
- Team reimages without preservation: CFCS requests artifacts that no longer exist. Campaign attribution value is lost.
IM Notes (hidden when printed):
- Hint if stuck: "The rootkit is active and network-connected right now. What do you need to preserve, and what do you need to do to cut the connection without destroying the evidence?"
- Red flag: Team reimages HANSEN-SAP-01 without capturing memory image and kernel driver artifact.
- Success indicator: Memory image and kernel driver artifact are preserved. CFCS coordination is updated. Vendor compromise investigation is initiated.
Inject 3 - T+45: Pass-the-Hash Confirmed via Collaborative Bridge
Trigger: VPN and Azure AD log correlation completed by network security team.
"Network forensics confirms it: the attacker used credentials harvested from HANSEN-SAP-01 to walk straight into your Azure R&D environment through the Collaborative Bridge. No interactive login. No MFA. A legacy exception in your Conditional Access policy let them straight through. They have had cloud R&D access for 3-4 weeks."
Artifact: Distribute Handout C: Lateral Movement Log
Large group equivalent: Round 2-3 artifact release, lateral movement evidence
Discussion Questions:
- What does the absence of a preceding interactive logon tell you about how these credentials were obtained?
- Which Azure R&D resources accessed by this account need immediate integrity review?
- What policy gap allowed NTLM authentication to bypass Conditional Access?
Conditional Branches:
- Team revokes credentials and closes policy gap quickly: Active attacker access to cloud R&D is terminated. Remaining investigation focuses on historical exfiltration scope.
- Team delays credential revocation: Attacker maintains cloud R&D access during the delay. Additional GenixLibrary data is potentially accessed before cutoff.
IM Notes (hidden when printed):
- Hint if stuck: "3-4 weeks of cloud R&D access through a legacy policy exception. Which resources were within reach of svc-rdbridge-admin, and does that scope match your current exfiltration estimate?"
- Red flag: Team does not revoke svc-rdbridge-admin credentials and close the legacy auth exception immediately.
- Success indicator: Credentials revoked, legacy auth exception closed, and scope of Azure resources accessed is documented.
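As an added illustration of the detection reasoning behind the Inject 3 discussion questions (example code, not part of the original deck or its handouts), the Python below correlates constructed Windows logon records with constructed cloud sign-in records. It flags NTLM network logons that no interactive logon by the same account on the same host preceded, and cloud sign-ins made through a legacy-protocol client with no MFA satisfied. The timestamps, the host WS-0412, the account j.hansen and the record layout are assumptions; HANSEN-SAP-01, svc-rdbridge-admin and GenixLibrary are taken from the deck.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the exercise handouts). Windows 4624 records
# carry logon_type/auth_pkg; Azure AD sign-in records carry client_app/mfa/resource.
EVENTS = [
    {"ts": "2026-04-01T02:10:00", "user": "svc-rdbridge-admin", "src": "HANSEN-SAP-01",
     "kind": "win", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": "2026-04-01T02:11:30", "user": "svc-rdbridge-admin", "src": "HANSEN-SAP-01",
     "kind": "aad", "client_app": "Other clients", "mfa": False, "resource": "GenixLibrary"},
    {"ts": "2026-04-01T08:00:00", "user": "j.hansen", "src": "WS-0412",
     "kind": "win", "logon_type": 2, "auth_pkg": "Kerberos"},
    {"ts": "2026-04-01T08:20:00", "user": "j.hansen", "src": "WS-0412",
     "kind": "win", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": "2026-04-01T08:25:00", "user": "j.hansen", "src": "WS-0412",
     "kind": "aad", "client_app": "Browser", "mfa": True, "resource": "GenixLibrary"},
]

INTERACTIVE = {2, 10, 11}  # console, RDP, cached interactive
# "Other clients" is how Azure AD sign-in logs label legacy-protocol authentication.
LEGACY_CLIENT_APPS = {"Other clients", "Exchange ActiveSync", "IMAP4", "POP3", "SMTP"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def network_logons_without_interactive(events, window=timedelta(hours=12)):
    """(user, src, ts) for NTLM network logons (type 3) with no interactive logon by
    the same account from the same host in the preceding window: an operator logs in
    interactively first; a hash replayed from a compromised host leaves no such trail."""
    wins = [e for e in events if e["kind"] == "win"]
    flagged = []
    for e in wins:
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        preceded = any(o["user"] == e["user"] and o["src"] == e["src"]
                       and o["logon_type"] in INTERACTIVE
                       and timedelta(0) <= _ts(e) - _ts(o) <= window
                       for o in wins)
        if not preceded:
            flagged.append((e["user"], e["src"], e["ts"]))
    return flagged

def legacy_auth_without_mfa(events):
    """(user, resource, client_app) for cloud sign-ins through a legacy-protocol client
    with no MFA satisfied: the Conditional Access gap the inject describes."""
    return [(e["user"], e["resource"], e["client_app"]) for e in events
            if e["kind"] == "aad" and e["client_app"] in LEGACY_CLIENT_APPS and not e["mfa"]]

if __name__ == "__main__":
    print(network_logons_without_interactive(EVENTS))
    print(legacy_auth_without_mfa(EVENTS))
```

The service account is the only hit on both checks; j.hansen's NTLM logon is preceded by a console logon on the same workstation and their cloud sign-in carried MFA, so neither is flagged.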
Inject 4 - T+70: Drip Exfiltration Detected (~7 GB Historical, Active Transfers Ongoing)
Trigger: Network team completes traffic retrospective following credential revocation.
"Network analysis is in: approximately 25 gigabytes of R&D sequence data has left the building over the past 3-4 weeks. And it is not over: active transfers targeting your core IP collections are still running right now. The core IP was just starting to be targeted. Your DLP trusted the SNI header and never flagged any of it."
Artifact: Distribute Handout D: Exfiltration Traffic Analysis
Large group equivalent: Round 4 start, after IC handover
Discussion Questions:
- How does confirmed 3-4 week exfiltration change your data protection posture?
- What can you confirm to CFCS for campaign coordination, and what must you qualify as still under investigation?
- How do you communicate exfiltration scope to leadership without undermining the ongoing campaign response?
Conditional Branches:
- Team establishes defensible scope statement with confidence qualifiers: Leadership and CFCS receive calibrated, credible updates that preserve trust.
- Team overstates certainty in scope: Later scope revisions undermine credibility with regulators and leadership.
IM Notes (hidden when printed):
- Hint if stuck: "R&D data has been leaving for weeks and the core IP is being targeted right now. What can you tell CFCS and leadership with confidence, and what do you still not know?"
- Red flag: Team provides leadership with either unconfirmed scope or no explanation of uncertainty.
- Success indicator: Exfiltration scope is documented with confidence level. CFCS coordination is updated. Stakeholder communication position is agreed.
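As an added illustration for Inject 4 (example code, not part of the original deck or its handouts), the Python below shows two checks a DLP that classified traffic by SNI alone would have missed: whether the SNI is actually covered by the certificate the server presented, and the cumulative outbound volume per destination over a multi-week window in which no single session crossed a per-session threshold. The flow records, the host RD-STORE-02, the documentation-range addresses and the example domains are all constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 1024 ** 3

# Constructed outbound TLS flow summaries (not from the exercise handouts). Addresses are
# RFC 5737 documentation ranges and names are reserved example domains.
FLOWS = [
    # 21 daily uploads of ~1.2 GB from the R&D store to one destination; the SNI names a
    # plausible update service but the certificate actually presented does not cover it.
    *[{"day": date(2026, 3, 1) + timedelta(days=i), "src": "RD-STORE-02", "dst": "203.0.113.7",
       "sni": "updates.example.net", "cert_sans": ["*.example.org"], "bytes": int(1.2 * GB)}
      for i in range(21)],
    # Legitimate nightly backup: one large flow, but SNI and certificate agree.
    {"day": date(2026, 3, 3), "src": "RD-STORE-02", "dst": "198.51.100.20",
     "sni": "backup.example.com", "cert_sans": ["backup.example.com"], "bytes": 3 * GB},
]

def sni_matches_cert(sni, sans):
    """True if the SNI is covered by a SAN entry; a '*.' wildcard covers exactly one label."""
    for san in sans:
        if san.startswith("*."):
            if "." in sni and sni.split(".", 1)[1] == san[2:]:
                return True
        elif sni == san:
            return True
    return False

def sni_cert_mismatches(flows):
    """(src, dst, sni) where the certificate does not cover the SNI. A DLP that classifies
    traffic by SNI alone takes the name at face value and never sees the disagreement."""
    return sorted({(f["src"], f["dst"], f["sni"]) for f in flows
                   if not sni_matches_cert(f["sni"], f["cert_sans"])})

def cumulative_outbound(flows, window_days=28, per_flow_alert=2 * GB):
    """{(src, dst): total_bytes} over a rolling window, limited to pairs where no single
    flow reached the per-session threshold, i.e. volume a per-session DLP rule never saw."""
    totals, biggest = defaultdict(int), defaultdict(int)
    newest = max(f["day"] for f in flows)
    for f in flows:
        if newest - f["day"] < timedelta(days=window_days):
            key = (f["src"], f["dst"])
            totals[key] += f["bytes"]
            biggest[key] = max(biggest[key], f["bytes"])
    return {k: v for k, v in totals.items() if biggest[k] < per_flow_alert}

if __name__ == "__main__":
    print(sni_cert_mismatches(FLOWS))
    for (src, dst), total in cumulative_outbound(FLOWS).items():
        print(f"{src} -> {dst}: {total / GB:.1f} GB over 28 days, no single flow above 2 GB")
```

The drip destination is the only pair reported: about 25 GB accumulated in daily slices that each stayed under the 2 GB per-session line, while the 3 GB backup would have been visible to a per-session rule and shows no SNI disagreement.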
Inject 5 - T+95: CFCS Campaign Coordination and Sector Advisory
Trigger: CFCS follows up with campaign-level intelligence and coordination requests.
Note: Only deliver this inject if teams have been coordinating with CFCS in earlier rounds. If they have not engaged CFCS, the silence is the finding.
"CFCS confirms that BioGenix's validated indicators match a coordinated supply chain campaign targeting European life sciences organizations. At least three other firms have been confirmed as victims in the past six months. CFCS is requesting your full forensic package (kernel driver artifact, C2 infrastructure details, and exfiltration patterns) to support their sector threat advisory. They need your indicators to protect remaining targets."
Large group equivalent: Round 5 start, CFCS coordination
Discussion Questions:
- What can you confirm to CFCS for campaign coordination, and what must you qualify as still under investigation?
- How do you balance CFCS campaign coordination with operational recovery without letting one block the other?
- What does the coordinated campaign at peer firms mean for your remediation and recovery strategy?
Conditional Branches:
- Team separates CFCS coordination and recovery workstreams with clear ownership: Both workstreams receive appropriately scoped attention. Trust with CFCS is maintained.
- Team delays CFCS coordination or allows recovery to block campaign response: CFCS sector advisory is delayed. Other campaign targets remain exposed. BioGenix's relationship with CFCS is strained.
IM Notes (hidden when printed):
- Reference numbers to share if asked: CFCS bulletin CB-2026-0412 references the campaign indicators BioGenix validated.
- Hint if stuck: "Who owns the CFCS coordination, who owns the recovery track, and what is each of them authorized to commit to?"
- Red flag: No single owner is assigned for CFCS coordination. Team defers the recovery vs. coordination decision without resolution.
- Success indicator: CFCS coordination owner assigned. Recovery vs. coordination decision made with documented rationale. Indicator sharing scope agreed.
Inject 6 - T+115: Decision and Debrief Pivot
Trigger: Scenario timebox ends and facilitator transitions to hot wash.
"Immediate containment is in place. You have stopped the active transfers. But approximately 25 gigabytes of genomic R&D data has already been exfiltrated to infrastructure likely controlled by a foreign intelligence service, and the core IP collections were just starting to be targeted. The decisions you make now determine your organization's recovery and whether this becomes a repeat event."
Large group equivalent: Round 6 debrief pivot
Discussion Questions:
- Which control improvement would have most changed this outcome?
- What governance decisions were delayed too long under pressure?
- What does this incident mean for your organization's supply chain security posture?
Conditional Branches:
- Team defines concrete remediation owners: Post-incident momentum remains high and measurable.
- Team ends without ownership: Known weaknesses persist. A second wave of the campaign could reach BioGenix again.
IM Notes (hidden when printed):
- Hint if stuck: "Name the 3 highest-value changes BioGenix can own in the next quarter to prevent the next stage of this campaign."
- Red flag: Debrief focuses on individual fault rather than systemic supply chain and governance gaps.
- Success indicator: Team leaves with prioritized owners, deadlines, and measurable remediation outcomes across supply chain, legacy systems, and DLP coverage.