Winnti Scenario: Biotech R&D Espionage

Winnti Scenario: Operation Silk Harvest

BioGenix Solutions: Danish biosolutions company, 1,800 employees, precision fermentation and industrial enzyme engineering

APT Espionage • Winnti

STAKES

Genomic IP protection + Post-merger infrastructure integrity + CFCS coordination + Competitive advantage

HOOK

CFCS has contacted BioGenix Solutions with indicators from a European campaign targeting life sciences organizations. The indicators match patterns in BioGenix’s network infrastructure — specifically, outbound connections to recently registered domains, legacy system authentication anomalies, and unusual R&D data access patterns. Investigation has been authorized.

PRESSURE

• CFCS campaign coordination timeline
• Intellectual property exposure: 3+ years of proprietary genomic IP
• Genomic research at risk: GenixLibrary sequence database

FRONT • 150 minutes • Expert

BioGenix Solutions: Danish biosolutions company, 1,800 employees, precision fermentation and industrial enzyme engineering

APT Espionage • Winnti

NPCs

• Phillip Christensen (CEO): Owns executive decisions on R&D protection and stakeholder accountability
• Katrine Fønsmark (CTO): Leads technical incident response and cloud environment assessment
• Dr. Ida Woetmann (VP R&D): Represents research continuity risk and GenixLibrary sequence integrity
• Bent Sejrø (CISO): Coordinates evidence preservation and authority engagement with CFCS

SECRETS

• Third-party calibration software updates are deployed to R&D infrastructure without independent code-signing validation — the vendor certificate is valid but OCSP checks were skipped under the trusted vendor exception
• The Hansen-Core SAP NetWeaver instance remained network-connected despite being scheduled for decommissioning 18 months ago, due to Collaborative Bridge migration dependencies
• DLP monitoring classifies outbound HTTPS traffic matching Microsoft Graph API signatures as low-priority telemetry, creating a monitoring gap for port 443 exfiltration

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Winnti Biotech R&D Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Winnti Biotech R&D Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Note👥 Large Group Format (12-15+ Players)

Team-specific evidence cards for Multi-Team Coordination format. Three parallel teams (Alpha/Forensics, Bravo/Network, Charlie/Threat Intel & Recovery) receive separate tiered artifacts across five investigation rounds. Two ICs with mid-session handover at T+70.

Large Group Artifacts – Organizational Context

Includes 21 tiered evidence cards, IM distribution guide, and cross-team coordination notes. For experienced IMs only – see Large Group Prep Worksheet before running this format.

Winnti Scenario Facilitator Guide (this scenario)

Round-by-round facilitation notes, IC handover checklist, central dilemma, information asymmetry map, NPC reference, session timeline, and debrief focus specific to Winnti. Reference this during the session.

Large Group Format Guide (all scenarios)

IC management tactics, room setup, distribution system, and the facilitator’s cheat sheet concept. Applies to any Multi-Team Coordination session regardless of scenario. Read once before your first large group session.

Session Intro Slides | Debrief Slides

Scenario-specific slides: intro covers M&M format, rules, BioGenix company context, and the CFCS situation. Debrief slides guide the post-session discussion.

Scenario Details for IMs

Hook

“It is Thursday at 13:00 at BioGenix Solutions. CISO Bent Sejrø received a call from CFCS a couple of hours ago. CFCS has identified a supply chain compromise campaign targeting European life sciences organisations. Based on network telemetry they have shared, indicators match BioGenix infrastructure. The security team has been validating indicators since and confirmed matches. CEO Phillip Christensen has authorized immediate incident response activation to determine scope.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “CFCS has shared indicators matching outbound connections from our network to a recently registered domain”
• “HANSEN-SAP-01 – a server due for decommissioning 18 months ago – has outbound traffic matching the CFCS campaign indicators”
• “Authentication anomalies from HANSEN-SAP-01 match CFCS campaign patterns – svc-rdbridge-admin is authenticating into Azure AD”
• “HANSEN-SAP-01 system profile shows CaliSyncPro v4.2.0 installed – the same vendor-signed calibration software described in the CFCS advisory”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• HANSEN-SAP-01 system profile shows a neglected legacy server with CaliSyncPro v4.2.0 installed – 3 years unpatched, no EDR, no monitoring, decommission 18 months overdue
• Code-signing certificate for CaliSyncPro is legitimately valid (OCSP VALID, CRL NOT REVOKED) – supply chain compromise puzzle
• Memory forensics on HANSEN-SAP-01 reveals 5 hidden PIDs via DKOM including live C2 beacon, credential harvester, and file enumerator targeting GenixLibrary
• Historical access reconstruction shows HANSEN-SAP-01 has been active on the network for 18 months past its scheduled decommission date
• CFCS has already identified this campaign across European life sciences with identical delivery vector and matching C2 infrastructure patterns

Protector System Analysis:

Note🛡️ Protector System Analysis

• Memory scan of HANSEN-SAP-01 reveals a hidden kernel module (147.5 KB) masking its process list via DKOM – signed with valid CaliSync certificate
• Conditional Access exception COLLBRIDGE-EXCL-003 permits NTLM auth from HANSEN-SAP-01 subnet without MFA – never reviewed, no expiry, no owner
• ITSM-29847 shows 18-month governance failure chain: decommission blocked, patching paused, monitoring excluded, owner departed without handover

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• ~10 GB exfiltrated via graph-api-sync.bioanalytics.net (203.0.113.44) using TLS SNI spoofing (graph.microsoft.com) – 18 sessions vs 14,822 for legitimate Microsoft Graph traffic
• 6 weekly NTLM VPN sessions from external IP 198.51.100.201 using svc-rdbridge-admin – all off-hours, all bypassing Conditional Access via COLLBRIDGE-EXCL-003
• 3 independent DLP gaps exploited: service account exclusions, SNI allowlist exception (*.microsoft.com), batch read threshold not configured

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• CEO Phillip Christensen needs a clear scope statement for stakeholder communication
• VP R&D Dr. Ida Woetmann requires confirmation of which GenixLibrary sequence datasets were accessed before research teams can resume
• CFCS coordination requires a defensible scope statement aligned to what is confirmed versus suspected

Crisis Manager Coordination:

Note🚨 Crisis Manager Coordination

• CFCS is coordinating across multiple victims – BioGenix must provide timely, accurate indicators to support the broader campaign response
• Research continuity for 3 active fermentation projects depends on safe access to GenixLibrary – containment scope must be defined promptly
• Leadership needs a clear scope statement for stakeholder communication and recovery planning

Mid-Scenario Pressure Points:

• Round 1: CFCS tip-off confirmed – indicators match. HANSEN-SAP-01 traffic matches C2 beacon pattern. CaliSync update is the delivery vector.
• Round 2: Memory forensics reveals live rootkit on HANSEN-SAP-01. GenixLibrary access logs show escalating data reads over 4 weeks (~7 GB). Exception COLLBRIDGE-EXCL-003 enabled the entire attack path. Three gating decisions: revoke credential, close exception, preserve memory.
• Round 3: IC #2 takes command. Evidence integrity gap, detection difficulty, and C2 infrastructure rotation deepen the analysis.
• Round 4: Rootkit is a purpose-built espionage toolkit targeting life sciences file types with hardcoded GenixLibrary paths – collection escalated from archives to active projects to core IP. Lateral movement to HANSEN-SAP-02. DLP audit reveals 3 independent gaps. CFCS needs kernel driver artifact.

Evolution Triggers:

• If svc-rdbridge-admin credential is not revoked, attacker accelerates exfiltration of staged data via C2 channel
• If systems are reimaged before forensic preservation, kernel rootkit evidence and the signed driver artifact are permanently lost
• If CFCS coordination is delayed, campaign-level intelligence sharing is compromised and other victims remain exposed

Resolution Pathways:

Technical Success Indicators:

• Memory image preserved and kernel driver artifact shared with CFCS before isolation
• Both credential revoked AND exception COLLBRIDGE-EXCL-003 closed (two-step containment)
• GenixLibrary isolated, competitive exposure assessment initiated for accessed R&D projects
• DLP gaps identified and remediation plan in place (service account monitoring, SNI validation, batch read thresholds)

Business Success Indicators:

• Leadership receives a defensible scope statement with documented rationale for stakeholder communication timing
• CFCS coordination is timely, accurate, and scoped to confirmed indicators – supporting the broader campaign response
• R&D continuity plan is in place for active fermentation projects with clear GenixLibrary access controls

Learning Success Indicators:

• Team recognizes supply chain and persistence patterns that evade signature-based detection
• Participants practice balancing evidence preservation with operational urgency under stakeholder pressure
• Group coordinates technical and executive decisions under CFCS coordination and operational recovery constraints

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which forensic artifacts are critical before any reset actions? Who owns that decision, and what does the CFCS coordination request require you to preserve?”

If Stakeholder Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting R&D integrity to leadership and CFCS? What liability does BioGenix carry if operations resume and the compromise scope later expands?”

If Regulatory Coordination Is Delayed:

“CFCS confirms that the indicators BioGenix validated match a coordinated supply chain campaign targeting European biotech and pharmaceutical firms, with at least three other confirmed victims in the past six months.”

Success Metrics for Session:

• Team identifies supply chain delivery and persistence patterns
• Containment and evidence handling remain defensible under commercial and stakeholder pressure
• CFCS coordination timing and indicator sharing are established with appropriate scope
• Leadership risk decisions are aligned to technical confidence levels
• Long-term genomic IP security improvements are clearly defined

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Core supply chain detection and immediate containment decisions
Key Actions: Scope GenixLibrary exposure, preserve kernel forensics, issue first stakeholder scope statement

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, CFCS coordination, and stakeholder governance Key Actions: Build timeline confidence, contain Collaborative Bridge lateral movement, align CFCS indicator sharing

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end supply chain espionage response under commercial, regulatory, and stakeholder pressure Key Actions: Coordinate leadership and technical teams, define recovery prioritization, define durable remediation

Advanced Challenge (150+ minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: C2 infrastructure enrichment, supply chain delivery analysis, and campaign scope consolidation through CFCS coordination Additional Challenges: Ambiguous exfiltration scope, competing recovery and coordination timelines, escalating CFCS campaign intelligence requirements

🌍 Localizing to Other EU Countries

This Danish variation can be adapted to other EU countries during facilitation. EU biosolutions and pharmaceutical contexts share common foundations, but cyber and intelligence institutions differ by country.

When adapting this scenario, substitute these elements:

Country	Data Protection Authority	Cyber Agency	Intelligence / Counterintel	Biotech Context
Germany	BfDI + state DPAs	BSI	BfV	Strong pharmaceutical and industrial biotech sector
Netherlands	Autoriteit Persoonsgegevens	NCSC-NL	AIVD	Life sciences hub -- Wageningen and Leiden clusters
Sweden	IMY	CERT-SE	SAPO	Pharmaceutical and biotech R&D export base
France	CNIL	ANSSI	DGSI	Strategic biotech and national pharma programs
Belgium	APD/GBA	CCB	VSSE/SGRS	Brussels biotech corridor and pharma density

Notes:

• Trade secrets nuance: IP protection frameworks differ across EU members and affect disclosure and law enforcement coordination sequences.
• Post-merger sensitivity: Integration contexts may trigger additional national security review in some EU jurisdictions.
• Coordination model: Cyber and intelligence agencies may require parallel reporting tracks in some countries.

Organization names and NPC names can be localized by the IM for the selected EU country.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at BioGenix Solutions confirms that HANSEN-SAP-01 – a legacy server 18 months overdue for decommissioning – has outbound traffic matching CFCS campaign indicators and is authenticating into the Azure cloud environment via the Collaborative Bridge. CaliSyncPro v4.2.0 is installed on this server.

• Clue 2 (Minute 10): Investigators identify HANSEN-SAP-01 as harboring a hidden kernel module – the server was scheduled for decommissioning 18 months ago but remained connected due to Collaborative Bridge dependencies.

  IM branch: If the team went to GenixLibrary before HANSEN-SAP-01, deliver Clue 2 as a forensics team finding triggered by the Azure containment action – “While revoking the Azure credentials, your forensics team ran a memory scan on HANSEN-SAP-01 and found something.”

• Clue 3 (Minute 15): Round 2 reveals: GenixLibrary access logs show 6 off-hours svc-rdbridge-admin sessions over 4 weeks, escalating from archives to active projects to core IP collections (v1, v2). Volumes of 1-2 GB per session. This is discovered by Charlie in C-R2-1, not in Round 1.

Pre-Defined Response Options

• Option A: Evidence-Preserved Containment

  • Action: Isolate HANSEN-SAP-01, perform memory forensics before any reimaging, preserve the signed kernel driver artifact, and coordinate with CFCS before decommissioning compromised systems.
  • Pros: Enables supply chain delivery analysis and CFCS coordination; supports defensible scope statement.
  • Cons: Slower GenixLibrary restoration and continued operational recovery pressure.
  • Type Effectiveness: Super effective for sustained strategic resilience and regulatory defensibility.

• Option B: Rapid Containment and Restore

  • Action: Isolate affected systems immediately and restore from pre-update snapshots to minimize operational disruption.
  • Pros: Faster GenixLibrary restoration and lower perceived risk to stakeholders.
  • Cons: Loss of forensic evidence; inability to confirm exfiltration scope; CFCS coordination compromised.
  • Type Effectiveness: Partially effective – removes immediate threat but leaves exfiltration scope unresolved.

• Option C: Phased Confidence Restoration

  • Action: Prioritize GenixLibrary containment first, then work outward to HANSEN-SAP-01 and cloud environment, sequencing forensics alongside operational recovery.
  • Pros: Balances research continuity with evidence discipline; supports staged regulatory notification.
  • Cons: Extended ambiguity on full exfiltration scope; stakeholder communication timing remains uncertain.
  • Type Effectiveness: Moderately effective when CFCS coordination and recovery governance remain aligned.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Supply Chain Discovery and Lateral Movement (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): HANSEN-SAP-01 outbound traffic matches CFCS campaign indicators – C2 beacon pattern to 203.0.113.44 with SNI spoofing. The server has CaliSyncPro v4.2.0 installed and is 18 months overdue for decommissioning.
• Clue 2 (Minute 10): HANSEN-SAP-01 kernel scan reveals a hidden driver masking processes – prior disk scans returned clean because the rootkit intercepted file system queries.

• Clue 3 (Minute 15): Round 2 reveals: GenixLibrary access logs show 6 off-hours svc-rdbridge-admin sessions over 4 weeks, escalating from archives to active projects to core IP collections (v1, v2). Volumes of 1-2 GB per session. This is discovered by Charlie in C-R2-1, not in Round 1.

• Clue 4 (Minute 20): Leadership requests immediate scope statement for CFCS coordination and stakeholder communication.

Round 2: CFCS Coordination and Recovery Governance (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): Traffic analysis confirms ~7 GB exfiltrated over 3-4 weeks via port 443 to attacker-controlled infrastructure disguised as Microsoft Graph API telemetry – covering 6 off-hours GenixLibrary batch reads over 4 weeks. Active transfers of core IP collections are still ongoing (~3 GB active transfer).

• Clue 6 (Minute 40): CFCS confirms that the indicators BioGenix validated match a coordinated supply chain campaign targeting European biotech and pharmaceutical firms, with at least three other confirmed victims in the past six months.

• Clue 7 (Minute 50): Leadership requests a clear go/no-go decision on R&D environment access by end of day.
• Clue 8 (Minute 55): Security team requires documented rationale for CFCS indicator sharing scope and recovery prioritization decisions.

Round Transition Narrative

After Round 1 – Round 2:

“CFCS confirms that the indicators validated by BioGenix match a coordinated supply chain campaign targeting European life sciences organisations, with at least three other confirmed victims. Dwell times at other victims: 3-5 months, exfiltration volumes: 40-120 GB. BioGenix’s ~7 GB and 3-4 week dwell is partial – the early CFCS tip-off interrupted the campaign before full exfiltration.”

Facilitation questions:

• “What minimum evidence supports a defensible GenixLibrary integrity statement for leadership and CFCS?”
• “Which decisions cannot wait for complete forensic certainty – and what governance gaps does that reveal?”
• “How do you communicate residual uncertainty to CFCS while supporting the broader campaign response?”

Debrief Focus:

• Integrating supply chain forensics with genomic IP governance decisions
• Balancing stakeholder pressure with CFCS coordination obligations and evidence quality
• Preserving campaign intelligence value when operational urgency competes with evidence discipline

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery, supply chain governance redesign, and CFCS counterintelligence handoff.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

CISO Bent Sejrø briefs the teams. CFCS contacted us with indicators from a European campaign – they match our infrastructure. We do not yet know if we are compromised. GenixLibrary contains our most commercially valuable research data. Legacy infrastructure from the merger is still connected and flagged as relevant. Your task: investigate, determine scope, contain.

Players investigate openly using role capabilities. Early findings include unauthorized GenixLibrary access, uncertain exfiltration scope, rising stakeholder pressure, and a decommissioned server that should not be active.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to Phillip Christensen and to CFCS – and supports the broader campaign response?”

Round 2: CFCS Coordination and Recovery Planning (35-40 min)

• Technical teams complete kernel forensics and present containment and recovery options.
• Leadership requests a clear recommendation on R&D environment access and CFCS indicator sharing scope.

• Coordination with CFCS spans campaign intelligence sharing, indicator validation, and recovery prioritization.

Facilitation questions:

• “What controls must be confirmed before asserting GenixLibrary baseline integrity to leadership and CFCS?”
• “How will you document the rationale for indicator sharing scope in a way that supports the broader campaign response?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete. Leadership requests a 90-day remediation roadmap addressing supply chain governance, legacy system decommissioning, and genomic IP monitoring.

Pressure events:

• Leadership requests evidence of lasting control improvements before resuming normal operations
• CFCS requests post-incident indicators and root cause analysis for campaign-level intelligence coordination
• CFCS requests anonymized indicators of compromise for national threat intelligence sharing

Victory conditions for full 3-round arc:

• Verified clean baseline for GenixLibrary and cloud R&D environment with preserved forensic record
• Defensible reporting package for CFCS and leadership governance teams
• Durable supply chain governance controls and legacy system decommissioning policy

Debrief Questions

1. “Which early indicator most clearly signaled nation-state supply chain espionage rather than a routine software defect?”
2. “How did stakeholder pressure alter risk tolerance across the leadership and security teams?”
3. “What evidence was essential for credibility with CFCS and leadership simultaneously?”
4. “How can life sciences organizations raise supply chain security readiness without disrupting vendor-dependent R&D operations?”

Learning Objectives

By the end of this scenario, participants will be able to:

• Identify supply chain compromise indicators in vendor software update chains, including compromised vendor certificate patterns
• Distinguish kernel-level rootkit persistence from standard malware and explain why disk-based detection fails against DKOM techniques
• Trace Pass-the-Hash lateral movement through legacy authentication exceptions and articulate the policy gaps that enable it
• Recognize DLP evasion via TLS SNI spoofing and assess the monitoring blind spots it exploits
• Apply evidence preservation discipline under simultaneous commercial, regulatory, and operational recovery pressure
• Sequence CFCS coordination, recovery prioritization, and commercial governance decisions when their timelines conflict
• Define durable supply chain governance controls and exception lifecycle management practices that prevent recurrence

Atomics

Winnti TTPs mapped to this scenario:

Technique	ID	Phase
Supply Chain Compromise: Compromise Software Supply Chain	T1195.002	Initial Access
Command and Scripting Interpreter: PowerShell	T1059.001	Execution
Rootkit	T1014	Defense Evasion
Obfuscated Files or Information	T1027	Defense Evasion
Impair Defenses: Disable or Modify Tools	T1562.001	Defense Evasion
Valid Accounts: Domain Accounts	T1078.002	Privilege Escalation / Lateral Movement
Use Alternate Authentication Material: Pass-the-Hash	T1550.002	Lateral Movement
Application Layer Protocol: Web Protocols	T1071.001	Command and Control
Exfiltration Over C2 Channel	T1041	Exfiltration
Automated Collection	T1119	Collection

Detection gap focus: T1014 (rootkit) and T1550.002 (Pass-the-Hash via legacy auth exception) are the two techniques most likely to remain undetected in environments without hardware-assisted memory scanning and modern Conditional Access enforcement.

Facilitator Notes

Reading the Room

• If the stakeholder pressure dominates all decisions: Redirect with “What happens to organizational credibility if the exfiltration scope expands after you’ve already asserted a clean R&D environment?” The goal is for teams to see that security discipline and commercial credibility are aligned, not opposed.
• If the team moves too fast on containment without evidence preservation: Ask who owns the forensic handoff to CFCS before any reimaging proceeds. Nation-state incidents have an intelligence dimension – that chain of custody matters.
• If the CFCS coordination scope (Inject 5) stalls the group: Don’t resolve it for them. The tension is intentional. Let the group negotiate – the debrief value comes from the decision they make, not the “right” answer.
• If the Tracker role dominates the early investigation: Introduce a red herring early – the legitimate Azure BI project in the Advanced materials works well even in full game format. It slows the Tracker and creates space for other roles.

Pacing Guidance

• Quick Demo (35-40 min): Run only Injects 1-2 and the containment decision. Skip exfiltration scope entirely.
• Lunch and Learn (75-90 min): Run Injects 1-4. Use the round transition narrative between rounds. End before Inject 5.
• Full Game (120+ min): Run all 6 injects. Deliver Inject 5 CFCS coordination at the peak of exfiltration confirmation – when the team is most stretched.

Common Mistakes to Prevent

• Teams reimaging HANSEN-SAP-01 before memory capture – the kernel driver artifact is the only evidence that links the rootkit to Winnti TTPs and enables CFCS counterintelligence coordination.
• Teams conflating what they can say to CFCS vs. leadership – these are separate conversations with separate evidentiary standards.
• Assigning no one to the CFCS coordination – the campaign response continues whether or not BioGenix participates.

Branching Guide

Key decision points and their downstream consequences:

Branch 1: HANSEN-SAP-01 Isolation Sequence

Decision: Isolate HANSEN-SAP-01 immediately vs. forensic memory capture first.

• Isolate first: Active attacker credential use stops. Memory image lost. Kernel driver artifact may be unrecoverable. CFCS attribution evidence degraded.
• Forensic first: Memory image and kernel driver preserved. 5-20 minute window where attacker credentials remain active in Azure. Risk: additional GenixLibrary reads during delay.
• Recommended path to surface: Parallel teams – one isolates network, one captures memory. Requires explicit IC coordination to pull off.

Branch 2: CFCS Indicator Sharing Scope (Inject 5)

Decision: Share full forensic detail with CFCS for campaign coordination vs. limit sharing to protect operational recovery.

• Full sharing: CFCS campaign response is maximally effective. BioGenix recovery timeline may be extended by forensic handoff requirements.
• Limited sharing: BioGenix recovery proceeds faster. CFCS campaign response is degraded and other victims may remain exposed.
• Phased approach: Share validated indicators immediately, defer detailed forensic handoff until recovery milestones are met. Balances both priorities but extends coordination timeline.

Branch 4: Recovery Prioritization Decision

Decision: Prioritize immediate R&D restoration vs. comprehensive forensic scope vs. CFCS coordination.

• Immediate restoration: R&D operations resume quickly but exfiltration scope may be incomplete. Stakeholders may learn of expanded scope later.
• Comprehensive scope first: Full exfiltration picture established. R&D operations delayed. Stakeholder communication is evidence-grounded.
• CFCS coordination first: Campaign intelligence value maximized. Recovery delayed. BioGenix demonstrates sector responsibility.

Debrief Focus

• Winnti supply chain espionage combines passive persistence with high-value genomic IP targeting
• Defensible response requires synchronized technical, legal, and governance decisions under competing timelines
• Long-term resilience depends on supply chain certificate validation, legacy system hygiene, and DLP coverage on trusted protocols

Advanced Challenge Materials (150+ min)

Red Herrings and Misdirection

1. A legitimate Azure BI project ran during the same period and generated a spike in outbound HTTPS traffic – initial DLP review attributes most of the volume to the BI workload.
2. The SAP NetWeaver maintenance window in the ITSM system overlaps with the incident timeline, creating apparent authorization for HANSEN-SAP-01 network activity.
3. Bioreactor calibration anomaly alerts were raised during the same period as part of a routine hardware qualification cycle, providing process-level cover for IoCs.

Removed Resources and Constraints

• No existing incident response playbook for supply chain compromise affecting R&D infrastructure
• Kernel forensics capability requires engagement of an external specialist – lead time is 48 hours
• GenixLibrary audit logging was not configured for real-time alerting, only batch log review

Enhanced Pressure

• Leadership demands a same-day scope statement on GenixLibrary integrity
• Leadership requests written rationale for every high-impact containment decision that could affect the recovery timeline
• CFCS requests an urgent campaign coordination briefing that requires C-suite availability at the height of the incident response

Ethical Dilemmas

1. Delay stakeholder communication for stronger forensic confidence, or proceed under caveat with incomplete scope assessment.
2. Disclose full CFCS campaign context to leadership and stakeholders, or limit disclosure to confirmed technical facts.
3. Preserve complete kernel forensic evidence for CFCS campaign coordination, or accelerate restoration to meet operational recovery demands.

Advanced Debrief Topics

• Building life sciences doctrine for supply chain espionage incidents affecting both IP and regulated personal data
• Structuring governance when commercial, CFCS coordination, and operational recovery timelines diverge simultaneously
• Sustaining long-term R&D security investment in environments where vendor-dependent operations constrain isolation options

Session Materials

Download or print before the session. Handout files open as standalone pages.

IM Inject Deck Handout A Handout B Handout C Handout D Handout E

Inject Sequence

The following injects are delivered by the IM at the trigger points described. Read aloud text verbatim. Adjust timing to group pace – a fast-moving group may skip injects; a stuck group may need them early.

Inject 1: CFCS Tip-Off and Indicator Validation

Trigger: CFCS has contacted BioGenix with campaign indicators. Initial validation is underway.

Read Aloud:

“CFCS contacted your CISO a couple of hours ago with indicators from a European campaign targeting life sciences organizations. Your team has been validating those indicators for the past few hours. HANSEN-SAP-01 – a legacy server that should have been decommissioned 18 months ago – has outbound traffic matching the CFCS campaign indicators. Its authentication patterns also match the campaign profile.”

Artifact: Handout A: Supply Chain Evidence

Discussion Questions:

• What is the first containment priority – HANSEN-SAP-01 isolation or the Azure authentication anomaly?
• Who owns the decision to isolate HANSEN-SAP-01 given its Collaborative Bridge dependency?
• What evidence must be preserved from HANSEN-SAP-01 before isolation?

Conditional Branches:

• If the team isolates HANSEN-SAP-01 first: Collaborative Bridge connectivity drops temporarily but R&D cloud access is stabilized.
• If the team delays HANSEN-SAP-01 isolation: Additional Azure R&D resources are accessed by attacker credentials during the delay window.

IM Notes:

• Hint if stuck: “CFCS flagged these indicators for a reason. HANSEN-SAP-01’s traffic matches the campaign profile. What does its system profile tell you about why it was vulnerable – and what needs to happen first?”
• Red flag: No owner is assigned for HANSEN-SAP-01 isolation within 10 minutes of discovery.
• Success indicator: Incident command is established, isolation sequence is prioritized, and evidence preservation owner is assigned.

Inject 2: Kernel Rootkit Discovered on HANSEN-SAP-01

Trigger: Security team completes hardware-assisted memory enumeration requested after INJ-001.

Read Aloud:

“Your forensics specialist reports: HANSEN-SAP-01 has a hidden kernel driver masking 5 processes. The driver is signed with a valid vendor certificate – the vendor appears to be compromised. Standard antivirus never saw it because the rootkit intercepted the file system queries. One of those hidden processes has an active connection to an external IP right now.”

Artifact: Handout B: Rootkit Forensic Artifacts

Discussion Questions:

• Why did standard disk scans return clean while memory forensics reveals an active rootkit?
• What must be preserved from this server before any isolation or decommission action?
• What does this tell you about the vendor’s security posture – and what must CFCS know?

Conditional Branches:

• If the team preserves forensic artifacts before isolation: CFCS confirms the kernel driver matches indicators from the campaign they flagged. Campaign intelligence coordination is viable.
• If the team reimages without preservation: CFCS requests artifacts that no longer exist. Campaign attribution value is lost.

IM Notes:

• Hint if stuck: “The rootkit is active and network-connected right now. What do you need to preserve, and what do you need to do to cut the connection without destroying the evidence?”
• Red flag: Team reimages HANSEN-SAP-01 without capturing memory image and kernel driver artifact.
• Success indicator: Memory image and kernel driver artifact are preserved. CFCS coordination is updated. Vendor compromise investigation is initiated.

Inject 3: Pass-the-Hash Confirmed via Collaborative Bridge

Trigger: VPN and Azure AD log correlation completed by network security team.

Read Aloud:

“Network forensics confirms it: the attacker used credentials harvested from HANSEN-SAP-01 to walk straight into your Azure R&D environment through the Collaborative Bridge. No interactive login. No MFA. A legacy exception in your Conditional Access policy let them straight through. They have had cloud R&D access for 3-4 weeks.”

Artifact: Handout C: Lateral Movement Log

Supplementary Artifact (release if team asks how the exception was created or why HANSEN-SAP-01 was never decommissioned): Handout E: Collaborative Bridge Policy Exception

Discussion Questions:

• What does the absence of a preceding interactive logon tell you about how these credentials were used?
• Which Azure R&D resources accessed by this account need immediate integrity review?
• What policy gap allowed NTLM authentication to bypass Conditional Access – and how long had it been active with no review date set?
• Why was HANSEN-SAP-01 still network-connected 18 months after its scheduled decommission?

Conditional Branches:

• If the team revokes credentials and closes policy gap quickly: Active attacker access to cloud R&D is terminated. Remaining investigation focuses on historical exfiltration scope.
• If the team delays credential revocation: Attacker maintains cloud R&D access during the delay. Additional GenixLibrary data is potentially accessed before cutoff.

IM Notes:

• Hint if stuck: “3-4 weeks of cloud R&D access through a legacy policy exception. Which resources were within reach of svc-rdbridge-admin – and does that scope match your current exfiltration estimate?”
• Red flag: Team does not revoke svc-rdbridge-admin credentials and close the legacy auth exception immediately.
• Success indicator: Credentials revoked, legacy auth exception closed, and scope of Azure resources accessed is documented.

Inject 4: Traffic Retrospective Ready

Trigger: Network team completes traffic retrospective following credential revocation.

Read Aloud:

“Network analysis is in: 3-4 weeks of outbound HTTPS traffic from your R&D environment, all routing to a destination your DLP classified as Microsoft telemetry. Not a single alert fired. GenixLibrary off-hours access logs are ready. Get your Tracker team across both datasets.”

Artifact: Handout D: Exfiltration Traffic Analysis

Discussion Questions:

• What does the traffic destination table tell you about how the DLP classification decision was made?
• How much data left the environment – and across how many GenixLibrary sessions? What does that pattern suggest about attacker intent?
• How does the confirmed exfiltration scope change your stakeholder communication posture?
• What can you confirm to CFCS for campaign coordination – and what must you qualify as still under investigation?

Conditional Branches:

• If the team works through Handout D before the stakeholder call: Scope statement is evidence-grounded and carries confidence qualifiers. Leadership and CFCS receive calibrated updates.
• If the team presents scope without reviewing Handout D: Prompt – “Your Tracker hasn’t finished the traffic analysis. Do you want to hold the stakeholder call, or proceed with what you have?”
• If the team overstates certainty in scope: Later scope revisions undermine credibility with regulators and stakeholders.

IM Notes:

• The ~7 GB historical figure and the active core IP transfers are in Handout D – let the team find and state those numbers themselves. Do not read them aloud.
• Hint if stuck: “Which column in that traffic table changes everything – and what does the DLP alert log at the bottom tell you about why no one saw this coming?”
• Red flag: Team states exfiltration scope figures without having worked through Handout D.
• Success indicator: Team derives scope from evidence, documents confidence level, updates CFCS coordination, agrees stakeholder communication position.

Inject 5: CFCS Campaign Coordination and Sector Advisory

Trigger: CFCS follows up with campaign-level intelligence and coordination requests.

Read Aloud:

“CFCS confirms that BioGenix’s validated indicators match a coordinated supply chain campaign targeting European life sciences organizations. At least three other firms have been confirmed as victims in the past six months. CFCS is requesting your full forensic package – kernel driver artifact, C2 infrastructure details, and exfiltration patterns – to support their sector threat advisory. They need your indicators to protect remaining targets.”

Forced Decision – Recovery vs. Campaign Coordination:

After the CFCS request, deliver this leadership pressure:

“CEO Phillip Christensen wants to know how long the forensic handoff to CFCS will take and whether it delays R&D recovery. VP R&D Dr. Ida Woetmann reports that three active fermentation projects are blocked until GenixLibrary access is restored. The team must decide how to balance CFCS campaign coordination with operational recovery.”

The team must decide:

• Option A: Prioritize CFCS coordination. Full forensic handoff to CFCS. Campaign intelligence value maximized. R&D recovery delayed by forensic preservation requirements.
• Option B: Prioritize R&D recovery. Minimal CFCS handoff – share validated indicators only. R&D operations resume faster. CFCS campaign response is degraded and other victims may remain exposed.
• Option C: Phased approach. Share validated indicators immediately, defer detailed forensic handoff until recovery milestones are met. Balances both priorities but extends the coordination timeline.

Discussion Questions:

• Who has authority to make this call – CISO, CEO, or both?
• What does CFCS actually need to support the sector advisory – and can you satisfy that without delaying recovery?
• How do you balance BioGenix’s operational needs with the sector-level responsibility to help protect other targets?
• What does the coordinated campaign at peer firms mean for your remediation and disclosure strategy?

Conditional Branches:

• If the team assigns clear ownership to CFCS coordination and recovery separately: Both workstreams receive appropriately scoped attention. Trust with CFCS is maintained.
• If the team delays CFCS coordination for recovery: CFCS sector advisory is delayed. Other campaign targets remain exposed. BioGenix’s relationship with CFCS is strained.
• If the team over-commits to CFCS at the expense of recovery: R&D operations remain blocked. Leadership confidence in the incident response team erodes.
• If the team takes the phased approach: Requires explicit milestones and owners. The team must define what “validated indicators” includes and what waits for phase two.

IM Notes:

• Reference numbers to share if asked: CFCS bulletin CB-2026-0412 references the campaign indicators BioGenix validated.
• There is no clean answer to the recovery vs. coordination tension – that is the point. Push the team to make the call and own it, rather than deferring indefinitely.
• Hint if stuck: “Who owns the CFCS coordination, who owns the recovery track, and what is each of them authorized to commit to? And who makes the call when those two timelines conflict?”
• Red flag: No single owner is assigned for CFCS coordination. Team defers the recovery vs. coordination decision without resolution.
• Success indicator: CFCS coordination owner assigned. Recovery vs. coordination decision made with documented rationale. Indicator sharing scope agreed. Stakeholder communication position confirmed.

Inject 6: Decision and Debrief Pivot

Trigger: Scenario timebox ends and facilitator transitions to hot wash.

Read Aloud:

“Immediate containment is in place. You have stopped the active transfers. But approximately 25 gigabytes of genomic R&D data has already been exfiltrated to infrastructure likely controlled by a foreign intelligence service – and the core IP collections were just starting to be targeted. The next decisions you make determine whether this becomes a repeat event or a turning point for BioGenix.”

Discussion Questions:

• Which control improvement would have most changed this outcome?
• What governance decisions were delayed too long under pressure?
• What does this incident mean for your organization’s supply chain security posture?

Conditional Branches:

• If the team defines concrete remediation owners: Post-incident momentum remains high and measurable.
• If the team ends without ownership: Known weaknesses persist. A second wave of the campaign could reach BioGenix again.

IM Notes:

• Hint if stuck: “Name the 3 highest-value changes BioGenix can own in the next quarter to prevent the next stage of this campaign.”
• Red flag: Debrief focuses on individual fault rather than systemic supply chain and governance gaps.
• Success indicator: Team leaves with prioritized owners, deadlines, and measurable remediation outcomes across supply chain, legacy systems, and DLP coverage.

NPC Dialogue Scripts

Verbatim lines for key NPCs at critical decision moments. Deliver in character when players interact with the NPC or when the scene naturally calls for it. Adapt phrasing naturally but preserve the core message.

Chief Executive Officer: Phillip Christensen

Stakeholder accountability and executive decision-making under R&D uncertainty

What do stakeholders need to know?: “I need a defensible scope statement – not certainty. If we can document what we know and what we do not know, I can have that conversation with stakeholders. What I cannot do is communicate without a position.”

What is your biggest concern right now?: “Three years of R&D is the core of our organizational credibility. If that data is in someone else’s hands, we need to know the full scope before we resume normal operations – not after.”

Chief Technology Officer: Katrine Fønsmark

Technical containment decisions and cloud R&D integrity

Can we certify the Azure R&D environment is clean?:
“Not until we complete a full access log review of every resource svc-rdbridge-admin touched. That will take at least 24 hours with current tooling.”

What do you need from leadership right now?:
“Approval to close the Collaborative Bridge legacy auth exception immediately – and a decision on whether we halt all GenixLibrary access until we confirm the clean baseline.”

Chief Information Security Officer: Bent Sejrø

Evidence preservation, regulatory coordination, and counterintelligence scope

Should we preserve the rootkit or reimage the server?: “Preserve first. The kernel driver artifact is the only thing that lets CFCS attribute this to the broader campaign. If we reimage now, we lose our campaign intelligence value and our ability to demonstrate the full attack chain.”

How do we handle CFCS coordination alongside recovery?: “They are parallel workstreams – not competing ones. Recovery proceeds on its own track. CFCS gets the validated indicators and forensic artifacts on a separate track. We do not let one block the other.”

VP Research and Development: Dr. Ida Woetmann

GenixLibrary integrity, research continuity, and sequence data scope

Which GenixLibrary datasets were accessed?:
“The batch read pattern matches our fermentation and enzyme engineering sequences – the core IP behind our precision fermentation platform. These represent 3 years of proprietary work that no competitor has access to.”

Can the active fermentation projects continue?: “I need to know exactly which research projects were accessed before we can assess competitive exposure.”

Red Herrings

These false leads are built into the scenario. Do not shut down player investigation – let them work through the evidence to the correct conclusion. The goal is productive confusion, not frustration.

Red Herring 1: Legitimate Azure BI Project Traffic Spike

What points to it:

• The Azure BI project ran a major quarterly data refresh during the same period.
• Initial DLP review attributes most outbound HTTPS volume to the BI workload.
• BI project owner confirms large data movements were expected and approved.

Why it’s wrong: The BI project generated 38 GB to documented Microsoft Azure endpoints with valid certificates. The ~7 GB to graph-api-sync.bioanalytics.net uses a self-signed certificate and resolves to a non-Microsoft IP registered recently.

IM resolution script: “The BI project traffic is legitimate and documented. The ~7 GB you are looking at goes to a different destination entirely – recently registered, resolving to an IP that is not part of any Microsoft infrastructure. Separate these two datasets and look at the destination certificates, not just the SNI headers.”

Red Herring 2: SAP NetWeaver Maintenance Window in ITSM System

What points to it:

• The ITSM system shows an open maintenance ticket for HANSEN-SAP-01 (ITSM-29847).
• Change calendar entries show SAP NetWeaver in an active work window.
• Initial IT response assumes HANSEN-SAP-01 authentication activity is related to the maintenance work.

Why it’s wrong: ITSM-29847 is a decommissioning blocker ticket, not a maintenance authorization. The ticket was last updated in November 2024 and authorizes no network authentication activity.

IM resolution script: “ITSM-29847 is not a maintenance authorization – it is a decommissioning blocker. No change record authorizes HANSEN-SAP-01 to authenticate into Azure. The authentication activity you are seeing is outside any approved window.”

Red Herring 3: Bioreactor Calibration Hardware Qualification Cycle

What points to it:

• Bioreactor calibration anomaly alerts were raised during the same period as the HANSEN-SAP-01 investigation.
• R&D operations confirms a routine hardware qualification cycle was running on the calibration workstations.
• Calibration performance alerts are a normal part of the qualification workflow.

Why it’s wrong: Hardware qualification cycles generate calibration performance alerts, not C2 traffic or authentication anomalies. The alerts from the workstations are routine – the threat is on HANSEN-SAP-01, not the calibration workstations. Focus investigation on HANSEN-SAP-01.

IM resolution script: “The hardware qualification cycle generates calibration performance alerts – that is normal workstation activity. The threat indicators you are investigating are on HANSEN-SAP-01, not the workstations. Focus your investigation there.”

Post-Session Gap Analysis

Use this section during the debrief. Each gap is a real security control weakness this scenario is designed to surface. Help participants connect scenario events to their own organization’s readiness.

Gap 1: No Independent Code-Signing Validation for Third-Party R&D Software Updates (Priority: critical)

What the scenario revealed: The trusted vendor exception policy bypassed OCSP validation entirely, allowing a compromised vendor’s valid certificate to sign a malicious update that deployed without any independent verification.

Why it matters: Supply chain attacks via signed software are the highest-sophistication initial access vector available to nation-state actors. Certificate hygiene and independent validation are the primary controls – a valid certificate from a compromised vendor is indistinguishable from a legitimate update without additional checks.

Suggested remediation:

• Mandate live OCSP checks for all code-signing certificates at deployment time regardless of vendor trust status.
• Publish an approved certificate authority list and block unsigned or off-list signers.
• Sunset all trusted vendor exceptions and replace with certificate-pinning or hash validation.

Debrief question: “What does this mean for your organization’s confidence in third-party R&D software when a compromised vendor’s valid certificate was used to sign a malicious update – and your deployment process skipped all independent validation?”

Gap 2: Legacy System Decommissioning Backlog Creates Persistent Attack Surface (Priority: high)

What the scenario revealed: An unresolved ITSM ticket kept a decommissioning-backlog server connected to both on-premise and cloud environments indefinitely.

Why it matters: Decommissioning backlogs create orphaned assets that receive no security updates, monitoring, or patch management.

Suggested remediation:

• Implement automated network isolation for systems 30 days past their decommission date.
• Require CISO sign-off for any decommissioning extension beyond 90 days.
• Publish quarterly decommissioning backlog report to IT leadership.

Debrief question: “What does this mean for your organization’s readiness when systems scheduled for decommissioning remain fully network-connected due to unresolved dependency tickets?”

Gap 3: Integration Bridge Network Segmentation Gap Between Legacy and Cloud R&D (Priority: high)

What the scenario revealed: A 14-month-old legacy auth exception was never reviewed after the SAP migration window closed, enabling NTLM authentication to bypass Conditional Access.

Why it matters: Post-merger integration infrastructure creates temporary policy exceptions that become permanent attack paths when not actively retired.

Suggested remediation:

• Audit all legacy authentication exceptions and assign expiry dates.
• Require CTO and CISO sign-off for any exception older than 90 days.
• Implement Conditional Access enforcement for all on-premise-to-cloud authentication paths.

Debrief question: “What does this mean for your organization’s readiness when migration-era policy exceptions remain active long after the migration closes?”

Gap 4: DLP Monitoring Blindspot on Port 443 Telemetry via TLS SNI Spoofing (Priority: medium)

What the scenario revealed: Attacker-controlled infrastructure used SNI headers matching graph.microsoft.com to bypass DLP classification.

Why it matters: TLS SNI spoofing is a well-documented DLP bypass. Trusting SNI headers without certificate validation leaves a wide exfiltration channel open on port 443.

Suggested remediation:

• Enable certificate validation in DLP for all HTTPS traffic classified as Microsoft telemetry.
• Establish behavioral volume baselines for legitimate Microsoft Graph API traffic.
• Alert on outbound HTTPS volume anomalies exceeding 10 GB per week to any single external destination.

Debrief question: “What does this mean for your organization’s readiness when ~7 GB of R&D data can leave via port 443 over 3-4 weeks without a single DLP alert – and the core IP collections were just starting to be targeted when CFCS tipped you off?”