Winnti Scenario: Biotech R&D Espionage

Winnti Scenario: Operation Silk Harvest

BioGenix Solutions: Danish biosolutions company, 1,800 employees, precision fermentation and industrial enzyme engineering

APT Espionage • Winnti

STAKES

Genomic IP protection + Merger infrastructure integrity + Regulatory compliance + Competitive advantage

HOOK

Anomalous HTTPS traffic from BioGenix cloud R&D environments is flagged as Microsoft Graph API telemetry but originates from unexpected on-premise hosts. Legacy admin credentials are authenticating into Azure from a server pending decommissioning. Three bioreactor calibration workstations are generating unexpected child process activity following a recent calibration software update. GenixLibrary audit logs reveal 44 sequential off-hours reads of DNA sequence files with no corresponding authenticated user sessions.

PRESSURE

• Merger data room deadline: Friday
• Intellectual property exposure: 3+ years of proprietary R&D
• Genomic research at risk: GenixLibrary sequence database

FRONT • 150 minutes • Expert

BioGenix Solutions: Danish biosolutions company, 1,800 employees, precision fermentation and industrial enzyme engineering

APT Espionage • Winnti

NPCs

• Phillip Christensen (CEO): Owns executive decisions on R&D protection and merger deal implications
• Katrine Fønsmark (CTO): Leads technical incident response and cloud environment assessment
• Dr. Ida Woetmann (VP R&D): Represents research continuity risk and GenixLibrary sequence integrity
• Bent Sejrø (CISO): Coordinates evidence preservation and authority engagement with CFCS and PET

SECRETS

• Third-party calibration software updates are deployed to R&D infrastructure without independent code-signing validation
• The Hansen-Core SAP NetWeaver instance remained network-connected despite being scheduled for decommissioning 18 months ago, due to Collaborative Bridge migration dependencies
• DLP monitoring classifies outbound HTTPS traffic matching Microsoft Graph API signatures as low-priority telemetry, creating a monitoring gap for port 443 exfiltration

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Winnti Biotech R&D Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Winnti Biotech R&D Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Monday at 07:45 at BioGenix Solutions. CISO Bent Sejrø escalates to CEO Phillip Christensen after overnight monitoring flags a cluster of anomalies across the R&D environment. Three bioreactor calibration workstations began generating unexpected process activity after last week’s CaliSyncPro software update – activity that the vendor update manifest does not account for. GenixLibrary, the company’s proprietary genomic sequence database, shows 44 off-hours batch read operations with no corresponding authenticated sessions. Most alarming: legacy admin credentials associated with HANSEN-SAP-01, a decommissioning SAP NetWeaver server, are authenticating into the Azure cloud R&D environment via the Collaborative Bridge. Leadership must decide how to protect years of proprietary fermentation and enzyme research while preserving evidence and meeting regulatory obligations under GDPR.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Three bioreactor calibration workstations started spawning unexpected processes after the CaliSyncPro update”
• “GenixLibrary access logs show off-hours bulk reads with no matching authenticated sessions”
• “HANSEN-SAP-01 – a server due for decommissioning – is authenticating into our Azure cloud environment”
• “Outbound HTTPS to graph.microsoft.com is higher than expected with no corresponding BI activity flagged”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Code-signing certificate chain for CaliSyncPro_v4.2.1.exe traces to a vendor certificate issued under unusual conditions
• Timeline forensics reveal calibsvc.exe spawning svchost.exe then powershell.exe -encodedCommand sequences across 3 bioreactor workstations
• Historical access reconstruction shows HANSEN-SAP-01 has been active on the network for 18 months past its scheduled decommission date
• Kernel rootkit on HANSEN-SAP-01 uses a signed driver with a revoked certificate – matching documented Winnti supply chain TTPs
• CFCS intelligence suggests a coordinated campaign across Danish life sciences with identical delivery vector and matching C2 infrastructure patterns

Protector System Analysis:

Note🛡️ Protector System Analysis

• Memory scan of HANSEN-SAP-01 reveals a hidden kernel module masking its process list – disk scans previously returned clean
• Certificate validation gap: the calibration software signing chain was not cross-checked against revocation lists before deployment
• Recovery confidence on the cloud R&D environment depends on establishing a clean baseline before the merger data room review

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• 90-day outbound traffic summary shows 847 GB leaving via port 443 to a domain closely resembling graph.microsoft.com but resolving to attacker infrastructure
• NTLM authentication from HANSEN-SAP-01 into Azure AD with no preceding interactive logon confirms Pass-the-Hash lateral movement through the Collaborative Bridge
• Traffic classification gap: DLP categorized attacker exfiltration as Microsoft telemetry due to TLS SNI matching

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• CEO Phillip Christensen needs a clear scope statement before a scheduled call with the acquisition counterparty
• VP R&D Dr. Ida Woetmann requires confirmation of which GenixLibrary sequence datasets were accessed before research teams can resume
• Regulatory teams need a defensible GDPR notification draft aligned to what is confirmed versus suspected

Crisis Manager Coordination:

Note🚨 Crisis Manager Coordination

• Merger data room access is expected by Friday – leadership needs a clear decision on whether to delay or proceed under caveat
• Datatilsynet has a 72-hour notification window from discovery; the clock starts from the moment a personal data breach is reasonably suspected
• Research continuity for 3 active fermentation projects depends on safe access to GenixLibrary – containment scope must be defined before Friday

Mid-Scenario Pressure Points:

• Hour 1: CISO cannot confirm scope of GenixLibrary access – merger advisors are requesting a clean R&D data room status by Friday
• Hour 2: VP R&D confirms 3 months of off-hours bulk reads – potential 847 GB exfiltration scope identified across genomic sequence files
• Hour 3: Datatilsynet requests formal incident status under the GDPR 72-hour notification window
• Hour 4: CFCS reports matching supply chain campaign at 3 peer Danish biotech firms; PET requests a counterintelligence coordination call

Evolution Triggers:

• If HANSEN-SAP-01 is not isolated promptly, Pass-the-Hash lateral movement continues expanding access into the Azure cloud R&D environment
• If systems are reimaged before forensic preservation, kernel rootkit evidence and the signed driver artifact are permanently lost
• If GDPR notification is delayed past the 72-hour window, regulatory exposure compounds alongside the merger risk

Resolution Pathways:

Technical Success Indicators:

• Verified removal of kernel persistence from HANSEN-SAP-01 and cloud R&D environment, with evidence package preserved
• Calibration workstation process chain documented and vendor certificate revocation initiated
• Monitoring strategy upgraded to detect LotL behavior and DLP bypass via TLS SNI matching

Business Success Indicators:

• Merger leadership receives a defensible scope statement with documented rationale for data room timing decision
• Datatilsynet notification is timely, accurate, and scoped to confirmed evidence – not speculative
• R&D continuity plan is in place for active fermentation projects with clear GenixLibrary access controls

Learning Success Indicators:

• Team recognizes supply chain and dormant persistence patterns that evade signature-based detection
• Participants practice balancing evidence preservation with operational urgency under merger pressure
• Group coordinates technical, legal, and executive decisions under GDPR and counterintelligence constraints

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which forensic artifacts are critical before any reset actions? Who owns that decision, and what does the CFCS coordination request require you to preserve?”

If Merger Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting data room integrity to the acquisition counterparty? What liability does BioGenix carry if the merger proceeds and the compromise scope later expands?”

If Regulatory Coordination Is Delayed:

“Datatilsynet requests formal incident status under the GDPR 72-hour notification window, asking whether personal data associated with R&D collaborators or employees has been accessed. CFCS separately reports identifying identical supply chain delivery patterns at 3 other Danish biotech and pharmaceutical firms in the past 6 months, indicating a coordinated campaign targeting Danish life sciences intellectual property.”

Success Metrics for Session:

• Team identifies supply chain delivery and dormant persistence patterns
• Containment and evidence handling remain defensible under merger and regulatory pressure
• Datatilsynet notification timing and ownership are established with appropriate scope
• Merger risk decisions are aligned to technical confidence levels
• Long-term genomic IP security improvements are clearly defined

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round Focus: Core supply chain detection and immediate containment decisions Key Actions: Scope GenixLibrary exposure, preserve kernel forensics, issue first merger data room posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds Focus: Parallel forensic triage, GDPR notification sequencing, and merger governance Key Actions: Build timeline confidence, contain Collaborative Bridge lateral movement, align Datatilsynet messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds Focus: End-to-end supply chain espionage response under merger and regulatory pressure Key Actions: Coordinate leadership and technical teams, decide merger data room posture, define durable remediation

Advanced Challenge (150+ minutes)

Structure: 7-8 investigation rounds, 4 decision rounds Expert Elements: Counterintelligence tension with PET, merger governance conflict, and certificate revocation supply chain complexity Additional Challenges: Ambiguous exfiltration scope, competing regulatory and commercial timelines, escalating CFCS coordination requirements

🌍 Localizing to Other EU Countries

This Danish variation can be adapted to other EU countries during facilitation. EU biosolutions and pharmaceutical contexts share GDPR foundations, but data protection, cyber, and intelligence institutions differ by country.

When adapting this scenario, substitute these elements:

Country	Data Protection Authority	Cyber Agency	Intelligence / Counterintel	Biotech Context
Germany	BfDI + state DPAs	BSI	BfV	Strong pharmaceutical and industrial biotech sector
Netherlands	Autoriteit Persoonsgegevens	NCSC-NL	AIVD	Life sciences hub -- Wageningen and Leiden clusters
Sweden	IMY	CERT-SE	SAPO	Pharmaceutical and biotech R&D export base
France	CNIL	ANSSI	DGSI	Strategic biotech and national pharma programs
Belgium	APD/GBA	CCB	VSSE/SGRS	Brussels biotech corridor and pharma density

Notes:

• Trade secrets nuance: IP protection frameworks differ across EU members and affect disclosure and law enforcement coordination sequences.
• Merger sensitivity: Acquisition contexts may trigger additional national security review in some EU jurisdictions.
• Coordination model: Cyber and intelligence agencies may require parallel reporting tracks in some countries.

Organization names and NPC names can be localized by the IM for the selected EU country.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at BioGenix Solutions confirms 3 bioreactor calibration workstations are generating unauthorized child process chains following the CaliSyncPro update, and HANSEN-SAP-01 is authenticating into the Azure cloud environment via the Collaborative Bridge.
• Clue 2 (Minute 10): Investigators identify HANSEN-SAP-01 as harboring a hidden kernel module – the server was scheduled for decommissioning 18 months ago but remained connected due to Collaborative Bridge dependencies.
• Clue 3 (Minute 15): VP R&D Dr. Ida Woetmann confirms that GenixLibrary audit logs show 44 sequential off-hours reads of proprietary DNA sequence files over the past 3 months, with no corresponding authenticated user sessions – indicating unauthorized automated bulk access to BioGenix’s core genomic research assets.

Pre-Defined Response Options

• Option A: Evidence-Preserved Containment

  • Action: Isolate HANSEN-SAP-01 and calibration workstations, perform memory forensics before any reimaging, preserve the signed kernel driver artifact, and coordinate with CFCS before decommissioning compromised systems.
  • Pros: Enables certificate revocation coordination and counterintelligence handoff; supports defensible GDPR notification.
  • Cons: Slower GenixLibrary restoration and continued merger timeline pressure.
  • Type Effectiveness: Super effective for sustained strategic resilience and regulatory defensibility.

• Option B: Rapid Containment and Restore

  • Action: Isolate affected systems immediately and restore from pre-update snapshots to minimize operational disruption.
  • Pros: Faster GenixLibrary restoration and lower merger risk perception.
  • Cons: Loss of forensic evidence; inability to confirm exfiltration scope; CFCS coordination compromised.
  • Type Effectiveness: Partially effective – removes immediate threat but leaves exfiltration scope unresolved.

• Option C: Phased Confidence Restoration

  • Action: Prioritize GenixLibrary containment first, then work outward to calibration workstations and cloud environment, sequencing forensics alongside operational recovery.
  • Pros: Balances research continuity with evidence discipline; supports staged regulatory notification.
  • Cons: Extended ambiguity on full exfiltration scope; merger data room timing remains uncertain.
  • Type Effectiveness: Moderately effective when GDPR and merger governance remain coordinated.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Supply Chain Discovery and Lateral Movement (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Calibration workstations show unauthorized process chains with no disk-based malware – encoded PowerShell commands spawned from the calibration service process.
• Clue 2 (Minute 10): HANSEN-SAP-01 kernel scan reveals a hidden driver masking processes – prior disk scans returned clean because the rootkit intercepted file system queries.

• Clue 3 (Minute 15): VP R&D Dr. Ida Woetmann confirms that GenixLibrary audit logs show 44 sequential off-hours reads of proprietary DNA sequence files over the past 3 months, with no corresponding authenticated user sessions – indicating unauthorized automated bulk access to BioGenix’s core genomic research assets.

• Clue 4 (Minute 20): Leadership requests immediate scope statement for the merger data room with delivery impact estimate.

Round 2: Regulatory Coordination and Merger Decision (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): 90-day traffic analysis confirms 847 GB exfiltrated via port 443 to attacker-controlled infrastructure disguised as Microsoft Graph API telemetry – covering 44 sequential GenixLibrary batch reads.

• Clue 6 (Minute 40): Datatilsynet requests formal incident status under the GDPR 72-hour notification window, asking whether personal data associated with R&D collaborators or employees has been accessed. CFCS separately reports identifying identical supply chain delivery patterns at 3 other Danish biotech and pharmaceutical firms in the past 6 months, indicating a coordinated campaign targeting Danish life sciences intellectual property.

• Clue 7 (Minute 50): Acquisition advisors request a clear go/no-go decision on data room access by end of day.
• Clue 8 (Minute 55): Legal and security teams require documented rationale for GDPR notification scope and timing decisions.

Round Transition Narrative

After Round 1 – Round 2:

“CFCS reports that identical supply chain delivery patterns – vendor-signed calibration software updates distributing kernel-level payloads – have been detected at 3 other Danish biotech and pharma organizations in the past 6 months, indicating a coordinated campaign targeting Danish life sciences intellectual property.”

Facilitation questions:

• “What minimum evidence supports a defensible GenixLibrary integrity statement for the merger counterparty?”
• “Which decisions cannot wait for complete forensic certainty – and what governance gaps does that reveal?”
• “How do you communicate residual uncertainty to Datatilsynet without triggering premature enforcement response?”

Debrief Focus:

• Integrating supply chain forensics with genomic IP governance decisions
• Balancing merger pressure with GDPR notification obligations and evidence quality
• Preserving counterintelligence value when operational urgency competes with evidence discipline

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery, supply chain governance redesign, and CFCS counterintelligence handoff.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

CEO Phillip Christensen convenes an emergency briefing and confirms that BioGenix is in advanced acquisition discussions – any uncertainty about R&D integrity could materially affect valuation and the deal timeline. CTO Katrine Fønsmark reports anomalous process behavior on three calibration workstations and confirms HANSEN-SAP-01 is generating unexpected authentication events into the Azure R&D environment via the Collaborative Bridge. VP R&D Dr. Ida Woetmann requests an immediate GenixLibrary access audit and reports that sequence data access patterns are inconsistent with any active research project. CISO Bent Sejrø requests incident response activation with evidence preservation priority and coordination with CFCS and PET.

Players investigate openly using role capabilities. Early findings include unauthorized GenixLibrary access, uncertain exfiltration scope, rising merger pressure, and a decommissioned server that should not be active.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to Phillip Christensen and the acquisition counterparty by end of day – and defensible to Datatilsynet by the 72-hour window?”

Round 2: Regulatory Coordination and Merger Decision (35-40 min)

• Technical teams complete kernel forensics and present containment and recovery options.
• Leadership requests a clear recommendation on merger data room access and GDPR notification timing.

• Coordination now spans GDPR and Danish Trade Secrets Act, Datatilsynet, CFCS, and PET stakeholders.

Facilitation questions:

• “What controls must be confirmed before asserting GenixLibrary baseline integrity to the acquisition counterparty?”
• “How will you document the rationale for GDPR notification timing in a way that holds up under Datatilsynet review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete. Leadership requests a 90-day remediation roadmap addressing supply chain governance, legacy system decommissioning, and genomic IP monitoring.

Pressure events:

• Acquisition counterparty requests evidence of lasting control improvements before closing
• Datatilsynet requests post-incident report with root cause analysis and remediation milestones
• CFCS requests anonymized indicators of compromise for national threat intelligence sharing

Victory conditions for full 3-round arc:

• Verified clean baseline for GenixLibrary and cloud R&D environment with preserved forensic record
• Defensible reporting package for Datatilsynet, CFCS, and acquisition governance teams
• Durable supply chain governance controls and legacy system decommissioning policy

Debrief Questions

1. “Which early indicator most clearly signaled nation-state supply chain espionage rather than a routine software defect?”
2. “How did merger pressure alter risk tolerance across the leadership and security teams?”
3. “What evidence was essential for credibility with Datatilsynet, CFCS, and the acquisition counterparty simultaneously?”
4. “How can life sciences organizations raise supply chain security readiness without disrupting vendor-dependent R&D operations?”

Debrief Focus

• Winnti supply chain espionage combines passive persistence with high-value genomic IP targeting
• Defensible response requires synchronized technical, legal, and governance decisions under competing timelines
• Long-term resilience depends on supply chain certificate validation, legacy system hygiene, and DLP coverage on trusted protocols

Advanced Challenge Materials (150+ min)

Red Herrings and Misdirection

1. A legitimate Azure BI project ran during the same 90-day window and generated a spike in outbound HTTPS traffic – initial DLP review attributes most of the volume to the BI workload.
2. The SAP NetWeaver maintenance window in the ITSM system overlaps with the incident timeline, creating apparent authorization for HANSEN-SAP-01 network activity.
3. Bioreactor calibration anomaly alerts were raised during the same period as part of a routine hardware qualification cycle, providing process-level cover for IoCs.

Removed Resources and Constraints

• No existing incident response playbook for supply chain compromise affecting R&D infrastructure
• Kernel forensics capability requires engagement of an external specialist – lead time is 48 hours
• GenixLibrary audit logging was not configured for real-time alerting, only batch log review

Enhanced Pressure

• Acquisition counterparty demands a same-day scope statement on GenixLibrary integrity
• Board requests written rationale for every high-impact containment decision that could affect the merger timeline
• PET requests an urgent counterintelligence briefing that requires C-suite availability at the height of the incident response

Ethical Dilemmas

1. Delay merger data room access for stronger forensic confidence, or proceed under caveat with incomplete scope assessment.
2. Disclose full CFCS intelligence context to the acquisition counterparty, or limit disclosure to confirmed technical facts.
3. Preserve complete kernel forensic evidence for PET and CFCS, or accelerate restoration to meet the GDPR notification timeline.

Advanced Debrief Topics

• Building life sciences doctrine for supply chain espionage incidents affecting both IP and regulated personal data
• Structuring governance when commercial, regulatory, and counterintelligence timelines diverge simultaneously
• Sustaining long-term R&D security investment in environments where vendor-dependent operations constrain isolation options

Session Materials

Download or print before the session. Handout files open as standalone pages.

IM Inject Deck Handout A Handout B Handout C Handout D

Inject Sequence

The following injects are delivered by the IM at the trigger points described. Read aloud text verbatim. Adjust timing to group pace – a fast-moving group may skip injects; a stuck group may need them early.

Inject 1: Calibration Software Alert and Authentication Anomalies

Trigger: Overnight SOC alert batch escalated by on-call analyst at shift change.

Read Aloud:

“Your SOC analyst reports that 3 bioreactor calibration workstations started spawning unexpected child processes last night after the CaliSyncPro update. The same analyst flags that HANSEN-SAP-01 – which should be offline – is authenticating into your Azure cloud R&D environment right now.”

Artifact: Handout A: Supply Chain Evidence

Discussion Questions:

• What is the first containment priority – the calibration workstations or the Azure authentication anomaly?
• Who owns the decision to isolate HANSEN-SAP-01 given its Collaborative Bridge dependency?
• What evidence must be preserved from the calibration workstations before isolation?

Conditional Branches:

• If the team isolates HANSEN-SAP-01 first: Collaborative Bridge connectivity drops temporarily but R&D cloud access is stabilized.
• If the team delays HANSEN-SAP-01 isolation: Additional Azure R&D resources are accessed by attacker credentials during the delay window.

IM Notes:

• Hint if stuck: “Which system provides the attacker their current active access – the calibration workstations or HANSEN-SAP-01? Where do you need to act first?”
• Red flag: No owner is assigned for HANSEN-SAP-01 isolation within 10 minutes of discovery.
• Success indicator: Incident command is established, isolation sequence is prioritized, and evidence preservation owner is assigned.

Inject 2: Kernel Rootkit Discovered on HANSEN-SAP-01

Trigger: Security team completes hardware-assisted memory enumeration requested after INJ-001.

Read Aloud:

“Your forensics specialist reports: HANSEN-SAP-01 has a hidden kernel driver masking 5 processes. The driver is signed – but the certificate was revoked four months ago. Standard antivirus never saw it because the rootkit intercepted the file system queries. One of those hidden processes has an active connection to an external IP right now.”

Artifact: Handout B: Rootkit Forensic Artifacts

Discussion Questions:

• Why did standard disk scans return clean while memory forensics reveals an active rootkit?
• What must be preserved from this server before any isolation or decommission action?
• Who needs to be notified now that nation-state kernel-level persistence is confirmed?

Conditional Branches:

• If the team preserves forensic artifacts before isolation: CFCS confirms the kernel driver matches indicators from a known supply chain campaign. Counterintelligence handoff is viable.
• If the team reimages without preservation: CFCS requests artifacts that no longer exist. Attribution and counterintelligence value is lost.

IM Notes:

• Hint if stuck: “The rootkit is active and network-connected right now. What do you need to preserve, and what do you need to do to cut the connection without destroying the evidence?”
• Red flag: Team reimages HANSEN-SAP-01 without capturing memory image and kernel driver artifact.
• Success indicator: Memory image and kernel driver artifact are preserved. CFCS notification decision is made. Certificate revocation investigation is initiated.

Inject 3: Pass-the-Hash Confirmed via Collaborative Bridge

Trigger: VPN and Azure AD log correlation completed by network security team.

Read Aloud:

“Network forensics confirms it: the attacker used credentials harvested from HANSEN-SAP-01 to walk straight into your Azure R&D environment through the Collaborative Bridge. No interactive login. No MFA. A legacy exception in your Conditional Access policy let them straight through. They have had cloud R&D access for 3 months.”

Artifact: Handout C: Lateral Movement Log

Discussion Questions:

• What does the absence of a preceding interactive logon tell you about how these credentials were used?
• Which Azure R&D resources accessed by this account need immediate integrity review?
• What policy gap allowed NTLM authentication to bypass Conditional Access?

Conditional Branches:

• If the team revokes credentials and closes policy gap quickly: Active attacker access to cloud R&D is terminated. Remaining investigation focuses on historical exfiltration scope.
• If the team delays credential revocation: Attacker maintains cloud R&D access during the delay. Additional GenixLibrary data is potentially accessed before cutoff.

IM Notes:

• Hint if stuck: “Three months of cloud R&D access through a legacy policy exception. Which resources were within reach of svc-rdbridge-admin – and does that scope match your current exfiltration estimate?”
• Red flag: Team does not revoke svc-rdbridge-admin credentials and close the legacy auth exception immediately.
• Success indicator: Credentials revoked, legacy auth exception closed, and scope of Azure resources accessed is documented.

Inject 4: Drip Exfiltration Detected – 847 GB Over 3 Months

Trigger: Network team completes 90-day traffic retrospective following credential revocation.

Read Aloud:

“Network analysis is in: 847 gigabytes out the door over 3 months, all disguised as Microsoft telemetry. Your DLP trusted the SNI header and never flagged it. GenixLibrary logs confirm 44 overnight sessions reading sequence files sequentially. This is methodical collection of your entire R&D portfolio.”

Artifact: Handout D: Exfiltration Traffic Analysis

Discussion Questions:

• How does confirmed 3-month exfiltration change your merger data room posture?
• What must your GDPR notification to Datatilsynet say – and what must it not say?
• How do you communicate exfiltration scope to the acquisition counterparty without exposing ongoing counterintelligence work?

Conditional Branches:

• If the team establishes defensible scope statement with confidence qualifiers: Merger counterparty and Datatilsynet receive calibrated, credible updates that preserve trust.
• If the team overstates certainty in scope: Later scope revisions undermine credibility with regulators and the acquisition counterparty.

IM Notes:

• Hint if stuck: “3 years of R&D potentially exfiltrated. Your merger counterparty calls in 2 hours. What can you tell them with confidence, and what do you still not know?”
• Red flag: Team provides merger counterparty with either unconfirmed scope or no explanation of uncertainty.
• Success indicator: Exfiltration scope is documented with confidence level. GDPR notification draft is initiated. Merger briefing position is agreed.

Inject 5: Regulatory and Intelligence Authorities Request Status

Trigger: Datatilsynet, CFCS, and PET contacts arrive in rapid succession.

Read Aloud:

“Three calls at once: Datatilsynet wants your GDPR notification status. CFCS says they have seen this exact supply chain pattern at 3 other Danish biotech firms and wants your indicators. PET wants a counterintelligence call. Your merger advisor calls next. You have 30 minutes before the first of these conversations.”

Discussion Questions:

• What can you confirm to Datatilsynet now – and what must you qualify as under investigation?
• How do you coordinate with CFCS and PET without compromising your merger timeline or regulatory obligations?
• What does the coordinated campaign at peer firms mean for your remediation and disclosure strategy?

Conditional Branches:

• If the team separates regulatory, counterintelligence, and commercial workstreams: All three stakeholder groups receive calibrated, appropriate communication. Trust is maintained across all channels.
• If the team conflates workstreams or allows one to block another: Either GDPR deadline pressure spikes, counterintelligence value is compromised, or merger trust erodes.

IM Notes:

• Reference numbers to share if asked: Datatilsynet reference DT-2026-0847; CFCS bulletin CB-2026-0312 cites the identical kernel driver certificate revocation date.
• Hint if stuck: “Who speaks to Datatilsynet, who speaks to CFCS and PET, and who speaks to the merger advisor – and what is each of them authorized to say?”
• Red flag: No single owner is assigned for Datatilsynet notification. Team allows CFCS coordination to delay GDPR notification.
• Success indicator: GDPR notification owner assigned. CFCS coordination scope agreed. Merger advisor briefing position confirmed.

Inject 6: Decision and Debrief Pivot

Trigger: Scenario timebox ends and facilitator transitions to hot wash.

Read Aloud:

“Immediate containment is in place. You have stopped the bleeding. But 847 gigabytes of genomic R&D may already be in the hands of a foreign intelligence service. The next decisions you make determine whether this becomes a repeat event or a turning point for BioGenix.”

Discussion Questions:

• Which control improvement would have most changed this outcome?
• What governance decisions were delayed too long under pressure?
• What does this incident mean for your organization’s supply chain security posture?

Conditional Branches:

• If the team defines concrete remediation owners: Post-incident momentum remains high and measurable.
• If the team ends without ownership: Known weaknesses persist. A second wave of the campaign could reach BioGenix again.

IM Notes:

• Hint if stuck: “Name the 3 highest-value changes BioGenix can own in the next quarter to prevent the next stage of this campaign.”
• Red flag: Debrief focuses on individual fault rather than systemic supply chain and governance gaps.
• Success indicator: Team leaves with prioritized owners, deadlines, and measurable remediation outcomes across supply chain, legacy systems, and DLP coverage.

NPC Dialogue Scripts

Verbatim lines for key NPCs at critical decision moments. Deliver in character when players interact with the NPC or when the scene naturally calls for it. Adapt phrasing naturally but preserve the core message.

Chief Executive Officer: Phillip Christensen

Merger timeline and executive decision-making under R&D uncertainty

Should we proceed with the merger data room by Friday?:
“I need a defensible scope statement – not certainty. If we can document what we know and what we do not know, I can have that conversation with the counterparty. What I cannot do is walk in without a position.”

What is your biggest concern right now?:
“Three years of R&D is the core of our valuation. If that data is in someone else’s hands, we need to know before the deal closes – not after.”

Chief Technology Officer: Katrine Fønsmark

Technical containment decisions and cloud R&D integrity

Can we certify the Azure R&D environment is clean?:
“Not until we complete a full access log review of every resource svc-rdbridge-admin touched. That will take at least 24 hours with current tooling.”

What do you need from leadership right now?:
“Approval to close the Collaborative Bridge legacy auth exception immediately – and a decision on whether we halt all GenixLibrary access until we confirm the clean baseline.”

Chief Information Security Officer: Bent Sejrø

Evidence preservation, regulatory coordination, and counterintelligence scope

Should we preserve the rootkit or reimage the server?:
“Preserve first. The kernel driver artifact is the only thing that lets CFCS attribute this to the broader campaign. If we reimage now, we lose our counterintelligence value and our ability to demonstrate the full attack chain to Datatilsynet.”

How do we handle the CFCS and PET coordination alongside the GDPR clock?:
“They are parallel workstreams – not competing ones. GDPR notification goes to Datatilsynet on its own track. CFCS and PET get the technical artifacts on a separate track. We do not let one block the other.”

VP Research and Development: Dr. Ida Woetmann

GenixLibrary integrity, research continuity, and sequence data scope

Which GenixLibrary datasets were accessed?:
“The batch read pattern matches our fermentation and enzyme engineering sequences – the core IP behind our precision fermentation platform. These represent 3 years of proprietary work that no competitor has access to.”

Can the active fermentation projects continue?:
“Not until I know GenixLibrary access is clean. If svc-rdbridge-admin had write access as well as read access, we cannot trust the integrity of any sequence data currently in active use.”

Red Herrings

These false leads are built into the scenario. Do not shut down player investigation – let them work through the evidence to the correct conclusion. The goal is productive confusion, not frustration.

Red Herring 1: Legitimate Azure BI Project Traffic Spike

What points to it:

• The Azure BI project ran a major quarterly data refresh during the same 90-day window.
• Initial DLP review attributes most outbound HTTPS volume to the BI workload.
• BI project owner confirms large data movements were expected and approved.

Why it’s wrong: The BI project generated 38 GB to documented Microsoft Azure endpoints with valid certificates. The 847 GB to graph-api-sync.bioanalytics.net uses a self-signed certificate and resolves to a non-Microsoft IP registered 4 months after the BI project was approved.

IM resolution script: “The BI project traffic is legitimate and documented. The 847 GB you are looking at goes to a different destination entirely – registered 4 months ago, resolving to an IP that is not part of any Microsoft infrastructure. Separate these two datasets and look at the destination certificates, not just the SNI headers.”

Red Herring 2: SAP NetWeaver Maintenance Window in ITSM System

What points to it:

• The ITSM system shows an open maintenance ticket for HANSEN-SAP-01 (ITSM-29847).
• Change calendar entries show SAP NetWeaver in an active work window.
• Initial IT response assumes HANSEN-SAP-01 authentication activity is related to the maintenance work.

Why it’s wrong: ITSM-29847 is a decommissioning blocker ticket, not a maintenance authorization. The ticket was last updated in November 2024 and authorizes no network authentication activity.

IM resolution script: “ITSM-29847 is not a maintenance authorization – it is a decommissioning blocker. No change record authorizes HANSEN-SAP-01 to authenticate into Azure. The authentication activity you are seeing is outside any approved window.”

Red Herring 3: Bioreactor Calibration Hardware Qualification Cycle

What points to it:

• Bioreactor calibration anomaly alerts were raised during the same period as the process-level IoCs.
• R&D operations confirms a routine hardware qualification cycle was running on the affected workstations.
• Calibration performance alerts are a normal part of the qualification workflow.

Why it’s wrong: Hardware qualification cycles generate calibration performance alerts, not unauthorized child process chains. The process tree showing calibsvc.exe spawning PowerShell is not part of any qualification workflow.

IM resolution script: “The hardware qualification cycle generates calibration performance alerts – not PowerShell process chains. These are two separate events on the same workstations. Do not let the normal qualification noise obscure the unauthorized process execution you are investigating.”

Post-Session Gap Analysis

Use this section during the debrief. Each gap is a real security control weakness this scenario is designed to surface. Help participants connect scenario events to their own organization’s readiness.

Gap 1: No Independent Code-Signing Validation for Third-Party R&D Software Updates (Priority: critical)

What the scenario revealed: The trusted vendor exception policy bypassed OCSP validation, allowing a revoked certificate to sign a malicious update that deployed without challenge.

Why it matters: Supply chain attacks via signed software are the highest-sophistication initial access vector available to nation-state actors. Certificate validation is the primary control.

Suggested remediation:

• Mandate live OCSP checks for all code-signing certificates at deployment time.
• Publish an approved certificate authority list and block unsigned or off-list signers.
• Sunset all trusted vendor exceptions and replace with certificate-pinning or hash validation.

Debrief question: “What does this mean for your organization’s confidence in third-party R&D software when the signing certificate was revoked 4 months before deployment?”

Gap 2: Legacy System Decommissioning Backlog Creates Persistent Attack Surface (Priority: high)

What the scenario revealed: An unresolved ITSM ticket kept a decommissioning-backlog server connected to both on-premise and cloud environments indefinitely.

Why it matters: Decommissioning backlogs create orphaned assets that receive no security updates, monitoring, or patch management.

Suggested remediation:

• Implement automated network isolation for systems 30 days past their decommission date.
• Require CISO sign-off for any decommissioning extension beyond 90 days.
• Publish quarterly decommissioning backlog report to IT leadership.

Debrief question: “What does this mean for your organization’s readiness when systems scheduled for decommissioning remain fully network-connected due to unresolved dependency tickets?”

Gap 3: Merger Bridge Network Segmentation Gap Between Legacy and Cloud R&D (Priority: high)

What the scenario revealed: A 14-month-old legacy auth exception was never reviewed after the SAP migration window closed, enabling NTLM authentication to bypass Conditional Access.

Why it matters: Merger and migration infrastructure creates temporary policy exceptions that become permanent attack paths when not actively retired.

Suggested remediation:

• Audit all legacy authentication exceptions and assign expiry dates.
• Require CTO and CISO sign-off for any exception older than 90 days.
• Implement Conditional Access enforcement for all on-premise-to-cloud authentication paths.

Debrief question: “What does this mean for your organization’s readiness when migration-era policy exceptions remain active long after the migration closes?”

Gap 4: DLP Monitoring Blindspot on Port 443 Telemetry via TLS SNI Spoofing (Priority: medium)

What the scenario revealed: Attacker-controlled infrastructure used SNI headers matching graph.microsoft.com to bypass DLP classification.

Why it matters: TLS SNI spoofing is a well-documented DLP bypass. Trusting SNI headers without certificate validation leaves a wide exfiltration channel open on port 443.

Suggested remediation:

• Enable certificate validation in DLP for all HTTPS traffic classified as Microsoft telemetry.
• Establish behavioral volume baselines for legitimate Microsoft Graph API traffic.
• Alert on outbound HTTPS volume anomalies exceeding 10 GB per week to any single external destination.

Debrief question: “What does this mean for your organization’s readiness when 847 GB of R&D data can leave via port 443 over 3 months without a single DLP alert?”