Threat Clock Cards – Winnti: Operation Silk Harvest

5 pre-scripted attacker progression cards. Print, cut, and stack face-down in order. Flip and check the “skip if” condition against the IC’s whiteboard before reading aloud. If the condition is met, skip the card silently.


T1 – Cloud Access Persists After Isolation

Trigger: ~T+45 (mid Round 2), if svc-rdbridge-admin credential has NOT been revoked.

Read aloud: “Azure AD alert: svc-rdbridge-admin has pre-authorized standing delegated access to the GenixLibrary SharePoint repository and Azure Blob storage – access rights granted through the Collaborative Bridge onboarding process in 2024. These cloud-side permissions are tied to the credential, not the server. HANSEN-SAP-01 being offline does not remove them. If the attacker retained the credential hash, they can authenticate directly to Azure AD from any system – or through cloud-to-cloud access – without touching the isolated server.”

Game effect: Isolating HANSEN-SAP-01 closed the on-premises attack path but not the cloud-side access. The credential must be revoked in Azure AD to close the cloud permissions independently of the server’s network status. Teams should also audit what delegated access was granted during the Collaborative Bridge onboarding.

SKIP IF: svc-rdbridge-admin is on the IC whiteboard under CONTAINED. Credential revocation removed the cloud-side access rights and closed this path regardless of server status.

This card should fire even if HANSEN-SAP-01 is already isolated – isolation closed the server’s network path but not the credential’s cloud-side rights. Use it to reinforce that server isolation and credential revocation are two separate containment actions, each closing a different attack surface. If skipped, note for debrief: the team understood that isolation alone was insufficient.

T2 – Exception Exposes the Entire Subnet

Trigger: ~T+60 (late Round 2), if Collaborative Bridge exception COLLBRIDGE-EXCL-003 has NOT been closed.

Read aloud: “Network scan of the HANSEN-SAP-01 legacy subnet has identified a second unmonitored server – LEGACY-INT-07 – showing outbound NTLM authentication attempts through the Collaborative Bridge. COLLBRIDGE-EXCL-003 was written to permit NTLM authentication from the entire 10.14.22.0/24 subnet, not just from HANSEN-SAP-01. Any system in that subnet – including LEGACY-INT-07 and any others not yet inventoried – can authenticate to the cloud R&D environment without MFA as long as the exception remains open. Isolating HANSEN-SAP-01 closed one door. The exception keeps the others open.”

Game effect: The CA exception is subnet-wide, not host-specific. Teams must close COLLBRIDGE-EXCL-003 to block all NTLM authentication from the legacy subnet, regardless of which systems are isolated. LEGACY-INT-07 should be investigated as a potential second foothold.

SKIP IF: COLLBRIDGE-EXCL-003 is on the IC whiteboard under CONTAINED. Closing the exception blocked all NTLM authentication from the subnet, removing the path regardless of how many hosts are present.

This card should fire even if HANSEN-SAP-01 is already isolated – the exception covers the entire subnet. Use it to reinforce that isolating a single host and closing a subnet-wide policy exception are two separate containment actions. The LEGACY-INT-07 detail can be followed up by teams or left as a loose end for the debrief. If skipped, note for debrief: the team understood that host isolation does not substitute for policy remediation.

T3 – Anti-Forensics: Rootkit Self-Destruct

Trigger: Start of Round 4, if memory image has NOT been preserved from HANSEN-SAP-01.

Read aloud: “Alpha forensics lead reports: the kernel driver on HANSEN-SAP-01 has begun a self-destruct sequence. The DKOM hooks are being removed and the hidden processes are terminating. If the memory image is not captured within the next few minutes, the rootkit artifact – the evidence CFCS needs for attribution – will be lost permanently.”

Game effect: 5-minute countdown. If teams don’t have the memory image already, they must act NOW or lose the kernel driver artifact. CFCS attribution depends on this.

SKIP IF: Memory image is on the IC whiteboard under CONTAINED. The forensic team already captured the evidence before the attacker could destroy it.

If skipped, the team’s early preservation work paid off. If NOT skipped, play the CISO NPC immediately: “We will lose the kernel driver artifact if we don’t capture it now. CFCS has already requested it.”

T4 – Exfiltration Spike: Core Collections at Risk

Trigger: During Round 4, if GenixLibrary has NOT been taken offline or isolated.

Read aloud: “SIEM alert: Anomalous outbound traffic spike detected. Transfer volume to external infrastructure has doubled in the last hour. GenixLib-Core-Collection-v1 transfer is now at ~35% complete. GenixLib-Core-Collection-v2 transfer has accelerated to ~20% complete. The attacker is racing to complete the exfiltration before containment.”

Game effect: The window to save the core IP collections is closing. If teams don’t isolate GenixLibrary in this round, transfer volumes will continue to climb.

SKIP IF: GenixLibrary is on the IC whiteboard under CONTAINED – taking it offline stopped all transfers. ALSO SKIP IF: both svc-rdbridge-admin AND COLLBRIDGE-EXCL-003 are CONTAINED – the access path to GenixLibrary is already dead even without formal isolation, since the attacker’s VPN route is fully closed.

If skipped, the team’s containment work already cut the exfiltration path. If NOT skipped, this is high pressure – play VP R&D NPC if teams hesitate: “I need to know exactly which research projects were accessed before we can assess competitive exposure.”

T5 – Full Exfiltration Complete

Trigger: End of session, if the attacker has NOT been fully contained (all attack paths closed).

Read aloud: “Post-incident analysis confirms: the attacker transferred approximately 50% of GenixLib-Core-Collection-v1 and 30% of GenixLib-Core-Collection-v2 before infrastructure was burned. Total confirmed data loss: ~7 GB of historical R&D sequences plus ~13 GB of core IP collections. The attacker’s C2 infrastructure went dark at 18:00 UTC – they withdrew with a significant portion of BioGenix’s curated IP portfolio.”

Game effect: Session ends. This is the worst-case outcome for the debrief.

SKIP IF: All attack paths are marked CONTAINED on the IC whiteboard (svc-rdbridge-admin revoked, COLLBRIDGE-EXCL-003 closed, GenixLibrary isolated, C2 blocked, HANSEN-SAP-01 isolated). If fully contained, read the success version below instead.

Success version (read if fully contained): “Post-incident analysis confirms: containment was achieved before core IP collection transfers completed. Confirmed historical loss: ~7 GB of older R&D sequence data. Core collection exposure limited by containment timing – GenixLib-Core-Collection-v1 at [check whiteboard for timing] and v2 at [check whiteboard]. The kernel driver artifact has been preserved and shared with CFCS. The attacker’s infrastructure remains active but has no path back into BioGenix.”