Threat Clock Cards – Winnti: Operation Silk Harvest

5 pre-scripted attacker progression cards. Print, cut, and stack face-down in order. Flip and check the “skip if” condition against the IC’s whiteboard before reading aloud. If the condition is met, skip the card silently.

T1 – Cloud Access Persists After Isolation

Trigger: ~T+45 (mid Round 2), if svc-rdbridge-admin credential has NOT been revoked.

Read aloud: “Azure AD alert: svc-rdbridge-admin has pre-authorized standing delegated access to the GenixLibrary SharePoint repository and Azure Blob storage – access rights granted through the Collaborative Bridge onboarding process in 2024. These cloud-side permissions are tied to the credential, not the server. HANSEN-SAP-01 being offline does not remove them. If the attacker retained the credential hash, they can authenticate directly to Azure AD from any system – or through cloud-to-cloud access – without touching the isolated server.”

Game effect: Isolating HANSEN-SAP-01 closed the on-premises attack path but not the cloud-side access. The credential must be revoked in Azure AD to close the cloud permissions independently of the server’s network status. Teams should also audit what delegated access was granted during the Collaborative Bridge onboarding.

SKIP IF: svc-rdbridge-admin is on the IC whiteboard under CONTAINED. Credential revocation removed the cloud-side access rights and closed this path regardless of server status.

This card should fire even if HANSEN-SAP-01 is already isolated – isolation closed the server’s network path but not the credential’s cloud-side rights. Use it to reinforce that server isolation and credential revocation are two separate containment actions, each closing a different attack surface. If skipped, note for debrief: the team understood that isolation alone was insufficient.

T2 – Exception Exposes the Entire Subnet

Trigger: ~T+60 (late Round 2), if Collaborative Bridge exception COLLBRIDGE-EXCL-003 has NOT been closed.

Read aloud: “Network scan of the HANSEN-SAP-01 legacy subnet has identified a second unmonitored server – LEGACY-INT-07 – showing outbound NTLM authentication attempts through the Collaborative Bridge. COLLBRIDGE-EXCL-003 was written to permit NTLM authentication from the entire 10.14.22.0/24 subnet, not just from HANSEN-SAP-01. Any system in that subnet – including LEGACY-INT-07 and any others not yet inventoried – can authenticate to the cloud R&D environment without MFA as long as the exception remains open. Isolating HANSEN-SAP-01 closed one door. The exception keeps the others open.”

Game effect: The CA exception is subnet-wide, not host-specific. Teams must close COLLBRIDGE-EXCL-003 to block all NTLM authentication from the legacy subnet, regardless of which systems are isolated. LEGACY-INT-07 should be investigated as a potential second foothold.

SKIP IF: COLLBRIDGE-EXCL-003 is on the IC whiteboard under CONTAINED. Closing the exception blocked all NTLM authentication from the subnet, removing the path regardless of how many hosts are present.

This card should fire even if HANSEN-SAP-01 is already isolated – the exception covers the entire subnet. Use it to reinforce that isolating a single host and closing a subnet-wide policy exception are two separate containment actions. The LEGACY-INT-07 detail can be followed up by teams or left as a loose end for the debrief. If skipped, note for debrief: the team understood that host isolation does not substitute for policy remediation.
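The scope problem this card illustrates, as an added facilitator reference (not part of the original deck): a small Python check that lists which hosts a CIDR-scoped NTLM exception still admits after one host is isolated, versus the same exception rewritten to a single host. The 10.14.22.0/24 scope and the host names HANSEN-SAP-01 and LEGACY-INT-07 come from the card; all IP addresses, the third host, and the function names are constructed assumptions.

```python
"""Policy-scope check for the T2 card: does an exception written for a
subnet still admit hosts after one host is network-isolated?

Added facilitator reference, not part of the original card deck. The
10.14.22.0/24 scope comes from the card; all IP addresses and the third
host are constructed for this example."""
import ipaddress

# Constructed inventory of the legacy subnet (IP addresses are assumptions).
LEGACY_SUBNET_HOSTS = {
    "HANSEN-SAP-01": "10.14.22.15",
    "LEGACY-INT-07": "10.14.22.41",
    "LEGACY-UNKNOWN": "10.14.22.88",   # a host the team has not inventoried yet
}


def hosts_still_admitted(exception_scope, isolated_hosts, exception_closed=False):
    """Return the hosts that can still authenticate through the exception.

    A host is admitted if its address falls inside the exception's scope and
    the host itself has not been isolated. Closing the exception removes the
    path for every host at once, which is the card's point: host isolation
    and policy remediation are separate containment actions.
    """
    if exception_closed:
        return []
    net = ipaddress.ip_network(exception_scope, strict=False)
    return sorted(
        host for host, ip in LEGACY_SUBNET_HOSTS.items()
        if ipaddress.ip_address(ip) in net and host not in isolated_hosts
    )


def exception_is_host_scoped(exception_scope):
    """True when the scope covers exactly one address, i.e. it is host-specific."""
    return ipaddress.ip_network(exception_scope, strict=False).num_addresses == 1


if __name__ == "__main__":
    # As written on the card: subnet-wide exception, HANSEN-SAP-01 isolated.
    print(hosts_still_admitted("10.14.22.0/24", {"HANSEN-SAP-01"}))
    # Corrected: the exception rewritten to the single host it was meant for.
    print(hosts_still_admitted("10.14.22.15/32", {"HANSEN-SAP-01"}))
```

Run before the session to confirm the card's logic against whatever inventory the scenario uses; any host listed by the first call is a foothold that survives isolation of HANSEN-SAP-01.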

T3 – Anti-Forensics: Rootkit Self-Destruct

Trigger: Start of Round 4, if memory image has NOT been preserved from HANSEN-SAP-01.

Read aloud: “Alpha forensics lead reports: the kernel driver on HANSEN-SAP-01 has begun a self-destruct sequence. The DKOM hooks are being removed and the hidden processes are terminating. If the memory image is not captured within the next few minutes, the rootkit artifact – the evidence CFCS needs for attribution – will be lost permanently.”

Game effect: 5-minute countdown. If teams don’t have the memory image already, they must act NOW or lose the kernel driver artifact. CFCS attribution depends on this.

SKIP IF: Memory image is on the IC whiteboard under CONTAINED. The forensic team already captured the evidence before the attacker could destroy it.

If skipped, the team’s early preservation work paid off. If NOT skipped, play the CISO NPC immediately: “We will lose the kernel driver artifact if we don’t capture it now. CFCS has already requested it.”

T4 – Exfiltration Spike: Core Collections at Risk

Trigger: During Round 4, if GenixLibrary has NOT been taken offline or isolated.

Read aloud: “SIEM alert: Anomalous outbound traffic spike detected. Transfer volume to external infrastructure has doubled in the last hour. GenixLib-Core-Collection-v1 transfer is now at ~35% complete. GenixLib-Core-Collection-v2 transfer has accelerated to ~20% complete. The attacker is racing to complete the exfiltration before containment.”

Game effect: The window to save the core IP collections is closing. If teams don’t isolate GenixLibrary in this round, transfer volumes will continue to climb.

SKIP IF: GenixLibrary is on the IC whiteboard under CONTAINED – taking it offline stopped all transfers. ALSO SKIP IF: both svc-rdbridge-admin AND COLLBRIDGE-EXCL-003 are CONTAINED – the access path to GenixLibrary is already dead even without formal isolation, since the attacker’s VPN route is fully closed.

If skipped, the team’s containment work already cut the exfiltration path. If NOT skipped, this is high pressure – play VP R&D NPC if teams hesitate: “I need to know exactly which research projects were accessed before we can assess competitive exposure.”

T5 – Full Exfiltration Complete

Trigger: End of session, if the attacker has NOT been fully contained (all attack paths closed).

Read aloud: “Post-incident analysis confirms: the attacker transferred approximately 50% of GenixLib-Core-Collection-v1 and 30% of GenixLib-Core-Collection-v2 before infrastructure was burned. Total confirmed data loss: ~7 GB of historical R&D sequences plus ~13 GB of core IP collections. The attacker’s C2 infrastructure went dark at 18:00 UTC – they withdrew with a significant portion of BioGenix’s curated IP portfolio.”

Game effect: Session ends. This is the worst-case outcome for the debrief.

SKIP IF: All attack paths are marked CONTAINED on the IC whiteboard (svc-rdbridge-admin revoked, COLLBRIDGE-EXCL-003 closed, GenixLibrary isolated, C2 blocked, HANSEN-SAP-01 isolated). If fully contained, read the success version below instead.

Success version (read if fully contained): “Post-incident analysis confirms: containment was achieved before core IP collection transfers completed. Confirmed historical loss: ~7 GB of older R&D sequence data. Core collection exposure limited by containment timing – GenixLib-Core-Collection-v1 at [check whiteboard for timing] and v2 at [check whiteboard]. The kernel driver artifact has been preserved and shared with CFCS. The attacker’s infrastructure remains active but has no path back into BioGenix.”