Large Group Artifacts: Winnti – Biotech R&D Espionage

Team-specific evidence cards for Multi-Team Coordination format (12-15+ players). Print all cards, sort by team and tier, and keep face-down until the release point for each round. One set per team – do not mix teams.

Organization: BioGenix Solutions (DK)

Tier 1 – Initial Indicators

Release at start of Round 1

Alpha x2 – Bravo x2 – Charlie x2

ALPHA – Initial Indicator 1: CaliSyncPro Update Manifest and Process Tree

Type: Update manifest review + EDR process tree
Source: Vendor portal record and EDR console, BIOGEN-RD-WS-01/02/03, 2026-03-09 22:14–22:20 UTC

CaliSyncPro Update Manifest -- v4.2.1
Vendor: CaliSync Instrumentation GmbH
Release Date: 2026-03-04
SHA256: a8f3b2c7d1e04f5a9b6c2d8e3f7a1b4c
Signed By: CaliSync Instrumentation GmbH
Certificate SN: 4A9F02B1
OCSP Status: NOT CHECKED (trusted vendor exception applied)
CRL Status:  NOT CHECKED (trusted vendor exception applied)

---

Process Tree -- BIOGEN-RD-WS-01 (2026-03-09 22:14:07 UTC)
calibsvc.exe (PID 3241)
  svchost.exe (PID 4892)
    powershell.exe -encodedCommand JABjAD0AbgBlAHcALQBv... (PID 5107)
      net.exe user svc-rdbridge-admin /domain (PID 5224)

Same pattern: BIOGEN-RD-WS-02 at 22:17:03 UTC, BIOGEN-RD-WS-03 at 22:19:41 UTC

Certificate OCSP and CRL checks: SKIPPED (trusted vendor exception policy). calibsvc.exe spawning encoded PowerShell is not part of the documented update behavior. net.exe user svc-rdbridge-admin /domain runs outside the documented update process – no calibration function requires this command.

Analysis direction: Identical process chain across all 3 workstations = weaponized update, not a workstation anomaly. The domain account query (svc-rdbridge-admin) immediately after the encoded PowerShell stage indicates credential harvesting is the follow-on objective, not calibration activity.
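The chain on this card (update service, then an encoded PowerShell stage, then a domain account query) is a detection that should fire on the shape of the process tree rather than on any one process. The script below is an added example, not part of the exercise material or of any EDR product: it parses an indented tree dump in the card's layout, rebuilds parent/child links, decodes the `-encodedCommand` argument for analyst triage (the truncated value on the card decodes to the start of `$c=new-o`), and flags a script host that sits under the updater and has a `net.exe ... /domain` descendant. The process name `calibsvc.exe` is taken from the card; the benign comparison tree and its `calibupd.exe` child are constructed for contrast.

```python
from __future__ import annotations
import base64
import re
from dataclasses import dataclass, field

# Constructed sample: the EDR process tree as printed on the card (indentation = parent/child).
SAMPLE_TREE = """\
calibsvc.exe (PID 3241)
  svchost.exe (PID 4892)
    powershell.exe -encodedCommand JABjAD0AbgBlAHcALQBv... (PID 5107)
      net.exe user svc-rdbridge-admin /domain (PID 5224)
"""

# Constructed benign tree: what a documented update run could look like (no script host,
# no account query). calibupd.exe is a hypothetical child, not a process named on the card.
BENIGN_TREE = """\
calibsvc.exe (PID 3241)
  calibupd.exe --apply manifest.json (PID 3300)
"""

UPDATER_IMAGES = {"calibsvc.exe"}               # the vendor update service named on the card
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
ACCOUNT_QUERY_IMAGES = {"net.exe", "net1.exe"}
LINE_RE = re.compile(r"^(?P<indent>[ ]*)(?P<cmd>.*?)\s+\(PID (?P<pid>\d+)\)\s*$")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Proc | None = None
    children: list[Proc] = field(default_factory=list)


def parse_tree(text: str) -> list[Proc]:
    """Rebuild parent/child links from an indented EDR tree dump."""
    procs: list[Proc] = []
    stack: list[tuple[int, Proc]] = []        # ancestry of the line currently being read
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable line: {line!r}")
        indent, cmd = len(m.group("indent")), m.group("cmd")
        proc = Proc(int(m.group("pid")), cmd.split()[0].lower(), cmd)
        while stack and stack[-1][0] >= indent:   # pop siblings/deeper nodes to reach the parent
            stack.pop()
        if stack:
            proc.parent = stack[-1][1]
            proc.parent.children.append(proc)
        stack.append((indent, proc))
        procs.append(proc)
    return procs


def ancestors(proc: Proc):
    while proc.parent is not None:
        proc = proc.parent
        yield proc


def descendants(proc: Proc):
    for child in proc.children:
        yield child
        yield from descendants(child)


def decode_encoded_command(cmdline: str) -> str | None:
    """Decode a PowerShell -encodedCommand argument (base64 over UTF-16LE) so the analyst
    sees the script prefix; tolerates a dump that truncated the argument."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # re-pad a cut-off token
    if len(raw) % 2:                                       # cut mid code unit: complete it
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def find_update_abuse(procs: list[Proc]) -> list[dict]:
    """Rule: updater service -> (any depth) script host with an encoded command -> a
    descendant domain-account query. Each link alone can be benign; the chain is not."""
    findings = []
    for proc in procs:
        if proc.image not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(proc.cmdline)
        if decoded is None:
            continue
        updater = next((a.image for a in ancestors(proc) if a.image in UPDATER_IMAGES), None)
        if updater is None:
            continue
        accounts = []
        for child in descendants(proc):
            if child.image in ACCOUNT_QUERY_IMAGES and "/domain" in child.cmdline.lower():
                hit = re.search(r"\buser\s+(\S+)", child.cmdline, re.IGNORECASE)
                if hit:
                    accounts.append(hit.group(1))
        findings.append({"pid": proc.pid, "updater": updater,
                         "decoded_prefix": decoded, "domain_accounts_queried": accounts})
    return findings


if __name__ == "__main__":
    for finding in find_update_abuse(parse_tree(SAMPLE_TREE)):
        print(finding)
```

The rule deliberately allows intermediate processes (the `svchost.exe` hop on the card) between the updater and the script host; matching only direct children would miss it.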

ALPHA – Initial Indicator 2: Azure AD Sign-In Anomaly

Type: Azure AD sign-in log – anomalous authentication event
Source: Azure AD Identity Protection, 2026-03-09 22:20:18 UTC

Azure AD Sign-In Log
Timestamp:          2026-03-09 22:20:18 UTC
Account:            svc-rdbridge-admin
Source IP:          198.51.100.201
Source range:       HANSEN-SAP-01 on-premise subnet (10.12.4.0/24)
Auth protocol:      NTLM
Preceding logon:    NONE (no interactive logon on source host)
Risk Level:         HIGH
MFA:                NOT REQUIRED
Conditional Access: BYPASSED (legacy auth exception COLLBRIDGE-EXCL-003)
Target resource:    AZURE-RD-ENV-01

svc-rdbridge-admin is a service account associated with legacy SAP integration. Source IP 198.51.100.201 maps to the HANSEN-SAP-01 on-premise range. No interactive logon on the source host preceded the NTLM authentication – the credential was used without a local login session. Azure AD Identity Protection flagged this as HIGH risk. Conditional Access policy bypassed via COLLBRIDGE-EXCL-003.

Analysis direction: No preceding interactive logon = Pass-the-Hash pattern. The attacker harvested svc-rdbridge-admin credentials from HANSEN-SAP-01’s memory (from the PowerShell process chain on the calibration workstations) and used the NTLM hash directly. The Conditional Access bypass means no MFA stood between the attacker and cloud R&D.

BRAVO – Initial Indicator 1: Collaborative Bridge VPN Connection Log

Type: VPN gateway authentication log – current session window
Source: Collaborative Bridge VPN gateway, last 24 hours

Collaborative Bridge VPN Gateway -- Authentication Log
Period: 2026-03-09 20:00:00 UTC to 2026-03-10 06:00:00 UTC
Account: svc-rdbridge-admin

Timestamp (UTC)       Source IP         Auth Type   Destination       Status
2026-03-09 22:20:18   198.51.100.201    NTLM        AZURE-RD-ENV-01   ALLOWED
                      [HANSEN-SAP-01]   [LEGACY]    [MFA: NONE]

Previous session:     2026-03-04 00:52:11 UTC (4 days prior)
Session pattern:      Irregular intervals, off-hours only
MFA events:           0 (all sessions -- no MFA required for this account)
Interactive logon:    0 (no preceding session on source host)

svc-rdbridge-admin has authenticated through the Collaborative Bridge VPN gateway using NTLM on the current night. No MFA event preceded any session. Authentication from HANSEN-SAP-01 (198.51.100.201) without any interactive logon session recorded on that host. Session occurs at 22:20 UTC – no calibration workflow is scheduled for this time.

Analysis direction: The Collaborative Bridge is the active attacker path right now. HANSEN-SAP-01 is providing live access to the cloud R&D environment. Revoking svc-rdbridge-admin credentials or isolating HANSEN-SAP-01 will cut this path. The question is which action is faster and what evidence must be preserved first.

BRAVO – Initial Indicator 2: Calibration Workstation Network Baseline Deviation

Type: Perimeter firewall log – anomalous outbound connections
Source: Next-generation firewall, BIOGEN-RD-WS-01/02/03 egress traffic, last 4 hours

Outbound Traffic Report -- BIOGEN-RD-WS-01 / -02 / -03
Period: 2026-03-09 21:00:00 UTC to 2026-03-10 01:00:00 UTC

Host              Timestamp (UTC)  Destination        Port  Protocol  Volume
BIOGEN-RD-WS-01   22:14:32         203.0.113.44:443   443   HTTPS     1.4 KB
BIOGEN-RD-WS-01   22:19:07         203.0.113.44:443   443   HTTPS     0.8 KB
BIOGEN-RD-WS-02   22:17:18         203.0.113.44:443   443   HTTPS     1.4 KB
BIOGEN-RD-WS-02   22:21:54         203.0.113.44:443   443   HTTPS     0.8 KB
BIOGEN-RD-WS-03   22:19:55         203.0.113.44:443   443   HTTPS     1.4 KB
BIOGEN-RD-WS-03   22:23:41         203.0.113.44:443   443   HTTPS     0.8 KB

Known calibration destinations (expected): vendor-sync.calisync-gmbh.de (203.0.113.100)
Destination 203.0.113.44: NO PRIOR HISTORY (baseline: zero connections in 90 days)
Domain: graph-api-sync.bioanalytics.net (registered 2025-11-20)
TI hits: NONE at time of query

All 3 calibration workstations initiated outbound HTTPS connections to 203.0.113.44 within minutes of the update process chain. 203.0.113.44 resolves to graph-api-sync.bioanalytics.net. This destination has zero prior connections in the 90-day baseline. The domain was registered 4 months ago. Standard calibration data sync uses 203.0.113.100 (CaliSync GmbH vendor server) – 203.0.113.44 is not a documented calibration destination.

Analysis direction: All 3 workstations calling the same new external IP within a 9-minute window immediately after the update execution chain = coordinated C2 callback. The 90-day baseline with zero prior hits rules out a misconfigured but legitimate sync. This is the attacker’s infrastructure, and calibration workstations may now be staging points.
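The baseline logic this card relies on (a destination with zero history in 90 days, hit by several hosts within minutes) can be written down as a rule. The script below is an added example, not part of the exercise material: it reads the card's firewall rows, drops every destination that appears in a host's 90-day baseline, and reports the remaining destinations that at least `min_hosts` distinct hosts contacted within `window`, with the domain age computed from the registration date. The baseline sets, the two vendor-sync rows and the enrichment table are constructed from the values on the card.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed egress log: host, timestamp (UTC), destination IP, port, bytes. The two
# 203.0.113.100 rows stand in for the expected vendor sync and are here for contrast.
EGRESS_LOG = """\
BIOGEN-RD-WS-01 2026-03-09T21:05:10Z 203.0.113.100 443 52000
BIOGEN-RD-WS-02 2026-03-09T21:05:12Z 203.0.113.100 443 51000
BIOGEN-RD-WS-01 2026-03-09T22:14:32Z 203.0.113.44 443 1400
BIOGEN-RD-WS-01 2026-03-09T22:19:07Z 203.0.113.44 443 800
BIOGEN-RD-WS-02 2026-03-09T22:17:18Z 203.0.113.44 443 1400
BIOGEN-RD-WS-02 2026-03-09T22:21:54Z 203.0.113.44 443 800
BIOGEN-RD-WS-03 2026-03-09T22:19:55Z 203.0.113.44 443 1400
BIOGEN-RD-WS-03 2026-03-09T22:23:41Z 203.0.113.44 443 800
"""

# Constructed 90-day baseline: destinations each host was seen contacting before the window.
BASELINE = {
    "BIOGEN-RD-WS-01": {"203.0.113.100"},
    "BIOGEN-RD-WS-02": {"203.0.113.100"},
    "BIOGEN-RD-WS-03": {"203.0.113.100"},
}

# Constructed enrichment (passive DNS and registration date as given on the card).
ENRICHMENT = {
    "203.0.113.100": {"domain": "vendor-sync.calisync-gmbh.de", "registered": None},
    "203.0.113.44": {"domain": "graph-api-sync.bioanalytics.net", "registered": "2025-11-20"},
}


def parse_egress(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, dst, port, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"host": host, "ts": when, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return events


def domain_age_days(dst: str, as_of: date) -> int | None:
    registered = ENRICHMENT.get(dst, {}).get("registered")
    return (as_of - date.fromisoformat(registered)).days if registered else None


def new_destination_clusters(events: list[dict], baseline: dict[str, set[str]],
                             min_hosts: int = 2, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Destinations absent from the contacting hosts' baselines that at least `min_hosts`
    distinct hosts reached within `window`. One host talking to something new is noise;
    several hosts reaching the same new destination within minutes is coordinated."""
    by_dst: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["dst"] not in baseline.get(e["host"], set()):
            by_dst[e["dst"]].append(e)
    findings = []
    for dst, hits in by_dst.items():
        hits.sort(key=lambda e: e["ts"])
        span = hits[-1]["ts"] - hits[0]["ts"]
        hosts = sorted({e["host"] for e in hits})
        if len(hosts) >= min_hosts and span <= window:
            findings.append({
                "dst": dst,
                "domain": ENRICHMENT.get(dst, {}).get("domain"),
                "hosts": hosts,
                "span_seconds": int(span.total_seconds()),
                "total_bytes": sum(e["bytes"] for e in hits),
                "domain_age_days": domain_age_days(dst, hits[0]["ts"].date()),
            })
    return findings


if __name__ == "__main__":
    for finding in new_destination_clusters(parse_egress(EGRESS_LOG), BASELINE):
        print(finding)
```

On the card's rows the cluster spans 549 seconds across three hosts and 6.6 KB in total; the small byte counts are what a first check-in looks like, so the rule keys on novelty and host count rather than volume.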

CHARLIE – Initial Indicator 1: GenixLibrary R&D Scope and Merger Data Room Status

Type: R&D asset registry + acquisition data room status
Source: VP R&D situation report and M&A legal briefing, 2026-03-10 08:00 UTC

GenixLibrary R&D Asset Summary -- BioGenix Solutions
Compiled by: Dr. Ida Woetmann (VP R&D)
Date: 2026-03-10

Asset:          GenixLibrary
Classification: Proprietary -- Core IP
Contents:
  - Precision fermentation sequence archives (2022--2025)
  - Industrial enzyme engineering datasets (7 active product lines)
  - Acquisition data room packages (v1 and v2 -- prepared for current deal)
  - Active project data: 3 fermentation programs in production phase

Access model:   Role-based, authenticated sessions logged
Last audit:     2025-09-01 (6 months ago)

---

Acquisition Data Room Status
Counterparty:   [Name under NDA]
Access granted: Yes (counterparty has reviewed v1 data room package)
NDA in place:   Yes
Friday deadline: Data room review meeting with counterparty scheduled
Deal status:    Advanced discussions -- valuation under review

GenixLibrary holds the core proprietary sequence data underlying BioGenix’s product portfolio and its current acquisition valuation. The acquisition data room packages (GenixLib-Acquisition-Package-v1 and v2) were prepared specifically for the current deal. The counterparty has already reviewed the v1 package under NDA. Friday’s data room meeting is a scheduled checkpoint with the counterparty.

Analysis direction: GenixLibrary is the highest-value target in this environment – both commercially (acquisition valuation) and strategically (nation-state IP collection). The data room packages represent a curated extract of the most sensitive sequence data, prepared specifically for the deal. Charlie needs to establish early: what is the scope of data at risk, and does the Friday meeting proceed if integrity is in question?

CHARLIE – Initial Indicator 2: HANSEN-SAP-01 Decommissioning Record

Type: ITSM ticket + security exclusion log
Source: IT Service Management System and SOC exclusion register

ITSM-29847 -- HANSEN-SAP-01 Decommission
Status:         OPEN
Priority:       LOW
Original date:  2024-09-01 (original decommission deadline)
Current date:   2026-03-10
Overdue:        18 months
Owner:          UNASSIGNED (previous owner departed 2024-10)
Last updated:   2024-11-02

Blocker: CaliSyncPro calibration sync dependency unresolved.
         Migration to cloud-native service not scoped or resourced.

Security status of HANSEN-SAP-01:
  Security patching:   PAUSED since 2024-08-15 (pending decommission)
  SOC monitoring:      EXCLUDED (decommission-backlog policy SECOPS-EXCL-2024-017)
  Network connection:  ACTIVE (on-premise + Collaborative Bridge VPN access)
  Conditional Access:  EXCEPTION active (COLLBRIDGE-EXCL-003)

HANSEN-SAP-01 was scheduled for decommission on 2024-09-01. The decommission was blocked by an unresolved CaliSyncPro migration dependency tracked in ITSM-29847. The ticket has had no owner since October 2024 and has not been updated since November 2024. Security patching was paused at the original decommission date and never resumed. SOC monitoring was excluded under a decommission-backlog policy and never restored.

Analysis direction: The attacker did not create this attack path – BioGenix’s own governance left it open. An 18-month-old unpatched, unmonitored, internet-connected server with active cloud access is a nation-state’s ideal persistent foothold. The IC needs to connect this: the technical problem is containment, but the governance question is why a decommissioning backlog item can carry this much network access without a review trigger.

Tier 2 – Deep Analysis

Release at start of Rounds 2 and 3 (3 cards per team)

Alpha x3 – Bravo x3 – Charlie x3

ALPHA – Deep Analysis 1: HANSEN-SAP-01 Memory Forensics Output

Type: Hardware-assisted memory enumeration report
Source: Security specialist memory scan, HANSEN-SAP-01, 2026-03-10 08:32:14 UTC

Memory Scan Report -- HANSEN-SAP-01
Scan Method: Hardware-Assisted Enumeration (Hypervisor DKOM check)
Timestamp: 2026-03-10 08:32:14 UTC

Finding: Hidden Kernel Module Detected
Load Address: 0xFFFFF80012A40000
Size: 147,456 bytes
Signing Certificate: CaliSync Instrumentation GmbH (SN 4A9F02B1)
Certificate Status: REVOKED 2025-11-14
Technique: Direct Kernel Object Manipulation (DKOM)
Hook: NtQuerySystemInformation -- filtering own entries from process list

---

Process List Comparison
Standard tasklist.exe:   87 processes
Hardware enumeration:    92 processes
Hidden PIDs: 4028, 4031, 4038, 4041, 4099

PID 4028: ESTABLISHED connection to 203.0.113.44:443 [ACTIVE]

Hardware-assisted enumeration reveals 5 hidden processes (PIDs 4028, 4031, 4038, 4041, 4099) not visible to standard tools. PID 4028 has an active established connection to 203.0.113.44:443. The kernel hook intercepts NtQuerySystemInformation and filters the rootkit’s own entries before returning results to user-space tools – this is why all prior disk-based and standard process scans returned clean. Kernel driver signed by CaliSync Instrumentation GmbH certificate SN 4A9F02B1, which was revoked on 2025-11-14.

Analysis direction: PID 4028 has an active C2 connection right now. Isolating HANSEN-SAP-01 from the network will drop this connection but the kernel driver and its process tree will remain in memory. Memory image and driver artifact must be captured before any isolation or reimaging action – this is what CFCS needs for attribution and what legal needs for the chain of custody.
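The "87 versus 92 processes" finding is a cross-view comparison: a view the rootkit's hook cannot filter (here, enumeration from the hypervisor) is diffed against the view user-mode tools get. The script below is an added example, not part of the exercise material or of any forensic tool: it parses a `tasklist`-style CSV listing and an out-of-guest listing, reports PIDs present only in the trusted view, and joins the hidden PIDs with a connection table so the process holding the live session is identified before isolation. Both listings and the connection table are constructed; the hidden PIDs and the 203.0.113.44:443 session are the card's, while the image names of the hidden processes are not on the card and are left as "-".

```python
from __future__ import annotations
import csv
import io

# Constructed user-mode view in tasklist.exe /FO CSV layout: what a standard tool reports.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"lsass.exe","788","Services","0","18,220 K"
"svchost.exe","912","Services","0","21,340 K"
"calibsvc.exe","3241","Services","0","9,112 K"
"explorer.exe","5120","Console","1","84,004 K"
"cmd.exe","6002","Console","1","4,100 K"
"""

# Constructed hypervisor-side enumeration of the same host. Kernel structures are read from
# outside the guest, so a hooked NtQuerySystemInformation cannot filter them.
HV_ENUM = """\
PID    IMAGE
4      System
788    lsass.exe
912    svchost.exe
3241   calibsvc.exe
4028   -
4031   -
4038   -
4041   -
4099   -
5120   explorer.exe
6002   cmd.exe
"""

# Constructed connection table from the same out-of-guest view: pid local remote state.
HV_CONNS = """\
912  10.12.4.21:49710 10.12.4.5:445 ESTABLISHED
4028 10.12.4.21:51822 203.0.113.44:443 ESTABLISHED
"""


def parse_tasklist_csv(text: str) -> dict[int, str]:
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_hv_enum(text: str) -> dict[int, str]:
    procs: dict[int, str] = {}
    for line in text.splitlines()[1:]:            # first line is the header
        if line.strip():
            pid, image = line.split(None, 1)
            procs[int(pid)] = image.strip()
    return procs


def parse_conns(text: str) -> list[dict]:
    conns = []
    for line in text.splitlines():
        if line.strip():
            pid, local, remote, state = line.split()
            rhost, rport = remote.rsplit(":", 1)
            conns.append({"pid": int(pid), "local": local, "remote_host": rhost,
                          "remote_port": int(rport), "state": state})
    return conns


def cross_view(user_view: dict[int, str], trusted_view: dict[int, str]) -> dict[str, list[int]]:
    """Anything in the trusted view but not in the user-mode view is hidden from user space.
    The reverse (phantom) usually means a process exited between the two snapshots."""
    return {"hidden": sorted(set(trusted_view) - set(user_view)),
            "phantom": sorted(set(user_view) - set(trusted_view))}


def hidden_with_connections(hidden: list[int], conns: list[dict]) -> list[dict]:
    """Join hidden PIDs with the connection table: a hidden process holding an established
    outbound session is the live channel whose state must be captured before isolation."""
    hidden_set = set(hidden)
    return [c for c in conns if c["pid"] in hidden_set and c["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    views = cross_view(parse_tasklist_csv(TASKLIST_CSV), parse_hv_enum(HV_ENUM))
    print(views)
    print(hidden_with_connections(views["hidden"], parse_conns(HV_CONNS)))
```

Take both snapshots as close together in time as possible; a process that legitimately exits between them shows up as a phantom, which is why the two lists are reported separately rather than as a single count difference.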

ALPHA – Deep Analysis 2: Kernel Driver Certificate Revocation Chain

Type: Certificate chain analysis + revocation status
Source: Alpha forensics team certificate investigation, 2026-03-10 09:45 UTC

Code-Signing Certificate -- Analysis Report

Certificate Subject: CN=CaliSync Instrumentation GmbH, O=CaliSync GmbH, C=DE
Certificate SN:      4A9F02B1
Issuer:              CN=CaliSync Internal CA
Valid From:          2024-09-01T00:00:00Z
Valid To:            2026-09-01T00:00:00Z

Revocation Status:   REVOKED
Revocation Date:     2025-11-14T00:00:00Z
Revocation Reason:   Key compromise (reason code 1)
Revocation Source:   CaliSync Instrumentation GmbH OCSP server

---

Timeline Reconstruction
2025-11-14  Certificate SN 4A9F02B1 revoked by CaliSync GmbH (key compromise)
2026-03-04  CaliSyncPro v4.2.1 update signed with revoked certificate distributed via vendor portal
2026-03-09  Update deployed to BIOGEN-RD-WS-01/02/03 -- OCSP check skipped (trusted vendor exception)
            Time between revocation and deployment: 110 days

Certificate 4A9F02B1 was revoked by CaliSync Instrumentation GmbH on 2025-11-14 with reason code 1 (key compromise) – meaning the private key associated with this certificate was reported as compromised 4 months before the malicious update was deployed. A live OCSP check at deployment time would have returned REVOKED and blocked installation. The trusted vendor exception policy skipped this check entirely.

Analysis direction: The certificate was compromised before the attack was deployed. The attacker obtained the private key from CaliSync GmbH (or a compromised system in their environment), used it to sign the malicious update, and distributed it through the legitimate vendor portal. The 110-day gap between revocation and deployment suggests deliberate timing. This is the supply chain compromise evidence that links to CFCS’s broader campaign intelligence.
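The control that failed here is a policy decision, not a cryptographic one: the signature on v4.2.1 was valid, and only a revocation check could have stopped it. The script below is an added example, not part of the exercise material or of any update client: it models the manifest and a revocation lookup, then evaluates the same manifest under the card's "trusted vendor exception" and under a policy that checks every signer and fails closed when no revocation answer is available. The revocation entry, the serial number and the release date are the card's; the `query_revocation` function is a stand-in for a real OCSP/CRL lookup.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed revocation data: the one entry the card gives (SN 4A9F02B1, key compromise, 2025-11-14).
REVOCATIONS = {"4A9F02B1": {"date": date(2025, 11, 14), "reason": "keyCompromise"}}


@dataclass(frozen=True)
class Manifest:
    product: str
    version: str
    signer: str
    cert_serial: str
    release_date: date


@dataclass(frozen=True)
class RevocationPolicy:
    skip_check_for: frozenset[str]   # signers exempted from OCSP/CRL: the card's "trusted vendor exception"
    fail_closed: bool                # block when no revocation answer can be obtained


def query_revocation(serial: str, responder_up: bool = True) -> dict | None:
    """Stand-in for an OCSP/CRL lookup. None means no answer was available (responder
    unreachable, stale CRL), which is the case a policy has to decide on explicitly."""
    if not responder_up:
        return None
    if serial in REVOCATIONS:
        return {"status": "revoked", **REVOCATIONS[serial]}
    return {"status": "good"}


def evaluate_manifest(m: Manifest, policy: RevocationPolicy,
                      responder_up: bool = True) -> tuple[str, str]:
    """Return (decision, reason) for installing a validly signed update under the policy."""
    if m.signer in policy.skip_check_for:
        return "ALLOW", "revocation status NOT CHECKED (trusted vendor exception applied)"
    answer = query_revocation(m.cert_serial, responder_up)
    if answer is None:
        if policy.fail_closed:
            return "BLOCK", "no revocation answer available; failing closed"
        return "ALLOW", "no revocation answer available; soft-fail accepted the signature"
    if answer["status"] == "revoked":
        gap = (m.release_date - answer["date"]).days
        return "BLOCK", (f"certificate {m.cert_serial} revoked {answer['date']} "
                         f"({answer['reason']}), {gap} days before this release was signed")
    return "ALLOW", "certificate not revoked at time of check"


# The card's manifest, and the weak policy beside the corrected one.
CALISYNC_421 = Manifest("CaliSyncPro", "4.2.1", "CaliSync Instrumentation GmbH",
                        "4A9F02B1", date(2026, 3, 4))
WEAK_POLICY = RevocationPolicy(frozenset({"CaliSync Instrumentation GmbH"}), fail_closed=False)
STRICT_POLICY = RevocationPolicy(frozenset(), fail_closed=True)
SOFT_FAIL_POLICY = RevocationPolicy(frozenset(), fail_closed=False)

if __name__ == "__main__":
    print("weak  :", evaluate_manifest(CALISYNC_421, WEAK_POLICY))
    print("strict:", evaluate_manifest(CALISYNC_421, STRICT_POLICY))
    print("strict, responder down:", evaluate_manifest(CALISYNC_421, STRICT_POLICY, responder_up=False))
```

Soft-fail on an unreachable responder is the same gap as the vendor exception by a different route: anyone who can keep the client from reaching the OCSP server gets the exception for free, which is why the strict policy blocks on "no answer" as well as on "revoked".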

ALPHA – Deep Analysis 3: NTLM Authentication Forensics – svc-rdbridge-admin

Type: Authentication event correlation – NTLM analysis
Source: Windows Security Event Log correlation, HANSEN-SAP-01 and Azure AD, 2026-03-10 10:15 UTC

Pass-the-Hash Forensic Report
Subject account: svc-rdbridge-admin
Source host:     HANSEN-SAP-01 (198.51.100.201)
Analysis period: 2025-12-10 to 2026-03-09

Authentication Pattern:
  Interactive logon events on HANSEN-SAP-01:  0
  Network logon events using svc-rdbridge-admin:  11
  NTLM auth type on all 11 events:  yes
  Kerberos TGT requests preceding any event:  0

Credential origin (reconstructed):
  BIOGEN-RD-WS-01/02/03 process tree shows:
    powershell.exe -encodedCommand [...]
    └── net.exe user svc-rdbridge-admin /domain
  LSASS memory read: consistent with NTLM hash extraction via encoded PS stage
  Hash reuse: HANSEN-SAP-01 NTLM sessions use harvested hash, not plaintext credential

Event 4624 (network logon) -- HANSEN-SAP-01 -- all 11 sessions:
  LogonType: 3 (network)
  AuthPackage: NTLM
  No preceding Event 4648 (explicit credential use with interactive session)

All 11 svc-rdbridge-admin sessions from HANSEN-SAP-01 used NTLM with no preceding interactive logon. No Kerberos TGT was requested on any of these sessions. The NTLM credential was presented without any corresponding local login session on the source host.

Analysis direction: Pass-the-Hash via the Collaborative Bridge is the lateral movement path from a compromised on-premise workstation to the cloud R&D environment. Revoking svc-rdbridge-admin closes the active path, but the auth exception (COLLBRIDGE-EXCL-003) must also be closed – credential revocation alone does not prevent re-exploitation if the exception policy persists.

BRAVO – Deep Analysis 1: Collaborative Bridge VPN Authentication Log – 90-Day History

Type: VPN authentication log – full 90-day history
Source: Collaborative Bridge VPN gateway, 2025-12-10 to 2026-03-10

Collaborative Bridge VPN Authentication Log
Log period: 2025-12-10 to 2026-03-10
Account: svc-rdbridge-admin | Report: 2026-03-10 09:14:22 UTC

--- NTLM Authentication Events (No Preceding Interactive Logon) ---

Timestamp (UTC)       Source Host    Auth     CA Result
2025-12-10 01:22:47   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-17 03:11:09   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-29 00:44:31   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-06 02:07:58   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-14 01:55:22   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-21 03:30:14   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-03 00:18:47   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-11 02:44:03   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-18 01:29:55   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-04 00:52:11   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-09 22:20:18   HANSEN-SAP-01  NTLM     BYPASSED (COLLBRIDGE-EXCL-003)

MFA events: 0 across all 11 sessions

11 NTLM authentication sessions from HANSEN-SAP-01 through the Collaborative Bridge VPN over 90 days. Every session used the COLLBRIDGE-EXCL-003 exception to bypass Conditional Access. Every session was off-hours (between midnight and 05:00 UTC). No MFA was required or triggered on any session. The low-volume, irregular cadence kept total authentication events below any threshold-based alert.

Analysis direction: 90 days of off-hours cloud R&D access via a single service account and a single policy exception. The 10-week window covers all 44 GenixLibrary batch read sessions. Revoking svc-rdbridge-admin is the first action, but Bravo needs to confirm whether the exception policy (COLLBRIDGE-EXCL-003) can be exploited by another account or whether it is specifically bound to this service account.

BRAVO – Deep Analysis 2: Azure Conditional Access Bypass Detail

Type: Conditional Access policy analysis + exception audit
Source: Azure AD Conditional Access review and Identity Protection report, 2026-03-10

Conditional Access Exception -- COLLBRIDGE-EXCL-003

Created:           2024-11-14
Created by:        IT Security Lead (M. Andersen)
Approved by:       CTO (K. Fønsmark)
Last reviewed:     NEVER
Expiry date:       NOT SET
Review cadence:    NOT CONFIGURED

Policies bypassed:
  CA-POLICY-MFA-ALL       MFA required for all cloud authentication
  CA-POLICY-NTLM-BLOCK    Block legacy authentication protocols

Scope:
  Account:  svc-rdbridge-admin
  Source:   HANSEN-SAP-01 on-premise subnet (10.12.4.0/24)
  Permits:  NTLM authentication without interactive logon or MFA

Justification (recorded 2024-11-14):
  "Temporary -- required during Collaborative Bridge integration phase.
   To be removed when HANSEN-SAP-01 decommission completes (ITSM-29847)."

Current status of ITSM-29847: OPEN (decommission never completed)

COLLBRIDGE-EXCL-003 was created in November 2024 as a temporary exception during the Collaborative Bridge integration. It was intended to expire when HANSEN-SAP-01 was decommissioned. The decommission was never completed (ITSM-29847 remains open). The exception was never reviewed, never set with an expiry date, and remains active 16 months later. Both policies it bypasses – MFA-ALL and NTLM-BLOCK – are the controls that would have blocked NTLM access to cloud resources from this subnet.

Analysis direction: Two actions are required to close the lateral movement path: (1) revoke svc-rdbridge-admin credentials and (2) close or scope COLLBRIDGE-EXCL-003. Revoking credentials alone is insufficient – the exception policy could enable re-exploitation via another compromised account in the HANSEN-SAP-01 subnet. This is the two-step close that teams frequently miss.

BRAVO – Deep Analysis 3: Legacy Auth Exception Policy Record

Type: IT Security exception register + ITSM dependency audit
Source: IT governance system, exception register entry and ITSM-29847

IT Service Management System -- ITSM-29847
Title:   HANSEN-SAP-01 Decommission -- Blocked: Collaborative Bridge Dependency
Status:  OPEN | Priority: LOW | Owner: UNASSIGNED

History:
2024-08-15  Ticket created. Decommission target: 2024-09-01.
2024-09-01  Decommission BLOCKED. CaliSyncPro sync dependency unresolved.
2024-10-?   Previous owner departed. Ticket unassigned (no handover).
2024-11-02  Collaborative Bridge integration completed. CaliSyncPro migration
            still pending. COLLBRIDGE-EXCL-003 created to maintain connectivity.
            Priority set to LOW. No follow-up scheduled.
[No further updates]

Active blockers:
  - CaliSyncPro cloud-native migration: not scoped, not resourced, no timeline
  - Security patching:  PAUSED since 2024-08-15 (pending decommission)
  - SOC monitoring:     EXCLUDED (SECOPS-EXCL-2024-017)
  - Network access:     ACTIVE (on-premise + Collaborative Bridge VPN)
  - Conditional Access: EXCEPTION active (COLLBRIDGE-EXCL-003)

Three compounding governance failures are visible in this record: (1) a temporary exception with no expiry became permanent by default when the owning ITSM ticket stalled; (2) the ticket lost its owner in October 2024 and was never reassigned; (3) security patching and SOC monitoring were suspended at the original decommission date and never restored, leaving HANSEN-SAP-01 unpatched, unmonitored, and network-connected for 18 months.

Analysis direction: The attacker found this attack path – they did not create it. The governance question for the debrief is not what the attacker did, but what BioGenix’s own processes made possible: a ticket with no owner, an exception with no expiry, and a server with no monitoring. Each of these had an existing process that was simply not followed through.
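Every failure on the COLLBRIDGE-EXCL-003 and ITSM-29847 cards is visible in the records themselves, which means an automated register review would have raised it long before the incident. The script below is an added example, not part of the exercise material or of any governance tool: it audits exception records against a small set of rules (expiry set, reviewed recently, age limit, bypasses a strong control, linked ticket owned and moving), using the dates on the cards for COLLBRIDGE-EXCL-003 and ITSM-29847. The second exception, its ticket and the 90-day thresholds are constructed to show a record that passes.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PolicyException:
    exception_id: str
    created: date
    expires: date | None
    last_reviewed: date | None
    bypasses: tuple[str, ...]
    linked_ticket: str | None
    account: str


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    status: str
    owner: str | None
    target_date: date
    last_updated: date


# Constructed register: the card's exception plus a hypothetical compliant one for contrast.
EXCEPTIONS = [
    PolicyException("COLLBRIDGE-EXCL-003", date(2024, 11, 14), None, None,
                    ("CA-POLICY-MFA-ALL", "CA-POLICY-NTLM-BLOCK"), "ITSM-29847", "svc-rdbridge-admin"),
    PolicyException("EXAMPLE-EXCL-001", date(2026, 1, 10), date(2026, 4, 10), date(2026, 3, 1),
                    ("CA-POLICY-DEVICE-COMPLIANCE",), "ITSM-EXAMPLE-1", "svc-example"),
]
TICKETS = {
    "ITSM-29847": Ticket("ITSM-29847", "OPEN", None, date(2024, 9, 1), date(2024, 11, 2)),
    "ITSM-EXAMPLE-1": Ticket("ITSM-EXAMPLE-1", "IN PROGRESS", "n.n.", date(2026, 4, 1), date(2026, 3, 5)),
}
STRONG_CONTROLS = {"CA-POLICY-MFA-ALL", "CA-POLICY-NTLM-BLOCK"}
AS_OF = date(2026, 3, 10)


def audit_exception(exc: PolicyException, tickets: dict[str, Ticket], as_of: date,
                    max_age_days: int = 90, review_days: int = 90,
                    stale_ticket_days: int = 90) -> list[str]:
    """Return the rule violations for one exception record (empty list = compliant)."""
    findings = []
    age = (as_of - exc.created).days
    if exc.expires is None:
        findings.append("no_expiry")
    elif exc.expires < as_of:
        findings.append("expired_still_active")
    if exc.last_reviewed is None:
        findings.append("never_reviewed")
    elif (as_of - exc.last_reviewed).days > review_days:
        findings.append("review_overdue")
    if age > max_age_days:
        findings.append(f"age_{age}d_exceeds_{max_age_days}d")
    if set(exc.bypasses) & STRONG_CONTROLS:
        findings.append("bypasses_mfa_or_legacy_auth_block")
    ticket = tickets.get(exc.linked_ticket) if exc.linked_ticket else None
    if ticket is None:
        findings.append("no_linked_ticket")
    else:
        if ticket.status == "OPEN" and ticket.target_date < as_of:
            findings.append("linked_ticket_overdue")
        if ticket.owner is None:
            findings.append("linked_ticket_unowned")
        if (as_of - ticket.last_updated).days > stale_ticket_days:
            findings.append("linked_ticket_stale")
    return findings


def audit_register(exceptions: list[PolicyException], tickets: dict[str, Ticket],
                   as_of: date) -> dict[str, list[str]]:
    return {e.exception_id: audit_exception(e, tickets, as_of) for e in exceptions}


if __name__ == "__main__":
    for exc_id, problems in audit_register(EXCEPTIONS, TICKETS, AS_OF).items():
        print(exc_id, problems or "OK")
```

The "temporary" justification on the card is what the `no_expiry` and `linked_ticket_*` rules encode: an exception that depends on a ticket closing has to be re-evaluated whenever that ticket stalls, loses its owner, or passes its target date.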

CHARLIE – Deep Analysis 1: Merger Counterparty Data Room Exposure Assessment

Type: M&A legal assessment – data room integrity
Source: M&A legal counsel briefing, 2026-03-10 09:30 UTC

BioGenix Solutions -- Acquisition Data Room Integrity Assessment
Prepared by: M&A Legal Counsel | Date: 2026-03-10

Data Room Package Contents (v1 and v2):
  GenixLib-Acquisition-Package-v1:  delivered to counterparty (NDA)
  GenixLib-Acquisition-Package-v2:  prepared, not yet delivered

Datasets confirmed accessed by svc-rdbridge-admin (GenixLibrary audit log):
  GenixLib-Acquisition-Package-v1   -- Session 4 (2026-01-06 UTC)
  GenixLib-Acquisition-Package-v2   -- Session 8 (2026-02-11 UTC)

Current legal exposure:
  NDA coverage:      Yes -- counterparty bound to confidentiality
  Valuation basis:   GenixLibrary sequences are the primary IP asset
  Friday meeting:    Data room review meeting scheduled with counterparty
  Options:
    A. Proceed with disclosed caveat (brief counterparty; retain deal momentum)
    B. Delay data room (investigate first; deal timeline at risk)
    C. Disclose confirmed scope + uncertainty (calibrated position)

Both data room packages (v1 and v2) were accessed by svc-rdbridge-admin during the 90-day exfiltration window. The v1 package has already been shared with the counterparty under NDA. If the exfiltrated data includes the same sequences disclosed to the counterparty, the due diligence process may have been compromised from both sides simultaneously. Friday’s meeting is the next scheduled milestone.

Analysis direction: The data room packages were curated specifically for the acquisition – they represent the highest-value, most organized extract of GenixLibrary IP. The counterparty has seen v1 under NDA. The IC needs to decide whether Friday’s meeting can proceed, and on what basis. This is a board-level commercial decision that requires a technical input: how confident is the team in the exfiltration scope statement?

CHARLIE – Deep Analysis 2: GDPR Article 33 Notification Obligation Framework

Type: Regulatory obligation summary
Source: Legal and compliance team briefing, 2026-03-10 09:45 UTC

GDPR Article 33 Notification -- BioGenix Solutions
Reference: Datatilsynet inquiry DT-2026-0847

Notification obligation:
  Trigger:    Awareness of personal data breach
  Deadline:   72 hours from awareness (Article 33(1))
  Partial:    Accepted -- initial notification may be incomplete if
              full investigation is still ongoing (Article 33(4))

Required notification content:
  1. Nature of breach (categories of data affected)
  2. Approximate number of data subjects
  3. Likely consequences of the breach
  4. Measures taken or proposed to address the breach

Personal data in scope (BioGenix R&D environment):
  - R&D collaborator credentials (Azure AD)
  - Employee identifiers in GenixLibrary access logs
  - Potentially: partner or collaborator data in sequence metadata

Datatilsynet reference: DT-2026-0847
Status: Datatilsynet has made initial contact -- response window open

GDPR Article 33 requires notification to Datatilsynet within 72 hours of becoming aware of a personal data breach. A partial notification is acceptable – BioGenix is not required to have full investigation results to submit. The clock starts from awareness, not from the breach event itself. Personal data in scope includes R&D collaborator credentials and employee identifiers in system logs.

Analysis direction: The 72-hour clock started when BioGenix became aware of the breach – not when the breach occurred. CFCS and counterintelligence coordination must not be allowed to block or delay the GDPR notification decision. These are parallel workstreams with separate owners. Charlie needs to establish: who is the Datatilsynet notification owner, and what can be confirmed vs. what must be qualified as under investigation?

CHARLIE – Deep Analysis 3: CTO Decision Paper – GenixLibrary Access Suspension

Type: Executive decision paper
Source: CTO Katrine Fønsmark, 2026-03-10 10:00 UTC

DECISION PAPER
To:      Incident Command
From:    CTO (K. Fønsmark)
Re:      GenixLibrary Access -- Immediate Decision Required
Date:    2026-03-10 10:00 UTC

SITUATION
svc-rdbridge-admin held read access to GenixLibrary across 44 off-hours sessions.
Write access analysis is in progress -- not yet confirmed or ruled out.
Active fermentation project data is stored in GenixLibrary.
3 production fermentation programs depend on active GenixLibrary read access.

RECOMMENDATION
Suspend all GenixLibrary access until a clean baseline is established.
Basis: Sequence integrity cannot be confirmed until write access is ruled out.

OPERATIONAL IMPACT
  Research continuity:  3 active fermentation programs halted
  Recovery path:        Access audit + clean baseline = est. 24--48 hours
  Alternative:          Read-only access for critical programs under manual review

DECISION REQUIRED FROM INCIDENT COMMAND
  [ ] Approve full GenixLibrary suspension (est. 24--48 hrs)
  [ ] Approve read-only access for critical programs under manual review
  [ ] Defer -- defer pending write access scope confirmation

CTO Katrine Fønsmark has escalated a formal decision request to incident command on GenixLibrary access. The CTO recommends full suspension pending write access analysis, but acknowledges the impact on 3 active production programs. The IC must make a decision with a documented rationale – deferring indefinitely is not a valid option given the Friday merger meeting and the GDPR notification window.

Analysis direction: The CTO has framed this correctly as an IC decision, not a technical one. The IC’s answer shapes two downstream decisions: (1) research continuity (how long can 3 fermentation programs tolerate a halt?) and (2) merger data room integrity (can the counterparty briefing proceed if sequence integrity is unconfirmed?). These two decisions are linked – the IC needs both Charlie’s input on the merger and Alpha’s input on the write access scope.

Tier 3 – Developments

Release at start of Rounds 4 and 5 (2 cards per team)

Alpha x2 – Bravo x2 – Charlie x2

ALPHA – Development 1: Forensic Evidence Preservation Status

Type: Chain of custody log + retention window alert
Source: Alpha forensics lead, 2026-03-10 11:30 UTC

Forensic Evidence Preservation Report
Prepared by: Alpha forensics lead | 2026-03-10 11:30 UTC

Preserved artifacts (chain of custody confirmed):
  HANSEN-SAP-01 memory image:
    Captured: 2026-03-10 08:32:14 UTC
    Method: Hardware-assisted enumeration
    Chain of custody: Signed (forensics lead + CISO witness)
    Status: COMPLETE -- includes hidden process table, PID 4028 connection state
  Kernel driver artifact (SN 4A9F02B1):
    Extracted: 2026-03-10 09:18:07 UTC
    Chain of custody: Signed
    Status: COMPLETE -- CFCS has requested this artifact
  BIOGEN-RD-WS-01/02/03 process logs:
    Captured: 2026-03-10 09:45 UTC
    Status: COMPLETE -- encoded PowerShell chains and net.exe query preserved

Retention window alerts:
  NetFlow logs (perimeter firewall):  Retention window closes in 48 hours
  Azure AD sign-in logs (90-day):     Retention window closes in 12 days
  Action required: Export NetFlow logs before 2026-03-12 08:30 UTC

Memory image, kernel driver artifact, and calibration workstation process logs are all preserved with chain of custody. The critical remaining action is NetFlow export – the perimeter firewall rolls over in 48 hours, at which point the 90-day traffic baseline showing 203.0.113.44 connection history will be permanently lost. Azure AD sign-in logs are safer (12-day window) but should also be exported and preserved.

Analysis direction: The preservation work is in good shape. The 48-hour NetFlow window is the only active urgency item. Who on Alpha is responsible for that export, and has it been assigned? The kernel driver artifact is what CFCS needs for attribution to the broader campaign – confirm whether CFCS has received it or whether handoff is pending.

ALPHA – Development 2: CFCS Attribution Bulletin CB-2026-0312

Type: National threat intelligence bulletin
Source: CFCS (Center for Cybersikkerhed), bulletin CB-2026-0312, received 2026-03-10 11:45 UTC

CFCS Threat Intelligence Bulletin CB-2026-0312
Classification: TLP:AMBER -- share with incident response team only
Received by BioGenix: 2026-03-10 11:45 UTC

SUMMARY
CFCS has identified a coordinated supply chain espionage campaign targeting
Danish life sciences and pharmaceutical R&D organizations.

INDICATORS (matching BioGenix incident)
  Certificate SN 4A9F02B1:     Confirmed match -- identical revocation date
                                (2025-11-14) across all 4 known victims
  C2 infrastructure:           203.0.113.44 -- confirmed attacker-controlled
  DKOM technique:              Consistent kernel driver load address pattern
  Delivery vector:             Vendor-signed calibration software update

KNOWN VICTIMS (anonymized)
  Organization A:  Danish biotech, identified 2025-12-18
  Organization B:  Danish pharmaceutical, identified 2026-01-29
  Organization C:  Danish biotech, identified 2026-02-14
  BioGenix Solutions: identified 2026-03-10 (current)

CFCS REQUEST
  Kernel driver artifact (SN 4A9F02B1): requested for national TI
  Anonymized IoCs: requested for cross-victim correlation
  Coordination call: CFCS and PET counterintelligence -- scheduling in progress

CFCS has confirmed that the certificate 4A9F02B1 and the C2 infrastructure at 203.0.113.44 match 3 prior victims across the Danish life sciences sector. The campaign began at least 3 months before BioGenix was targeted. CFCS is requesting the kernel driver artifact and anonymized IoCs for national threat intelligence, and coordinating a separate counterintelligence call with PET.

Analysis direction: Attribution is confirmed – BioGenix is part of a coordinated nation-state campaign against Danish biotech. This changes the GDPR notification narrative (the attack is part of a broader campaign, not a BioGenix-specific failure) and creates a parallel counterintelligence workstream with CFCS and PET. The IC needs to confirm: has the kernel driver artifact been handed to CFCS? Who owns the CFCS coordination track vs. the Datatilsynet notification track?

BRAVO – Development 1: 90-Day Exfiltration Traffic Analysis

Type: Network traffic retrospective + DLP classification audit
Source: Network security team, 90-day outbound HTTPS analysis, 2026-03-10 11:00 UTC

Outbound HTTPS Traffic Report -- Port 443
Period: 2025-12-10 00:00:00 UTC to 2026-03-10 09:00:00 UTC
Source environment: GENIX-PROD-01 and AZURE-RD-ENV-01

--- Top Destinations by Volume ---

Destination                       Resolved IP    Volume   DLP Classification
graph.microsoft.com               203.0.113.1    43 GB    Microsoft Telemetry [TRUSTED]
graph-api-sync.bioanalytics.net   203.0.113.44   847 GB   Microsoft Telemetry [TRUSTED]
login.microsoftonline.com         203.0.113.2    12 GB    Microsoft Auth [TRUSTED]
storage.azure.com                 203.0.113.3    8 GB     Azure Storage [TRUSTED]

--- DLP Classification Basis for graph-api-sync.bioanalytics.net ---

TLS SNI header presented:   graph.microsoft.com
Actual destination:         graph-api-sync.bioanalytics.net (203.0.113.44)
Certificate presented:      Self-signed, CN=graph.microsoft.com
                            NOT issued by Microsoft CA
DLP action:                 CLASSIFIED AS TRUSTED (SNI match; no cert validation)
Domain registered:          2025-11-20 (4 months ago)

graph-api-sync.bioanalytics.net sent 847 GB outbound in 90 days – 20x the legitimate graph.microsoft.com volume of 43 GB. DLP classified both destinations as trusted Microsoft telemetry because the attacker set the TLS SNI header to graph.microsoft.com while routing traffic to their own infrastructure. The presented certificate was self-signed and would have failed validation against Microsoft’s CA – but DLP did not validate certificates, only SNI headers.

Analysis direction: 847 GB is the confirmed exfiltration volume to the identified attacker infrastructure. The DLP failure has three components: (1) no certificate validation on HTTPS traffic; (2) per-day volume cap (50 GB/day) not triggered by distributed off-hours sessions; (3) service account excluded from off-hours policy. The 847 GB figure is defensible for the Datatilsynet notification and merger counterparty briefing – with the qualifier that other channels cannot be ruled out without complete log review.

BRAVO – Development 2: DLP Classification Failure Detail

Type: DLP rule gap analysis
Source: Bravo network security team, DLP audit review, 2026-03-10 11:15 UTC

DLP Alert Audit -- svc-rdbridge-admin | 2025-12-10 to 2026-03-10

Alert rule            Triggered   Reason not triggered
----------------------------------------------------------
Volume > 50 GB/day    0           Sessions distributed across nights;
                                  no single day exceeded 50 GB threshold.
                                  Peak session: ~19 GB (2026-01-06)

Sensitive file         0           Files classified as internal sync between
outbound                           GENIX-PROD-01 and "Microsoft" destination.
                                   SNI match bypassed content inspection.

Off-hours data         0           svc-rdbridge-admin excluded from off-hours
movement                           policy -- service accounts exempted to
                                   avoid alert noise on scheduled tasks.

GenixLibrary batch     0           No rule configured for sequential batch
read pattern                       reads by service accounts outside business
                                   hours.

--- Session Volume Breakdown (top 5 of 44) ---
Session 4  (2026-01-06):  GenixLib-Acquisition-Package-v1   ~19 GB
Session 8  (2026-02-11):  GenixLib-Acquisition-Package-v2   ~21 GB
Session 44 (2026-03-09):  Precision-Fermentation-IP-Current ~18 GB
Sessions 1-3 avg:         ~17 GB each

Three DLP rules failed independently: the volume cap was not triggered because sessions were distributed below the daily threshold; content inspection was bypassed by SNI matching; and svc-rdbridge-admin was excluded from off-hours movement policy as a service account. No rule existed for sequential batch reads of a research database by a service account during off-hours. The acquisition data room packages (GenixLib-Acquisition-Package-v1 and v2) were among the largest individual sessions.

Analysis direction: The DLP failure is a layered gap, not a single missed rule. Bravo needs to recommend at minimum: (1) certificate validation for all HTTPS traffic classified as trusted Microsoft infrastructure; (2) behavioral baseline alerts on per-session volume to any single external destination; (3) removal of service account blanket exemptions from off-hours anomaly detection. Each of these is independently implementable without changing the broader DLP architecture.
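The three DLP gaps in Development 1 and the three recommendations above map onto three checks. What follows is an added example, not BioGenix's, CaliSync's or any vendor's code: it re-evaluates constructed session records shaped like the audit (svc-rdbridge-admin, graph-api-sync.bioanalytics.net at 203.0.113.44, SNI graph.microsoft.com, self-signed certificate, the session volumes from the breakdown) against the legacy 50 GB/day cap and against the recommended certificate-based, per-session and off-hours rules. The CA name, the analyst account rd-analyst-07, the thresholds (5 GB per session, 1 GB off-hours) and the exact session timestamps are assumptions.

```python
"""Added example (not BioGenix or vendor code): re-evaluating the three DLP
recommendations over constructed session records shaped like the audit above.
Hosts, accounts and volumes come from the cards; the CA name is a placeholder."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Session:
    start: datetime      # session start, UTC
    account: str
    dest_host: str       # resolved destination hostname
    dest_ip: str
    sni: str             # server name the client put in the TLS ClientHello
    cert_issuer: str     # issuer of the certificate the server presented
    self_signed: bool
    gb: float            # outbound volume in GB


# Allowlists. Hostnames are from the traffic report; the CA name is a placeholder.
TRUSTED_MS_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
TRUSTED_ISSUERS = {"PLACEHOLDER-MICROSOFT-ISSUING-CA"}

DAILY_CAP_GB = 50.0      # the legacy rule from the audit: never fired
SESSION_CAP_GB = 5.0     # recommendation 2: per-session volume to one destination (assumed)
OFF_HOURS_CAP_GB = 1.0   # recommendation 3: applies to svc-* accounts as well (assumed)


def legacy_daily_cap_alerts(sessions):
    """The rule BioGenix had: total outbound per calendar day, all destinations."""
    per_day = defaultdict(float)
    for s in sessions:
        per_day[s.start.date()] += s.gb
    return sorted(day for day, total in per_day.items() if total > DAILY_CAP_GB)


def classify_destination(s):
    """Recommendation 1: the certificate, not the SNI, decides 'trusted Microsoft'."""
    if s.sni not in TRUSTED_MS_HOSTS:
        return "UNCLASSIFIED"
    if s.self_signed or s.cert_issuer not in TRUSTED_ISSUERS or s.dest_host != s.sni:
        return "SNI_SPOOF"   # client claims a Microsoft name the server cannot prove
    return "TRUSTED"


def is_off_hours(dt):
    return dt.hour >= 22 or dt.hour < 6


def destination_totals(sessions):
    """Cumulative outbound per destination: the figure a daily cap never sees."""
    totals = defaultdict(float)
    for s in sessions:
        totals[s.dest_host] += s.gb
    return dict(totals)


def evaluate(sessions):
    """Run the three recommended checks; return (rule, when, account, dest, gb) tuples."""
    alerts = []
    for s in sessions:
        when = s.start.isoformat()
        if classify_destination(s) == "SNI_SPOOF":
            alerts.append(("sni_spoof", when, s.account, s.dest_host, s.gb))
        if s.gb > SESSION_CAP_GB:
            alerts.append(("session_volume", when, s.account, s.dest_host, s.gb))
        # No blanket service-account exemption: a scheduled task would need its own allowlist entry
        if is_off_hours(s.start) and s.gb > OFF_HOURS_CAP_GB:
            alerts.append(("off_hours", when, s.account, s.dest_host, s.gb))
    return alerts


def _exfil(y, m, d, hour, gb):
    # Constructed record matching the audit's pattern for svc-rdbridge-admin
    return Session(datetime(y, m, d, hour, 15, tzinfo=UTC), "svc-rdbridge-admin",
                   "graph-api-sync.bioanalytics.net", "203.0.113.44",
                   "graph.microsoft.com", "CN=graph.microsoft.com (self-signed)", True, gb)


# Constructed legitimate session: analyst account name is assumed
LEGIT = Session(datetime(2026, 2, 11, 10, 5, tzinfo=UTC), "rd-analyst-07",
                "graph.microsoft.com", "203.0.113.1", "graph.microsoft.com",
                "PLACEHOLDER-MICROSOFT-ISSUING-CA", False, 0.4)

# Constructed subset of the 44 sessions: sessions 1-3 (~17 GB each), 4, 8 and 44 from the card
SESSIONS = [
    _exfil(2025, 12, 12, 1, 17.0), _exfil(2025, 12, 19, 2, 17.0), _exfil(2025, 12, 27, 1, 17.0),
    _exfil(2026, 1, 6, 2, 19.0), _exfil(2026, 2, 11, 1, 21.0), _exfil(2026, 3, 9, 2, 18.0),
    LEGIT,
]

if __name__ == "__main__":
    print("legacy daily cap fired on:", legacy_daily_cap_alerts(SESSIONS))
    for alert in evaluate(SESSIONS):
        print(alert)
    print(destination_totals(SESSIONS))
```

On these records the legacy daily cap returns nothing (the busiest day is 21.4 GB), while each attacker session trips all three new rules and the legitimate graph.microsoft.com session trips none. The per-destination total (109 GB for the constructed subset) is the number the daily cap structurally cannot produce, which is why recommendation 2 is framed per destination rather than per day.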

CHARLIE – Development 1: Regulatory and Intelligence Authority Workstream Map

Type: Multi-authority coordination framework
Source: Legal and compliance team, 2026-03-10 11:30 UTC

BioGenix Solutions -- Authority Coordination Map
Date: 2026-03-10 | Status: All three authorities have made initial contact

WORKSTREAM 1: DATATILSYNET (Regulatory -- GDPR Article 33)
  Authority:     Datatilsynet
  Reference:     DT-2026-0847
  Obligation:    GDPR notification within 72 hours of awareness
  Status:        Initial contact received -- response window open
  Content scope: Nature of breach, data categories, measures taken
  Owner needed:  YES -- one named person with authority to submit
  Blocks:        Does NOT block CFCS or PET coordination

WORKSTREAM 2: CFCS (Technical -- Threat Intelligence)
  Authority:     Center for Cybersikkerhed (CFCS)
  Obligation:    Voluntary cooperation -- no mandatory deadline
  Status:        Bulletin CB-2026-0312 received; artifact request pending
  Content scope: Kernel driver artifact + anonymized IoCs
  Owner needed:  YES -- technical lead for indicator handoff
  Blocks:        Does NOT block Datatilsynet notification

WORKSTREAM 3: PET (Counterintelligence)
  Authority:     Politiets Efterretningstjeneste (PET)
  Obligation:    Voluntary cooperation -- counterintelligence call
  Status:        Call requested -- not yet scheduled
  Content scope: Attack attribution, campaign targeting pattern
  Owner needed:  YES -- CISO or designated counterintelligence liaison
  Blocks:        Does NOT block regulatory or technical workstreams

Three parallel authority workstreams have all activated simultaneously. They are non-blocking – Datatilsynet notification does not require CFCS or PET coordination to be complete first. Each workstream requires a separate named owner with defined authority to communicate on behalf of BioGenix. Merging these conversations or allowing one to delay another is the primary coordination failure mode.

Analysis direction: The IC’s job at this point is to assign three owners before any call is answered: one for Datatilsynet, one for CFCS, one for PET. These are separate conversations with separate scopes. The most common failure is allowing CFCS or PET coordination to block the GDPR notification because they feel connected – they are procedurally independent. Who in the room takes each track?

CHARLIE – Development 2: Merger Advisor Briefing Position Paper

Type: Commercial decision paper – acquisition data room
Source: M&A merger advisor, position paper submitted 2026-03-10 12:00 UTC

POSITION PAPER -- MERGER DATA ROOM POSTURE
From: M&A Merger Advisor
To:   BioGenix Leadership and Incident Command
Date: 2026-03-10 12:00 UTC
Re:   Friday data room meeting -- decision required before 2026-03-12 18:00 UTC

CONTEXT
Confirmed: 847 GB exfiltrated over 90 days including acquisition data room packages.
Uncertainty: Whether exfiltration scope extends beyond identified infrastructure.
Friday meeting: Counterparty expects data room access review and deal progression.

OPTION A -- Proceed with Disclosed Caveat
  Brief counterparty on confirmed scope before meeting.
  Frame: "We have identified and contained a breach. We can confirm what was accessed."
  Risk: Counterparty may pause deal pending independent assessment.
  Benefit: Maintains trust and legal defensibility; proactive disclosure.

OPTION B -- Delay Data Room Meeting
  Request postponement pending full investigation.
  Frame: "We are completing a security review that affects data room integrity."
  Risk: Counterparty may withdraw or renegotiate valuation basis.
  Benefit: No premature disclosure; time to scope fully.

OPTION C -- Proceed Without Disclosure
  Continue Friday meeting without disclosing the breach.
  Risk: HIGH -- Legal exposure if breach becomes known post-close; NDA implications.
  Benefit: None that outweigh the legal and regulatory exposure.

ADVISOR NOTE
Option C is not a defensible commercial or legal posture. Option A or B requires
a confirmed scope statement with explicit uncertainty qualifiers before the meeting.
I board the plane in 2 hours. I need a position.

The merger advisor has framed three options and explicitly ruled out Option C on legal grounds. The advisor needs a confirmed scope statement with uncertainty qualifiers before the Friday meeting – not certainty, but a defensible position. The 2-hour deadline before the advisor’s flight creates real urgency.

Analysis direction: This is the session’s hardest decision and a deliberate Expert-level learning moment. Option A requires the IC to commit to a scope statement that includes what is known (847 GB to identified infrastructure) and what is not (other channels not ruled out). Option B requires accepting deal risk. The IC cannot wait for certainty – the merger advisor’s deadline is real. If the session ends without a decision on A or B, that is a valid outcome for the debrief: name the governance gap that made this decision impossible under pressure.