Winnti Biotech R&D Espionage - Planning Guide

Winnti Biotech R&D Espionage

Complete preparation guide for Operation Silk Harvest

This planning document provides comprehensive facilitation guidance for running the Winnti Biotech R&D Espionage scenario (Operation Silk Harvest), featuring Chinese nation-state supply chain delivery via vendor-signed calibration software, kernel-level rootkit persistence on a decommissioning-backlog server, Pass-the-Hash lateral movement through merger infrastructure, and 3-month drip exfiltration of proprietary genomic sequence data disguised as Microsoft telemetry.


1. Quick Reference

  • Malmon: Winnti (Bug/Steel dual-type)
  • Difficulty Tier: Tier 3 (Expert)
  • Scenario Variant: Nation-State: Biotech Genomic IP Espionage
  • Organizational Context: BioGenix Solutions: Danish biosolutions company, 1,800 employees, precision fermentation and industrial enzyme engineering
  • Primary Stakes: Genomic IP protection + Merger infrastructure integrity + GDPR regulatory compliance + Competitive advantage
  • Recommended Formats: Full Game / Advanced Challenge
  • Essential NPCs: Phillip Christensen (CEO), Katrine Fønsmark (CTO), Bent Sejrø (CISO), Dr. Ida Woetmann (VP R&D)
  • Optional NPCs: Datatilsynet contact, CFCS liaison, PET counterintelligence officer, Merger advisor

Scenario Hook

BioGenix Solutions is preparing for a Friday acquisition data room meeting when security operations flags anomalous HTTPS traffic and unexpected authentication from a server scheduled for decommissioning 18 months ago. Investigation reveals a Chinese nation-state APT has operated inside the network for 3 months, exfiltrating 847 GB of genomic sequence data while disguising traffic as Microsoft Graph API telemetry.

Victory Condition

Team identifies the full attack chain from supply chain delivery through drip exfiltration, contains the compromise while preserving forensic artifacts for CFCS and PET, meets GDPR notification obligations to Datatilsynet within the 72-hour window, and makes a defensible merger data room decision with documented rationale aligned to evidence confidence.


2. Game Configuration Templates

Quick Demo Configuration (35-40 min)

Pre-Configured Settings:

  • Number of Rounds: 2 rounds
  • Actions per Player: 1 action per round
  • Investigation Structure: Guided with pre-staged injects (INJ-001 and INJ-002)
  • Response Structure: Focused on supply chain detection and immediate containment
  • Team Size: 3-4 players or single-table
  • Success Mechanics: Narrative only – no dice or cards
  • Evidence Type: Handout A only (supply chain artifacts)
  • NPC Count: 2 (Phillip Christensen for pressure, Bent Sejrø for containment guidance)
  • Badge Tracking: Off

Time Breakdown:

  • Introduction: 5 min
  • Scenario Briefing: 5 min
  • Round 1 (Initial Alert and Calibration Software): 15 min
  • Round 2 (Rootkit Discovery): 10 min
  • Brief Debrief: 5 min

Focus: Certificate validation gap and supply chain detection. Keep the scope tight on HANSEN-SAP-01 and the CaliSyncPro update chain.


Lunch & Learn Configuration (75-90 min)

Pre-Configured Settings:

  • Number of Rounds: 4 rounds (investigation + regulatory decision)
  • Actions per Player: 2 actions per round
  • Investigation Structure: Semi-open with staged injects
  • Response Structure: Guided decision points at Round 3 (containment) and Round 4 (GDPR)
  • Team Size: 4-6 players
  • Success Mechanics: Light narrative scoring
  • Evidence Type: Handouts A and B
  • NPC Count: 3 (Phillip Christensen, Katrine Fønsmark, Bent Sejrø)
  • Badge Tracking: Optional

Time Breakdown:

  • Introduction and Roles: 10 min
  • Scenario Briefing: 10 min
  • Round 1 (Supply Chain Alert + Anomalies): 15 min
  • Round 2 (Rootkit Forensics): 15 min
  • Round 3 (Lateral Movement – Pass-the-Hash): 15 min
  • Round 4 (GDPR Clock + Regulatory): 15 min
  • Debrief: 10 min

Focus: Forensic preservation discipline and the GDPR notification decision. Trim the exfiltration scoping to a brief reveal rather than a full investigation round.


Full Game Configuration (120-140 min)

Pre-Configured Settings:

  • Number of Rounds: 3 open-ended rounds
  • Actions per Player: 2-3 actions per round
  • Investigation Structure: Open with IM-guided discovery pathways
  • Response Structure: Player-driven with conditional NPC escalations
  • Team Size: 5-6 players (full role complement)
  • Success Mechanics: Narrative scoring or dice for forensic challenges
  • Evidence Type: Handouts A, B, and C
  • NPC Count: 4 (all essential)
  • Badge Tracking: On

Time Breakdown:

  • Introduction and Roles: 10 min
  • Scenario Briefing: 10 min
  • Round 1 (Supply Chain Discovery and Rootkit): 40 min
  • Round 2 (Lateral Movement, Exfiltration Scope, and Regulatory): 40 min
  • Round 3 (Merger Decision, Counterintelligence, and Remediation): 25 min
  • Debrief: 15 min

Focus: End-to-end espionage response arc. All 4 NPCs active. Merger governance decision is the climax of Round 3.


Advanced Challenge Configuration (150+ min)

Pre-Configured Settings:

  • Number of Rounds: 4 rounds
  • Success Mechanics: Complex (GDPR Compliance Status + Merger Data Room Integrity + Forensic Chain of Custody tracking)
  • Attack Complexity: Full 6-inject chain with counterintelligence tension and competing authority demands
  • NPC Count: 6+ including CFCS liaison and PET counterintelligence officer as active escalation NPCs
  • Evidence Type: All 4 handouts

Time Breakdown:

  • Introduction and Roles: 15 min
  • Scenario Briefing: 15 min
  • Round 1 (Supply Chain and Rootkit): 30 min
  • Round 2 (Lateral Movement and Cloud R&D Scope): 30 min
  • Round 3 (Exfiltration Scope and Regulatory): 30 min
  • Round 4 (Counterintelligence, Merger, and Remediation Ownership): 20 min
  • Extended Debrief: 20 min

Focus: Three simultaneous stakeholder workstreams – Datatilsynet (regulatory), CFCS/PET (counterintelligence), merger advisor (commercial) – must be managed in parallel. Each workstream has different information needs and different disclosure constraints. The advanced challenge tests whether teams can maintain workstream separation under simultaneous pressure.


3. Scenario Overview

Opening Presentation

“It’s 07:45 on a Thursday morning at BioGenix Solutions – a Danish biosolutions company of 1,800 employees at the forefront of precision fermentation and industrial enzyme engineering. CEO Phillip Christensen is preparing for Friday’s acquisition data room meeting, which will formalize the most significant transaction in company history.

Then the overnight SOC alert batch hits the morning analyst’s queue. Three bioreactor calibration workstations in the cloud R&D environment are spawning unexpected child processes following a CaliSyncPro software update deployed last Friday. At the same time, a service account tied to HANSEN-SAP-01 – a server that should have been decommissioned 18 months ago – is authenticating into the Azure R&D environment through the Collaborative Bridge.

Your incident response leadership team has just been activated. Something is wrong in the R&D infrastructure. You do not yet know what. You do not yet know how long it has been there. And you have a merger to protect.”

Initial Symptoms

  • 3 bioreactor calibration workstations in cloud R&D are generating unexpected process chains (calibsvc.exe spawning powershell.exe with encoded commands) following the CaliSyncPro_v4.2.1.exe update deployed Friday
  • svc-rdbridge-admin credentials from HANSEN-SAP-01 – a server 18 months past its decommission date – are authenticating into the Azure R&D environment via the Collaborative Bridge
  • Anomalous HTTPS traffic to infrastructure presenting as graph.microsoft.com telemetry is flagged by an analyst who noticed outbound volume inconsistencies
  • GenixLibrary audit logs showing sequential off-hours file reads with no corresponding user sessions are surfaced during initial triage

Organizational Context

Organization Profile:

  • Name: BioGenix Solutions (Danish biosolutions company)
  • Type: Life sciences – precision fermentation and industrial enzyme engineering
  • Size: 1,800 employees across R&D, production, and commercial functions
  • Key Assets: GenixLibrary (proprietary genomic sequence database), precision fermentation IP, enzyme engineering pipeline, 3 years of active R&D
  • Regulatory Environment: GDPR (Datatilsynet), Danish Trade Secrets Act, EU DORA applicability, NIS2 framework
  • Intelligence Environment: CFCS (Center for Cybersecurity – national CERT), PET (Police Intelligence Service – domestic counterintelligence)
  • Merger Context: Active acquisition in progress; data room meeting scheduled Friday; GenixLibrary sequences are the core valuation asset

Cultural Factors:

  • R&D-first culture means scientists and engineers have high autonomy over their tooling and software update cadence
  • Merger pressure creates executive urgency that competes directly with security incident response timelines
  • Legacy system decommissioning is handled informally via ITSM tickets rather than enforced isolation
  • “Trusted vendor” exception policies are common in R&D environments where calibration software vendors are considered partners

Merger Infrastructure Details:

The Collaborative Bridge is a VPN integration layer established during the acquisition integration process to allow cloud R&D environment access from on-premise systems. HANSEN-SAP-01 was retained in the integration scope due to an unresolved dependency tracked in ITSM-29847. The legacy authentication exception COLLBRIDGE-EXCL-003 was created to maintain compatibility and was never reviewed after the SAP NetWeaver migration window closed.


4. Malmon Characteristics

Supply Chain Delivery (Primary Ability)

Winnti enters through a vendor-signed software update for CaliSyncPro_v4.2.1.exe distributed via the legitimate vendor portal. The installer binary is signed with a CaliSync Instrumentation GmbH certificate (SN 4A9F02B1) that was revoked on 2025-11-14 – four months before deployment. The trusted vendor exception policy at BioGenix bypassed OCSP and CRL checks at deployment time, allowing the revoked certificate to pass validation.

Facilitation note: The supply chain entry is always the hardest for experienced teams to accept – they want to believe the vendor update was clean. Use the certificate revocation date (4 months before deployment) to make the gap concrete: the control existed, the evidence existed, but the policy explicitly bypassed it.
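Worked example (added for this guide; it is not BioGenix, CaliSync or vendor code): a deployment gate that evaluates a vendor-signed installer against revocation data, with the scenario's trusted-vendor exception placed beside a hardened policy that always checks and fails closed. The serial 4A9F02B1 and the 2025-11-14 revocation date follow the scenario; the deployment timestamp (2026-03-13, roughly four months later), the certificate expiry and the CRL validity window are assumed sample values.

```python
"""Software deployment gate: weak "trusted vendor" policy beside a hardened one.

Added example for the planning guide, not BioGenix or vendor code. Signer, CRL and
deployment timestamp are constructed values modelled on the scenario.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SignerInfo:
    vendor: str
    serial: str            # signing certificate serial number, hex
    not_after: datetime    # certificate expiry


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: Dict[str, datetime]   # serial -> revocation time


def check_revocation(signer: SignerInfo, crl: Optional[Crl], now: datetime) -> Tuple[bool, str]:
    """Return (ok, reason). Fails closed when revocation data is missing or stale,
    the opposite of what the trusted-vendor exception in the scenario did."""
    if crl is None:
        return False, "no revocation data available"
    if crl.next_update < now:
        return False, f"CRL stale (nextUpdate {crl.next_update.date()} is in the past)"
    revoked_at = crl.revoked.get(signer.serial.upper())
    if revoked_at is not None and revoked_at <= now:
        return False, f"certificate {signer.serial} revoked on {revoked_at.date()}"
    return True, "signing certificate not revoked"


def deploy_gate(signer: SignerInfo, crl: Optional[Crl], now: datetime,
                trusted_vendors: set, allow_trusted_bypass: bool) -> Tuple[str, str]:
    """Decide ALLOW/BLOCK for an installer. allow_trusted_bypass=True reproduces the
    weak policy: partner vendors skip OCSP/CRL checking entirely."""
    if now > signer.not_after:
        return "BLOCK", "signing certificate expired"
    if allow_trusted_bypass and signer.vendor in trusted_vendors:
        return "ALLOW", f"trusted vendor exception for {signer.vendor}: revocation check skipped"
    ok, reason = check_revocation(signer, crl, now)
    return ("ALLOW" if ok else "BLOCK"), reason


# Constructed sample data modelled on the scenario (dates other than the revocation are assumed)
DEPLOY_TIME = datetime(2026, 3, 13, 16, 0, tzinfo=timezone.utc)          # "last Friday"
CALISYNC_SIGNER = SignerInfo("CaliSync Instrumentation GmbH", "4A9F02B1",
                             not_after=datetime(2027, 6, 30, tzinfo=timezone.utc))
VENDOR_CRL = Crl(this_update=DEPLOY_TIME - timedelta(days=1),
                 next_update=DEPLOY_TIME + timedelta(days=6),
                 revoked={"4A9F02B1": datetime(2025, 11, 14, tzinfo=timezone.utc)})
STALE_CRL = Crl(DEPLOY_TIME - timedelta(days=30), DEPLOY_TIME - timedelta(days=20), {})
TRUSTED_VENDORS = {"CaliSync Instrumentation GmbH"}


def evaluate_update(allow_trusted_bypass: bool, crl: Optional[Crl] = VENDOR_CRL) -> Tuple[str, str]:
    """Run the CaliSyncPro update through the gate under one policy."""
    return deploy_gate(CALISYNC_SIGNER, crl, DEPLOY_TIME, TRUSTED_VENDORS, allow_trusted_bypass)


if __name__ == "__main__":
    print("weak policy (scenario):", evaluate_update(True))
    print("hardened policy:       ", evaluate_update(False))
    print("hardened, stale CRL:   ", evaluate_update(False, STALE_CRL))
```

The point for the debrief is the stale-CRL and missing-CRL branches: a gate that skips the check when revocation data is unavailable behaves exactly like the exception policy, so the hardened version blocks and leaves the decision to a human.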

Signed Kernel Rootkit (Special Ability)

After initial access via the calibration software, Winnti loads a kernel-mode driver onto HANSEN-SAP-01 using the same revoked certificate. The driver uses Direct Kernel Object Manipulation (DKOM) to hook NtQuerySystemInformation and filter its own process entries from all API-level enumeration tools. Standard antivirus, EDR, and tasklist.exe all return clean results. Only hardware-assisted memory enumeration bypasses the hooks.

Facilitation note: This is the “why did we miss it for 18 months” moment. The answer has two parts: the rootkit intercepted detection tools at the kernel level, and HANSEN-SAP-01 was excluded from active SOC monitoring as a decommission-backlog system. Both are genuine gaps, not excuses.

Passive Dormancy (Hidden Ability)

Winnti’s C2 communication is designed to appear dormant under normal monitoring conditions. The kernel driver only activates outbound connections during low-traffic windows (overnight, off-hours) and uses TLS SNI spoofing to disguise exfiltration traffic as graph.microsoft.com telemetry. The DLP system classified all traffic matching the SNI header as trusted Microsoft telemetry without validating the presented certificate.

Facilitation note: The 44-session pattern in Handout D (weekly to biweekly, off-hours only) is Winnti’s passive dormancy in action. The attacker was patient and low-volume. This is what distinguishes nation-state espionage from ransomware – the goal is invisibility, not speed.
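Worked example (added for this guide, not BioGenix DLP logic): the classification mistake described above is trusting the SNI header instead of the certificate the server actually presented. This script classifies outbound TLS flows by the validated certificate name and then summarises per-destination volume, off-hours fraction and session cadence, which is how the Handout D pattern surfaces in a retrospective. The flow records are constructed; 203.0.113.44 and graph-api-sync.bioanalytics.net come from the scenario, while 198.51.100.20 (a documentation-range address standing in for a genuine Microsoft endpoint), the source hostnames and all byte counts are assumed.

```python
"""Classify outbound TLS flows by validated certificate name, not SNI, and find
low-and-slow off-hours transfers. Added example for the planning guide; the flow
log below is constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow log: timestamp|src_host|dst_ip|sni|cert_cn|bytes_out
FLOW_LOG = """\
2026-01-12T02:14:09|HANSEN-SAP-01|203.0.113.44|graph.microsoft.com|graph-api-sync.bioanalytics.net|21474836480
2026-01-19T01:58:41|HANSEN-SAP-01|203.0.113.44|graph.microsoft.com|graph-api-sync.bioanalytics.net|19327352832
2026-02-02T03:05:17|HANSEN-SAP-01|203.0.113.44|graph.microsoft.com|graph-api-sync.bioanalytics.net|22548578304
2026-02-16T02:40:55|HANSEN-SAP-01|203.0.113.44|graph.microsoft.com|graph-api-sync.bioanalytics.net|20401094656
2026-01-12T09:31:02|RD-WS-04|198.51.100.20|graph.microsoft.com|graph.microsoft.com|184320
2026-01-13T14:12:48|RD-WS-11|198.51.100.20|graph.microsoft.com|graph.microsoft.com|221184
2026-02-03T11:05:30|RD-WS-04|198.51.100.20|graph.microsoft.com|graph.microsoft.com|196608
"""

TRUSTED_TELEMETRY_HOSTS = ("graph.microsoft.com", "*.microsoft.com")


def hostname_matches(cert_name, patterns):
    """Match a certificate name against allow-list patterns; a wildcard covers exactly
    one label, so *.microsoft.com does not match a.b.microsoft.com."""
    cert_name = cert_name.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if cert_name.endswith(pat[1:]) and cert_name.count(".") == pat.count("."):
                return True
        elif cert_name == pat:
            return True
    return False


def parse_flow(line):
    ts, src, dst_ip, sni, cert_cn, size = line.split("|")
    return {"time": datetime.fromisoformat(ts), "src": src, "dst_ip": dst_ip,
            "sni": sni.lower(), "cert_cn": cert_cn.lower(), "bytes": int(size)}


def is_off_hours(t):
    return t.weekday() >= 5 or t.hour < 6 or t.hour >= 20


def classify(flow):
    """Trust is decided by the certificate the server presented, never by SNI alone."""
    if flow["sni"] != flow["cert_cn"]:
        return "SNI_MISMATCH"
    if hostname_matches(flow["cert_cn"], TRUSTED_TELEMETRY_HOSTS):
        return "TRUSTED_TELEMETRY"
    return "UNCLASSIFIED"


def analyze(log_text=FLOW_LOG):
    per_dst = defaultdict(lambda: {"sessions": 0, "bytes": 0, "off_hours": 0,
                                   "mismatch": 0, "times": [], "cert_cn": None})
    for line in log_text.strip().splitlines():
        f = parse_flow(line)
        s = per_dst[f["dst_ip"]]
        s["sessions"] += 1
        s["bytes"] += f["bytes"]
        s["off_hours"] += is_off_hours(f["time"])
        s["mismatch"] += classify(f) == "SNI_MISMATCH"
        s["times"].append(f["time"])
        s["cert_cn"] = f["cert_cn"]
    report = {}
    for dst, s in per_dst.items():
        times = sorted(s["times"])
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        off_frac = s["off_hours"] / s["sessions"]
        report[dst] = {
            "cert_cn": s["cert_cn"], "sessions": s["sessions"], "bytes": s["bytes"],
            "mismatch": s["mismatch"], "off_hours_fraction": off_frac,
            "median_gap_days": median(gaps) if gaps else None,
            # any SNI/certificate disagreement is a finding by itself; otherwise look for
            # low-and-slow bulk transfer: mostly off-hours and more than 1 GiB in the window
            "suspicious": s["mismatch"] > 0 or (off_frac >= 0.8 and s["bytes"] >= 1 << 30),
        }
    return report


if __name__ == "__main__":
    for dst, r in analyze().items():
        print(dst, r)
```

In the sample, the four sessions to 203.0.113.44 are flagged on the certificate mismatch alone; the cadence summary (median gap of about two weeks, every session off-hours) is what lets a team describe the drip pattern to the CEO in plain terms.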

Living-off-the-Land Techniques

Winnti’s lateral movement relies entirely on native Windows tools: NTLM credential hashes harvested via net.exe queries in the initial process chain, NTLM authentication via the Collaborative Bridge VPN, and Azure AD sign-in using legacy authentication exceptions. No custom tooling after initial kernel implant. This makes behavioral detection the only viable detection path after initial compromise.
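Worked example (added for this guide, not BioGenix or vendor tooling): the behavioral indicator the scenario relies on is an NTLM network authentication with no preceding interactive logon by the same account on the originating host. This script runs that check over a merged logon log. The records are constructed; svc-rdbridge-admin, HANSEN-SAP-01 and COLLBRIDGE-EXCL-003 follow the scenario, while the timestamps and the lab.user01, svc-backup, RD-WS-17 and BACKUP-02 entries are assumed.

```python
"""Pass-the-Hash indicator: NTLM network logons without a preceding interactive logon
for the same account on the source host. Added example for the planning guide; the
logon records are constructed sample data."""
from datetime import datetime, timedelta

# Constructed merged logon log: time|event_id|logon_type|auth_package|account|source_host|policy_exception
LOGON_LOG = """\
2026-01-12T08:02:11|4624|2|Kerberos|lab.user01|RD-WS-17|
2026-01-12T08:30:45|4624|3|NTLM|lab.user01|RD-WS-17|
2026-01-12T02:11:03|4624|3|NTLM|svc-rdbridge-admin|HANSEN-SAP-01|COLLBRIDGE-EXCL-003
2026-01-19T01:57:29|4624|3|NTLM|svc-rdbridge-admin|HANSEN-SAP-01|COLLBRIDGE-EXCL-003
2026-02-02T03:04:50|4624|3|NTLM|svc-rdbridge-admin|HANSEN-SAP-01|COLLBRIDGE-EXCL-003
2026-02-09T08:15:00|4624|10|Kerberos|svc-backup|BACKUP-02|
2026-02-13T02:40:12|4624|3|NTLM|svc-backup|BACKUP-02|
"""

INTERACTIVE_TYPES = {2, 10, 11}   # Windows 4624 logon types: console, RDP, cached interactive
NETWORK_TYPE = 3


def parse_logon(line):
    ts, eid, ltype, pkg, account, host, exc = line.split("|")
    return {"time": datetime.fromisoformat(ts), "event_id": int(eid), "logon_type": int(ltype),
            "package": pkg.upper(), "account": account.lower(), "host": host.upper(),
            "exception": exc or None}


def find_pass_the_hash(records, lookback=timedelta(hours=12)):
    """Flag NTLM network logons with no interactive logon by that account on that host
    within `lookback`. Records are sorted first because merged logs arrive out of order."""
    records = sorted(records, key=lambda r: r["time"])
    last_interactive = {}   # (account, host) -> time of most recent interactive logon
    findings = []
    for r in records:
        key = (r["account"], r["host"])
        if r["logon_type"] in INTERACTIVE_TYPES:
            last_interactive[key] = r["time"]
        elif r["logon_type"] == NETWORK_TYPE and r["package"] == "NTLM":
            prior = last_interactive.get(key)
            if prior is None or r["time"] - prior > lookback:
                findings.append({
                    "time": r["time"], "account": r["account"], "host": r["host"],
                    "exception": r["exception"],
                    "reason": ("no interactive logon on source host" if prior is None
                               else f"last interactive logon {r['time'] - prior} earlier"),
                })
    return findings


def summarize(findings):
    """Count findings per (account, host) so repeated sessions read as one campaign."""
    counts = {}
    for f in findings:
        k = (f["account"], f["host"])
        counts[k] = counts.get(k, 0) + 1
    return counts


def run(log_text=LOGON_LOG):
    return find_pass_the_hash([parse_logon(line) for line in log_text.strip().splitlines()])


if __name__ == "__main__":
    results = run()
    for f in results:
        print(f["time"], f["account"], f["host"], f["exception"], f["reason"])
    print(summarize(results))
```

Service accounts that never log on interactively will always trip this rule, so in practice it is paired with an allow-list of expected (account, host) pairs; in the scenario the finding is strong precisely because the source host was meant to be decommissioned and every session rode a legacy exception.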


5. NPC Reference

Phillip Christensen (CEO)

Personality: Calm, commercially focused, direct. Prioritizes the merger above all other concerns but is capable of making hard calls if given a defensible framework.

Agenda: Protect the acquisition. The merger data room meeting on Friday is the culmination of 18 months of work. He needs a position statement – not a blank hold.

Knowledge: Knows the merger timeline and counterparty expectations. Does not know the technical scope of the compromise. Becomes highly engaged when GenixLibrary exfiltration scope affects the data room.

Pressure Point: Asking him to delay the data room without providing a defensible scope statement will create friction. He will push back: “I cannot walk into that meeting without a position. What can I tell them?”

Portrayal Guidance: Christensen is not obstructive – he is commercially rational. If teams provide him with a calibrated scope statement (what is confirmed, what is under investigation, confidence level), he will work with it. The failure mode is vagueness: he will push harder if teams cannot give him facts.


Katrine Fønsmark (CTO)

Personality: Technically precise, risk-aware, protective of R&D infrastructure. Skeptical of shortcuts under pressure.

Agenda: Ensure the Azure R&D environment is certified clean before any merger data room access. She is not willing to sign off on R&D integrity until she has completed the access log review.

Knowledge: Deep knowledge of the Collaborative Bridge architecture and the COLLBRIDGE-EXCL-003 exception history. Knows exactly which resources svc-rdbridge-admin could reach.

Pressure Point: Teams that try to certify the Azure R&D environment as clean without completing the access log review will hit her resistance: “Not until I review every resource that account touched. That is 24 hours minimum.”

Portrayal Guidance: Fønsmark is the technical authority. Use her to set honest expectations on investigation timelines. She is not trying to be obstructive – she is protecting forensic integrity and her own professional credibility.


Bent Sejrø (CISO)

Personality: Methodical, evidence-driven, experienced with regulatory coordination. Stays calm under escalating authority demands.

Agenda: Preserve forensic artifacts for CFCS and PET counterintelligence value. File the GDPR notification to Datatilsynet on its own track. Keep the two workstreams from conflating.

Knowledge: Understands GDPR Article 33 obligations (72-hour window, notification even before full scope is known). Has CFCS and PET contacts. Knows the forensic value of the kernel driver artifact.

Pressure Point: Any team that plans to reimage HANSEN-SAP-01 before preserving the memory image and kernel driver will get direct pushback: “Preserve first. If we reimage now, we lose CFCS’s ability to attribute this to the broader campaign.”

Portrayal Guidance: Sejrø is the voice of procedural discipline. He will not escalate emotionally but he will be firm about the forensic preservation sequence and the regulatory notification track. Use him to model correct incident response governance for teams that are rushing.


Dr. Ida Woetmann (VP R&D)

Personality: Scientific, precise, protective of her team’s work. Deeply troubled by the implication that 3 years of R&D may have been exfiltrated.

Agenda: Understand exactly which GenixLibrary datasets were accessed and whether the integrity of the active fermentation projects is at risk.

Knowledge: Intimate knowledge of GenixLibrary dataset contents and what each dataset represents in terms of competitive value. Can identify which sequences correspond to the acquisition data room package.

Pressure Point: When GenixLib-Acquisition-Package-v1 and v2 appear in the exfiltration log (Handout D), she will immediately recognize their significance: “Those are the due diligence packages. The counterparty is reviewing the same data that was exfiltrated.”

Portrayal Guidance: Woetmann is the emotional grounding of the scenario. Her attachment to the R&D work makes the exfiltration real and specific rather than abstract. Use her to make the 847-file scope feel human: these are 3 years of her team’s work.


6. Investigation Timeline

Discovery Phase (T+0 to T+20): Supply Chain and Persistence

Detective / Tracker: EDR telemetry from 3 calibration workstations – calibsvc.exe spawning powershell.exe with encoded commands. Azure AD sign-in log showing svc-rdbridge-admin from HANSEN-SAP-01 IP range. Handout A reveals the update manifest with revoked certificate and bypassed OCSP check.

Protector: Network isolation decision for calibration workstations and HANSEN-SAP-01. The Collaborative Bridge dependency creates a real containment dilemma – isolating HANSEN-SAP-01 drops the bridge.

Threat Hunter: Memory forensics on HANSEN-SAP-01 using hardware-assisted enumeration. Handout B reveals the hidden kernel module, DKOM technique, and revoked certificate. The ITSM-29847 decommissioning blocker is the governance gap.


Forensic Phase (T+20 to T+70): Lateral Movement and Exfiltration Scope

Detective / Tracker: Collaborative Bridge VPN auth log (Handout C) shows 11 NTLM sessions from HANSEN-SAP-01 over 3 months with no preceding interactive logon. All 11 sessions bypassed Conditional Access via COLLBRIDGE-EXCL-003.

Protector: Credential revocation for svc-rdbridge-admin and closure of COLLBRIDGE-EXCL-003. Azure AD access log review scoping which resources were accessed on GENIX-PROD-01 and AZURE-RD-ENV-01.

Communicator: Merger advisory briefing preparation. CEO Christensen needs a defensible scope statement. The question is what can be confirmed versus what is under investigation.

Threat Hunter: 90-day traffic retrospective (Handout D) reveals 847 GB to graph-api-sync.bioanalytics.net (203.0.113.44) misclassified as Microsoft telemetry. GenixLibrary audit log shows 44 off-hours batch sessions by svc-rdbridge-admin.


Response Phase (T+70 to T+115): Regulatory and Counterintelligence

Crisis Manager: GDPR 72-hour notification decision. Datatilsynet contact (reference DT-2026-0847) requires an initial notification even before full scope is confirmed. The notification content must reflect confirmed facts and avoid speculative scope.

Communicator: CFCS and PET coordination scope. CFCS has matching indicators from 3 peer firms and wants the kernel driver artifact. PET wants a counterintelligence coordination call. Both must be handled without compromising the GDPR notification track.

All Roles: Merger data room decision. The acquisition data room packages (GenixLib-Acquisition-Package-v1 and v2) appear in the exfiltration scope. The Friday meeting cannot proceed without a position statement on R&D integrity.


7. Response Options

Highly Effective

  • Preserve memory image and kernel driver from HANSEN-SAP-01 before any isolation or reimaging – enables CFCS attribution and legal chain of custody
  • Revoke svc-rdbridge-admin credentials and close COLLBRIDGE-EXCL-003 immediately upon Pass-the-Hash confirmation – terminates active cloud R&D access
  • Assign a single GDPR notification owner and initiate the Datatilsynet notification on its own workstream – keeps regulatory clock separate from counterintelligence and commercial tracks
  • Provide the merger counterparty with a calibrated scope statement (confirmed facts + investigation caveats + confidence level) – preserves commercial trust without overstating certainty

Moderately Effective

  • Isolating calibration workstations before completing HANSEN-SAP-01 forensics – stops workstation lateral spread but leaves the primary foothold active
  • Delaying the Datatilsynet notification until exfiltration scope is fully confirmed – meets technical thoroughness goals but risks exceeding the 72-hour GDPR window
  • Briefing the merger counterparty with high-confidence estimates before completing the access log review – creates credibility risk if scope changes later

Ineffective (Common Mistakes)

  • Reimaging HANSEN-SAP-01 before capturing the memory image and kernel driver – destroys the only artifact that enables CFCS attribution and legal evidence chain
  • Conflating the GDPR notification workstream with the counterintelligence workstream – either delays notification past the 72-hour window or exposes ongoing intelligence work to Datatilsynet
  • Providing the merger counterparty with unqualified scope statements – “we have confirmed no impact” or “all R&D has been exfiltrated” without confidence levels undermines credibility when scope is revised


8. Learning Objectives

  • Recognize supply chain compromise indicators: unsigned or revoked-certificate software deployed via trusted vendor exception policies
  • Apply correct forensic sequencing: memory image and kernel driver artifact preservation before isolation, isolation before reimaging
  • Understand kernel-level persistence and why disk-based detection tools fail against DKOM rootkits
  • Identify Pass-the-Hash attack patterns: NTLM authentication without preceding interactive logon as the definitive indicator
  • Practice GDPR Article 33 notification decision-making: initial notification within 72 hours even before full scope is confirmed
  • Manage parallel stakeholder workstreams under simultaneous pressure: regulatory (Datatilsynet), counterintelligence (CFCS/PET), and commercial (merger advisor)
  • Apply merger governance discipline under security uncertainty: calibrated scope statements with documented confidence levels


9. MITRE ATT&CK Mapping

  • T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain): CaliSyncPro_v4.2.1.exe update with revoked certificate delivered via vendor portal
  • T1014 (Rootkit): Kernel-mode driver on HANSEN-SAP-01 using DKOM to mask 5 processes
  • T1550.002 (Use Alternate Authentication Material: Pass the Hash): svc-rdbridge-admin NTLM hash used via Collaborative Bridge without interactive logon
  • T1071.001 (Application Layer Protocol: Web Protocols): Drip exfiltration disguised as graph.microsoft.com telemetry via TLS SNI spoofing
  • T1078 (Valid Accounts): svc-rdbridge-admin service account used for lateral movement and cloud R&D access
  • T1562.001 (Impair Defenses: Disable or Modify Tools): DKOM hooks intercept NtQuerySystemInformation, bypassing all API-level detection tools


10. Notes for IM Customization

What worked well:

What to modify next time:

Creative player solutions:

Timing adjustments:

Merger governance decisions observed:

Regulatory decisions observed: