
Add 2025 threat scenarios based on real-world incidents #2

Merged: joris-decombe merged 1 commit into main from feature/add-2025-threat-scenarios on Dec 23, 2025

Conversation

@joris-decombe (Owner)

Summary

This PR adds three new cybersecurity threat scenarios to the Rolls & Responders app, based on real-world incidents from 2024-2025:

  • The "Deepfake" CFO (Easy) - AI-driven Business Email Compromise using deepfake video calls
    • Based on the Arup case (Hong Kong, Feb 2024) where $25M was fraudulently transferred
    • Scenario code: 1461
  • The Poisoned Package (Medium) - Software supply chain attack via NPM/PyPI typosquatting
    • Based on XZ Utils backdoor (CVE-2024-3094) and Polyfill.io compromise
    • Scenario code: 3164
  • Hypervisor Ransomware (Hard) - VMware ESXi/Hyper-V ransomware with double extortion
    • Based on ESXiArgs and Akira ransomware campaigns (2024)
    • Scenario code: 5126

All scenarios include:

  • Full multi-language support (English and French)
  • 3 turns (Pre-incident, Response, Recovery)
  • Appropriate injects from the NCSC manual
  • Real-life references for facilitators
  • Difficulty ratings aligned with current threat landscape

Changes

  • Added new scenario definitions to src/scenarios.js
  • Added translations to src/locales/en.json and src/locales/fr.json
  • Updated scenario IDs list to include new scenarios

Test Plan

  • Verify all three new scenarios appear in the scenario selection screen
  • Test each scenario in facilitator view - confirm all turns display correctly
  • Test each scenario in player view - confirm public text displays, facilitator info hidden
  • Verify injects trigger correctly for each scenario
  • Test language switching (EN/FR) for all new scenarios
  • Confirm scenario codes display correctly

Add three new cybersecurity tabletop exercise scenarios reflecting
2024-2025 threat trends:

1. The "Deepfake" CFO (Code: 1461, Easy)
   - AI-driven Business Email Compromise scenario
   - Based on Arup case (Hong Kong, Feb 2024)
   - Includes injects for scammer calls and connectivity disruption

2. The Poisoned Package (Code: 3164, Medium)
   - Software supply chain attack scenario
   - Based on XZ Utils backdoor and Polyfill.io incidents
   - Features typosquatting and delayed malware execution

3. Hypervisor Ransomware (Code: 5126, Hard)
   - Virtualization layer ransomware with double extortion
   - Based on ESXiArgs and Akira ransomware campaigns
   - Demonstrates advanced persistent threat tactics

All scenarios include:
- Full English and French translations
- 3 turns (Pre-Incident, Response, Recovery)
- 2 scenario-specific injects
- Real-life incident references for facilitators
- NCSC NZ Rolls & Responders format compliance

Updated files:
- src/locales/en.json: English translations
- src/locales/fr.json: French translations
- src/scenarios.js: Scenario definitions and IDs

Tested with npm run lint and npm run build.
@joris-decombe joris-decombe merged commit 36ddf0d into main Dec 23, 2025
1 check passed
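The test plan in the PR description is a manual checklist. As an added example that is not code from the Rolls & Responders project, the script below turns three of those checks into something `node` can run before merge: scenario codes must be unique four-digit numbers, every scenario needs its strings in both locale tables (so EN/FR switching cannot land on a missing key), and the player view must carry no facilitator-only text. The data shape (a `scenarios` array, `scenario.<id>.<field>` keys in the locale tables, the field names `title`, `public` and `facilitator`) is assumed for the example; the real `src/scenarios.js` and `src/locales/*.json` may be laid out differently, and the sample strings are constructed.

```javascript
// Added example, not code from the Rolls & Responders repository. The data
// layout (scenarios array, "scenario.<id>.<field>" locale keys, the field
// names title/public/facilitator) is ASSUMED; the real files may differ.

const LOCALES = ["en", "fr"]; // the two languages the PR adds
const REQUIRED_FIELDS = ["title", "public", "facilitator"]; // assumed field names
const PLAYER_VISIBLE = new Set(["title", "public"]); // facilitator text stays hidden
const EXPECTED_TURNS = 3; // Pre-incident, Response, Recovery

// Constructed sample definitions using the scenario codes stated in the PR.
const scenarios = [
  { id: "deepfakeCfo", code: 1461, difficulty: "easy", turns: 3 },
  { id: "poisonedPackage", code: 3164, difficulty: "medium", turns: 3 },
  { id: "hypervisorRansomware", code: 5126, difficulty: "hard", turns: 3 },
];

// Constructed sample locale tables. The French table deliberately lacks one
// facilitator key so the parity check has something to report.
const locales = {
  en: {
    "scenario.deepfakeCfo.title": 'The "Deepfake" CFO',
    "scenario.deepfakeCfo.public": "Finance receives an urgent video call from the CFO.",
    "scenario.deepfakeCfo.facilitator": "Reference: Arup, Hong Kong, Feb 2024.",
    "scenario.poisonedPackage.title": "The Poisoned Package",
    "scenario.poisonedPackage.public": "A build pulls in an unfamiliar dependency.",
    "scenario.poisonedPackage.facilitator": "Reference: XZ Utils backdoor, Polyfill.io.",
    "scenario.hypervisorRansomware.title": "Hypervisor Ransomware",
    "scenario.hypervisorRansomware.public": "Every VM on the cluster is unreachable.",
    "scenario.hypervisorRansomware.facilitator": "Reference: ESXiArgs, Akira.",
  },
  fr: {
    "scenario.deepfakeCfo.title": 'Le directeur financier "deepfake"',
    "scenario.deepfakeCfo.public": "La finance reçoit un appel vidéo urgent du directeur financier.",
    "scenario.deepfakeCfo.facilitator": "Référence : Arup, Hong Kong, février 2024.",
    "scenario.poisonedPackage.title": "Le paquet empoisonné",
    "scenario.poisonedPackage.public": "Un build récupère une dépendance inconnue.",
    "scenario.poisonedPackage.facilitator": "Référence : porte dérobée XZ Utils, Polyfill.io.",
    "scenario.hypervisorRansomware.title": "Rançongiciel sur hyperviseur",
    "scenario.hypervisorRansomware.public": "Toutes les VM du cluster sont injoignables.",
    // "scenario.hypervisorRansomware.facilitator" omitted on purpose
  },
};

// Runs the automated checks and returns a de-duplicated list of problems;
// an empty list means definitions and translations are consistent.
function checkScenarios(defs, tables) {
  const problems = [];
  const codeOwner = new Map();
  for (const s of defs) {
    if (!Number.isInteger(s.code) || s.code < 1000 || s.code > 9999) {
      problems.push(`${s.id}: code ${s.code} is not a four-digit number`);
    }
    if (codeOwner.has(s.code)) {
      problems.push(`${s.id}: code ${s.code} already used by ${codeOwner.get(s.code)}`);
    } else {
      codeOwner.set(s.code, s.id);
    }
    if (s.turns !== EXPECTED_TURNS) {
      problems.push(`${s.id}: expected ${EXPECTED_TURNS} turns, found ${s.turns}`);
    }
    for (const loc of LOCALES) {
      for (const field of REQUIRED_FIELDS) {
        const key = `scenario.${s.id}.${field}`;
        const text = tables[loc] ? tables[loc][key] : undefined;
        if (typeof text !== "string" || text.trim() === "") {
          problems.push(`${s.id}: missing ${loc} translation for ${key}`);
        }
      }
    }
  }
  // Locale parity: a key present in any table must be present in all of them,
  // which also catches strings that exist in one language only.
  const allKeys = new Set(LOCALES.flatMap((loc) => Object.keys(tables[loc] || {})));
  for (const loc of LOCALES) {
    for (const key of allKeys) {
      if (!Object.prototype.hasOwnProperty.call(tables[loc] || {}, key)) {
        problems.push(`locale ${loc}: missing key ${key}`);
      }
    }
  }
  return [...new Set(problems)];
}

// What the player screen may render. Facilitator text is dropped here, at the
// data boundary, rather than hidden by the UI, so a template or CSS mistake
// cannot leak it to players.
function playerView(s, tables, loc) {
  const view = { id: s.id, code: s.code, difficulty: s.difficulty };
  for (const field of REQUIRED_FIELDS) {
    if (PLAYER_VISIBLE.has(field)) {
      view[field] = tables[loc][`scenario.${s.id}.${field}`] || "";
    }
  }
  return view;
}

// Stand-alone run: print findings so a CI step can gate on the output.
const findings = checkScenarios(scenarios, locales);
for (const p of findings) console.log("PROBLEM:", p);
console.log(findings.length === 0 ? "all checks passed" : `${findings.length} problem(s)`);
```

Run it with `node check-scenarios.js` after editing the locale files; with the sample data it reports the missing French facilitator string twice (once from the per-scenario check, once from the parity check) and passes once that key is added. Dropping facilitator fields in `playerView` rather than hiding them client-side is the design choice worth keeping if the app ever serves player and facilitator screens from the same data.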