I will add, I've undergone various security-focused corporate trainings over the years, once our trainer was a retired Airman, formerly attached to the NSA.
Had had one and exactly one story he was allowed to share with us, and that was incredibly vague like the article. "We infected the target's mother's PC, when the target was fixing the machine we had an asset fake a crisis prompting the target to (stupidly) access a target machine from the mother's infected PC." As he explained, this was all he was authorized to share. The reality is there is very little they can share without prior clearance from the agency, and this is a non-trivial process.
