The threat-modelling exercise stresses grounding each scenario in a real, documented incident. Using the 2015 German Bundestag hack as an example, what kind of incident illustrates a state-sponsored "espionage" cell?
The 2015 compromise of the German Federal Parliament's (Bundestag's) IT — an APT28-linked state-sponsored espionage operation that later drew EU sanctions — illustrates the state-sponsored / government / espionage cell.
APT28 (a Russian state-linked group) penetrated the Bundestag network and exfiltrated data; the EU eventually imposed sanctions on individuals and a body involved. WHY use real cases: anchoring each Threat Matrix cell to a verifiable, sourced incident keeps the modelling honest. It proves the threat is not hypothetical, gives the board a concrete reference, and lets you study the actual tactics used rather than inventing an unrealistic attack.
Go deeper:
Hackerangriffe auf den Deutschen Bundestag (Wikipedia DE) — Dokumentiert den APT28/Sofacy-Angriff 2015, die Datenexfiltration und die EU-Sanktionen.