Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material
https://thegreggjarrett.com/pentagon-forces-emergency-shutdown-of-computer-network-handling-classified-material/
I've yet to participate in a gov't exercise in which the SIPRNET was NOT compromised by the Red Team.
One popular method was sending out floppies or thumb drives to users asking them to take a look at something. The request was socially engineered by the hacker using the users' supervisor's name. "Hey, this is so-and-so with your Cybersecurity office. We spoke to <your boss> and they said you were the right person to review this file/document/app." Once the file is opened inside the network, a trojan virus finds vulnerabilities like weak passwords. The results are posted to an unsecured web server. Once they have that posted, they can often attach a WiFi router/access point to the network - usually in a conference room where no one is present. From that connection they can access the web server and break into an account in that data.
Before the proliferation of WiFi, the hackers would just splice the classified and unclass systems together with network cables running to the router. Then they could hack into the unclass PC and use it to access the SIPRNET PC.
As these vulnerabilities are discovered, they are added to a list of holes to plug. Using MAC addresses registered on switch ports in a facility can prevent some of this, but a persistent hacker can always find ways around security, like spoofing the IP address of a valid PC and using a DoS attack or virus to take that PC offline so they can spoof the MAC address.
In essence, we assumed in every exercise that the classified network was going to be penetrated. Detection and mitigation were the key, because prevention was a myth.
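
The detection side of the port-registration point above, as an added example that is not part of the original comment: it checks MAC sightings against a port-to-MAC registration table and flags unknown devices and registered addresses that turn up on another port, including right after their home port drops. The event record, port names, MAC addresses and the 300-second window are all constructed assumptions, not a real switch log format.

```python
from collections import namedtuple

# Constructed event record for illustration; not a real switch log format.
Event = namedtuple("Event", "ts port kind mac")  # kind: "learn" or "link_down"

# Hypothetical registration table: switch port -> the one MAC allowed on it.
REGISTERED = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
    "Gi1/0/9": None,  # conference-room port with nothing registered
}

def analyze(events, registered=REGISTERED, flap_window=300):
    """Return (ts, port, reason) alerts for MAC sightings that break registration."""
    alerts = []
    last_down = {}  # port -> timestamp of its most recent link-down
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "link_down":
            last_down[ev.port] = ev.ts
            continue
        if ev.kind != "learn":
            continue
        mac = ev.mac.lower()
        # Which port, if any, is this MAC registered to?
        home = next((p for p, m in registered.items() if m == mac), None)
        if home is None:
            alerts.append((ev.ts, ev.port, "unregistered MAC"))
        elif home != ev.port:
            # A registered MAC on another port is a clone or a moved host.
            # If its home port dropped shortly before, that matches the
            # "knock the PC offline, then reuse its address" pattern.
            gap = ev.ts - last_down.get(home, float("-inf"))
            reason = ("registered MAC reappeared after home port went down"
                      if gap <= flap_window else "registered MAC on wrong port")
            alerts.append((ev.ts, ev.port, reason))
    return alerts

# Constructed sample events (timestamps in seconds).
SAMPLE = [
    Event(100, "Gi1/0/1", "learn", "00:11:22:33:44:01"),   # normal
    Event(200, "Gi1/0/9", "learn", "DE:AD:BE:EF:00:01"),   # unknown device
    Event(400, "Gi1/0/2", "link_down", None),              # registered PC drops
    Event(460, "Gi1/0/9", "learn", "00:11:22:33:44:02"),   # its MAC shows up elsewhere
    Event(5000, "Gi1/0/9", "learn", "00:11:22:33:44:01"),  # clone while owner is up
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

A registered MAC presented on its own registered port raises no alert here, which is the limit of port registration that the comment describes.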