What is the most likely thing the attacker has done or will do, given the extent of penetration?

What is the most dangerous or destructive thing the attacker could do, given the extent of penetration

What will it take to disrupt the attackers, deny them the ability to operate in the IT environment, and regain cybersecurity control?