
How the Hunt for Markus Hess Launched Today’s Data Exfiltration Defenses

By Shireen Stephenson. Published October 07, 2025.

Key takeaways: Data exfiltration

  • Long before cybercrime became a household word, Markus Hess carried out a data exfiltration campaign that Guinness World Records lists as the first documented incident of cyber espionage.
  • Clifford Stoll’s improvised session monitoring and decoy documents are widely cited as an early precursor of the honeypots and intrusion detection systems (IDS) that followed.
  • The world’s most relentless data exfiltrators are RaaS gangs, APT groups, hacktivists, and insider threat actors.
  • Top-tier security teams are relying on SIEM, UEBA, XDR, and protocol monitoring to detect data exfiltration attempts.
  • A layered defense against data exfiltration includes strategies like Zero Trust, segmentation, DLP, and CSPM.
  • LastPass augments your security shield with Zero Knowledge architecture, FIDO2 MFA, SaaS Monitoring, and SaaS Protect.

 

It all started with a 75-cent billing error.  

And a West German spy, armed with nothing but a modem, phone line, and basic hacker skills, quietly slipping into the most powerful military network on Earth.  

This early, real-world case of data exfiltration (the unauthorized transfer of data out of a system) was a campaign executed with patience and nerve. 

The year was 1986. Clifford Stoll, an astronomer turned reluctant sysadmin at Lawrence Berkeley Lab, was asked to chase down an accounting glitch.  

No one expected him to find anything. But what Stoll uncovered was far more dangerous than a misplaced decimal. It was a live wire from Berkeley Lab into ARPANET (the precursor to our modern internet) and MILNET, a packet-switched network for unclassified but sensitive military info. 

“Hunter,” as Markus Hess appeared in Berkeley Lab’s billing records, was a 25-year-old German Unix programmer who chain-smoked Benson & Hedges cigarettes. His main targets were password files and documents detailing tactical warfare plans. Stoll noticed Hess was obsessed with keywords like nuclear bomb, stealth, ICBM, SDI, and NORAD.  

What followed was a cat-and-mouse chase that later became The Cuckoo’s Egg, a New York Times bestseller detailing Stoll’s brilliant tactics in exposing a Cold War spy. 

What is data exfiltration? 

Before we get into the story of how a 75-cent error became a smoking gun, let’s define data exfiltration. It is the intentional, unauthorized transfer of data from a computer, network, or system to a destination the attacker controls. 

Unlike accidental data leaks, exfiltration involves the deliberate removal of sensitive info without permission.  

In Stoll’s story, the “cuckoo’s egg” is a metaphor borrowed from the bird: cuckoos lay their eggs in the nests of other species, tricking the hosts into hatching and feeding chicks that are not their own. 

Hess was the cuckoo. He exploited a flaw in the lab’s GNU Emacs movemail utility, which ran with superuser privileges, to drop a program of his own where the system would execute it as root. The system “hatched” the egg and fed it privileges, and Hess owned the Berkeley machine. From that foothold he used the lab’s network links as a launch point to move laterally into connected U.S. defense and research systems around the world.  

The 75-cent discrepancy that tipped Stoll off was computer time charged to an account called “Hunter” that no valid user, and no sponsoring department, could account for. The account had no legitimate owner, so no one was billed for it, and the lab’s accounting records no longer balanced. 

After meticulous research, Stoll discovered the account was being used as a springboard into sensitive military systems. That’s when he knew he wasn’t dealing with a billing error but with an intrusion.   
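Stoll’s lead was a reconciliation failure: usage that no sponsored account could explain. The script below, an added example and not code from the original article, writes that check out as an accountant would today, and adds the dormant-account test that catches a legitimate but abandoned account being driven by someone else. All records, account names, and charges are constructed for illustration and are not real Berkeley Lab data.

```python
"""Reconcile billed computer time against the account roster.

The only security-relevant idea here is that every unit of billed usage must
map to a known, sponsored account; any residue is a lead worth chasing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed accounting records: ISO timestamp, account name, dollars charged.
ACCOUNTING_LOG = """\
1986-08-14T09:12:00,astro1,0.31
1986-08-14T23:41:00,hunter,0.42
1986-08-15T02:07:00,hunter,0.33
1986-08-15T10:30:00,sysadm,0.19
1986-08-15T03:15:00,visitor7,0.12
"""

# Constructed roster: account -> (sponsoring group, last interactive login).
# A legitimate account has a sponsor who will pay for it; that is what turns
# "unpaid usage" into a security signal.
ROSTER = {
    "astro1": ("astronomy", datetime(1986, 8, 14)),
    "sysadm": ("computing", datetime(1986, 8, 15)),
    "visitor7": ("guest", datetime(1985, 11, 2)),  # long-dormant guest account
}


def parse_accounting(text):
    """Return a list of (timestamp, account, charge) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, charge = line.split(",")
        records.append((datetime.fromisoformat(ts), account, Decimal(charge)))
    return records


def reconcile(records, roster, as_of, dormant_after=timedelta(days=90)):
    """Flag usage that no roster entry explains.

    Returns (findings, unattributed): findings maps an account name to the
    reasons it was flagged; unattributed is the total charged to accounts
    absent from the roster, the modern equivalent of Stoll's 75 cents.
    """
    findings = defaultdict(list)
    unattributed = Decimal("0")
    for ts, account, charge in records:
        if account not in roster:
            findings[account].append(
                f"no roster entry: {charge} billed at {ts.isoformat()}")
            unattributed += charge
            continue
        _sponsor, last_login = roster[account]
        if as_of - last_login > dormant_after:
            findings[account].append(
                f"dormant since {last_login.date()} but active at {ts.isoformat()}")
    return dict(findings), unattributed


def audit(text=ACCOUNTING_LOG, roster=ROSTER, as_of="1986-08-15"):
    """Convenience wrapper: run the reconciliation and return the residue as text."""
    findings, residue = reconcile(parse_accounting(text), roster,
                                  datetime.fromisoformat(as_of))
    return findings, str(residue)


if __name__ == "__main__":
    found, residue = audit()
    for account, reasons in found.items():
        print(account, "->", "; ".join(reasons))
    print(f"unattributed charge: ${residue}")
```

Running it reports the two accounts worth a closer look (the unknown “hunter” and the dormant “visitor7”) and a 75-cent residue. The threshold and the roster format are assumptions; the principle, that billing, licensing, or quota data is a detection source when it refuses to balance, is the one Stoll used.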

For his part, Hess leveraged default and easily guessed passwords, and systems that never enforced stronger authentication, to gather data that he then sold to the KGB. 

In 1986, there were no off-the-shelf honeypots or intrusion detection systems (IDS) to track Hess’ movements. So, Stoll built his own. 

  • Since Hess came in over dial-up lines, Stoll borrowed some 50 terminals, printers, and personal computers and attached one to each incoming line so that every session could be captured.  
  • Stoll also fabricated documents for a fictitious “SDINET” project that Berkeley Lab was supposedly managing for a non-existent “Strategic Defense Initiative Network Office,” bait designed to keep the intruder online long enough to trace. 
  • Once he had pinned down which line Hess dialed into, Stoll left a printer attached to it so that every keystroke of every session was printed in real time. 
  • To find Hess physically, Stoll and the telephone carriers traced the connection back through Tymnet, a packet-switched network service. Working with telecom providers, the FBI, and West German authorities, Stoll eventually located Hess in Hannover, West Germany. 

According to Guinness World Records, the Hess campaign was the first documented incident of cyber espionage, and the earliest well-documented real-world case of data exfiltration. 

It was crude by today’s standards: No rootkits. No automated scanning. No AI-powered polymorphic malware. And no encrypted tunneling for data transfers. 

Instead, Hess kept detailed logs in a notebook and saved sessions on floppy disks. He used guesswork and default passwords to try infiltrating defense organizations like the White Sands Missile Range in New Mexico (a site for testing advanced missile technologies). 

Fast forward to today, and the game has changed. The players are bigger, and the stakes are just as high. 

Below, we meet the modern cybergangs who’ve turned data exfiltration into a multinational enterprise. 

Who is most likely to exfiltrate data? 

The parties most likely to exfiltrate data are RaaS groups, APT gangs, insider threat actors, and hacktivists. 

Today’s attackers are patient, strategic, and far more dangerous. 

Welcome to the era of “Harvest Now, Decrypt Later.” Attackers exfiltrate encrypted data today and sit on it, betting that a future quantum computer will break the public-key algorithms that protected it on “Q-Day.”  

And leading the charge are six of the most prolific data exfiltration groups on the planet. 

SCATTERED SPIDER (aka Octo Tempest, UNC3944) 

Origin: 

  • Primarily based in the United States and United Kingdom, with members mostly aged 19-22 
  • Also known as Octo Tempest, Scatter Swine, UNC3944, Roasted 0ktapus, and Storm-0875 

Primary industries targeted: Telecom, hospitality, gaming, retail, managed service providers (MSP), manufacturing, and financial sectors

 

SCATTERED SPIDER data exfiltration techniques:

  • Tunneling tools such as ngrok to carry stolen data out over an outbound, encrypted connection that blends in with normal HTTPS traffic, with data staged to multiple sites including cloud storage services such as MEGA 
  • DragonForce ransomware with double extortion (data is stolen before it is encrypted, then held over the victim’s head) 

AKIRA 

Origin

  • Eastern European threat group possibly linked to the defunct Conti group 
  • Active since 2023 

Primary industries targeted: Healthcare, manufacturing, critical infrastructure, hospitality, education, professional services, financial services

 

AKIRA data exfiltration techniques: 

  • Gains initial access through stolen credentials, spear phishing, exposed RDP services, and VPN appliances without multi-factor authentication 
  • Use of credential-scraping tools like Mimikatz and LaZagne 
  • Megazord, a Rust-based variant of its ransomware, alongside the original Akira encryptor 
  • Exfiltrates with ordinary file-transfer tools such as FileZilla, WinSCP, WinRAR, and RClone, and keeps command and control alive through tunneling tools such as ngrok 

ROYAL 

Origin: 

  • Active since early 2022 

Primary industries targeted: Education, manufacturing, healthcare, defense, financial services, and critical infrastructure

 

ROYAL data exfiltration techniques: 

  • Double extortion, with ransom demands ranging from $250,000 to over $2 million 
  • Targets Windows, Linux, and VMware ESXi environments 
  • Uses weak or stolen RDP (remote desktop protocol) credentials to gain initial access 
  • Exploits vulnerabilities in applications 

Use FIDO2 MFA for RDP access with LastPass Workstation MFA to protect against credential theft and data exfiltration. 

LOCKBIT 

Origin:  

  • Active since 2019 
  • Reinvented as LockBit 5.0 in 2025 

Primary industries targeted: Education, manufacturing, logistics, healthcare, government, critical infrastructure, and automotive manufacturers

 

LOCKBIT data exfiltration techniques: 

  • LockBit 5.0 improved detection evasion and data theft capabilities across Windows, Linux, and VMware ESXi environments 
  • Double extortion (demands payment both to decrypt files and to keep stolen data from being sold or published on Dark Web leak sites) 

Combine CSPM (cloud security posture management) and DLP (data loss prevention) with LastPass Dark Web Monitoring, which sends alerts if stolen credentials are found on Dark Web forums. 

QILIN (also known as AGENDA) 

Origin: 

  • Double-extortion RaaS (Ransomware-as-a-Service) group believed to have roots in Eastern Europe 
  • Active since 2022 
  • Qilin RaaS affiliates keep 80% of ransom payments under $3 million and 85% of payments above $3 million 

Primary industries targeted: Education, manufacturing, healthcare, U.S. state-local-tribal-territorial (SLTT) organizations

 

QILIN data exfiltration techniques: 

  • Uses Golang and Rust languages to create ransomware variants targeting both Windows and Linux systems 
  • Employs a PowerShell script to extract credentials from Chrome browsers and exfiltrate them to Qilin C2 (command-and-control) servers 

Even if Chrome-stored credentials are compromised, a LastPass FIDO2 MFA login still requires possession of the registered authenticator plus a local user-verification step (a biometric or PIN), so a stolen password alone is not enough. LastPass Zero Knowledge encryption also means vault data is useless to an attacker who exfiltrates it without the master password. 

FIN7 

Origin: 

  • Active since 2013 
  • Also known as GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Savage Ladybug, or Sangria Tempest 

Primary industries targeted: Hospitality, financial services, critical infrastructure, and retail 

FIN7 data exfiltration techniques: 

  • Exploitation of public-facing applications 
  • Use of OpenSSH-based proxy servers to create encrypted connections that slip past firewall rules and enable covert data exfiltration from the infected machine back to the attacker’s C2 server 
  • Increasingly targeting high-value, large organizations (“big game hunting”) with Python-based “Anubis BackDoor” malware, REvil ransomware, and DarkSide RaaS (ransomware-as-a-service) 

Combine FIDO2 MFA, LastPass SaaS Monitoring & SaaS Protect with other tools like XDR (extended detection & response) and DLP (data loss prevention) for a multi-layered defense against data exfiltration.  

While the above groups dominate headlines, they’re just one part of the data exfiltration landscape. Two other major threats are insider threat actors and hacktivists, and they operate with very different motives and methods. 

Insider threat actors: The danger within 

Who they are: 

  • Disgruntled employees seeking revenge for disciplinary actions or perceived injustice 
  • Opportunists looking to sell intellectual property or customer data for profit 
  • Corporate spies planted by competitors or rogue nation states for supply chain infiltration 

Primary industries targeted: Finance, healthcare, tech, government & defense

 

Insider threat data exfiltration techniques:

  • Copying files to USB drives 
  • Using legitimate credentials to exfiltrate data over time 
  • Exploiting poor access controls or over-privileged access 
  • Emailing sensitive documents to personal accounts 

Hacktivists: Ideology over profit 

Who they are:

  • Groups like Dark Engine, Sector 16, Z-Pentest, NoName057(16), Special Forces of the Electronic Army 

Primary industries targeted: Government agencies, law enforcement databases, corporations involved in sensitive industries like defense and pharmaceuticals, critical infrastructure

 

Hacktivist data exfiltration techniques:

  • Abusing Modbus and DNP3 (industrial protocols for exchanging operational data) where they run, as they commonly do, without authentication or encryption, to pull event logs and sensor readings out of SCADA (supervisory control & data acquisition) and ICS (industrial control system) environments 
  • Exploiting unpatched Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) for persistent access 

Before modern-day cybergangs, hacktivists, and insider threat actors, there was Markus Hess, a hacker by night and programmer by day at a small software firm in downtown Hannover, West Germany. 

Hess’ goal was simple: Help the KGB obtain access to Western aircraft tech, satellite and space research, SDI (Strategic Defense Initiative) data, and designs for high-speed integrated circuits. 

Hess was eventually arrested and tried in West Germany with his co-conspirators. He served no prison time: cybercrime law was still in its infancy, he had operated entirely from foreign soil, and the court handed down a suspended sentence, a slap on the wrist for a campaign that could have sparked a geopolitical crisis. 

His case fed an international debate about the need for targeted cybercrime legislation; in the United States, the Computer Fraud and Abuse Act of 1986 was still brand new and would be amended repeatedly over the following decade. Stoll’s account is also widely credited as an early influence on the honeypots and intrusion detection systems that followed. 

How do you detect data exfiltration? 

As can be seen, data exfiltration is a stealthy threat. And unless you’re using the right tools, you’ll never know it’s happening. 

These cutting-edge data exfiltration detection tools are your early warning system. 

Security information and event management (SIEM)

  • Correlates logs from endpoints, proxies, cloud services, and identity providers to flag unusual transfer volumes, destinations, or timing
  • Integrates with LastPass to identify suspicious login patterns or password changes that may indicate account compromise
  • Recommended tools: Splunk, Microsoft Sentinel

User and entity behavior analytics (UEBA)

  • Establishes baselines for normal user and device activity
  • Uses machine learning and statistical analysis to identify deviations from those baselines, such as a user who suddenly downloads far more than they ever have
  • Recommended tools: Exabeam, Securonix, Rapid7

Extended detection and response (XDR)

  • Tracks file access and downloads across endpoints and workloads in both on-prem and cloud environments
  • LastPass SaaS Monitoring & SaaS Protect complement XDR by detecting suspicious app logins
  • Recommended tools: SentinelOne Singularity, Sophos XDR, CrowdStrike Falcon Insight XDR

Network protocol monitoring

  • Flags unusual data flows: large outbound transfers, connections on unexpected ports, traffic to never-before-seen destinations, and protocols such as DNS carrying far more data than they should
  • Recommended tools: Zeek, Cisco Secure Network Analytics
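The UEBA and network-monitoring rows above both come down to the same two checks: baseline what a host normally sends out, and notice when it starts talking to somewhere new on a protocol the sensor cannot classify. The script below, an added example and not code from the original article or from any of the products named, runs both checks over a constructed excerpt shaped like a simplified Zeek conn.log. The hosts, byte counts, dates, and thresholds are all assumptions for illustration; real conn.log output is tab-separated and has many more fields.

```python
"""Baseline per-host outbound volume and flag first-seen destinations on
unclassified services, over a Zeek conn.log-shaped excerpt."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed excerpt, whitespace-separated: ts, id.orig_h, id.resp_h,
# id.resp_p, proto, service, orig_bytes, resp_bytes. Five quiet days, then one
# day with a 12 GB upload and a connection to a new host on an odd port that
# Zeek could not classify ("-").
CONN_LOG = """\
1759795200.0 10.0.5.23 52.1.1.10 443 tcp ssl 120000 4000000
1759881600.0 10.0.5.23 52.1.1.10 443 tcp ssl 150000 3800000
1759968000.0 10.0.5.23 52.1.1.10 443 tcp ssl 110000 4100000
1760054400.0 10.0.5.23 52.1.1.10 443 tcp ssl 130000 3900000
1760140800.0 10.0.5.23 52.1.1.10 443 tcp ssl 140000 4000000
1760227200.0 10.0.5.23 185.199.1.7 443 tcp ssl 9800000000 210000
1760227500.0 10.0.5.23 185.199.1.7 4443 tcp - 2500000000 12000
"""

KNOWN_SERVICES = {"ssl", "http", "dns", "ssh", "smtp"}


def parse_conn_log(text):
    """Parse the excerpt into dicts; the day is derived from the UNIX timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, service, obytes, _rbytes = line.split()
        day = datetime.fromtimestamp(float(ts), tz=timezone.utc).date()
        rows.append({"day": day, "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "service": service, "out": int(obytes)})
    return rows


def daily_outbound(rows):
    """src -> {day: total bytes sent by src that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        totals[r["src"]][r["day"]] += r["out"]
    return totals


def find_volume_anomalies(totals, z=3.0, floor_bytes=100_000_000, min_history=3):
    """Flag the latest day for any host whose outbound bytes exceed
    mean + z*stdev of its earlier days. floor_bytes stops a host with a tiny,
    flat baseline from alerting on a few megabytes."""
    findings = []
    for src, per_day in totals.items():
        days = sorted(per_day)
        if len(days) <= min_history:
            continue  # not enough history to baseline against
        *history, latest = days
        hist = [per_day[d] for d in history]
        mean, stdev = statistics.fmean(hist), statistics.pstdev(hist)
        threshold = max(mean + z * stdev, floor_bytes)
        if per_day[latest] > threshold:
            findings.append({"src": src, "day": latest, "bytes": per_day[latest],
                             "baseline_mean": mean, "threshold": threshold})
    return findings


def find_new_destinations(rows, known_services=KNOWN_SERVICES):
    """Flag the first time a host talks to a (dst, port) pair whose traffic the
    sensor could not classify as a known service. A reverse SSH proxy or a
    custom tunnel on an odd port shows up here; a tunnel riding TLS on 443
    (ngrok's default) will not, which is why the volume check is needed too."""
    seen = defaultdict(set)
    findings = []
    for r in sorted(rows, key=lambda r: r["day"]):
        key = (r["dst"], r["dport"])
        first_time = key not in seen[r["src"]]
        seen[r["src"]].add(key)
        if first_time and r["service"] not in known_services:
            findings.append({"src": r["src"], "dst": r["dst"], "dport": r["dport"],
                             "day": r["day"], "bytes": r["out"]})
    return findings


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    for f in find_volume_anomalies(daily_outbound(rows)):
        print(f"{f['src']} sent {f['bytes']:,} bytes on {f['day']} "
              f"(baseline mean {f['baseline_mean']:,.0f})")
    for f in find_new_destinations(rows):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} first seen {f['day']}, "
              f"unclassified service, {f['bytes']:,} bytes out")
```

On the sample, the volume check fires for the last day (12.3 GB against a baseline of about 130 KB) and the destination check fires for the unclassified connection on port 4443. A population standard deviation over a handful of days is a crude baseline; a production UEBA uses weeks of history per user and per peer group, but the shape of the logic is the same.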

 

 

How do you protect against data exfiltration? 

Every byte of stolen data is a potential lawsuit, lost customer, or PR disaster. These tools and tactics don’t just secure your systems, they also safeguard your reputation, revenues, and future. 

Data loss prevention (DLP)

  • Inspects content leaving through email, web uploads, and removable media, and blocks unauthorized transfers across both on-prem and cloud environments
  • Recommended tools: Symantec DLP, Forcepoint DLP, Nightfall DLP, Trellix DLP

Zero Trust

  • Assumes no user or device is trusted by default; every request is authenticated and authorized
  • IdP integration with LastPass supports least-privilege access policies, strengthening Zero Trust enforcement
  • Recommended tools: IdPs like Okta Identity Cloud, Microsoft Active Directory, Microsoft Entra ID

FIDO2 MFA

  • Blocks credential-based access to VPNs and RDP systems: a stolen password alone is not enough to log in
  • Recommended tools: The LastPass Authenticator and hardware security keys

Network segmentation

  • Isolates critical systems to limit lateral movement
  • Fortinet FortiGate NGFW supports physical segmentation, logical segmentation, and micro-segmentation between individual VMs in virtualized environments like VMware NSX
  • Recommended tools: Fortinet, Cisco Firepower, VMware NSX

Encryption at rest and in transit

  • Keeps sensitive data unreadable to threat actors both at rest and in transit, so exfiltrated ciphertext is useless without the keys
  • LastPass protects vault data (data at rest) with AES-256 in CBC mode and data in transit with TLS 1.3
  • Recommended tools: LastPass, TLS 1.3

Cloud security posture management (CSPM)

  • Detects misconfigurations (public storage buckets, over-permissive roles, exposed services) that create attack paths for lateral movement in cloud environments
  • Recommended tools: Wiz, SentinelOne Singularity CSPM, Palo Alto Prisma Cloud

Insider threat detection tools

  • Monitors and identifies suspicious file transfers and cloud uploads
  • Protects your source code, intellectual property, and customer data
  • Recommended tools: ObserveIT/Proofpoint Insider Threat Management, Syteca, Mimecast Incydr
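A DLP rule has two halves: classify the content, then apply a policy keyed on where it is going. The script below, an added example and not code from the original article or any DLP product, shows both halves on constructed outbound messages, including the insider pattern listed earlier of mailing sensitive documents to a personal account. It validates card numbers with the Luhn checksum so that ticket and order numbers do not trip the rule. The domain lists, the test messages, and the allow/audit/block outcomes are assumptions for illustration.

```python
"""Content-aware outbound check: Luhn-validated card numbers and SSN-shaped
strings in a message body, then a block/allow decision by destination."""
import re

CORPORATE_DOMAINS = {"example.com", "partner.example.com"}               # assumed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumed

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed messages. The card numbers are the industry's standard test
# numbers; the third message carries a 16-digit string that fails Luhn.
OUTBOUND = [
    {"to": "partner.example.com", "body": "Q3 forecast attached, see page 2."},
    {"to": "gmail.com", "body": "backup of the customer list: 4111 1111 1111 1111, 5500 0000 0000 0004"},
    {"to": "partner.example.com", "body": "ticket 4111111111111112 references an invalid card number"},
    {"to": "example.com", "body": "payroll query for 123-45-6789, please confirm"},
]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings that look like cards and pass Luhn; the checksum is what
    keeps order numbers and ticket IDs from triggering the rule."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(message):
    """Return 'allow', 'allow_with_audit', or 'block' for one outbound message."""
    cards = find_card_numbers(message["body"])
    ssns = SSN_RE.findall(message["body"])
    if not cards and not ssns:
        return "allow"
    dest = message["to"].lower()
    if dest in PERSONAL_WEBMAIL or dest not in CORPORATE_DOMAINS:
        return "block"           # sensitive content leaving for an unsanctioned domain
    return "allow_with_audit"    # sensitive content to a sanctioned domain: log it


def review(messages=OUTBOUND):
    """Decisions for a batch of messages, in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(OUTBOUND, review()):
        print(f"{verdict:17} -> {m['to']}: {m['body'][:50]}")
```

The second message (real-looking card numbers bound for personal webmail) is blocked, the third (a Luhn-invalid number) passes, and the fourth (an SSN to a sanctioned domain) is allowed but logged. Real DLP adds fingerprinting of known documents and inspection of attachments; the decision structure is the same.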

 

*Please note: The above recommendations are not a substitute for professional advice. Be sure to perform due diligence and consult with security professionals to deploy the right solutions for your specific needs and risk profiles.* 

FAQs about data exfiltration 

What’s the difference between data exfiltration and data theft? 

Data theft is any unauthorized access and taking of data. Data exfiltration specifically refers to the transfer of data to an external system. Thus, exfiltration is a form of data theft focused on covert data removal. 

How do you limit data exfiltration from endpoints?   

You can limit data exfiltration from endpoints by implementing employee awareness training, DLP tools, Zero Trust access controls, XDR (extended detection & response), and quantum-safe encryption

Can CrowdStrike detect data exfiltration? 

Yes, the CrowdStrike Falcon platform can detect data exfiltration by combining AI-powered behavioral analytics with telemetry from endpoints, cloud workloads, and identity security tools.  

Falcon Device Control also offers granular visibility into data copied to removable media like USB drives, enhancing insider threat detection and prevention. 

How do you detect DNS data exfiltration? 

DNS data exfiltration can be detected with dedicated tooling such as Palo Alto Networks Exfiltration Shield, or with your own analytics over resolver logs. In DNS tunneling, the attacker encodes stolen data into the subdomain labels of queries (hex or base32 chunks in front of a domain they control) and lets ordinary recursive resolvers forward those queries to the attacker’s authoritative name server, which records the payload. Because almost every network must allow DNS out, the traffic is rarely blocked.  

The tell-tale signals are unusually long or high-entropy labels, large numbers of unique subdomains under a single zone, one client generating far more queries than its peers, and an unusual mix of TXT or NULL record types. Detection tools score these features and block or alert on the offending domain. 
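The signals listed above are easy to compute from a resolver log. The script below, an added example and not code from the original article or from any vendor’s product, aggregates them per registered domain on a constructed query log and flags the zone that looks like a tunnel. The “registered domain” split takes the last two labels, a simplification; production code should use the Public Suffix List. The log lines, thresholds, and the hex-chunked payloads under example.net are all constructed for illustration.

```python
"""Score DNS query logs for tunnelling: long, high-entropy subdomain labels,
many unique names under one zone, and a TXT/NULL-heavy query mix."""
import math
from collections import defaultdict

# Constructed log lines: client, query type, query name. The example.net
# queries carry hex-encoded chunks in their labels, the shape tunnelling tools
# produce; the example.com queries are ordinary traffic.
DNS_LOG = """\
10.0.5.23 A www.example.com
10.0.5.23 A mail.example.com
10.0.5.41 AAAA api.example.com
10.0.5.23 A www.example.com
10.0.5.23 TXT 4d5a90000300000004000000ffff0000b8000000.0000000040000000000000000000000000000000.s1.t.example.net
10.0.5.23 TXT 0e1fba0e00b409cd21b8014ccd21546869732070.726f6772616d2063616e6e6f742062652072756e.s2.t.example.net
10.0.5.23 TXT 20696e20444f53206d6f64652e0d0d0a24000000.0000000000000000000000000000000000000000.s3.t.example.net
10.0.5.23 TXT 5045000064860600a3b1c2d3e4f5061728394a5b.6c7d8e9fa0b1c2d3e4f50617283940516273849f.s4.t.example.net
10.0.5.23 TXT 1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d.5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f7081.s5.t.example.net
"""


def shannon_entropy(s):
    """Bits per character; random hex tends toward 4.0, English words toward 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(subdomain_part, registered_domain) using the last two labels (simplified)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        rows.append((client, qtype.upper(), qname))
    return rows


def domain_stats(rows):
    """Aggregate, per registered domain, the features a tunnel detector scores."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                               "sub_len": [], "entropy": [], "txt_like": 0})
    for client, qtype, qname in rows:
        sub, reg = split_name(qname)
        a = agg[reg]
        a["queries"] += 1
        a["names"].add(qname)
        a["clients"].add(client)
        a["sub_len"].append(len(sub))
        a["entropy"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL", "CNAME"):
            a["txt_like"] += 1
    stats = {}
    for reg, a in agg.items():
        n = a["queries"]
        stats[reg] = {"queries": n, "unique_names": len(a["names"]),
                      "clients": len(a["clients"]),
                      "mean_sub_len": sum(a["sub_len"]) / n,
                      "mean_entropy": sum(a["entropy"]) / n,
                      "txt_share": a["txt_like"] / n}
    return stats


def flag_tunnels(stats, min_unique=4, len_threshold=30, entropy_threshold=3.5, txt_threshold=0.5):
    """A zone is suspicious when it receives many distinct names AND at least one
    payload-shaped feature is present. min_unique keeps a single odd lookup from
    alerting; the other thresholds are starting points to tune on your own logs."""
    flagged = []
    for reg, s in stats.items():
        if s["unique_names"] < min_unique:
            continue
        reasons = []
        if s["mean_sub_len"] >= len_threshold:
            reasons.append(f"mean subdomain length {s['mean_sub_len']:.0f}")
        if s["mean_entropy"] >= entropy_threshold:
            reasons.append(f"mean label entropy {s['mean_entropy']:.2f}")
        if s["txt_share"] >= txt_threshold:
            reasons.append(f"TXT/NULL share {s['txt_share']:.0%}")
        if reasons:
            flagged.append((reg, reasons))
    return flagged


if __name__ == "__main__":
    for reg, reasons in flag_tunnels(domain_stats(parse_dns_log(DNS_LOG))):
        print(reg, "->", "; ".join(reasons))
```

On the sample, example.net is flagged on label length and TXT share (and on entropy, since the chunks are hex) while example.com is not. Counting unique names rather than raw queries matters: tunnels must vary the name on every request to defeat caching, which is exactly what makes them stand out.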

How much does data exfiltration cost? 

The cost of data exfiltration varies, but it often runs to millions in financial losses, ransom payments, and legal fees. IBM’s 2025 Cost of a Data Breach report puts the global average cost of a breach at $4.44 million. 

What is anti-data exfiltration (ADX)? 

Anti-data exfiltration (ADX) is a technique designed to prevent unauthorized data from leaving a device. It was pioneered as a lightweight, AI-driven solution by BlackFog to prevent direct on-device data exfiltration. 

Interested in another layer of security against data exfiltration? Read how Axxor, a world-renowned manufacturer, transformed their business with robust identity controls like FIDO2 MFA, SSO, SaaS Monitoring, and SaaS Protect.  

Then, unlock the same benefits with your free trial of Business Max today (no credit card required).   

“It’s smart, secure, and it just works.” (Wout Zwiep, Axxor Process Engineer)

 

Sources: 

https://archive.nytimes.com/www.nytimes.com/books/99/01/03/specials/stoll-egg.html

https://historyofdomainnames.com/milnet-the-history-of-domain-names/

Stoll, Clifford. (1989). The Cuckoo’s Egg: Inside the world of computer espionage. Doubleday. 

https://www.guinnessworldrecords.com/world-records/612868-first-incident-of-cyber-espionage

https://www.node-magazine.com/thoughtleadership/harvest-now-decrypt-later-the-looming-quantum-threat

https://dailysecurityreview.com/ransomware/qilin-ransomware-now-steals-credentials-from-chrome-browsers/

https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025

https://attack.mitre.org/groups/G0046/

https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html

https://www.akamai.com/glossary/what-is-royal-ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

https://cyberpress.org/hacktivist-groups-target-critical-ics-systems/

https://www.insiderisk.io/research/insider-threat-trends-2025
