Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
|
Key takeaways: Data exfiltration |
|
It all started with a 75-cent billing error.
And a West German spy, armed with nothing but a modem, phone line, and basic hacker skills, quietly slipping into the most powerful military network on Earth.
This early, real-world example of data exfiltration (the illegal transfer of data) was a campaign executed with daring and calm.
The year was 1986. Clifford Stoll, an astronomer turned reluctant sysadmin at Lawrence Berkeley Lab, was asked to chase down an accounting glitch.
No one expected him to find anything. But what Stoll uncovered was far more dangerous than a misplaced decimal. It was a live wire from Berkeley Lab into ARPANET (the precursor to our modern internet) and MILNET, a packet-switched network for unclassified but sensitive military info.
“Hunter,” as Markus Hess was known in Berkeley Lab’s billing records, was a 25-year-old German Unix programmer who chain-smoked Benson & Hedges cigarettes. His main targets were password files and documents detailing tactical warfare plans. Stoll noticed Hess was obsessed with keywords like nuclear bomb, stealth, ICBM, SDI, and Norad.
What followed was a cat-and-mouse chase that later became The Cuckoo’s Egg, a New York Times bestseller detailing Stoll’s brilliant tactics in exposing a Cold War spy.
What is data exfiltration?
Before we get into the story of how a 75-cent error became a smoking gun, let’s define data exfiltration. This is the intentional, unauthorized transfer of data from a computer, network, or system to an external attacker-controlled server.
Unlike accidental data leaks, exfiltration involves the deliberate removal of sensitive info without permission.
In Stoll’s story, the term “cuckoo’s egg” is a metaphor describing the habit of cuckoo birds laying their eggs in the nests of other avian species. This was how they tricked other birds into raising their chicks.
Hess was the cuckoo who planted his “egg” program in Berkeley’s network, letting the system “hatch” it and “feed it privileges.” This allowed him to make lateral movements into connected U.S. defense networks across the world.
The 75-cent error that tipped Stoll off was linked to an unauthorized user called “Hunter” (Hess), who was billed for computer time at Berkeley Labs. And Hess was only flagged because his account didn’t match any legitimate user profile, and no one had paid the bill.
After meticulous research, Stoll discovered the account was being used to access sensitive military defense systems. That’s when he knew he wasn’t dealing with a simple billing error but an intrusion.
For his part, Hess was able to leverage default passwords and weak authentication protocols to exfiltrate data to his KGB handlers.
In 1986, there were no digital honeypots or intrusion detection systems (IDS) to track Hess’ movements. So, Stoll created his own.
- Since Hess relied on dial-up connections to access Berkeley’s network, Stolle set up a honeypot with 50 devices – teletypes, printers, and computers – connected to phone lines.
- Stoll also invented a fake computer network Berkeley Labs was supposedly managing for a non-existent “Strategic Defense Initiative Network Office.”
- Eventually, Stoll was able to pin down which phone line Hess used to dial in. He then connected a printer to the phone line so that every time Hess logged in, the printer would print the session in real time.
- To find Hess physically, Stoll tracked the hacker’s dial-up connections through Tymnet, a packet-switched network service. Working with telecom providers, the FBI, and West German authorities, Stoll eventually located Hess in Hannover, West Germany.
According to the Guiness Book of Records, the Hess campaign was the first documented real-world example of cyber data exfiltration.
It was crude by today’s standards: No rootkits. No automated scanning. No AI-powered polymorphic malware. And no encrypted tunneling for data transfers.
Instead, Hess kept detailed logs in a notebook and saved sessions on floppy disks. He used guesswork and default passwords to try infiltrating defense organizations like the White Sands Missile Range in New Mexico (a site for testing advanced missile technologies).
Fast forward to today, and the game has changed. The players are bigger, and the stakes are just as high.
Below, we meet the modern cybergangs who’ve turned data exfiltration into a multinational enterprise.
Who is most likely to exfiltrate data?
The parties most likely to exfiltrate data are RaaS groups, APT gangs, insider threat actors, and hacktivists.
Today’s attackers are patient, strategic, and far more dangerous.
Welcome to the era of “Steal Now, Decrypt Later.” This is where attackers exfiltrate your data and sit on it, waiting for quantum computers to break trusted encryption algorithms on “Q-Day.”
And leading the charge are six (6) of the most sophisticated data exfiltration groups on the planet.
SCATTERED SPIDER (aka Octo Tempest UNC 3944)
Origin:
- Primarily based in the United States and United Kingdom, with members mostly aged 19-22
- Active since at least 2022
- Also known as Octo Tempest, Scatter Swine, UNC 3944, Roasted Oktapus, and Storm-0875
Primary industries targeted: Telecom, hospitality, gaming, retail, managed service providers (MSP), manufacturing, and financial sectors
SCATTERED SPIDER data exfiltration techniques:
- Tools like ngrok to create secure, encrypted tunnels for data exfiltration to Scattered Spider C2 servers
- Spear phishing, vishing, and use of credentials from Dark Web purchases to gain initial access
- Use of SIM swapping to obtain credentials
- Use of credential stealers like Raccoon Stealer and VIDAR Stealer
- DragonForce ransomware + double extortion
AKIRA
Origin
- Eastern European threat group possibly linked to the defunct Conti group
- Active since 2023
Primary industries targeted: Healthcare, manufacturing, critical infrastructure, hospitality, education, professional services, financial services
AKIRA data exfiltration techniques:
- Gains initial access through stolen credentials, spear phishing, RDP systems, and VPNs without multi-factor authentication
- Use of kerberoasting (an attack that exploits the Kerberos protocol in Active Directory) to extract credentials stored in the AD LSASS, a Windows process responsible for handling user logins
- Use of credential-scraping tools like Mimikatz and LaZagne
- Megazord ransomware
- Tools like ngrok to create secure, encrypted tunnels for data exfiltration to Akira C2 servers
ROYAL
Origin:
- Believed to be composed of former members of defunct group Conti Team One
- Active since early 2022
- Rebranded as “BlackSuit” in 2024
Primary industries targeted: Education, manufacturing, healthcare, defense, financial services, and critical infrastructure
ROYAL data exfiltration techniques:
- Double extortion, with ransom demands ranging from $250,000 to over $2 million
- Targets Windows, Linux, and VMware ESXi environments
- Deploys trojans
- Employs malvertising through Google ads
- Uses weak or stolen RDP (remote desktop protocol) credentials to gain initial access
- Exploits vulnerabilities in applications
Use FIDO2 MFA for RDP access with LastPass Workstation MFA to protect against credential theft and data exfiltration.
LOCKBIT
Origin:
- Eastern European Ransomware-as-a-Service (RaaS) group
- Active since 2019
- Leadership team and infrastructure severely disrupted by Operation Cronos in Feb 2024
- Reinvented as Lockbit 5.0 in 2025
Primary industries targeted: Education, manufacturing, logistics, healthcare, government, critical infrastructure, and automotive manufacturers
LOCKBIT data exfiltration techniques:
- LockBit 5.0 improved detection evasion and advanced data theft capabilities across Windows, Linux, and VMware ESXi environments
- Double extortion (demands payment to decrypt stolen files and prevent data from being sold on Dark Web sites)
Combine CSPM (cloud security posture management) and DLP (data loss prevention) with LastPass Dark Web Monitoring, which sends alerts if stolen credentials are found on Dark Web forums
QILIN (also known as AGENDA)
Origin:
- Double-extortion RaaS (Ransomware-as-a-Service) group believed to have roots in Eastern Europe
- Active since 2022
- Qilin RaaS affiliates earn 80% on ransom demands < $3 million and 85% on ransom demands > $3 million
Primary industries targeted: Education, manufacturing, healthcare, U.S. state-local-tribal-territorial (SLTT) organizations
QILIN data exfiltration techniques:
- Uses Golang and Rust languages to create ransomware variants targeting both Windows and Linux systems
- Employs a PowerShell script to extract credentials from Chrome browsers and exfiltrate them to Qilin C2 (command-and-control) servers
- Targets exposed RDP (remote desktop protocol) servers and VPN portals lacking multi-factor authentication
Even if Chrome credentials are compromised, LastPass FIDO2 MFA logins require both biometric verification and physical access to a registered device (which makes unauthorized access more difficult). LastPass Zero Knowledge encryption also protects data from being exploited if it’s exfiltrated.
FIN7
Origin:
- Financially motivated APT (advanced persistent threat) group operating out of Eastern Europe
- Active since 2013
- Also known as GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Savage Ladybug, or Sangria Tempest
Primary industries targeted: Hospitality, financial services, critical infrastructure, and retail
FIN7 data exfiltration techniques:
- Exploitation of public-facing applications
- Use of OpenSSH proxy servers to create secure, encrypted connections that bypass firewalls and enables covert data exfiltration from the infected machine back to the attacker’s C2 server
- Increasingly targeting high-value, large organizations (“big game hunting”) with Python-based “Anubis BackDoor” malware, REvil ransomware, and DarkSide RaaS (ransomware-as-a-service)
Combine FIDO2 MFA, LastPass SaaS Monitoring & SaaS Protect with other tools like XDR (extended detection & response) and DLP (data loss prevention) for a multi-layered defense against data exfiltration.
While the above groups dominate headlines, they’re just one part of the data exfiltration landscape. Two other major threats are insider threat actors and hacktivists, and they operate with very different motives and methods.
Insider threat actors: The danger within
Who they are:
- Disgruntled employees seeking revenge for disciplinary actions or perceived injustice
- Opportunists looking to sell intellectual property or customer data for profit
- Corporate spies planted by competitors or rogue nation states for supply chain infiltration
Primary industries targeted: Finance, healthcare, tech, government & defense
Insider threat data exfiltration techniques:
- Copying files to USB drives
- Using legitimate credentials to exfiltrate data over time
- Exploiting poor access controls or over-privileged access
- Emailing sensitive documents to personal accounts
Hacktivists: Ideology over profit
Who they are:
- Groups like Dark Engine, Sector 16, Z-Pentest, NoName057(16), Special Forces of the Electronic Army
- Anti-Western or anti-NATO activists protesting geopolitical power structures
Primary industries targeted: Government agencies, law enforcement databases, corporations involved in sensitive industries like defense and pharmaceuticals, critical infrastructure
Hacktivist data exfiltration techniques:
- Deploying botnets for service disruptions and credential harvesting
- Targeting insecure versions of Modbus and DNP3 (industrial protocols for exchanging operational data) to exfiltrate event logs and censor readings from SCADA (supervisory control & data acquisition) and ICS (industrial control system) environments
- Exploiting unpatched Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) for persistent access
Before modern-day cybergangs, hacktivists, and insider threat actors, there was Markus Hess, a hacker by night and programmer by day at a small software firm in downtown Hannover, West Germany.
Hess’ goal was simple: Help the KGB obtain access to Western aircraft tech, satellite and space research, SDI (Strategic Defense Initiative) data, and designs for high-speed integrated circuits.
Hess was arrested in 1988 and charged along with four other co-conspirators. However, he didn’t serve any actual jail time, due to the lack of cybercrime legislation and the fact that he operated from foreign soil. In the end, Hess received a suspended sentence, a slap-on-the-wrist for a crime that could have sparked a geopolitical crisis.
His case sparked an international discussion about the need for targeted cybercrime legislation and led to new amendments to the 1986 Computer Fraud and Abuse Act (CFAA). It also spurred the creation of modern intrusion detection systems, honeypots, and firewalls.
How do you detect data exfiltration?
As can be seen, data exfiltration is a stealthy threat. And unless you’re using the right tools, you’ll never know it’s happening.
These cutting-edge data exfiltration detection tools are your early warning system.
|
Detection method |
Description |
Recommended tools |
|
Security information and event management (SIEM) |
-Monitors traffic for suspicious file transfers
-Integrates with LastPass to identify suspicious login patterns or password changes that may indicate account compromise |
Splunk, Microsoft Sentinel |
|
User behavior analytics (UEBA) |
-Establishes baselines for normal user activity
-Uses machine learning and advanced analytics to identify deviations from those baselines |
Exabeam, Securonix, Rapid7 |
|
Extended detection and response (XDR) |
-Tracks file access and downloads across endpoints and workloads in both on-prem and cloud environments
-LastPass SaaS Monitoring & SaaS Protect complements XDRs to detect suspicious app logins |
SentinelOne Singularity, Sophos XDR, CrowdStrike Falcon Insight XDR |
|
Network protocol monitoring |
-Flags unusual data flows across open ports |
Zeek, Cisco Secure Network Analytics
|
How do you protect against data exfiltration?
Every byte of stolen data is a potential lawsuit, lost customer, or PR disaster. These tools and tactics don’t just secure your systems, they also safeguard your reputation, revenues, and future.
|
Protection strategy |
Description |
Recommended tools and practices |
|
Data loss prevention (DLP) |
Blocks unauthorized data transfers across both on-prem and cloud environments |
Symantec DLP, Forcepoint DLP, Nightfall DLP, Trellix DLP |
|
Zero Trust |
-Assumes no user or device is trusted by default
-IdP integration with LastPass supports least privilege access policies, enhancing Zero Trust enforcement |
IdPs like Okta Identity Cloud, Microsoft Active Directory, Microsoft Entra ID |
|
Prevents suspicious credential-based access to VPNs and RDP systems |
The LastPass Authenticator and hardware security keys | |
|
Network segmentation |
-Isolates critical systems to limit lateral movement
-Fortinet FortiGate NGFW supports physical segmentation, logical segmentation, and micro-segmentation between individual VMs in virtualized environments like VMWare NSX |
Fortinet, Cisco Firepower, VMWare NSX |
|
Encryption at rest and in transit |
-Ensures sensitive data is unreadable to threat actors at rest and in transit
-LastPass protects vault data (data at rest) with AES-CBC-256 and data in transit with TLS 1.3 |
LastPass, TLS 1.3 |
|
Cloud security posture management (CSPM) |
-Detects misconfigurations that create attack paths for lateral movement in cloud environments |
Wiz, SentinelOne Singularity CSPM, Palo Alto Prisma Cloud |
|
Insider threat detection tools |
-Monitors and identifies suspicious file transfers and cloud uploads
-Protects your source code, intellectual property, and customer data |
ObserveIT/Proofpoint Insider Threat Management, Syteca, Mimecast Incydr |
*Please note: The above recommendations are not a substitute for professional advice. Be sure to perform due diligence and consult with security professionals to deploy the right solutions for your specific needs and risk profiles. For LastPass support, click here. *
FAQs about data exfiltration
What’s the difference between data exfiltration and data theft?
Data theft is any unauthorized access and taking of data. Data exfiltration specifically refers to the transfer of data to an external system. Thus, exfiltration is a form of data theft focused on covert data removal.
How do you limit data exfiltration from endpoints?
You can limit data exfiltration from endpoints by implementing employee awareness training, DLP tools, Zero Trust access controls, XDR (extended detection & response), and quantum-safe encryption.
Can CrowdStrike detect data exfiltration?
Yes, the CrowdStrike Falcon platform can detect data exfiltration by combining AI-powered behavioral analytics with telemetry from endpoints, cloud workloads, and identity security tools.
Falcon Device Control also offers granular visibility into data copied to removable media like USB drives, enhancing insider threat detection and prevention.
How do you detect DNS data exfiltration?
DNS data exfiltration can be detected via tools like Palo Alto Networks Exfiltration Shield. In DNS relay attacks, threat actors try to sneak stolen data out by hiding it inside normal web traffic sent to trusted websites.
In turn, these websites unknowingly forward the stolen data to attacker controlled C2 servers inside a relay. This “tunneling” disguises the data exfiltration, and the Palo Alto Exfiltration Shield identifies and interrupts it.
How much does data exfiltration cost?
The cost of data exfiltration varies but often includes millions in financial losses, ransom payments, and legal fees. In 2025, the average cost of data exfiltration is $4.44 million.
What is anti-data exfiltration (ADX)?
Anti-data exfiltration (ADX) is a technique designed to prevent unauthorized data from leaving a device. It was pioneered as a lightweight, AI-driven solution by BlackFog to prevent direct on-device data exfiltration.
Interested in another layer of security against data exfiltration? Read how Axxor, a world-renowned manufacturer, transformed their business with robust identity controls like FIDO2 MFA, SSO, SaaS Monitoring, and SaaS Protect.
Then, unlock the same benefits with your free trial of Business Max today (no credit card required).
It’s smart, secure, and it just works.” (Wout Zwiep, Axxor Process Engineer)
Sources:
https://archive.nytimes.com/www.nytimes.com/books/99/01/03/specials/stoll-egg.html
https://historyofdomainnames.com/milnet-the-history-of-domain-names/
Stoll, Clifford. (1989). The Cuckoo’s Egg: Inside the world of computer espionage. Doubleday.
https://www.guinnessworldrecords.com/world-records/612868-first-incident-of-cyber-espionage
https://www.node-magazine.com/thoughtleadership/harvest-now-decrypt-later-the-looming-quantum-threat
https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025
https://attack.mitre.org/groups/G0046/
https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html
https://www.akamai.com/glossary/what-is-royal-ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
https://cyberpress.org/hacktivist-groups-target-critical-ics-systems/
https://www.insiderisk.io/research/insider-threat-trends-2025
Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
