Year 1986 – Dr Cliff Stoll & The Cuckoo’s Egg
Introduction
Have you ever experienced the thrill of stumbling upon something extraordinary while searching for something seemingly insignificant? Like sifting through a pile of sand for a lost coin only to unearth an entire treasure trove. This tale of unexpected discovery mirrors the remarkable experience of Dr. Cliff Stoll in 1986.
Dr. Clifford “Cliff” Stoll boasts a diverse array of accomplishments, having worn many hats throughout his career. He has operated a radio station, worked as an engineer and a teacher, and explored the cosmos as an astronomer. Yet one particularly illustrious achievement stands out. Stoll gained widespread recognition as the systems administrator at Lawrence Berkeley National Laboratory after he accidentally uncovered the presence of a hacker within the system he managed. Interesting, isn’t it?
This captivating narrative has captured the imagination of audiences worldwide. The story has even inspired the production of a television documentary titled “The KGB, the Computer, and Me.” Let’s read further to know what makes this story so captivating and unique.
The Cyber-Sleuth: Dr. Cliff Stoll
With a Ph.D. in Astronomy, Dr. Cliff Stoll had undertaken the task of designing telescope optics for the Keck Observatory. He worked on this project at Lawrence Berkeley Lab, applying his expertise to advance astronomical research and technology. Unfortunately, a lack of grant funding cut short his project. However, Lawrence Berkeley National Laboratory gave him a new opportunity by transferring him to the computer center in the building. Here, he began working as a computer systems manager.
During the 1980s, computers and ARPANET were new, used mainly by tech enthusiasts, spies, and organizations like NASA. Lawrence Berkeley National Laboratory had advanced computers leased for $300 per hour to access ARPANET. In an interview, Stoll described their equipment: Sun workstations with 100 megabytes of disk space and 128 kilobytes of memory. These systems operated at a speed of 8 megahertz, which counted as advanced for the time. He contrasted this with the present-day power of smartphones, which are exponentially more capable. Additionally, the laboratory housed 50 external disk drives, each with an 80-megabyte capacity and each the size of a washing machine. In operation they sounded like washing machines too, reflecting the technology of the time.
How 75 Cents Led Dr. Cliff Stoll to a Hacker
At Lawrence Berkeley National Laboratory, meticulous accounting was a point of pride, with monthly reports consistently error-free. However, this ended when Stoll’s manager, Dave Cleveland, found a tiny 75-cent discrepancy in one report, halting the streak. Determined to rectify the situation, Cleveland tasked Stoll with investigating the anomaly and recovering the missing amount.
In the course of his investigation, Stoll uncovered an unusual situation involving the leasing of computing time. Each user had an assigned account number for billing. However, an account named “Hunter” had attempted unauthorized access to the system. Recognizing this as suspicious activity, Stoll promptly deactivated the “Hunter” account. Yet, his actions triggered an unexpected consequence. An email notification revealed that one of the laboratory’s computers had attempted to breach another system. This revelation hinted at a potential security breach, prompting Stoll to dig deeper into the matter.
Dr. Cliff Stoll’s Great Reveal
As Stoll began his investigation, he traced the attempted breach back to the account of a local professor named Joe Sventek. However, Stoll quickly realized that Sventek couldn’t have been responsible, as he was out of town during the incident and lacked access to the laboratory’s computers. Suspecting that someone else was using the professor’s account, possibly a university graduate student, Stoll devised a plan.
To catch the culprit, Stoll set up a trap. He programmed his computer to emit a beep whenever someone attempted to access the professor’s account. Vigilantly monitoring the system, Stoll observed each connection, particularly those made through teletype sessions. When the professor’s account was accessed, it became evident that the connection did not originate from a local terminal but instead came through one of the 50 modems via a dial-up session.
This discovery confirmed that an unauthorized individual was attempting to gain entry into the system, indicating a potential compromise of security. Moreover, it suggested that the hackers possessed considerable knowledge of the UNIX System V and its internal workings, providing them with an advantage in exploiting vulnerabilities and elevating their privileges within the system.
Given their expertise with the UNIX System, the hackers managed to obtain access to all the passwords and deleted the encrypted ones, allowing them to enter the computer without needing a password. Recognizing the gravity of the situation, Stoll understood that the hackers could cover their tracks by erasing all evidence of their activities.
To counter this, Stoll devised a proactive measure: he installed a pager system that would immediately notify him whenever the hacker connected to the system. This allowed him to respond swiftly and monitor the intruder’s actions in real time. However, the threat extended beyond mere intrusion into LBL’s computers. The hackers were using the lab’s network to access other computer systems, including military ones located in Anniston, Alabama.
This revelation underscored the seriousness of the security breach and the potential ramifications of the hackers’ activities.
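The beep-on-login trap and pager alert described above, reworked as an added Python example (not code from the original article or from Stoll himself): it parses login records, raises an alert for every login to a watched account, and notes whether the session came over a dial-up line rather than a local terminal and whether it fell in off-hours. The record format, account names, line names and the off-hours window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample records (not real LBL logs): "date time user line origin".
SAMPLE_LOGINS = """\
1986-08-12 02:14 sventek ttyp3 dialup-modem-17
1986-08-12 09:30 stoll tty04 local
1986-08-13 14:02 sventek tty07 local
1986-08-13 23:41 sventek ttyp9 dialup-modem-04
1986-08-14 00:05 hunter ttyp1 dialup-modem-22
"""

WATCHED_ACCOUNTS = {"sventek", "hunter"}  # assumed watch list
NIGHT_START, NIGHT_END = 22, 6             # assumed off-hours window (22:00-06:00)

@dataclass(frozen=True)
class Login:
    timestamp: str
    user: str
    line: str
    origin: str

def parse_logins(text: str) -> list:
    """Parse the constructed record format into Login objects, skipping bad lines."""
    logins = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 5:
            continue  # blank or malformed record
        date, clock, user, line, origin = fields
        logins.append(Login(f"{date} {clock}", user, line, origin))
    return logins

def is_dialup(login: Login) -> bool:
    """Assumed convention: dial-up sessions carry an origin starting with 'dialup'."""
    return login.origin.startswith("dialup")

def is_night(login: Login) -> bool:
    hour = int(login.timestamp.split()[1].split(":")[0])
    return hour >= NIGHT_START or hour < NIGHT_END

def alerts_for(logins, watched=WATCHED_ACCOUNTS):
    """One alert per login to a watched account, with the reasons it tripped."""
    alerts = []
    for lg in logins:
        if lg.user not in watched:
            continue
        reasons = ["watched account"]
        if is_dialup(lg):
            reasons.append("dial-up line, not a local terminal")
        if is_night(lg):
            reasons.append("off-hours")
        alerts.append((lg, reasons))
    return alerts

if __name__ == "__main__":
    for login, reasons in alerts_for(parse_logins(SAMPLE_LOGINS)):
        print(f"BEEP {login.timestamp} {login.user} on {login.line}: " + "; ".join(reasons))
```

The print in the main block stands in for Stoll's beep or pager; in practice the alert would be routed to whatever notification channel the operator watches.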
Intervention of the Authorities
Compromising the system of the Lawrence Berkeley National Laboratory was one thing. But being able to hack into military systems was a national threat. Upon realizing the direness of the situation, Stoll immediately informed the FBI and told them “Hey, they’re breaking into my computer. They’re stealing military stuff!”. However, the FBI wanted to know how much money LBL had lost due to this intrusion, and 75 cents were not enough for the FBI to give it the significance it deserved. Stoll persisted and contacted the CIA, NSA and US Air Force. Over the course of the next 10 months, he relentlessly kept looking for the intruder.
Driven by his determination to catch this mysterious hacker, Stoll spent countless nights at the laboratory itself. This hacker, who usually came online at night, was trying to steal national security intelligence from LBL’s computer. He often used keywords such as “nuclear” and “SDI”, an abbreviation for Ronald Reagan’s Strategic Defense Initiative program.
Stoll likened this hacker’s behaviour to that of a “cuckoo bird”, which lays its eggs in another bird’s nest, exploiting the unwitting host to raise its young.
How Dr. Cliff Stoll trapped the Cuckoo Bird
As Stoll’s frustration grew, he sought a decisive solution to end this game of cat and mouse. He conceived the idea of setting up a honeypot sting—a form of electronic trap designed to appear as legitimate data but actually aimed at thwarting or analyzing hackers’ activities.
It’s worth noting that some sources credit Stoll’s girlfriend with suggesting the use of a honeypot to lure the hacker. With the trap set, Stoll and his team patiently waited, and their patience paid off when the hacker took the bait, remaining online for hours. This allowed them to trace the connection back to Hanover, Germany.
The mask was finally off: the hacker was Markus Hess, a member of a spy ring dedicated to collecting military passwords and stealing sensitive information. Hess was accused of breaking into approximately 400 military computers to obtain intelligence on various technologies, including semiconductors, satellites, and aircraft. This stolen information was then sold to a KGB agent codenamed “Sergie”. Hess was not acting alone; he had accomplices named Dirk-Otto Brezinski (DOB), Hans Hübner (Pengo), and Karl Koch (also referred to as Pengo), who aided him in the operation. Together, they managed to sell the stolen intel from the United States, Europe, and East Asia to the KGB for approximately $54,000.
What Happened Next?
When the verdict was delivered, the gang, led by Markus Hess, received suspended sentences of approximately two years. Despite facing charges, they wore smiles, seemingly confident of avoiding severe consequences. Surprisingly, the German judge concluded that the damage inflicted on Germany was minimal, leading to the decision not to impose prison sentences on the hackers. Subsequently, Hess was ordered to keep his distance from the hacker community.
The Cuckoo’s Egg incident of 1986, as uncovered by Dr. Clifford Stoll, marked a turning point in the understanding of cybersecurity. It demonstrated the real-world consequences of cyber espionage and underscored the need for robust security measures. Stoll’s dedication and the collaborative efforts of law enforcement agencies led to the apprehension of the hackers, setting a precedent for future cybersecurity practices.