Cyber-Sleuth Cliff Stoll: How a Mad Genius Exposed Moscow’s Hacker Spies

What would you do if you accidentally discovered hackers were using your computer to illegally access US missile bases? If you’re like astronomer-turned-cyber-sleuth Clifford Stoll, you’d chase down a spy ring operating halfway around the world.

Hackers were a new phenomenon in 1986 when Stoll managed computers for California’s Lawrence Berkeley National Laboratory (LBL). He was a 36-year-old with Einstein-inspired hair and a mind soaring among the stars. His idols were Bletchley codebreaker Alan Turing and German mathematicians Felix Klein and Emmy Noether. 

Stoll - and the world - stood on the cusp of an 80s IT revolution reminiscent of today's AI boom, but cybersecurity was lax. “People paid more attention to locking their cars than securing their data, Stoll says in his thrilling exposé, The Cuckoo’s Egg.

Clifford Stoll with his state-of-the-art computers

Stalking a hacker

The trouble in Stoll’s computer lab kicked off with a small accounting glitch; there was a 75-cent billing error on LBL’s computer system. It was minor league stuff, but it bugged him anyway. At the time, It cost $300 an hour to go online and most people didn’t even know what the Internet/Arpanet was aside from techies, spies, and NASA types like Stoll. So who, or what, could have caused the error? 

LBL’s computers were hot stuff - cutting-edge SUN workstations with almost 100 megabytes of disk space, 128 kilobytes of memory, and a whiplash speed of 8 megahertz. “We also had fifty 80-megabyte external disk drives the size of washing machines,” Stoll told CalTech. “They sounded like washing machines, too, rattling around like they were on spin cycle.”

As Stoll sat in an astronomy lecture listening to a discussion about gravitational waves one day, a chilling thought seized his mind: What if the accounting mistake was caused by an outsider hacking into LBL’s computer system? It was a radical idea. If Stoll was right, he may have stumbled on the world's first known case of cyber espionage, a hack that would change computer security forever.

Clifford Stoll, tech icon and cyber detective

The Techno-Thriller Unfolds

To a generation of whitehat and black hat hackers, Cliff Stoll is a cybersecurity icon who stalked a shocking culprit with relentless zeal. When Stoll first started poking around, he wanted to know why there was a 75-cent discrepancy between two accounting programs used to charge for nine seconds of computer use. He discovered someone changed the password on one of the accounts.

“That’s weird,” Stoll thought. The intruder would need to be a Unix ‘superuser’ with the same license as the system administrator to manipulate LBL’s computer. Normally, Stoll would just log in, disable the account, and make the problem go away but Stoll was intrigued. He figured it was probably a university grad student trying to yank his chain but how could he prove it? 

At 5:30 pm one Friday evening, with the lab emptying for the weekend, Stoll built an elaborate, electronic spy trap by relying on a technique he’d learned in grad school - “There will be hell to pay on Monday but it’s easier to give an apology than get permission." Stoll ‘liberated’ 50 of his co-workers’ printers and teletype machines from their cubicles and hooked them up to his computer. If a hacker targeted Berkeley, he could now record it on a printer or a floppy disk.

Stoll drained his flask of hot tomato soup, rolled out his sleeping bag on the office floor, and slept deeply that evening. His hacker did not disappoint.

Cyber-Sleuth Cliff Stoll: How a Mad Genius Exposed Moscow’s Hacker Spies

SPYSCAPE
Share
Share to Facebook
Share with email

What would you do if you accidentally discovered hackers were using your computer to illegally access US missile bases? If you’re like astronomer-turned-cyber-sleuth Clifford Stoll, you’d chase down a spy ring operating halfway around the world.

Hackers were a new phenomenon in 1986 when Stoll managed computers for California’s Lawrence Berkeley National Laboratory (LBL). He was a 36-year-old with Einstein-inspired hair and a mind soaring among the stars. His idols were Bletchley codebreaker Alan Turing and German mathematicians Felix Klein and Emmy Noether. 

Stoll - and the world - stood on the cusp of an 80s IT revolution reminiscent of today's AI boom, but cybersecurity was lax. “People paid more attention to locking their cars than securing their data, Stoll says in his thrilling exposé, The Cuckoo’s Egg.

Clifford Stoll with his state-of-the-art computers

Stalking a hacker

The trouble in Stoll’s computer lab kicked off with a small accounting glitch; there was a 75-cent billing error on LBL’s computer system. It was minor league stuff, but it bugged him anyway. At the time, It cost $300 an hour to go online and most people didn’t even know what the Internet/Arpanet was aside from techies, spies, and NASA types like Stoll. So who, or what, could have caused the error? 

LBL’s computers were hot stuff - cutting-edge SUN workstations with almost 100 megabytes of disk space, 128 kilobytes of memory, and a whiplash speed of 8 megahertz. “We also had fifty 80-megabyte external disk drives the size of washing machines,” Stoll told CalTech. “They sounded like washing machines, too, rattling around like they were on spin cycle.”

As Stoll sat in an astronomy lecture listening to a discussion about gravitational waves one day, a chilling thought seized his mind: What if the accounting mistake was caused by an outsider hacking into LBL’s computer system? It was a radical idea. If Stoll was right, he may have stumbled on the world's first known case of cyber espionage, a hack that would change computer security forever.

Clifford Stoll, tech icon and cyber detective

The Techno-Thriller Unfolds

To a generation of whitehat and black hat hackers, Cliff Stoll is a cybersecurity icon who stalked a shocking culprit with relentless zeal. When Stoll first started poking around, he wanted to know why there was a 75-cent discrepancy between two accounting programs used to charge for nine seconds of computer use. He discovered someone changed the password on one of the accounts.

“That’s weird,” Stoll thought. The intruder would need to be a Unix ‘superuser’ with the same license as the system administrator to manipulate LBL’s computer. Normally, Stoll would just log in, disable the account, and make the problem go away but Stoll was intrigued. He figured it was probably a university grad student trying to yank his chain but how could he prove it? 

At 5:30 pm one Friday evening, with the lab emptying for the weekend, Stoll built an elaborate, electronic spy trap by relying on a technique he’d learned in grad school - “There will be hell to pay on Monday but it’s easier to give an apology than get permission." Stoll ‘liberated’ 50 of his co-workers’ printers and teletype machines from their cubicles and hooked them up to his computer. If a hacker targeted Berkeley, he could now record it on a printer or a floppy disk.

Stoll drained his flask of hot tomato soup, rolled out his sleeping bag on the office floor, and slept deeply that evening. His hacker did not disappoint.


A Eureka Moment

The next morning, when LBL’s director dropped by to suggest it would be ‘neighborly’ to return all 50 stolen printers pronto, Stoll noticed a 20-foot print-out on one of the machines. Finally, he had concrete evidence that a devious hacker had infiltrated Berkeley via a programming ‘hole’ - a mistake in a program attached to the Unix operating system - that allowed the infiltrator to become a superuser. 

It seemed the hacker had broken into LBL’s computer system, then went out through the Berkeley center’s Local Area Network - the only router in northeastern California at the time - and used the Arpanet to infiltrate a US military computer based in Anniston, Alabama. The hacker siphoned out military information before disappearing into the great unknown. Stoll was stunned.

“So I did what anybody else would do,” Stoll later recalled. “I called the FBI and said, ‘Hey, they’re breaking into my computer. They’re stealing military stuff!’”

The Bureau wanted to know how much money the Berkeley computer laboratory had lost. Unsurprisingly, the G-Men were unimpressed with Stoll’s 75-cent estimate. Undeterred, Stoll then called up the NSA, CIA, and the US Air Force. He persisted for the next 10 months, obsessed with tracking his nemesis.

Lawrence Berkeley National Laboratory

Stoll often bedded down in the office because his hacker tended to log on late at night. Eventually, Stoll and US spooks discovered the same thing: some guy was using Stoll’s computer to steal national security intelligence. The mysterious hacker was searching for keywords like “nuclear” and SDI (short for Ronald Reagan’s Strategic Defense Initiative program).

Stoll described his adversary as a “cuckoo bird”, one that laid its egg in another bird’s nest so the other bird would hatch it and raise it.

While it all seemed a bit kooky to Stoll - Berkeley researched astronomy and physics, not state secrets, after all - he knew the hacker was clever enough to connect to the Berkeley computer system for only a few seconds or minutes at a time, then log off to ensure the trail went cold if anyone tried to track him.

Stoll felt it was getting personal: “I found out I had skin in the game,” he said. It was time to set another trap.


Spies like us: Operation Showerhead

An idea came to Stoll in the shower one day: he'd set up a honeypot sting dubbed Operation Showerhead. He’d create a phony SDInet folder loaded with impressive-sounding but fake national security ‘intelligence’ that would be impossible for a hacker to resist.

The trap was sprung. The hacker took the bait. Hours later, Stoll’s target was still online, a delay that enabled Stoll to trace the hacker from Stoll’s Berkeley computer, across AT&T landlines to the military base in Virginia where the hacker extorted fake military intelligence, then circled back to Berkeley. From there, the hacker’s trail led sky-high to a satellite that connected to Hanover, Germany, and what Stoll described as ‘a guy’s apartment’.

‘The guy’, it transpired, was notorious hacker Markus Hess, a member of a spy ring that collected passwords into military systems. Hess is believed to have broken into 400 military computers to steal sensitive intelligence about semiconductors, satellites, space, and aircraft technologies. The intel was then stored on floppy disks and sold to a KGB agent code-named Sergei who operated from the trade mission in Soviet-controlled East Berlin.

Hess, alongside his co-conspirators Dirk Brzezinski and Peter Carl, was accused of selling intel stolen from the US, Europe, and East Asia to the KGB for about $54,000. The men, all in their late 20s and 30s in 1990, received suspended sentences of about two years and smiled as their verdicts were read aloud. The Berlin Wall had fallen at that point. It was a whole new world. The German judge figured the damage to Germany was minimal, so why throw the lads in prison?

Stoll chased hackers to the DoD’s MILNET systems, the White Sands Missile Range, and the CIA

Cyberspies & Success

Stoll’s sleuthing changed the world of computing and cybersecurity forever. His investigation revealed a vast web of similar hacks into military and government agencies worldwide carried out by the German spy ring and others. 

Purists might already own a copy of The Cuckoo’s Egg. Stoll’s thrilling exposé was published in 1989 around the time the Internet was becoming a global tool for terrorists and cyber-spies. For those who haven’t read it, the book may be worth diving into. The Cuckoo’s Egg hit its 35th anniversary in 2024, selling more than 1m copies and inspiring an entire generation of network defenders.

Stoll, born in 1950, is still one of the most celebrated (and unlikely) cybersecurity geniuses on Earth. In his later years, Stoll lectured at the NSA, CIA, and even to FBI experts who once rolled their eyes to the heavens over his 75-cent accounting loss. 

“People who get into cybersecurity dream they’ll work on something like this,” Chris Sanders, a security consultant, told Wired. “They imagine finding the thing that becomes the bigger thing. We all want to live that. Some live it and some don’t. But we all get to live it vicariously through Cliff.”

Read mORE

RELATED aRTICLES

This story is part of our weekly briefing. Sign up to receive the FREE briefing to your inbox.

Gadgets & Gifts

Put your spy skills to work with these fabulous choices from secret notepads & invisible inks to Hacker hoodies & high-tech handbags. We also have an exceptional range of rare spy books, including many signed first editions.

Shop Now

Your Spy SKILLS

We all have valuable spy skills - your mission is to discover yours. See if you have what it takes to be a secret agent, with our authentic spy skills evaluation* developed by a former Head of Training at British Intelligence. It's FREE so share & compare with friends now!

dISCOVER Your Spy SKILLS

* Find more information about the scientific methods behind the evaluation here.