In 1986, a minor 75-cent billing anomaly on a university computer network sparked the first documented hunt for an international cyber spy. Cliff Stoll was a 36-year-old astronomer managing computers at California’s Lawrence Berkeley National Laboratory.
When he noticed a tiny discrepancy between two accounting programs charging for nine seconds of computer time, he suspected an unauthorized user. At the time, cybersecurity was practically nonexistent. People secured their vehicles but left their data completely unprotected. This small accounting error led Stoll on a ten-month pursuit that exposed a massive espionage operation targeting the United States military.
A Small Discrepancy at the Berkeley Lab
Stoll monitored cutting-edge SUN workstations. These machines boasted 100 megabytes of disk space, 128 kilobytes of memory, and a speed of 8 megahertz. The laboratory also utilized massive 80-megabyte external disk drives the size of washing machines. When Stoll found the 75-cent error, he realized someone had bypassed the system.
The intruder exploited a programming vulnerability in the Unix operating system to gain superuser access. The hacker was extremely cautious. They connected to the network only for a few seconds or minutes at a time to ensure the trail went cold before anyone could track the connection.
Trapping an Intruder with 50 Printers
To capture the infiltrator, Stoll built an elaborate electronic trap. On a Friday evening, he connected 50 office printers and teletype machines to his terminal so he could record any suspicious network activity. He slept on his office floor that night.
The following morning, he discovered a 20-foot (6.1-meter) continuous printout on one of the machines. The logs proved that the hacker used the Berkeley network to infiltrate a military computer in Anniston, Alabama. Stoll contacted the FBI, the CIA, and the National Security Agency. The authorities initially showed little interest in a 75-cent financial loss.
Operation Showerhead and the Fake Secrets
Stoll noticed the hacker was actively searching for keywords related to nuclear technology and the Strategic Defense Initiative. To keep the intruder online long enough for a manual trace, Stoll created a honeypot sting called Operation Showerhead.
He generated a massive directory of authentic-sounding but entirely fabricated national security intelligence. The hacker took the bait and spent hours downloading the counterfeit files. This extended connection allowed telecommunications technicians to trace the signal across landlines to Virginia, up to a satellite, and finally back down to Europe.
Tracing the Hack to West Germany
The international trace revealed the hacker was operating from an apartment in Hanover, Germany. The culprit was Markus Hess. Hess belonged to a spy ring that infiltrated 400 military computers to steal sensitive aircraft, semiconductor, and satellite technology.
They stored the intelligence on floppy disks and sold it to the KGB in East Berlin for $54,000. In 1990, Hess and two co-conspirators received suspended sentences of approximately two years. Stoll documented the entire investigation in his 1989 publication, The Cuckoo’s Egg, effectively changing global computer security protocols without ever firing a single weapon.