Invitation to Cybersecurity

In most cases, the hacker will not only view data but will also want to obtain a copy of it. This is called data exfiltration or exfil for short. It is essentially stealing data, but unlike in physical space where stealing entails taking it away from the victim, in cyberspace exfiltration means copying data from a victim to the attacker. This usually occurs over a computer network—in other words, the attacker downloads the data. It could also occur locally—the attacker copies the data onto a USB stick. Once this happens, the data is outside of the victim’s control.

In some cases the data may be used to extort the victim. The attacker may threaten to publish the data unless the victim pays him money. The scary thing for the victim is that even if he gives in to the hacker’s demands, he can never really be sure that the threat will go away—there is no way to ensure that the hacker’s copy (or more likely, copies) of the data will be permanently deleted. The hacker could potentially come back later with another extortion demand.

Hackers may also want to exfil data to sell it on the black market. As we saw in Chapter 3, personally identifiable information (PII) and intellectual property (IP) have market value.

In May 2026 a hacker group called ShinyHunters gained unauthorized admin access to Canvas, a popular learning management system used by thousands of educational institutions, and published an extortion note on course websites across the country. This happened right at the end of the semester at many universities—imagine students’ surprise when they went to submit their final exams and projects and found an extortion demand instead (see Figure 4.6)! The note threatened to publish private data unless a settlement was negotiated with Instructure (the parent company of Canvas), or with the affected schools directly. Incredibly, Instructure paid the cyber criminals in return for their assurance that the exfiltrated data would be permanently deleted—so problem solved! (or not)

To avoid detection, hackers may try to exfil data using a covert channel. A covert channel is a hidden communication path. Covert channels usually involve steganography—the art and science of hiding information in plain sight (covered in more depth in Section 7.3). An example of a covert channel for exfiltrating data is using flag bits and other fields in network protocol headers. These headers are only supposed to contain metadata, not payload data, and therefore can potentially pass out of a network undetected. The data may also be broken up between several messages and spread out over time to avoid arousing suspicion. What using covert channels costs in efficiency it gains in maintaining cover.

In a doxxing attack the attacker publishes exfiltrated data to embarrass or otherwise harm the victim. The Sony Pictures hack in 2014 was a doxxing attack. Sony Pictures is a major American film studio. The hackers gained unauthorized access to Sony’s network and exfiltrated as much data as they could and then published it on the Internet. The published data included everything from not-yet-released films to employee PII to internal emails. The emails exposed sensitive business dealings and private communications that embarrassed Sony executives. The United States government attributed the attack to North Korea, and the motive was to financially harm Sony Pictures for producing a satirical film making fun of North Korea.
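The covert-channel discussion above notes that protocol header fields are supposed to carry only metadata. A defender can turn that expectation into a detection check: header fields that a conforming TCP/IP stack leaves zero or constant within a flow should not carry varying values. The following is an added example, not code from the textbook; the packet records are constructed by hand, and the field names and flow labels are assumptions for illustration.

```python
from collections import defaultdict

# Constructed per-packet TCP/IP header fields (not captured traffic): one
# ordinary flow "A" and one flow "B" whose metadata-only fields carry
# values a conforming stack would never emit.
SAMPLE_PACKETS = [
    {"flow": "A", "ttl": 64, "tcp_reserved": 0, "urg_ptr": 0, "urg_flag": False},
    {"flow": "A", "ttl": 64, "tcp_reserved": 0, "urg_ptr": 0, "urg_flag": False},
    {"flow": "A", "ttl": 64, "tcp_reserved": 0, "urg_ptr": 0, "urg_flag": False},
    {"flow": "B", "ttl": 64, "tcp_reserved": 5, "urg_ptr": 0, "urg_flag": False},
    {"flow": "B", "ttl": 64, "tcp_reserved": 0, "urg_ptr": 0x4142, "urg_flag": False},
    {"flow": "B", "ttl": 57, "tcp_reserved": 2, "urg_ptr": 0, "urg_flag": False},
]

def packet_violations(pkt):
    """Return reasons why this packet's header fields look non-conforming."""
    reasons = []
    # The TCP reserved bits must be zero on the wire.
    if pkt["tcp_reserved"] != 0:
        reasons.append("non-zero TCP reserved bits")
    # The urgent pointer is only meaningful when the URG flag is set.
    if pkt["urg_ptr"] != 0 and not pkt["urg_flag"]:
        reasons.append("urgent pointer set without URG flag")
    return reasons

def flow_findings(packets):
    """Group packets by flow and return {flow: sorted reasons} for every flow
    with a per-packet violation or a TTL that changes within the flow."""
    by_flow = defaultdict(list)
    for pkt in packets:
        by_flow[pkt["flow"]].append(pkt)
    findings = {}
    for flow, pkts in by_flow.items():
        reasons = set()
        for pkt in pkts:
            reasons.update(packet_violations(pkt))
        # Packets of one flow normally follow one path, so the TTL seen at a
        # sensor should stay constant; variation is worth a second look.
        if len({p["ttl"] for p in pkts}) > 1:
            reasons.add("TTL varies within flow")
        if reasons:
            findings[flow] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for flow, reasons in flow_findings(SAMPLE_PACKETS).items():
        print(f"flow {flow}: {', '.join(reasons)}")
```

These checks flag protocol non-conformance, not exfiltration itself; route changes or unusual middleboxes can also trigger them, so treat a hit as a lead for analysts rather than a verdict.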
