• partofthevoice@lemmy.zip · 5 upvotes · 16 hours ago (edited)

    It’s a supercomputer center, so I imagine large data transfer is normal in the environment. They could have piggybacked on existing high-throughput data workflows, or somehow blended into expected large transfers. Data can be exfiltrated over weeks or months, across multiple endpoints or accounts, … and compression could have happened prior to transfer (meaning the transfer may have been smaller than 10PB). Monitoring could have been inadequate or bypassed.

    I imagine the puny change could be indicative of wanting a fast sale. Possibly, if they decided to store the data on cloud drives via a credit line. They might want a sale before the bill comes.

    Edit: yup

    According to the alleged attacker, they gained access through a compromised VPN domain, then deployed a botnet to extract data. Instead of transferring data in bulk, the attacker distributed the exfiltration across multiple systems and moved ‘smaller’ amounts over about six months to avoid detection. Such a method relies more on exploiting system architecture than on advanced hacking techniques, which in part helped the perpetrator to avoid detection.
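The detection gap the comment describes (many hosts each moving "small" amounts over months, so no single transfer looks unusual) can be shown with two egress rules run over constructed flow records. This is an added example, not code from the post or from any source it quotes; the hosts, the destination address, the sizes and the thresholds are all invented for illustration:

```python
"""Two outbound-traffic rules over constructed flow records: a per-transfer
size limit, which a distributed low-and-slow pattern slips under, and a
per-destination aggregate over a long window, which surfaces it."""
from collections import defaultdict
from datetime import datetime, timedelta
import random

TB = 10**12
GB = 10**9


def make_sample_flows():
    """Constructed flow records (timestamp, src_host, dst, bytes_out).
    Every host name, destination and size here is invented for the example."""
    rng = random.Random(7)
    start = datetime(2024, 1, 1)
    flows = []
    # Expected workload: one data-transfer node ships 2 TB/day to a known partner site.
    for day in range(30):
        flows.append((start + timedelta(days=day), "dtn01", "partner-site.example", 2 * TB))
    # Low-and-slow pattern: 40 compute nodes each send roughly 50 GB/day to one
    # unfamiliar address (203.0.113.10 is a documentation-range placeholder).
    for day in range(30):
        for h in range(40):
            size = 50 * GB + rng.randint(-5 * GB, 5 * GB)
            ts = start + timedelta(days=day, hours=h % 24)
            flows.append((ts, f"node{h:03d}", "203.0.113.10", size))
    return flows


def per_transfer_alerts(flows, limit_bytes):
    """Naive rule: alert on any single flow larger than limit_bytes.
    It fires on the legitimate bulk transfers and never on the 50 GB flows."""
    return [(src, dst, size) for _, src, dst, size in flows if size > limit_bytes]


def aggregate_alerts(flows, allowlist, total_limit, min_sources, window=timedelta(days=30)):
    """Sum outbound bytes per destination over a long window, across all
    internal sources. Flag destinations outside the allowlist whose total
    exceeds total_limit, or which receive data from at least min_sources
    distinct hosts (fan-in from many nodes to one external address).
    Returns {dst: (total_bytes, distinct_sources)} for flagged destinations."""
    if not flows:
        return {}
    end = max(ts for ts, *_ in flows)
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, size in flows:
        if ts < end - window:
            continue  # outside the aggregation window
        totals[dst] += size
        sources[dst].add(src)
    flagged = {}
    for dst, total in totals.items():
        if dst in allowlist:
            continue  # known partner site with an expected bulk workflow
        if total > total_limit or len(sources[dst]) >= min_sources:
            flagged[dst] = (total, len(sources[dst]))
    return flagged


if __name__ == "__main__":
    flows = make_sample_flows()
    naive = per_transfer_alerts(flows, 500 * GB)
    print(f"per-transfer rule: {len(naive)} alerts, all from "
          f"{sorted({src for src, _, _ in naive})}")
    for dst, (total, n) in aggregate_alerts(flows, {"partner-site.example"}, 10 * TB, 10).items():
        print(f"aggregate rule: {dst} received {total / TB:.1f} TB from {n} hosts")
```

The per-transfer rule alerts thirty times, every time on the sanctioned transfer node, and is silent on the forty compute nodes; the aggregate rule, keyed on destination rather than on source or on individual flow size, reports the unfamiliar address receiving about 60 TB from forty hosts. In practice the allowlist and the thresholds would come from the site's own baseline of expected data movement.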