(not working in security) Say they do infect this recording server that is not connected to the Internet. So what then, how do they send this data elsewhere? It's just infected and sitting there?
It’s very common for the recording server to have some kind of WAN/internet connectivity in larger scale systems. At a minimum the recording server usually has access to other internal networks. Would be possible to execute something similar to the centrifuge attack to disable other systems, wipe data, etc. It doesn’t have to always involve internet access to do bad things.
