Joins the ranks of Nottingham Uni and 100 other unnamed victims
# Incident Report: ShinyHunters PeopleSoft Zero-Day Campaign
## Executive Summary
The Council of Europe and over 100 other organizations have been compromised by the threat actor group ShinyHunters through the exploitation of a zero-day vulnerability in Oracle PeopleSoft. The breach resulted in the exfiltration of nearly 300 GB of sensitive HR and financial data, part of a wider campaign targeting the public sector and higher education.
## Incident Details
- **Discovery Date:** Approximately June 9, 2026 (based on Google threat reporting)
- **Incident Date:** May 27 – June 9, 2026
- **Affected Organization:** Council of Europe, Nottingham University, and 100+ unnamed victims
- **Sector:** Government / International Relations / Higher Education
- **Geography:** Global (predominantly USA and Europe)
## Timeline of Events
### Initial Access
- **Date/Time:** May 27, 2026
- **Vector:** Zero-day exploitation
- **Details:** Attackers exploited CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft, to gain unauthorized entry into over 300 instances of the software.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report, but the exploit allowed direct access to backend systems containing HR and payroll databases.
### Data Exfiltration/Impact
- **Details:** ShinyHunters exfiltrated 297 GB of data (429,000 files) from the Council of Europe. Stolen data includes HR records, payroll/payslips, banking information, tax records, medical records, and purchase orders. Nottingham University also had data for 454,600 individuals leaked.
### Detection & Response
- **Detection:** Discovered via malicious activity monitoring by Google’s threat intelligence team between May 27 and June 9.
- **Response:** Google notified over 100 global organizations with vulnerable endpoints; the Council of Europe launched an internal investigation.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-35273 (Oracle PeopleSoft).
- **Persistence:** Not specified in the source (web shells or compromised service accounts are plausible but unconfirmed).
- **Collection:** Automated extraction of database records and document repositories.
- **Exfiltration:** Transfer of large-scale datasets (297 GB) to threat actor-controlled storage.
- **Impact:** Extortion via data-leak sites; public disclosure of sensitive personal and financial data.
## Impact Assessment
- **Financial:** Potential for major fines (GDPR) and recovery costs; previous related victims (Instructure) have reportedly paid ransoms.
- **Data Breach:** Massive loss of PII, including banking, tax, and medical records for government and academic personnel.
- **Operational:** Disruption to HR and payroll functions; intensive incident response requirements for 100+ orgs.
- **Reputational:** High-profile compromise of a major international human rights organization and prominent universities.
## Indicators of Compromise
- **Network indicators:** IP addresses correlating with vulnerable Oracle PeopleSoft endpoints (specific IPs not listed in text).
- **File indicators:** CVE-2026-35273 exploit payloads.
- **Behavioral indicators:** Large-scale outbound data transfers corresponding to HR/Payroll database paths.
## Response Actions
- **Containment:** Council of Europe is currently assessing the situation and investigating the extent of the breach.
- **Eradication:** Identification and patching of vulnerable Oracle PeopleSoft instances.
- **Notification:** Google incident responders conducted proactive outreach to at-risk organizations.
## Lessons Learned
- **Zero-Day Exposure:** Critical business systems like PeopleSoft are high-value targets; a single zero-day can become a mass-compromise event across hundreds of organizations simultaneously.
- **Third-Party Risk:** The education and government sectors remain highly exposed to supply-chain attacks and to mass exploitation of widely deployed enterprise software.
- **Ransom Trends:** Payment of ransoms (as seen with Instructure) may embolden the group to target similar high-value entities.
## Recommendations
- **Patch Management:** Immediately apply patches for CVE-2026-35273 once released by Oracle.
- **Egress Monitoring:** Implement strict egress filtering and monitoring to detect large-scale data exfiltration from sensitive database servers.
- **Network Segmentation:** Isolate HR and Payroll systems (like PeopleSoft) from the public internet using VPNs or Zero Trust Network Access (ZTNA) to mitigate zero-day exploitation risks.
- **Data Encryption:** Ensure data-at-rest encryption is applied to sensitive HR and banking files to reduce the utility of stolen data.
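The behavioral indicator above (large outbound transfers from HR/payroll hosts) and the egress-monitoring recommendation can be turned into a simple volumetric alert. The following is an added example, not part of the original report: it assumes flow records exported as `timestamp,src_host,dst_ip,bytes_out`, a hypothetical asset tag set `SENSITIVE_HOSTS` for the PeopleSoft servers, and a constructed 2 GiB-per-hour baseline; the sample flows are constructed for illustration.

```python
"""Volumetric egress alerting for tagged HR/payroll hosts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset tags: hosts holding PeopleSoft HR/payroll data.
SENSITIVE_HOSTS = {"psft-db-01", "psft-app-01"}
# Destinations inside these prefixes are not egress (constructed for the example).
INTERNAL_PREFIXES = ("10.", "192.168.")
WINDOW = timedelta(hours=1)
THRESHOLD_BYTES = 2 * 1024**3  # assumed baseline: 2 GiB outbound per host per hour

# Constructed flow records: "timestamp,src_host,dst_ip,bytes_out"
SAMPLE_FLOWS = """\
2026-05-27T22:01:00,psft-db-01,10.0.5.20,734003200
2026-05-27T22:05:00,psft-app-01,203.0.113.45,1610612736
2026-05-27T22:20:00,psft-app-01,203.0.113.45,1288490188
2026-05-27T22:30:00,web-01,198.51.100.7,524288000
2026-05-28T01:10:00,psft-app-01,203.0.113.45,104857600
"""

def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src_host, dst_ip, bytes_out) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows

def egress_alerts(flows, sensitive=SENSITIVE_HOSTS, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return (host, window_start, total_bytes) for each sensitive host whose
    external outbound volume inside any sliding window exceeds the threshold."""
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        # Only sensitive sources and only traffic leaving the internal ranges count.
        if src in sensitive and not dst.startswith(INTERNAL_PREFIXES):
            per_host[src].append((ts, nbytes))
    alerts = []
    for host, events in per_host.items():
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window:  # slide the window forward
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts.append((host, events[start][0], total))
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for host, since, total in egress_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {host}: {total / 1024**3:.2f} GiB external egress since {since}")
```

The internal database host is excluded because its traffic stays inside the internal ranges, while the application server trips the alert on its second external transfer within the hour.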