A publicly accessible Kibana instance left more than 600GB of internal network and security logs from Mexico’s Federal Electricity Commission (CFE) exposed online for over three years. Cybernews researchers found the open instance, which contained Managed Detection and Response (MDR) data, DNS records, DPI logs and alerts—information that could let attackers map CFE's defenses and target the industrial control systems that run much of Mexico’s grid.
Researchers say the server that hosted the logs was managed by Mexican cybersecurity firm Teliko, but the data belonged to CFE, the state utility that supplies power to more than 99% of Mexico’s population. Cybernews sent 29 emails over five months asking CFE to respond and secure the instance; there was no reply.
What Was Exposed And How Researchers Found It
The oldest indexes on the leaking Kibana instance were dated November 2021, and the instance stored data produced by an MDR product called AIsaac. The exposed telemetry gave a detailed view of internal activity and device state, notably:
- DNS queries and visited URLs from employee machines
- Deep Packet Inspection (DPI) logs and network flow data
- Alerts from anti-malware and network monitoring tools
- Lists of vulnerable devices, servers and services
Because the logs included device and service inventories, researchers warned the data could be used to locate unpatched systems, identify missing defenses, and prioritize targets inside CFE’s network.
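To make the exposure concrete, here is an added example (not code from Cybernews, Teliko or CFE) that probes a Kibana and an Elasticsearch endpoint the way a researcher would before reporting: it requests Kibana's /api/status and Elasticsearch's /_cat/indices without credentials, treats a 200 carrying a status document or an index listing as exposed and a 401/403 as secured, flags index names that look like the telemetry listed above, and takes the oldest date stamp in the index names as a lower bound on how long the data has been sitting there. The hostnames, the index names and the sample responses are constructed for illustration; the two API paths are real. Point http_get at a host only with authorization to test it.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

# Real API paths: Kibana's status endpoint and Elasticsearch's index listing.
KIBANA_STATUS_PATH = "/api/status"
ES_INDICES_PATH = "/_cat/indices?format=json"

# Name fragments matching the telemetry types the article lists; an index
# whose name contains one is flagged so an analyst can prioritise it.
SENSITIVE_HINTS = ("dns", "dpi", "flow", "alert", "malware", "vuln")

# Daily indices are commonly suffixed YYYY.MM.DD or YYYY-MM-DD.
DATE_RE = re.compile(r"(\d{4})[.\-](\d{2})[.\-](\d{2})")


def http_get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET without credentials; returns (HTTP status, body text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_kibana(status: int, body: str) -> str:
    """'exposed' if /api/status answers 200 with Kibana's status document,
    'auth-required' on 401/403, otherwise 'unknown' (e.g. a login page)."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(doc, dict) and "status" in doc and "version" in doc:
        return "exposed"
    return "unknown"


def classify_indices(status: int, body: str) -> Tuple[str, List[str]]:
    """Same verdict for /_cat/indices, plus the index names it returned."""
    if status in (401, 403):
        return "auth-required", []
    if status != 200:
        return "unknown", []
    try:
        rows = json.loads(body)
    except ValueError:
        return "unknown", []
    if not isinstance(rows, list):
        return "unknown", []
    names = [r["index"] for r in rows if isinstance(r, dict) and "index" in r]
    return "exposed", names


def earliest_index_date(names: List[str]) -> Optional[date]:
    """Oldest date stamp embedded in the index names, or None if no index
    carries one. Strings like 2021.13.40 fail date() and are skipped."""
    found = []
    for name in names:
        m = DATE_RE.search(name)
        if m:
            try:
                found.append(date(*map(int, m.groups())))
            except ValueError:
                pass
    return min(found) if found else None


def sensitive_indices(names: List[str]) -> List[str]:
    return [n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS)]


def assess(kibana_url: str, es_url: str, fetch: Fetcher = http_get) -> Dict[str, object]:
    """Probe both services and summarise what an unauthenticated client sees."""
    k_status, k_body = fetch(kibana_url.rstrip("/") + KIBANA_STATUS_PATH)
    e_status, e_body = fetch(es_url.rstrip("/") + ES_INDICES_PATH)
    es_verdict, names = classify_indices(e_status, e_body)
    return {
        "kibana": classify_kibana(k_status, k_body),
        "elasticsearch": es_verdict,
        "index_count": len(names),
        "sensitive": sensitive_indices(names),
        "earliest": earliest_index_date(names),
    }


# Constructed sample responses (not captured from any real host) so the
# example runs offline; the hostnames and index names are hypothetical.
SAMPLE_RESPONSES = {
    "http://kibana.example.invalid:5601/api/status": (200, json.dumps(
        {"name": "kibana", "version": {"number": "7.10.2"},
         "status": {"overall": {"state": "green"}}})),
    "http://es.example.invalid:9200/_cat/indices?format=json": (200, json.dumps([
        {"health": "yellow", "index": "logs-dns-2021.11.03", "docs.count": "1200"},
        {"health": "green", "index": "logs-dpi-2022.06.14", "docs.count": "98000"},
        {"health": "green", "index": "alerts-2024-01-09", "docs.count": "40"},
        {"health": "green", "index": ".kibana_1", "docs.count": "12"}])),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_get; anything unlisted answers 401."""
    return SAMPLE_RESPONSES.get(url, (401, '{"error": "Unauthorized"}'))


if __name__ == "__main__":
    print(assess("http://kibana.example.invalid:5601",
                 "http://es.example.invalid:9200", sample_fetch))
```

Run against the constructed responses it reports both services as exposed, three of the four indices as sensitive, and November 3, 2021 as the earliest stamp; a secured deployment returns 401 on both paths and the verdict flips to auth-required. The checks are deliberately read-only: listing index names is enough to establish exposure, and nothing here downloads documents.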
Why The Leak Creates Operational And Privacy Risks
The combination of telemetry and inventory is especially dangerous for critical infrastructure. Cybernews’ analysis noted that with this information an attacker could plan a campaign to move laterally, evade detection, and interact with Industrial Control Systems (ICS) in ways that cause physical damage or wide outages. As researchers put it:
“Once a machine on CFE’s network is compromised, attackers could move laterally through the network. Ultimately, attackers could potentially interact with Industrial Control systems, modifying their settings, which can lead to damage of physical systems or the turning off of critical systems.”
Beyond operational damage, the logs represent a privacy breach. Employee internet histories and internal tool references can be mined to build convincing spear-phishing lures, register look-alike domains, or impersonate internal services.
At the time Cybernews published findings, the Kibana instance was intermittently unreachable—timing out or crashing for some observers—but the researchers cautioned that the 600GB of logs could resurface if the underlying server remains misconfigured.
Response, Third-Party Risk And Broader Context
Cybernews says it contacted CFE repeatedly without response. The leak underscores a recurring theme in attacks on critical infrastructure: third-party systems and misconfigurations can expose the most sensitive telemetry. Researchers pointed out that many ICS environments run legacy equipment and old protocols that lack modern authentication and encryption, creating an “interconnected web of various vulnerabilities and misconfigurations that the attacker can navigate.”
History shows what can follow: intrusions against critical infrastructure have previously produced major service disruptions. Notable past incidents cited by analysts include the 2021 DarkSide ransomware attack on Colonial Pipeline, which led the operator to halt pipeline operations as a precaution, and campaigns by groups linked to nation-states that have targeted water and energy systems. Those cases illustrate how exposed credentials and network knowledge can move an incident from data theft to physical impact.
For now, the facts are these: more than 600GB of CFE logs were public for years, the data set included device inventories and security alerts, Cybernews repeatedly sought comment but received none, and the exposed telemetry could materially ease an attacker’s path to disrupting Mexico’s power systems.