The European Cybersecurity Agency has blamed active hacking groups for the massive data breach and leak
In a recent statement, the European Union’s cybersecurity authority held the hacking collective TeamPCP accountable for a significant security breach and the subsequent exposure of data within the EU’s executive body.
According to a recent CERT-EU report, cybercriminals managed to exfiltrate approximately 92 gigabytes of compressed files from a breached Amazon Web Services (AWS) account belonging to the European Commission. The stolen information reportedly comprises personal details such as names, email addresses, and the specific contents of electronic communications.
The compromise impacted the Europa.eu cloud environment, a platform managed by the Commission that serves as the hosting infrastructure for the websites and official publications of various EU institutions and agencies.
CERT-EU noted that the security incident potentially impacts at least 29 additional EU organizations, suggesting that data may have also been compromised from dozens of internal clients within the European Commission.
Following the theft, the compromised information was leaked online by the infamous hacking collective known as ShinyHunters.
Although the magnitude of the breach is significant, the agency’s decision to hold two different hacking entities responsible for the same event is uncommon. A representative from ShinyHunters claimed in a conversation with TechCrunch that they had acquired and subsequently leaked data originally siphoned by TeamPCP during prior infiltrations.
While TeamPCP was unavailable for comment, CERT-EU identified that the intrusion began on March 19 through a compromised secret API key for the European Commission’s AWS account. This access was gained after the Commission unknowingly downloaded a corrupted version of the open-source security tool Trivy, which had been previously breached. The hackers utilized this compromised tool to extract the API key and subsequently pivot into the Commission’s AWS infrastructure to steal stored data.
Although the analysis of the leaked information is ongoing, it has been confirmed that nearly 52,000 files consist of sent email communications. CERT-EU noted that while most are automated messages with minimal substance, bounced emails containing error reports present a higher risk, as they may include the original text submitted by users, potentially exposing personal data.
CERT-EU confirmed that it has already begun the process of notifying the organizations impacted by the breach.
A European Commission representative informed TechCrunch that since the institution is currently closed until the following week, a formal response to the inquiry will be provided at that time.
Beyond the Trivy incident, Aqua Security—the developer of the tool—has connected TeamPCP to various ransomware operations and crypto-mining activities. Furthermore, Palo Alto Networks Unit 42 reports that the group has recently pivoted toward a coordinated series of supply chain attacks aimed at compromising multiple other open-source security projects.
Unit 42 noted that by specifically targeting developers who possess access keys to sensitive infrastructure, the attackers gain the leverage to hold compromised institutions for ransom and demand extortion fees.
Updates have been made to this story to include new information and comments from a member of the ShinyHunters collective.





