The cybersecurity agency of the European Union, CERT-EU, revealed on April 2 that a recent cyber assault on the EU’s administrative body was orchestrated by a hacking group known as TeamPCP. The breach impacted the European Commission’s public website “europa.eu,” which is hosted on the cloud infrastructure of Amazon Web Services (AWS). According to CERT-EU’s report on the incident, the hackers managed to extract around 92 gigabytes (GB) of compressed data from a compromised cloud account on AWS. This data included names, email addresses, and the contents of email communications.
CERT-EU recently stated that on March 28, a group called ShinyHunters, known for data extortion, released the stolen dataset on their dark web leak site. They claimed to have acquired ‘data dumps of mail servers, databases, confidential documents, contracts, and other sensitive materials.’ The dataset published was approximately 91.7 GB compressed (340 GB uncompressed).
The cybersecurity agency indicated that the breach could have impacted at least 29 other EU entities and numerous internal Commission clients whose data might have been accessed. The stolen information was subsequently made public by another hacking group, ShinyHunters.
According to CERT-EU, the breach commenced on March 19 when the attackers acquired a confidential application programming interface (API) key associated with the Commission’s cloud account. This incident followed a previous breach involving Trivy, a popular open-source security scanning tool.
The Commission inadvertently downloaded a compromised version of Trivy after the tool was breached, enabling the attackers to seize the secret key and utilize it to access sensitive data stored in the Commission’s cloud environment.
CERT-EU mentioned that ongoing analysis of the leaked data is in progress. They highlighted, “The dataset includes a minimum of 51,992 files related to outbound email communications, amounting to 2.22 GB. Most of these files are automated notifications with minimal content. Nevertheless, ‘bounce-back’ notifications, which are replies to incoming messages from users, may contain the original user-submitted content, potentially exposing personal data.”
The agency confirmed that it is actively engaging with potentially affected organizations regarding the breach.
