The European Union’s cybersecurity agency (CERT-EU) said Thursday that the hacking group TeamPCP was behind a massive recent data breach at the European Commission. CERT-EU said the hackers broke into the bloc’s Amazon Web Services (AWS) account and took about 92 gigabytes of compressed data used by the Commission. The data included names, email addresses and some email content, according to the new report from the agency, which said the breach took place on March 19.

The hack, which relied on the misuse of a secret Amazon API key, involved the Commission’s Europa.eu platform, which lives on AWS cloud infrastructure and is used by EU states to host websites belonging to bloc entities. Data belonging to 42 internal clients and at least 29 EU entities may have been stolen, according to the report.

The dataset contained nearly 52,000 files “related to outbound email communications” totaling 2.2 gigabytes, the report said. CERT-EU believes most of those messages were automated and had little or no content, but in some cases bounceback notifications may pose a risk of personal data exposure.

The Commission’s cyber officials became aware of the breach on March 24 when they received notifications about “potential misuse of Amazon APIs, potential account compromise, and an abnormal increase in network traffic,” according to the report.

CERT-EU believes with high confidence that the hackers initially gained access through the Trivy supply chain compromise, which has been attributed to the hacking group TeamPCP. The threat actor also gained “management rights” for the compromised AWS API key, which could have “allowed them to move laterally to other AWS accounts belonging to the European Commission,” the report said, adding that there is currently no sign of such movement.

On March 28, the stolen data turned up on the ShinyHunters’ dark web site. The incident is likely the latest example of cybercriminal organizations working together to make money off of hacks.
ShinyHunters claimed to have stolen “data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material,” according to CERT-EU.

The researchers believe the hack can be attributed to the Trivy compromise because of its timing, the resources that were targeted and the fact that the Commission was “unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.”

TeamPCP is also believed to have been behind the recent LiteLLM cyberattack, which affected Mercor and thousands of other organizations, according to a Mercor spokesperson. The hacking group also has been tied to “worm-driven ransomware, data exfiltration, and cryptomining campaigns,” according to Aqua Security.
Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.