European Commission breach exposed data of 30 EU entities, CERT-EU says

CERT-EU says a European Commission cloud hack exposed data from 30 EU entities and links the breach to the TeamPCP group.

CERT-EU attributed a European Commission cloud breach to the TeamPCP threat group, revealing that data from at least 30 EU entities was exposed. The incident was publicly disclosed on March 27 after inquiries confirmed that the Commission’s Amazon cloud environment had been compromised.

On March 24, the European Commission detected a cyberattack affecting the cloud infrastructure hosting its Europa.eu websites. The incident was quickly contained, with mitigation measures applied and no disruption to website availability. Early findings suggested some data may have been accessed, and potentially affected EU entities are being notified. The Commission alerted CERT-EU two days before disclosure, noting no signs of compromise until March 24, five days after the initial breach.

“Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident.” reads the press release published by the European Commission. “The Commission’s services are still investigating the full impact of the incident.  “

The EU has launched an investigation into the security breach to determine its full impact. However, the Commission initially pointed out that its internal systems were not affected, limiting the overall impact of the attack.

The Commission said its internal systems were not affected and will continue monitoring the situation while strengthening protections. It announced it will improve cybersecurity, as the EU faces ongoing cyber and hybrid threats targeting critical services and institutions.

BleepingComputer first reported the incident, claiming that threat actors breached the European Commission’s AWS account, stealing hundreds of gigabytes of data, including databases, and providing screenshots as proof.

“On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise, and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day.

An investigation uncovered that a malicious actor acquired an Amazon Web Services (AWS) secret (an API key) on March 19 through the Trivy supply chain compromise. This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS). STS is an AWS service that generates short-lived security credentials for accessing AWS resources and verifying identities.” reported CERT-EU. “The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities.”

TeamPCP reportedly accessed the EU’s AWS environment on March 10 using a stolen API key from the Trivy supply-chain attack.

They then used tools like TruffleHog to find more credentials, created new access keys to stay hidden, and carried out reconnaissance and data theft. TeamPCP is also linked to supply-chain attacks on platforms like GitHub, PyPI, NPM, and Docker, including a compromised LiteLLM package used to spread data-stealing malware.

“The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security. The firm has provided comprehensive details on this compromise in its advisory.” continues CERT-EU.

“This assessment is based on three main factors:

• The timing of the Trivy supply-chain compromise coincides with the observed initial compromise on March 19.
• The specific resources being targeted: AWS credentials and cloud infrastructure.
• The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.”

On March 28, the ShinyHunters group published 350GB of stolen from the European Commission, containing emails, names, and usernames, dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material.

CERT-EU confirmed tens of thousands of files were taken, affecting up to 71 Europa web hosting clients, including 42 Commission entities and at least 29 other EU bodies, using a compromised AWS credential.

“The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment.” added CERT-EU. “The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities.”

Analysis shows the leaked dataset includes personal data such as names, usernames, and email addresses, mainly from European Commission websites but possibly affecting multiple EU entities. It also contains over 51,000 outbound email files, mostly automated, though some bounce-back messages may expose user-submitted content, increasing the risk of data exposure.

“The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time.” concludes CERT-EU.

Summarizing, a compromised AWS account tied to the europa.eu hosting service exposed data from 42 European Commission clients and at least 29 other EU entities. Despite the breach, no websites were disrupted or altered. The Commission has notified affected parties and, with CERT-EU, continues investigating and will share further findings as they emerge.

On 30 January, the European Commission detected another cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours.

Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT-EU)