EU Data Breach: Hacking Group Stole 92 GB Data


The European Union’s cybersecurity agency, CERT-EU, stated on April 2 that a recent cyberattack targeting the bloc’s executive arm was carried out by a hacking group known as TeamPCP.

The breach affected the European Commission’s public website platform “europa.eu”, which is hosted on Amazon Web Services (AWS) cloud infrastructure. In a report detailing the incident, CERT-EU stated the attackers extracted approximately 92 gigabytes (GB) of compressed data from a compromised AWS cloud account. The data included names, email addresses and the contents of email communications.

In a recent post, CERT-EU stated, “On March 28, the data extortion group ShinyHunters published the exfiltrated dataset on their dark web leak site, claiming to have stolen ‘data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material’. The published dataset was approximately 91.7 GB compressed (340 GB uncompressed).”

CERT-EU indicated that the breach may have affected at least 29 additional EU entities, as well as dozens of internal Commission clients whose data may also have been accessed. The stolen material was later published online by another hacking group, ShinyHunters.

According to CERT-EU, the breach originated on March 19, when attackers obtained a secret application programming interface (API) key linked to the Commission’s cloud account. The compromise followed an earlier breach involving Trivy, a widely used open-source security scanning tool.

The Commission had accidentally downloaded a compromised version of Trivy after the tool itself was breached. This allowed attackers to capture the secret key and use it to access sensitive data stored in the Commission’s cloud environment.

Emails and data exposure risks

According to CERT-EU, analysis of the leaked material is ongoing. CERT-EU stated, “The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, ‘bounce-back’ notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.”

The agency stated it is in contact with organisations potentially affected by the breach.




