Massive Data Breach Hits European Commission: Cybercriminal Groups TeamPCP and ShinyHunters Implicated
In a significant cybersecurity incident, CERT-EU, the computer emergency response team for the EU institutions, bodies and agencies, has attributed a recent hack and data breach targeting the European Commission to the cybercriminal group TeamPCP. The breach resulted in the theft of approximately 92 gigabytes of compressed data from a compromised Amazon Web Services (AWS) account used by the Commission. The stolen data includes personal information such as names, email addresses, and the contents of emails.
The breach specifically affected the cloud infrastructure behind the Commission's Europa.eu platform, which hosts websites and publications for the bloc's institutions and agencies. CERT-EU has indicated that data belonging to at least 29 other EU entities may also be affected, and that numerous internal European Commission clients of the platform may have had their data compromised.
Following the initial theft, the notorious hacking group ShinyHunters published the stolen data online. The sequence is unusual in that two separate groups appear in the same incident, one stealing the data and another leaking it. A member of ShinyHunters told TechCrunch that they had obtained some of the data previously exfiltrated by TeamPCP in earlier attacks and subsequently leaked it. Attempts to reach TeamPCP for comment have been unsuccessful.
CERT-EU's investigation found that the breach began on March 19, when the attackers obtained a secret API key (an AWS access key) for the European Commission's AWS account. This was made possible by an earlier compromise of Trivy, an open-source vulnerability scanner. The Commission inadvertently downloaded a compromised version of Trivy; because a scanner of this kind typically runs inside build pipelines where cloud credentials are present, the trojaned build could read the key and the attackers then used it to access data stored in the Commission's AWS account.
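The failure mode described above, a pipeline running whatever build of a scanner it last downloaded, is the one a pinned-digest check is meant to stop. The script below is an added example written for this article; it is not code from CERT-EU, the Commission, Aqua Security or the Trivy project, and it assumes a hypothetical reviewed lockfile of expected SHA-256 digests (PINNED) stored in the repository rather than fetched from the same place as the binary. The "good" and "tampered" artifacts are constructed inline so the check runs offline.

```python
"""Verify a downloaded scanner binary against a pinned digest before it is allowed to run.

Added example for illustration; not the project's or the incident responders' own code.
Assumptions: the CI job keeps a reviewed digest lockfile (PINNED below) under version
control, and the download step has no cloud credentials in its environment.
"""
import hashlib
import hmac
import os
import re
import stat
import tempfile

# Hypothetical lockfile: release name -> expected SHA-256 of the release asset.
# The digest is recorded by a reviewer at upgrade time and committed with the
# pipeline, so a later replacement of the asset upstream no longer matches.
PINNED = {
    # "scanner-vX.Y.Z-linux-amd64": "<sha256 recorded at review time>",
}


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large release archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifact(path, expected_hex):
    """True only if the on-disk digest equals the pinned one (case-insensitive hex)."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_hex.lower())


def is_immutable_ref(ref):
    """A full 40-hex commit SHA cannot be moved by whoever controls the repo; a tag or branch can."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def stage_and_check(path, expected_hex):
    """Make the binary executable only after the digest matches; delete it otherwise."""
    if not verify_artifact(path, expected_hex):
        os.remove(path)
        return False
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return True


def demo():
    """Constructed sample: the 'good' bytes stand in for the reviewed release, and the
    'tampered' copy is the same artifact with its contents altered, as a replaced
    release asset or a moved tag would be. Returns which copies passed."""
    good = b"#!/bin/sh\necho scanning\n"
    tampered = good.replace(b"scanning", b"scanning quietly")
    pinned = hashlib.sha256(good).hexdigest()  # what the reviewer would have committed
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good", good), ("tampered", tampered)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = stage_and_check(p, pinned)
            results[name + "_still_on_disk"] = os.path.exists(p)
    return results


if __name__ == "__main__":
    print(demo())
    print("tag v1.2.3 immutable?", is_immutable_ref("v1.2.3"))
```

The two checks address different halves of the problem: the digest check catches a replaced release asset, and the immutable-ref check catches the case where a pipeline pulls a tool by a tag that the publisher (or whoever has taken over the publisher's account) can repoint. Neither helps if the credentials the scanner can read are broader than the step needs, so the download and scan steps should run with no cloud keys in their environment at all.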
Preliminary analysis of the published data indicates that nearly 52,000 files contain sent email messages. The majority are automated notifications with little content, but CERT-EU warns that messages that bounced back with delivery errors may carry the original user-submitted content, so the personal-data exposure is concentrated in that subset. CERT-EU is actively communicating with affected organizations to mitigate the impact of the breach.
A spokesperson for the European Commission informed TechCrunch that the body is currently closed until next week and will respond to requests for comment then.
Beyond the Trivy compromise, TeamPCP has been linked to ransomware attacks and crypto-mining campaigns, according to Aqua Security, the developers of Trivy. More recently, the group has been implicated in systematic supply chain attacks on other open-source security projects, as reported by Palo Alto Networks' Unit 42. By targeting developers and tooling with access to sensitive systems, the attackers gain a foothold in each downstream organization, which they can then extort.
This incident underscores the growing threat posed by sophisticated cybercriminal groups targeting critical infrastructure and sensitive data, and it shows how a single trojaned build tool can expose every credential the pipeline running it can reach. The practical lessons are the usual supply-chain ones: pin tools to verified releases rather than floating versions, keep cloud credentials out of steps that do not need them, and treat a compromised build environment as a reason to rotate every key it could have seen.