The European Union’s cybersecurity agency announced Thursday that a recent cyberattack and data breach at the EU’s executive body were orchestrated by a cybercriminal group known as TeamPCP.
In a new report, CERT-EU disclosed that the hackers extracted approximately 92 gigabytes of compressed data from a compromised Amazon Web Services account used by the European Commission. The data included personal information such as names, email addresses, and email contents.
The breach affected the cloud infrastructure behind the Commission’s Europa.eu platform, which member states use to host websites and institutional publications. CERT-EU said data from at least 29 other EU entities might also be compromised, potentially affecting numerous internal European Commission clients.
The stolen data was subsequently published online by a second hacking group, ShinyHunters. That one group carried out the intrusion and another leaked the data underscores a growing pattern of cybercriminal crews working together to exploit victims.
CERT-EU said the breach began on March 19, when the hackers obtained a secret API key linked to the European Commission’s AWS account after the open source security scanner Trivy was itself compromised in a supply chain attack. The Commission unknowingly downloaded the tampered tool, which gave the attackers the API key and, with it, access to data in the Commission’s AWS account.
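The defensive check this incident points at is a pipeline that refuses to run a downloaded tool build whose bytes do not match a digest committed in source control. The following is an added example, not CERT-EU’s, Aqua Security’s or the Commission’s code, and not a description of how the Trivy compromise actually worked: the artifact name, the tarball bytes, the "tampered" copy and the pin file are all constructed here so the script runs offline.

```python
"""Verify a downloaded release artifact against a digest pinned in source control.

Added example with constructed inputs: the artifact bytes, artifact name and
pin file below are made up for illustration. No network access and no real
Trivy release is involved.
"""
import hashlib
import hmac
from typing import Callable, Dict


class ArtifactRejected(Exception):
    """Raised when a downloaded artifact must not be executed."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pin_file(text: str) -> Dict[str, str]:
    """Parse 'sha256  filename' lines (the same shape `sha256sum -c` reads).

    Blank lines and '#' comments are ignored; any other malformed line raises
    so a half-edited pin file cannot quietly disable the check.
    """
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"pin file line {lineno} is malformed: {raw!r}")
        digest, name = parts
        pins[name] = digest.lower()
    return pins


def verify_artifact(name: str, data: bytes, pins: Dict[str, str]) -> str:
    """Return the hex digest if `data` matches the pin for `name`, else raise.

    An artifact with no pin is rejected as well: a pipeline that silently
    accepts unpinned downloads runs whatever the upstream serves that day,
    which is exactly the exposure a swapped-out release exploits.
    """
    expected = pins.get(name)
    if expected is None:
        raise ArtifactRejected(f"{name}: no pinned digest, refusing to run it")
    actual = sha256_hex(data)
    # compare_digest avoids a timing side channel on the comparison itself.
    if not hmac.compare_digest(actual, expected):
        raise ArtifactRejected(f"{name}: digest {actual} does not match pinned {expected}")
    return actual


def fetch_and_verify(name: str, fetch: Callable[[str], bytes], pins: Dict[str, str]) -> bytes:
    """Download through an injected fetcher, verify, and only then return the bytes."""
    data = fetch(name)
    verify_artifact(name, data, pins)
    return data


# Constructed stand-ins for a genuine release tarball and a tampered copy of it.
ARTIFACT_NAME = "trivy_example_Linux-64bit.tar.gz"  # hypothetical file name
GOOD_ARTIFACT = b"PK\x03\x04 release bytes (constructed for this example)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# bytes appended by a hypothetical compromised release"

# The pin file a team would commit next to its CI config and update only on a
# reviewed version bump. Built here from the "good" bytes so the example is self-contained.
PIN_FILE = f"# reviewed on release bump\n{sha256_hex(GOOD_ARTIFACT)}  {ARTIFACT_NAME}\n"
PINS = parse_pin_file(PIN_FILE)


def demo() -> Dict[str, bool]:
    """Exercise the check: genuine artifact passes, tampered and unpinned ones are refused."""
    results: Dict[str, bool] = {}
    results["good_accepted"] = fetch_and_verify(
        ARTIFACT_NAME, lambda _name: GOOD_ARTIFACT, PINS) == GOOD_ARTIFACT
    try:
        fetch_and_verify(ARTIFACT_NAME, lambda _name: TAMPERED_ARTIFACT, PINS)
        results["tampered_rejected"] = False
    except ArtifactRejected:
        results["tampered_rejected"] = True
    try:
        verify_artifact("unpinned_tool.tar.gz", GOOD_ARTIFACT, PINS)
        results["unpinned_rejected"] = False
    except ArtifactRejected:
        results["unpinned_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of pinning the digest rather than a version tag or a "latest" URL is that a tag is mutable: whoever controls the release channel can put new bytes behind the same name, and a version-only check will happily accept them. The digest changes only when someone on the team reviews a version bump and commits the new value.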
While analyzing the published data, the agency found that close to 52,000 files contain sent email messages. Most are automated notifications with little content, but bounced messages that carry delivery errors can include the original user-submitted text, which poses a risk of personal data exposure.
CERT-EU is in contact with affected organizations.
A European Commission spokesperson informed TechCrunch that the body is on break until next week and will provide a comment then. A representative from ShinyHunters did not respond to requests for comment.
According to Aqua Security, which created Trivy, TeamPCP has been linked to ransomware and crypto-mining. Palo Alto Networks Unit 42 reports that the group has recently engaged in supply chain attacks on other open source security projects. By targeting developers who hold keys to sensitive systems, the hackers can demand extortion payments from compromised organizations.
