
CERT-EU has attributed a recent cyberattack on the European Commission to a group known as TeamPCP, with stolen data later leaked online by another hacking group, ShinyHunters. The breach exposed personal data and internal communications from the Commission’s cloud systems.
Hackers Accessed AWS Account And Extracted 92GB Of Data
CERT-EU said attackers accessed an Amazon Web Services account used by the Commission and exfiltrated around 92 gigabytes of compressed data. The stolen dataset includes names, email addresses, and email contents.
The breach affected the Commission’s Europa.eu platform, which hosts websites and publications for EU institutions and agencies. CERT-EU said at least 29 other EU entities may be impacted, along with dozens of internal Commission clients.
Two Hacker Groups Linked To Same Incident
The stolen data was later published online by ShinyHunters. CERT-EU’s report identified TeamPCP as responsible for the initial intrusion, which means two separate groups are involved in the same breach.
A member of ShinyHunters told TechCrunch that the group obtained some of the data previously taken by TeamPCP during earlier attacks and then released it publicly. TeamPCP did not respond to requests for comment.
Compromised API Key Enabled Access To Cloud Systems
CERT-EU said the breach began on March 19 when attackers obtained a secret API key linked to the Commission’s AWS account. The compromise followed an earlier breach of Trivy.
The Commission downloaded a compromised version of Trivy after that incident. The infected tool allowed attackers to extract the API key and gain access to the Commission’s cloud environment, where they retrieved stored data.
Email Data And Files Still Under Analysis
CERT-EU said approximately 52,000 of the exposed files contain sent email messages. Most of these emails are automated and contain limited content. However, emails that failed to deliver and were returned with errors may include original user-submitted data, increasing the risk of personal data exposure.
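An added example (not code from CERT-EU or the original article) of how a responder could separate standard bounce reports from ordinary automated mail in such a dataset and flag the bounces that return the full original message. It recognizes only RFC 3464 delivery status notifications; the function name `triage` and both sample messages are constructed for illustration.

```python
import email
from email import policy
# Constructed sample: an RFC 3464 bounce that returns the full original message.
BOUNCE = """\
From: MAILER-DAEMON@example.test
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.test

Final-Recipient: rfc822; jane@example.test
Status: 5.1.1

--b1
Content-Type: message/rfc822

From: noreply@example.test
To: jane@example.test
Subject: Copy of your request

Name: Jane Doe, phone: 555-0100
--b1--
"""
# Constructed sample: an ordinary automated notification.
AUTOMATED = "From: noreply@example.test\nSubject: Received\n\nThank you.\n"

def triage(raw):
    """Classify one message; flag bounces that carry the original content."""
    msg = email.message_from_string(raw, policy=policy.default)
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type") == "delivery-status")
    out = {"bounce": dsn, "embedded_original": False, "failed_recipients": []}
    for part in msg.walk() if dsn else []:
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                rcpt = block.get("Final-Recipient", "")
                if rcpt:
                    out["failed_recipients"].append(rcpt.split(";", 1)[-1].strip())
        elif ctype == "message/rfc822":  # full original returned: review for PII
            out["embedded_original"] = True
    return out
```

Bounces that attach only `text/rfc822-headers`, or that use a non-standard format, are not flagged by this check and need separate review.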
The agency said it is continuing to analyze the leaked data and has contacted affected organizations.
A spokesperson for the European Commission told TechCrunch that the institution is currently closed and will respond to inquiries next week.
TeamPCP Linked To Broader Attack Campaigns
Security firms including Aqua Security and Palo Alto Networks Unit 42 have linked TeamPCP to ransomware operations, crypto-mining campaigns, and supply chain attacks targeting open source projects.
Unit 42 said attackers who target developers holding access credentials can gain entry to sensitive systems and potentially demand ransom payments from compromised organizations.
