The European Union’s cybersecurity agency said Thursday that a recent hack and data breach at the EU’s executive body was the work of a cybercrime group known as TeamPCP.
In a new advisory, CERT-EU also reported that hackers stole approximately 92 gigabytes of compressed data from a compromised Amazon Web Services (AWS) account used by the bloc’s executive, the European Commission. The data included personal information such as names, email addresses and the content of emails.
The breach affected the cloud infrastructure of the Commission’s Europa.eu platform, which member states use to host websites and publications of the bloc’s institutions and organisations.
CERT-EU wrote that the data of at least 29 other EU entities may have been affected, and that dozens of internal clients of the European Commission could also have had their data stolen.
The stolen data was then posted online by another hacking group, the infamous ShinyHunters.
While the scale of the data breach is remarkable in itself, it is unusual for the cyber industry to blame two separate hacker groups for the same incident. A ShinyHunters member told TechCrunch in an online chat that they had stolen some of the data obtained by TeamPCP in earlier attacks and then leaked it.
TeamPCP could not be reached for comment.
CERT-EU said the breach originated on March 19, when hackers obtained a secret API key associated with the European Commission’s AWS account, following an earlier breach of the open source security tool Trivy. The Commission accidentally downloaded a compromised copy of the Trivy tool after the project was recently breached, allowing the hackers to steal its secret API key and use that access to pivot to the data stored in the Commission’s AWS account.
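The chain described above (a tampered copy of a trusted scanner runs inside a build pipeline, finds a long-lived cloud key, and that key is then replayed against the cloud account) is defeated at two points: refusing to run an artifact whose checksum does not match a pinned value, and not leaving cloud credentials in the environment a third-party tool can read. The following is an added illustration of both controls, not code from CERT-EU, the Commission, or the Trivy project; the artifact name, the "trusted build" bytes, the pinned digest and the environment variables are all constructed for the example, and the assumption that the key was exposed through environment variables is mine, since the advisory does not say how it was taken.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the published checksum file of a tool release. In practice
# the digest is taken from the project's release page over a separate channel and
# committed alongside the pipeline definition, so a swapped download cannot also
# swap the value it is checked against.
TRUSTED_BUILD = b"trusted build bytes"          # constructed, stands in for the real binary
PINNED_SHA256 = {
    "example-scanner-0.1.0-linux-amd64": hashlib.sha256(TRUSTED_BUILD).hexdigest(),
}

# Environment variables a scanner has no business reading. Constructed list covering
# the common AWS credential variables; extend for other providers as needed.
SENSITIVE_ENV_PREFIXES = ("AWS_",)
SENSITIVE_ENV_EXACT = {"AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_ACCESS_KEY_ID"}


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str


def verify_artifact(name: str, data: bytes, pins: dict = PINNED_SHA256) -> VerifyResult:
    """Compare a downloaded artifact against its pinned SHA-256 before it is executed.

    An artifact with no pin is rejected rather than trusted by default, and the digest
    comparison is constant-time so the check itself leaks nothing about the pin.
    """
    expected = pins.get(name)
    if expected is None:
        return VerifyResult(False, f"no pinned checksum for {name}; refusing to run unpinned artifact")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(
            False,
            f"checksum mismatch for {name}: expected {expected[:12]}..., got {actual[:12]}...",
        )
    return VerifyResult(True, "checksum matches pin")


def scrubbed_env(env: dict) -> dict:
    """Return a copy of the environment with cloud credential variables removed.

    Passing this to the subprocess that runs the scanner means a tampered build that
    harvests the environment finds no long-lived keys to exfiltrate.
    """
    return {
        k: v
        for k, v in env.items()
        if k not in SENSITIVE_ENV_EXACT and not k.startswith(SENSITIVE_ENV_PREFIXES)
    }


def prepare_scanner_run(name: str, data: bytes, env: dict) -> dict:
    """Gate the run on the checksum and return the environment the scanner may see.

    Raises if verification fails so the pipeline stops instead of executing the tool.
    """
    result = verify_artifact(name, data)
    if not result.ok:
        raise RuntimeError(result.reason)
    return scrubbed_env(env)


if __name__ == "__main__":
    # Constructed inputs: the genuine build, a tampered build, and a CI environment.
    ci_env = {"PATH": "/usr/bin", "AWS_SECRET_ACCESS_KEY": "constructed", "HOME": "/ci"}
    print(prepare_scanner_run("example-scanner-0.1.0-linux-amd64", TRUSTED_BUILD, ci_env))
    try:
        prepare_scanner_run("example-scanner-0.1.0-linux-amd64", TRUSTED_BUILD + b" with backdoor", ci_env)
    except RuntimeError as exc:
        print("blocked:", exc)
```

The pin lookup is keyed by the full artifact name, including version and platform, so upgrading the tool is an explicit change to the manifest rather than something a download step decides on its own; that is the property a compromised upstream release cannot bypass.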
While the agency said it is still analyzing the data posted online, nearly 52,000 of the records contain sent emails. CERT-EU said the majority of these emails are automated with little to no content, but emails returned with an error “may contain the original user-submitted content, putting personal data at risk of exposure.”
CERT-EU said it is already in contact with affected organisations.
A spokesperson for the European Commission told TechCrunch that the body is closed until next week and will respond to a request for comment afterward.
In addition to the Trivy breach, TeamPCP has been linked to ransomware attacks and cryptocurrency mining campaigns, says Aqua Security, which develops Trivy. The hackers have most recently been behind a systematic campaign of supply chain attacks that compromised other open source security projects, according to Palo Alto Networks Unit 42.
By targeting developers with keys to access sensitive systems, the hackers “then have the ability to hold compromised organizations to ransom by demanding extortion payments,” Unit 42 wrote.
This story has been updated to include comments from a ShinyHunters member.
