Europe’s cyber agency links major data breach and leak to hacking gangs

Europe’s cybersecurity agency blames hacking gangs for a massive data breach, raising concerns over data protection, ransomware threats, and digital security.

Apr 6, 2026 - 08:49

The European Union's cybersecurity response team, CERT-EU, has revealed that a recent cyberattack targeting the bloc's executive systems was carried out by a cybercriminal group known as TeamPCP.

In its latest report, CERT-EU stated that attackers extracted approximately 92 gigabytes of compressed data from a compromised Amazon Web Services account used by the European Commission. The stolen data reportedly includes personal information such as names, email addresses, and email contents.

The breach specifically impacted the Commission's Europa.eu infrastructure, a platform used by EU member states to host official websites and institutional publications. According to the findings, at least 29 additional EU entities may have been affected, as well as numerous internal Commission users whose data may also have been accessed.

After the initial breach, the stolen data was published online by another well-known hacking collective, ShinyHunters. The involvement of two separate groups in the same incident makes the case unusual. A member of ShinyHunters reportedly claimed that the group obtained portions of the data from earlier intrusions linked to TeamPCP before publicly releasing it.

CERT-EU traced the attack's origin to March 19, when hackers obtained a confidential API key associated with the European Commission's AWS environment. This access stemmed from an earlier compromise involving Trivy, a widely used security scanning tool. After that compromise, the Commission inadvertently downloaded a compromised version of the software, which enabled the attackers to capture the API key and access its cloud systems.

The attackers then used this access to move laterally within the infrastructure and extract stored data. While investigations are ongoing, CERT-EU noted that nearly 52,000 of the exposed files contain sent email messages. Although many of these messages appear automated and contain minimal information, some bounced emails may include original user-submitted content, raising concerns about potential exposure of personal data.

CERT-EU confirmed that it has already begun contacting organisations that may have been affected by the breach. A spokesperson for the European Commission indicated that an official response would be provided once operations resume after a temporary closure.

Security researchers have linked TeamPCP to previous ransomware incidents and cryptocurrency mining campaigns. According to Aqua Security, which develops Trivy, the group has also been involved in broader supply chain attacks targeting open source tools. Additional analysis from Palo Alto Networks Unit 42 suggests that these campaigns are designed to infiltrate developer environments and obtain credentials that grant access to sensitive systems.

By compromising tools and credentials used across multiple organisations, attackers can gain widespread access and potentially demand ransom payments from affected entities. The incident highlights the growing risks associated with supply chain vulnerabilities and the increasing sophistication of coordinated cyberattacks targeting critical infrastructure and cloud environments.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.