The European Union's Cybersecurity Service has linked a significant breach of the European Commission's cloud infrastructure to the TeamPCP threat actor group. This intrusion, which originated from a supply-chain attack, resulted in the exposure of sensitive data belonging to the Commission and at least 29 other Union entities.
The European Commission officially acknowledged the cyberattack in late March following inquiries regarding a breach within its Amazon cloud environment. Although the initial unauthorized access occurred on March 10, the Commission's internal security operations did not detect any suspicious activity, such as API misuse or abnormal network traffic, until nearly two weeks later. Once the intrusion was identified, the Commission promptly notified the EU's central cybersecurity authority to begin a formal investigation into the scope of the incident.
The breach was facilitated by a compromised Amazon Web Services API key, which the attackers obtained through a previous supply-chain attack targeting the Trivy security scanner. This key granted the TeamPCP group management rights over multiple accounts, allowing them to infiltrate the executive body's cloud infrastructure. To maintain access and avoid detection, the group utilized specialized tools to locate additional credentials and attached new access keys to existing user profiles, which allowed them to conduct extensive reconnaissance and data exfiltration.
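Two of the behaviours described above leave traces in AWS CloudTrail: a caller attaching a new access key to another user's profile, and a burst of credential-discovery calls from a single access key. The following is an added example, not code from CERT-EU, the Commission or the Trivy project, showing how a defender could flag both in exported CloudTrail records. The records, user names, key IDs and timestamps are constructed sample data; the event names in DISCOVERY_CALLS are standard CloudTrail eventName values for the corresponding AWS APIs, and the ten-minute window and threshold of five calls are arbitrary tuning choices.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for this example (not logs from the
# incident). Field names and nesting follow the CloudTrail record format.
_ATTACKER_KEY = "AKIAEXAMPLEKEY000001"   # constructed key ID
_APP_KEY = "AKIAEXAMPLEKEY000002"        # constructed key ID


def _rec(time, source, name, user, key, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params or {}}


SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # a user rotating its own key: normal administration
    _rec("2000-01-01T08:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
         "ci-scanner", _ATTACKER_KEY, {"userName": "ci-scanner"}),
    # the same caller attaching a key to a different, existing user profile
    _rec("2000-01-01T08:01:00Z", "iam.amazonaws.com", "CreateAccessKey",
         "ci-scanner", _ATTACKER_KEY, {"userName": "deploy-admin"}),
    # credential discovery: listing secrets, then reading six in six minutes
    _rec("2000-01-01T08:02:00Z", "secretsmanager.amazonaws.com", "ListSecrets",
         "ci-scanner", _ATTACKER_KEY),
    *[_rec(f"2000-01-01T08:{3 + i:02d}:00Z", "secretsmanager.amazonaws.com",
           "GetSecretValue", "ci-scanner", _ATTACKER_KEY,
           {"secretId": f"prod/db-{i}"}) for i in range(5)],
    # an application reading the one secret it owns: normal traffic
    _rec("2000-01-02T09:00:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
         "app-user", _APP_KEY, {"secretId": "prod/app-config"}),
]})

# CloudTrail eventName values typical of credential and account enumeration.
DISCOVERY_CALLS = {"ListSecrets", "GetSecretValue", "ListUsers",
                   "ListAccessKeys", "ListRoles", "GetParameter"}


def parse_trail(text):
    """Return the list of records from a CloudTrail JSON export."""
    return json.loads(text)["Records"]


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def cross_user_access_keys(records):
    """CreateAccessKey calls where the caller attached a key to someone else's
    IAM user. Returns (eventTime, caller, target) tuples."""
    hits = []
    for r in records:
        if r["eventSource"] != "iam.amazonaws.com" or r["eventName"] != "CreateAccessKey":
            continue
        caller = r["userIdentity"].get("userName")
        target = r.get("requestParameters", {}).get("userName", caller)
        if target != caller:
            hits.append((r["eventTime"], caller, target))
    return hits


def credential_discovery_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Per access key, the largest number of discovery calls seen inside any
    sliding window; keys at or above the threshold are returned with that peak."""
    per_key = defaultdict(list)
    for r in records:
        if r["eventName"] in DISCOVERY_CALLS:
            per_key[r["userIdentity"].get("accessKeyId")].append(_ts(r))
    alerts = {}
    for key, times in per_key.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:        # drop calls older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_CLOUDTRAIL)
    print("cross-user key creation:", cross_user_access_keys(recs))
    print("discovery bursts:", credential_discovery_bursts(recs))
```

Both detections work on exported records, so they can be run over an S3 trail archive after the fact as well as fed from a streaming pipeline; the cross-user rule in particular is cheap and rarely fires in environments where users only rotate their own keys, which makes it a good candidate for a high-severity alert.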
TeamPCP is a known cybercrime entity with a history of executing supply-chain attacks across major developer platforms like GitHub, PyPI, and Docker. They have previously gained notoriety for compromising popular software packages to distribute malware designed to steal cloud credentials. This latest operation demonstrates their continued focus on exploiting development tools and administrative secrets to move laterally through high-value cloud environments and compromise downstream targets.
Shortly after the intrusion was discovered, the stolen dataset appeared on a dark web leak site associated with the data extortion group ShinyHunters. The leaked information consists of a massive archive containing tens of thousands of files, including internal documents, names, and email communications. This public release of data confirmed the severity of the theft and highlighted the vulnerability of the shared digital infrastructure used by various European organizations.
Following a detailed analysis of the event, cybersecurity experts confirmed that the breach extended far beyond the European Commission's primary accounts. The investigation revealed that the incident impacted dozens of internal clients and numerous other Union entities that utilize the europa.eu web hosting service. This broad impact underscores the interconnected nature of the Union's digital assets and the significant risks posed by sophisticated actors targeting the software supply chain.
Source: https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain