The European Commission recently suffered a cloud security breach attributed to the threat group TeamPCP, resulting in the exposure of data from 30 different EU entities. The incident was confirmed following a compromise of the Commission’s Amazon Web Services environment, which was first detected in late March.
The European Commission identified a cyberattack on March 24 targeting the cloud infrastructure used for its Europa.eu websites. Although the Commission managed to contain the incident without disrupting web services, subsequent investigations revealed that the breach actually began on March 19. The attackers gained initial access by exploiting a supply chain compromise involving Trivy, which allowed them to acquire a secret API key. This key provided a foothold that the actors used to pivot into other cloud accounts associated with the European institutions.
Once inside the environment, the threat actors utilized specialized tools like TruffleHog to scan for additional credentials and validate their access through the Amazon Security Token Service. To maintain persistence and avoid detection by security operations teams, the group created new access keys and attached them to existing user profiles. This allowed them to conduct extensive reconnaissance and move laterally through the cloud architecture. Reports indicate that hundreds of gigabytes of data, including various databases, were successfully exfiltrated during the period the attackers remained undetected.
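The persistence pattern described above (new access keys attached to existing users, then validated through the Security Token Service) leaves a trace in CloudTrail. The following detection sketch is an added example, not code from the Commission or CERT-EU; the event records are constructed, and the helper names `_ev` and `find_suspicious` are hypothetical.

```python
# Constructed CloudTrail-style records (not incident data). Field names
# (eventSource, eventName, userIdentity, requestParameters, responseElements)
# follow the CloudTrail record schema.
def _ev(time, source, name, user, key, params=None, resp=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params, "responseElements": resp}

SAMPLE_EVENTS = [
    _ev("2026-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
        "ci-scanner", "AKIAEXAMPLE0000000001"),
    _ev("2026-01-01T10:05:00Z", "iam.amazonaws.com", "CreateAccessKey",
        "ci-scanner", "AKIAEXAMPLE0000000001", {"userName": "web-deploy"},
        {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000002"}}),
    _ev("2026-01-01T10:06:00Z", "sts.amazonaws.com", "GetCallerIdentity",
        "web-deploy", "AKIAEXAMPLE0000000002"),
    # A user rotating their own key: requestParameters carries no userName.
    _ev("2026-01-01T11:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
        "alice", "AKIAEXAMPLE0000000009", None,
        {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000003"}}),
]

def find_suspicious(events):
    """Flag keys created for a different user, and STS validation of fresh keys."""
    findings = []
    new_keys = {}  # accessKeyId -> user the key was attached to
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity") or {}
        caller = ident.get("userName") or ident.get("arn", "unknown")
        source, name = ev.get("eventSource"), ev.get("eventName")
        if source == "iam.amazonaws.com" and name == "CreateAccessKey" and not ev.get("errorCode"):
            # With no userName in the request, IAM creates the key for the caller.
            target = (ev.get("requestParameters") or {}).get("userName") or caller
            key_id = ((ev.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if key_id:
                new_keys[key_id] = target
            if target != caller:
                findings.append(("cross_user_key", ev["eventTime"], caller, target))
        elif source == "sts.amazonaws.com" and name == "GetCallerIdentity":
            key_id = ident.get("accessKeyId")
            if key_id in new_keys:
                findings.append(("new_key_validated", ev["eventTime"], key_id, new_keys[key_id]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Legitimate automation also creates keys for other users, so the cross-user finding is best tuned against an allowlist of known provisioning identities.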
While the Commission has emphasized that its internal systems remained secure and unaffected, the breach had a significant reach across the broader EU ecosystem. At least 30 separate entities are believed to have had their data compromised, prompting a formal notification process to inform those impacted. Security researchers have linked the specific techniques used in this attack to TeamPCP, a group known for conducting sophisticated supply chain attacks across major platforms such as GitHub, PyPI, and Docker to distribute data-stealing malware.
In response to the discovery, the Commission and CERT-EU have launched a comprehensive investigation to determine the total volume of stolen information and identify all affected parties. The Commission has committed to strengthening its cloud protections and monitoring capabilities as a direct result of the incident. This breach highlights the growing vulnerability of institutional cloud environments to supply chain exploits, where a single compromised third-party tool can grant unauthorized access to vast networks of sensitive data.
The incident serves as a stark reminder of the persistent hybrid threats facing European institutions and critical services. By publicly attributing the attack to TeamPCP and sharing the technical details of the AWS compromise, CERT-EU aims to help other organizations recognize similar patterns of malicious activity. Moving forward, the European Union plans to implement more rigorous cybersecurity standards to protect its digital infrastructure from the evolving tactics of professional threat groups and supply chain vulnerabilities.
Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_26_748


