
Cyber attack on European Commission impacted 30 EU agencies: CERT-EU

A major cyber attack on the website of the European Commission in March compromised data pertaining to at least 30 European Union entities, CERT-EU said in a press release.

 

The Brussels-based cybersecurity agency said a hacker group called TeamPCP used a compromised Amazon Web Services account to gain access to the European Commission’s website in March and exfiltrate more than 340 gigabytes of uncompressed data, including personal data such as names, email addresses, and email content.

 

The cyber attack began with a Trivy supply chain compromise, which the threat actor used to gain access to AWS accounts affiliated with the European Commission. In that supply chain attack, threat actors compromised the GitHub Actions used to run Aqua Security’s Trivy vulnerability scanner, which organisations worldwide use to secure their code.

 

The attack chain turns the vulnerability scanner into a threat itself. Threat actors can use the scanner to deliver malicious infostealer code into vulnerable networks to steal credentials and data. According to CERT-EU, TeamPCP actors used the supply chain attack to steal an Amazon Web Services API key and used it to control other AWS accounts affiliated with the European Commission. 

 

On 19th March, the threat group attempted to gain access to additional secrets by launching TruffleHog, a tool that scans for secrets and validates AWS credentials through the Security Token Service (STS). STS is an AWS service that generates short-lived security credentials for accessing AWS resources and verifying identities.

 

CERT-EU said the hacker group used the compromised API key to exfiltrate data associated with the European Commission, at least 29 other Union entities, and up to 71 clients of the Europa web hosting service.

 

On 28th March, the ShinyHunters extortion group published the stolen dataset on a dark web site, stating that the dataset included information taken from mail servers, databases, confidential documents, and contracts. The size of the stolen dataset was approximately 340 gigabytes.

 

"Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities," CERT-EU said.

 

"The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, “bounce-back” notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure."

 

Upon discovering the unauthorised activity on 24th March, the European Commission quickly secured the compromised AWS API key, disabled newly created access keys, and sent breach notifications to the Data Protection Controller and the data protection officers of affected Union entities.
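
A defender-side hunt for the activity described above, added here as an example (it is not code from CERT-EU or from the original article): it reads CloudTrail records, finds access keys that were validated through STS `GetCallerIdentity` by a scanner-style client, and lists the access keys those callers created afterwards so they can be disabled. The sample records, key IDs, IP addresses and the `trufflehog` user-agent marker are constructed assumptions.

```python
from collections import defaultdict

# Constructed CloudTrail records for illustration; key IDs, IPs and times are placeholders.
A, B, C = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002", "AKIAEXAMPLEKEY000003"
SAMPLE_EVENTS = [
    {"eventTime": "2001-01-01T10:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": A}},
    {"eventTime": "2001-01-01T10:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userAgent": "python-requests/2.31",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": A},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW000001"}}},
    {"eventTime": "2001-01-01T10:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": A}, "responseElements": None},
    {"eventTime": "2001-01-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": B}},
    {"eventTime": "2001-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"accessKeyId": C},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW000002"}}},
]

def hunt(events, scanner_markers=("trufflehog",)):
    """Map each scanner-validated access key to its probes and the keys it then created."""
    probes = defaultdict(list)   # caller key -> (time, source IP) of STS validation calls
    minted = defaultdict(list)   # caller key -> new access key IDs created after a probe
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if not key:
            continue
        call = (ev.get("eventSource"), ev.get("eventName"))
        agent = (ev.get("userAgent") or "").lower()
        if call == ("sts.amazonaws.com", "GetCallerIdentity"):
            # The marker is an assumption; tune it to the user agents seen in your own logs.
            if any(m in agent for m in scanner_markers):
                probes[key].append((ev.get("eventTime"), ev.get("sourceIPAddress")))
        elif call == ("iam.amazonaws.com", "CreateAccessKey") and not ev.get("errorCode"):
            # Failed calls carry an errorCode and no responseElements, so they are skipped.
            new = ((ev.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if new and key in probes:
                minted[key].append(new)
    return {k: {"probes": probes[k], "new_keys": minted.get(k, [])} for k in probes}

if __name__ == "__main__":
    for caller, finding in hunt(SAMPLE_EVENTS).items():
        print(caller, "validated from", finding["probes"], "then created", finding["new_keys"])
```

Keys returned under `new_keys` are the candidates for immediate deactivation alongside the probed key itself.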



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543