The European Commission (EC) has confirmed that hackers stole over 300GB of data from its AWS environment using an API key compromised in the Trivy supply chain attack.
The incident occurred on March 24 and was initially disclosed on March 27, when the EC warned that cloud infrastructure hosting its resources for the Europa.eu platform had been breached.
Now, CERT-EU reveals that the hack involved an AWS cloud account that is part of the backend for the Europa.eu hosting service, which supports public websites for the EC and other European Union entities.
Hackers gained access to the AWS account using an API key compromised on March 19 in the supply chain attack on Aqua Security’s Trivy vulnerability scanner, carried out by the TeamPCP hacking group.
“The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels,” CERT-EU explains.
Using the compromised AWS key, the attackers created and attached a new access key to a user account and carried out reconnaissance, according to the EU’s cybersecurity team.
“This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS),” CERT-EU says.
Wiz recently explained that TeamPCP wasted no time validating stolen credentials, launching discovery operations, exfiltrating more data, and attempting lateral movement.
“The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities,” CERT-EU notes.
On March 28, the infamous ShinyHunters extortion group added the stolen information to its Tor-based leak site.
The 340GB of uncompressed data includes personal information such as names, email addresses, and usernames, mainly from the EC’s websites. Users across multiple EU entities were likely affected as well, CERT-EU says.
Roughly 2.22GB of the data, or 51,992 files, represents automated notifications, including bounce-back messages containing original user-submitted content, which could include personal information.
“The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time,” CERT-EU notes.
Upon learning of the compromise, the EC revoked the compromised account’s rights, deactivated and rotated the compromised credentials, and notified the relevant data protection bodies. The Commission also confirmed that the incident did not affect its internal systems.
Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign
Related: T-Mobile Sets the Record Straight on Latest Data Breach Filing
Related: 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital
Related: Mercor Hit by LiteLLM Supply Chain Attack
