EU cybersecurity agency attributes major data breach to TeamPCP hacking group

The European Union’s cybersecurity agency, CERT-EU, has attributed a significant data breach at the bloc’s executive body to the cybercriminal group known as TeamPCP. In a report published on Thursday, the agency confirmed that approximately 92 gigabytes of compressed data were stolen from a compromised Amazon Web Services (AWS) account used by the European Commission.

The breach, which affected the Commission's Europa.eu cloud platform, included personal data such as names, email addresses, and the contents of emails. CERT-EU stated that the data of at least 29 other EU entities may have been compromised, with dozens of internal Commission clients potentially affected.

Supply Chain Attack Vector

The incident originated on 19 March when hackers acquired a secret API key linked to the Commission's AWS account. This followed an earlier compromise of the open-source security tool Trivy. The European Commission inadvertently downloaded a compromised version of Trivy, allowing the attackers to steal the API key and pivot to access data stored in the AWS account.

Aqua Security, the developer of Trivy, links TeamPCP to previous ransomware attacks and crypto-mining campaigns. According to Palo Alto Networks Unit 42, the group has recently conducted a systematic campaign of supply chain attacks targeting other open-source security projects.

Subsequent Leak by ShinyHunters

The stolen data was subsequently posted online by a separate, notorious hacking group, ShinyHunters. CERT-EU's analysis indicates that close to 52,000 of the published files contain sent email messages.

While the agency noted that the majority are automated emails with minimal content, it warned that bounced messages with delivery errors "may contain the original user-submitted content, posing a risk of personal data exposure."

Growing Trend of Criminal Collaboration

This incident highlights an emerging trend of cybercriminal groups collaborating to extort victims. By first breaching systems and then leaking the stolen data, they increase pressure for ransom payments. Unit 42 analysts explained that by targeting developers with access to sensitive systems, hackers "then have the ability to hold compromised organizations for ransom."

CERT-EU confirmed it is already in contact with the affected organisations. A spokesperson for the European Commission told TechCrunch that the institution is closed until next week and would respond to requests for comment then. A member of the ShinyHunters group did not respond to requests for comment.