The European Internet Agency blames hacking gangs for large-scale data breaches and leaks

The European Union’s cybersecurity agency said Thursday that a recent hack and data breach at the European Union’s executive body was the work of a cybercriminal group known as TeamPCP.

In a new report, CERT-EU also reported that hackers stole around 92 GB of compressed data from a compromised Amazon Web Services (AWS) account used by the European Commission, which included personal data containing names, email addresses and the contents of emails.

The hack affected the cloud infrastructure of the Commission’s Europe.eu platform, which member states use to host websites and publications of the bloc’s institutions and agencies.

CERT-EU wrote that the data of at least 29 other EU entities may have been affected, and that dozens of internal European Commission agents may have been stolen as well.

The stolen data was then posted online by another hacking group, the notorious ShinyHunters.

While the scale of the data breach is notable in itself, the hack and subsequent leak of European Commission data by two separate hacking groups highlights the growing trend of cybercriminals working together to extort their victims.

The breach arose on March 19 when hackers obtained a secret API key linked to the European Commission’s AWS account, following a previous breach targeting the open source security tool Trivy, CERT-EU said. The Commission inadvertently downloaded a copy of the compromised Trivy tool after the project’s recent hack, allowing hackers to steal its secret API key and use that access to the hub to obtain data stored in the Commission’s AWS account.

While the service said it was still analyzing data posted online, nearly 52,000 files contained emails sent. The majority of these emails are automated with little or no content, but emails that bounced with an error “may contain the original content provided by the user, posing a risk of personal data disclosure,” CERT-EU said.

CERT-EU said it was already in contact with affected organizations.

A European Commission spokesperson told TechCrunch that the body is closed until next week, and will respond to a request for comment after that.

A ShinyHunters member did not respond to requests for comment.

Besides the Trivy hack, TeamPCP has been linked to ransomware attacks and cryptocurrency mining campaigns, says Aqua Security, which develops Trivy. Hackers were recently behind an organized campaign of supply chain attacks that threatens other open source security projects, according to Palo Alto Networks Unit 42.

By targeting developers with access keys to sensitive systems, hackers “then have the ability to hold compromised organizations for ransom and demand extortionate payments,” Unit 42 wrote.