Major EU Data Breach: How Hacking Gangs TeamPCP and ShinyHunters Compromised Commission’s Cloud
The European Union’s cybersecurity landscape has been rocked by a significant incident. In a detailed report, the EU’s Computer Emergency Response Team (CERT-EU) has formally attributed a massive data breach affecting the bloc’s executive body to coordinated actions by two distinct cybercriminal groups. This EU data breach underscores a growing trend of sophisticated, multi-stage attacks targeting critical infrastructure.
The Anatomy of the Attack: A Two-Gang Operation
According to the agency’s findings, the incident was not the work of a single entity. Instead, it involved a chain of events initiated by one group and capitalized on by another. The initial intrusion is credited to a group known as TeamPCP. This group managed to compromise a critical Amazon Web Services (AWS) account used by the European Commission. From this account, they exfiltrated approximately 92 gigabytes of compressed data.
This stolen data, which included sensitive personal information such as names, email addresses, and the contents of emails, was later published online. However, the publication was carried out by a separate, notorious entity: the ShinyHunters hacking group. This dual attribution for a single breach event is a notable development in cyber threat analysis, highlighting complex digital crime ecosystems. A member of ShinyHunters later claimed they had obtained and leaked data that TeamPCP had stolen in earlier operations.
Exploiting the Supply Chain: The Trivy Tool Compromise
So, how did the attackers gain their initial foothold? The breach traces back to March 19. CERT-EU’s investigation reveals that hackers first targeted an open-source security tool named Trivy. Following a compromise of the Trivy project itself, the European Commission inadvertently downloaded a tainted version of this very tool meant to protect its systems.
This compromised tool contained malicious code that allowed TeamPCP to steal a secret API key. Possession of this key was the master stroke. It granted the attackers direct access to the Commission’s AWS cloud infrastructure, specifically the Europa.eu platform used to host official websites and publications. Consequently, they could pivot freely within the system to locate and steal vast amounts of data. For more on securing development tools, read our guide on open-source security best practices.
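The attack path above (a stolen access key, then bulk reads from cloud storage) is one that defenders can look for in CloudTrail; the routine below is an added example, not code from CERT-EU, the Commission, or the Trivy project, and the baseline, key ID and events in it are constructed sample data. It flags a key used from an address outside its known baseline and counts how many objects were pulled from there.

```python
"""Added example, not from the article or CERT-EU: flag an AWS access key being
used from a source outside its known baseline and pulling many objects, the
pattern the article describes once a key stolen via a tainted tool reaches S3.
All events and addresses below are constructed sample data, not real logs."""
from collections import defaultdict

# Constructed baseline: where each key is legitimately used from (e.g. a CI runner).
BASELINE = {"AKIAEXAMPLECIRUNNER1": {"198.51.100.7"}}

# Constructed CloudTrail-style records (subset of the real record's fields).
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECIRUNNER1"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECIRUNNER1"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECIRUNNER1"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECIRUNNER1"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECIRUNNER1"}},
]

def find_suspicious_key_use(events, baseline, bulk_threshold=3):
    """Return {access_key: {"new_ips": [...], "bulk_reads": n, "bulk": bool}}
    for keys seen from an address outside their baseline; bulk_reads counts
    GetObject calls from those addresses, bulk is set at bulk_threshold."""
    reads = defaultdict(int)         # (key, ip) -> GetObject count
    new_ips = defaultdict(set)       # key -> unfamiliar source addresses
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or not ip:
            continue                 # malformed record: skip it, keep sweeping
        if ip not in baseline.get(key, set()):
            new_ips[key].add(ip)
            if ev.get("eventName") == "GetObject":
                reads[(key, ip)] += 1
    findings = {}
    for key, ips in new_ips.items():
        total = sum(reads[(key, ip)] for ip in ips)
        findings[key] = {"new_ips": sorted(ips), "bulk_reads": total,
                         "bulk": total >= bulk_threshold}
    return findings

if __name__ == "__main__":
    for key, f in find_suspicious_key_use(SAMPLE_EVENTS, BASELINE).items():
        print(f"{key}: unfamiliar sources {f['new_ips']}, "
              f"{f['bulk_reads']} object reads, bulk={f['bulk']}")
```

On real data, feed it parsed CloudTrail records and a baseline built from the addresses and runners each key is expected to be used from; a hit on a key that should only ever be used by a build pipeline is the signal worth paging on.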
The Scope and Impact of the Data Exposure
The ramifications of this EU data breach are extensive. The 92GB cache of data is just the starting point. CERT-EU warns that the breach potentially affects the cloud infrastructure of at least 29 other EU entities. Dozens of internal European Commission clients may also have had their data stolen.
Within the published data, analysts found close to 52,000 files containing sent email messages. While many of these are automated system emails with little sensitive content, a significant risk remains. Emails that bounced back with delivery errors likely contain the original user-submitted content in full. This poses a direct and serious risk of personal data exposure for countless individuals who interacted with EU institutions.
A Pattern of Malicious Activity
This incident is not an isolated event for the involved groups. Security researchers, including Aqua Security (the developer of Trivy) and Palo Alto Networks Unit 42, have linked TeamPCP to a broader campaign of supply chain attacks. Their modus operandi involves compromising open-source security projects to gain access to the developers and organizations that use them.
By stealing credentials and API keys from developers, these hackers gain keys to far more sensitive systems. As Unit 42 noted, this access provides them “the ability to hold compromised organizations for ransom, demanding extortion payments,” linking their activities to ransomware and crypto-mining campaigns. Understanding these supply chain threats is crucial for modern defense.
Response and Ongoing Analysis
In the wake of the breach, what is being done? CERT-EU has confirmed it is actively engaged with all affected organizations to manage the fallout and bolster defenses. The agency continues to analyze the full dataset that was leaked online to understand the complete scope of the exposure.
Meanwhile, a spokesperson for the European Commission stated the body was closed at the time of the report and would provide further comment later. This incident serves as a stark reminder of the vulnerabilities inherent in complex digital supply chains, where a single compromised tool can cascade into a continent-scale data disaster.
Ultimately, this breach illustrates a critical evolution in cyber threats. It’s no longer just about breaking in; it’s about manipulating the very tools of defense to enable the theft. For EU institutions and organizations worldwide, the lesson is clear: vigilance must extend beyond perimeter security to encompass every link in the software development and deployment chain.