Full Report
The European Union's Cybersecurity Service (CERT-EU) has attributed the European Commission cloud hack to the TeamPCP threat group, saying the resulting breach exposed the data of at least 29 other Union entities. [...]
Analysis Summary
# Incident Report: European Commission Cloud Environment Compromise
## Executive Summary
The European Commission’s Amazon Web Services (AWS) cloud environment was breached by the **TeamPCP** threat group, leading to the exfiltration of approximately 90GB of data. The incident, which originated from a supply-chain attack on the Trivy vulnerability scanner, impacted 42 internal Commission clients and at least 29 other European Union entities. The stolen data, including personal information and email communications, was subsequently leaked on the dark web by the **ShinyHunters** extortion group.
## Incident Details
- **Discovery Date:** March 24, 2026
- **Incident Date:** March 10, 2026 – March 24, 2026
- **Affected Organization:** European Commission (and 29+ other EU entities)
- **Sector:** Government / Public Sector
- **Geography:** European Union
## Timeline of Events
### Initial Access
- **Date/Time:** March 10, 2026
- **Vector:** Supply-chain compromise (Trivy vulnerability scanner).
- **Details:** TeamPCP used a compromised AWS API key with management rights, stolen in an earlier supply-chain attack involving GitHub Actions and the Trivy scanner.
### Lateral Movement
- **Reconnaissance:** The attackers used the tool **TruffleHog** within the cloud environment to scan for and validate additional secrets and credentials.
- **Persistence/Stealth:** Attackers attached a newly created access key to an existing user account to maintain access while evading detection.
### Data Exfiltration/Impact
- **Detailed Impact:** Exfiltration of 90GB (340GB uncompressed) of data, including 51,992 files related to outbound email communications and databases containing usernames and email addresses.
- **Leak Date:** March 28, 2026; the dataset was published on the ShinyHunters dark web leak site.
### Detection & Response
- **How it was discovered:** Detected by the Cybersecurity Operations Center on March 24, five days after the intrusion was fully established.
- **Response actions taken:** Notification to CERT-EU on March 25; public disclosure on March 27; notification of data protection authorities and impacted Union entities.
## Attack Methodology
- **Initial Access:** Stolen AWS API keys via supply-chain attack (Trivy).
- **Persistence:** Created and attached new access keys to existing legitimate users.
- **Privilege Escalation:** Exploited management rights associated with the initial stolen API key.
- **Defense Evasion:** Used legitimate management accounts to mask activity; no initial alerts triggered by API misuse.
- **Credential Access:** Used **TruffleHog** to discover further secrets/keys in the environment.
- **Discovery:** Cloud-based reconnaissance of AWS accounts and web hosting services.
- **Lateral Movement:** Limited to the Europa web hosting cloud environment; no movement to other Commission AWS accounts noted.
- **Collection:** Gathering of databases and email notification archives.
- **Exfiltration:** Standard cloud data egress.
- **Impact:** Data breach and extortion via ShinyHunters.
## Impact Assessment
- **Financial:** Costs associated with forensic analysis, legal notifications, and potential regulatory fines (GDPR/EUDPR).
- **Data Breach:** 90GB archive containing names, email addresses, and "bounce-back" email content containing user-submitted data.
- **Operational:** No websites were taken offline, but extensive manual review of 51,000+ files is required.
- **Reputational:** High-profile compromise of the EU's main executive body; second reported breach in two months.
## Indicators of Compromise
- **Tools:** `TruffleHog` (Credential scanner), `TeamPCP Cloud Stealer` (Malware family).
- **Threat Actors:** `TeamPCP` (Attribution), `ShinyHunters` (Data Leak/Extortion).
- **Behavioral Indicators:**
  - Creation of new AWS access keys attached to existing users.
  - API calls originating from known compromised Trivy infrastructure.
  - Large volume data egress from AWS S3 or RDS to external IPs.
## Response Actions
- **Containment:** Revocation of compromised AWS API keys and newly created backdoor keys.
- **Eradication:** Cleanup of secrets discovered by TruffleHog to prevent re-entry.
- **Recovery:** Restoration of integrity for the Europa web hosting service.
- **Notification:** Direct communication with 71 affected clients and data protection authorities.
## Lessons Learned
- **Visibility Gap:** The SOC was not alerted to API misuse or abnormal traffic for 14 days after the initial key compromise.
- **Supply Chain Risk:** Integrity of third-party security tools (like Trivy) is as critical as the environment they scan.
- **Secret Management:** Hardcoded or management-level keys stored in accessible areas allowed the attackers to escalate their footprint using TruffleHog.
## Recommendations
- **Rotate Secrets:** Implement aggressive rotation policies for AWS IAM keys, especially those used in CI/CD pipelines.
- **Least Privilege:** Ensure API keys used in automated scanners have read-only access and cannot manage other IAM users or keys.
- **GuardDuty Elevation:** Enable and tune Amazon GuardDuty to alert on "Unusual Discovery Tool Usage" (like TruffleHog activity) and "IAM User Access Key Creation."
- **Supply Chain Hardening:** Verify the integrity of GitHub Actions and container security scanners regularly.
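As an added example (not CERT-EU's or the Commission's own tooling), the following Python flags the persistence pattern named under Behavioral Indicators and in the GuardDuty recommendation: a successful `CreateAccessKey` call that attaches a new key to an existing user other than the caller, or that is made with a long-term access key rather than a role or console session. The CloudTrail events, account id and user names are constructed; treating an `ASIA`/`AKIA` prefix as "temporary session" versus "long-term key" is a heuristic assumption.

```python
import json

# Constructed CloudTrail events (not from the incident); account id, ARNs and key ids are placeholders.
SAMPLE_EVENTS = [
    {   # benign: alice rotates her own key from a console session (temporary ASIA credentials)
        "eventTime": "2026-03-09T08:12:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice",
                         "accessKeyId": "ASIAEXAMPLE000001"},
        "requestParameters": {"userName": "alice"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000002", "userName": "alice"}},
    },
    {   # suspicious: a scanner's long-term key attaches a new key to a different, existing user
        "eventTime": "2026-03-10T02:41:17Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "ci-scanner", "arn": "arn:aws:iam::111122223333:user/ci-scanner",
                         "accessKeyId": "AKIAEXAMPLE000003"},
        "requestParameters": {"userName": "europa-web-admin"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000004", "userName": "europa-web-admin"}},
    },
    {   # denied attempt: no key was created, so it is not a persistence finding here
        "eventTime": "2026-03-10T02:40:55Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "ci-scanner", "arn": "arn:aws:iam::111122223333:user/ci-scanner",
                         "accessKeyId": "AKIAEXAMPLE000003"},
        "requestParameters": {"userName": "europa-web-admin"},
    },
]

def detect_backdoor_keys(events):
    """Return (eventTime, actor_arn, target_user, new_key_id, reason) for successful CreateAccessKey calls that match."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
            continue
        if ev.get("errorCode"):  # failed calls deserve their own alert, but no key was attached
            continue
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]
        target = (ev.get("requestParameters") or {}).get("userName") or actor  # IAM defaults to the caller
        new_key = ((ev.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId", "unknown")
        reasons = []
        if target != actor:
            reasons.append("new key attached to a different existing user")
        if ident.get("accessKeyId", "").startswith("AKIA"):  # heuristic: long-term key, not a temporary session
            reasons.append("call authenticated with a long-term access key rather than a role session")
        if reasons:
            findings.append((ev["eventTime"], ident.get("arn", ""), target, new_key, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in detect_backdoor_keys(SAMPLE_EVENTS):
        print(json.dumps(dict(zip(("time", "actor", "target_user", "new_key", "reason"), f))))
```

Fed real CloudTrail records (for example from an S3 delivery bucket or Athena export), the same function surfaces the "access key attached to an existing user" behaviour the report describes, while self-service rotation from a console session is left alone.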