The European Union Cybersecurity Agency announced Thursday that recent hacks and data breaches at EU executive agencies were the work of a cybercrime group known as TeamPCP.
CERT-EU said in a new report that hackers stole about 92 gigabytes of compressed data from a compromised Amazon Web Services (AWS) account used by the EU’s executive body, the European Commission, containing personal data including names, email addresses, and email content.
The breach affected the cloud infrastructure of the Commission’s Europa.eu platform, which member states use to host the websites and publications of the bloc’s institutions.
CERT-EU wrote that the data of at least 29 other EU institutions may have been affected, and that dozens of customers within the European Commission may have had their data stolen as well.
The stolen data was posted online by another hacking group, the infamous ShinyHunters.
While the scale of the data breach is noteworthy in itself, the hack and subsequent leak of the European Commission’s data by two separate hacking groups highlights the growing trend of cybercriminals collaborating to blackmail their victims.
CERT-EU said the breach occurred on March 19, when hackers obtained private API keys associated with the European Commission’s AWS account, following an earlier hack targeting the open source security tool Trivy. After the project’s recent breach, the Commission accidentally downloaded a compromised copy of the Trivy tool, allowing hackers to steal its private API key and use that access to pivot into the Commission’s AWS account and retrieve data stored there.
CERT-EU says it is still analyzing the data published online, but says nearly 52,000 files contain sent email messages. CERT-EU said that while the majority of these emails are automated and have little or no content, emails that are returned in error “may contain original content sent by the user and may pose a risk of personal data leakage.”
CERT-EU said it was already in contact with the affected organizations.
Do you have more information about this breach? Or about other cyberattacks? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
A spokesperson for the European Commission told TechCrunch that the Commission is closed until next week and will respond to requests for comment at that time.
Members of ShinyHunters did not respond to requests for comment.
In addition to the Trivy breach, TeamPCP has also been linked to ransomware attacks and cryptocurrency mining campaigns, according to Trivy developer Aqua Security. According to Palo Alto Networks Unit 42, the hackers have recently been behind a coordinated campaign of supply chain attacks that have compromised other open source security projects.
By targeting developers with keys to access sensitive systems, hackers “gain the ability to hold compromised organizations to ransom and demand extortion payments,” Unit 42 writes.
