The European Union’s Cybersecurity Service, CERT-EU, has confirmed that a cyberattack against the European Commission compromised cloud infrastructure and exposed data belonging to dozens of EU organizations.
According to CERT-EU’s investigation, the intrusion has been attributed to the TeamPCP threat group, a cybercriminal operation previously associated with multiple supply-chain attacks targeting developer ecosystems and cloud environments.
The breach affected the Commission’s cloud infrastructure hosted on Amazon Web Services, potentially exposing sensitive information from up to 71 clients of the europa.eu web hosting platform, including 42 internal European Commission entities and at least 29 additional EU organizations.
Timeline of the European Commission Cloud Attack
The incident was publicly acknowledged on March 27 after cybersecurity researchers contacted the Commission regarding reports that its cloud environment had been compromised.
Earlier, on March 25, the Commission notified CERT-EU of suspicious activity within its cloud infrastructure. However, the Commission’s Cybersecurity Operations Center did not initially detect the intrusion.
According to forensic analysis, the attackers first gained access on March 10, when they exploited a compromised AWS API key that had management privileges over multiple European Commission cloud accounts.
The compromised credential is believed to have originated from the Trivy supply-chain attack, which previously exposed sensitive cloud authentication keys.
The attackers remained undetected for several days. Abnormal activity was not identified until March 24, highlighting the challenges organizations face in detecting sophisticated cloud-based intrusions.
How the Attackers Exploited AWS Credentials
Once inside the Commission’s cloud infrastructure, the attackers performed a series of reconnaissance and persistence operations.
One of the key tools used during the intrusion was TruffleHog, an open-source security tool commonly used to detect exposed secrets and credentials in repositories and cloud environments.
Threat actors used TruffleHog to search for additional credentials and sensitive data stored within the cloud environment. To maintain access while avoiding detection, they created a new access key and attached it to an existing AWS user account.
This technique allowed the attackers to persist within the environment while continuing to harvest sensitive data and conduct further reconnaissance.
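The persistence step described above (a new access key attached to an existing IAM user) leaves a CreateAccessKey record in CloudTrail. The following Python is an added illustration of how a defender could flag such records and check whether the new key was then used; it is not code from CERT-EU or the Commission, and every event, key id, account id and IP address in it is a constructed sample.

```python
# Constructed CloudTrail-style records, not logs from the incident. 111122223333 is
# the AWS documentation example account id; key ids and addresses are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-10T14:05:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"userName": "svc-backup"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002", "userName": "svc-backup"}}},
    {"eventTime": "2026-03-10T14:09:02Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup", "accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "203.0.113.7"},
    # Benign: an operator on a short-lived SSO role session rotates her own key.
    {"eventTime": "2026-03-11T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminSSO/alice"},
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000004", "userName": "alice"}}},
]

def caller_name(identity):
    """IAM user name, or the session name of an assumed role (last ARN segment)."""
    return identity.get("userName") or identity.get("arn", "").rsplit("/", 1)[-1]

def suspicious_key_creations(events):
    """CreateAccessKey events that look like persistence rather than routine rotation: the
    caller held a long-lived key (AKIA prefix; STS credentials start with ASIA) or created
    the key for a user other than itself."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
            continue
        ident = ev.get("userIdentity", {})
        caller = caller_name(ident)
        target = (ev.get("requestParameters") or {}).get("userName") or caller
        reasons = []
        if ident.get("type") == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("caller authenticated with a long-lived access key")
        if target != caller:
            reasons.append(f"key created for another user: {target}")
        if reasons:
            new_key = (ev.get("responseElements") or {}).get("accessKey", {}).get("accessKeyId")
            findings.append({"eventTime": ev["eventTime"], "caller": caller, "target": target,
                             "newKeyId": new_key, "sourceIPAddress": ev["sourceIPAddress"], "reasons": reasons})
    return findings

def first_use_of_new_keys(events, findings):
    """For each flagged key id, the first later event authenticated with it (evidence the
    key was picked up), or None if it was never used."""
    return {f["newKeyId"]: next((ev for ev in events if ev["eventTime"] > f["eventTime"]
                                 and ev["userIdentity"].get("accessKeyId") == f["newKeyId"]), None)
            for f in findings}
```

Run against real CloudTrail exports, the same two checks give an analyst a short list of key creations to verify against change records, and the first-use lookup separates keys that were merely created from keys an intruder actually started using.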
Supply-Chain Attacks Linked to TeamPCP
The TeamPCP threat group has previously been associated with multiple software supply-chain attacks, targeting widely used developer ecosystems such as:
- GitHub
- PyPI
- npm
- Docker
In one notable incident, attackers compromised the LiteLLM package on PyPI, distributing information-stealing malware known as TeamPCP Cloud Stealer. The malicious package reportedly impacted tens of thousands of systems by harvesting sensitive credentials and cloud authentication tokens.
These incidents demonstrate the increasing role of software supply-chain attacks in modern cyber espionage and cybercrime operations, where attackers infiltrate development tools or package repositories to compromise downstream environments.
Stolen Data Published on the Dark Web
Following the breach, the data extortion group ShinyHunters published the stolen dataset on a dark web leak portal.
The exposed archive reportedly contains 90 GB of compressed data (approximately 340 GB when extracted), including:
- Names and surnames
- Email addresses
- Usernames
- Email communication records
CERT-EU confirmed that the attackers exfiltrated tens of thousands of files from the compromised cloud environment.
Among the stolen data were 51,992 files related to outbound email communications, totaling roughly 2.22 GB.
Most of these files consisted of automated system notifications. However, some “bounce-back” email responses contained original messages submitted by users, potentially exposing personal data.
Because the affected websites were hosted on the europa.eu platform, the compromised information may involve users interacting with multiple EU institutions and services.
Scope and Impact of the Data Breach
CERT-EU confirmed that the data exfiltration specifically targeted the cloud environment supporting the Europa web hosting service.
The affected infrastructure hosts websites for numerous European Union institutions and agencies. As a result, the breach could impact both internal EU organizations and external stakeholders interacting with those platforms.
Despite the significant data exposure, investigators reported that:
- No websites were taken offline
- No website content was modified
- No lateral movement to other European Commission AWS accounts has been detected
However, the full scope of the data breach is still under investigation.
CERT-EU stated that analysis of the stolen databases and files will likely require substantial time, given the volume and complexity of the dataset.
Incident Response and Regulatory Notification
Following the discovery of the breach, the European Commission initiated incident response procedures and notified relevant data protection authorities.
The Commission is also working directly with affected organizations and internal departments to assess potential risks related to personal data exposure.
This incident follows another cybersecurity event disclosed earlier in February, when the Commission reported that a mobile device management platform used to manage staff devices had been compromised.
The two incidents highlight the growing cybersecurity challenges faced by large public institutions operating complex digital infrastructure across multiple cloud environments and third-party platforms.
