TeamPCP Breaches European Commission via AWS Cloud, Exposes Sensitive Data
The European Union's cybersecurity agency, **CERT-EU**, has attributed a significant data breach at the **European Commission** to the hacking group **TeamPCP**. The attackers compromised the Commission's **Amazon Web Services (AWS)** account, exfiltrating 92GB of compressed data, including names, email addresses, and email content.
# European Commission Hit by AWS Cloud Breach
The **European Commission** suffered a major data breach on March 19th, with the intrusion attributed to the hacking group **TeamPCP** by **CERT-EU**. The breach exploited a compromised **Amazon Web Services (AWS)** account, resulting in the theft of approximately 92 gigabytes of compressed data.
## Breach Details
The attackers gained access through the misuse of a secret Amazon API key, targeting the Commission's Europa.eu platform hosted on **AWS** cloud infrastructure. EU states use this platform to host websites for various bloc entities. According to the **CERT-EU** report, data belonging to 42 internal clients and at least 29 EU entities may have been compromised.
The stolen dataset contained nearly 52,000 files, totaling 2.2 gigabytes, primarily related to outbound email communications. While **CERT-EU** believes most of these messages were automated with minimal content, some bounce-back notifications may pose a risk of personal data exposure.
## Timeline and Discovery
The Commission's cyber officials detected the breach on March 24th, triggered by notifications indicating potential misuse of Amazon APIs, possible account compromise, and an unusual surge in network traffic.
## Root Cause: Trivy Supply Chain Compromise
**CERT-EU** assesses with high confidence that the initial access was gained through the **Trivy** supply chain compromise. The Commission unknowingly used a compromised version of **Trivy** obtained through regular software update channels.
## Lateral Movement Risk
The threat actors acquired "management rights" for the compromised **AWS** API key, potentially allowing them to move laterally to other **AWS** accounts within the **European Commission**. However, there is currently no evidence of such lateral movement.
## Data Leak on the Dark Web
On March 28th, the stolen data surfaced on the **ShinyHunters**' dark web site. **ShinyHunters** claimed to have stolen "data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material."
## TeamPCP's Modus Operandi
**TeamPCP** is also suspected of being behind the recent LiteLLM cyberattack, which affected **Mercor** and numerous other organizations. The hacking group has been linked to worm-driven ransomware, data exfiltration, and cryptomining campaigns.