European Commission Suffers Major Cloud Breach via Trivy Supply Chain Compromise
Key Takeaways
- Initial access was obtained through the Trivy supply-chain compromise attributed to TeamPCP, demonstrating the critical risk of compromised development tools in CI/CD pipelines
- The threat actor leveraged a single compromised AWS API key to escalate privileges, create backdoor access keys, and access multiple Commission accounts across 29+ Union entities
- 91.7 GB of sensitive data including personal information was exfiltrated and subsequently published on dark web leak sites by ShinyHunters
Summary
The European Commission experienced a significant cybersecurity incident affecting its public website platform europa.eu hosted on Amazon Web Services, with initial access gained through a supply-chain compromise of the Trivy vulnerability scanning tool attributed to threat actor TeamPCP. On March 24, the Commission's Cybersecurity Operations Centre detected suspicious activity including potential AWS API misuse and account compromise, leading to formal notification of CERT-EU on March 25. An investigation revealed that a malicious actor obtained an AWS API key through the Trivy compromise on March 19, which they used to create additional access keys and conduct reconnaissance across multiple Commission accounts. Approximately 91.7 GB of compressed data was exfiltrated, including personal information such as names, email addresses, and email content from at least 29 Union entities, before being publicly released by data extortion group ShinyHunters on March 28.
- CERT-EU emphasizes that supply-chain compromises pose a significant and rising threat, urging organizations to implement enhanced security recommendations
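As an added defensive illustration (not part of the article or of CERT-EU's guidance), the check below runs over constructed CloudTrail-shaped records and flags the chain the summary describes: a long-lived IAM access key creating further access keys, and that key family then reaching several AWS accounts. Key IDs, account IDs and role names are invented placeholders, not indicators from the incident.

```python
"""Flag the access-key misuse chain from the summary above: a long-lived IAM key
mints further keys, and that key family then reaches several AWS accounts."""
from collections import defaultdict

def ev(name, key, acct="111111111111", **extra):
    """Minimal CloudTrail-shaped record; all values here are constructed."""
    return {"eventName": name, "recipientAccountId": acct,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}, **extra}

SAMPLE_EVENTS = [  # invented key and account IDs, not indicators from the incident
    ev("GetCallerIdentity", "AKIAEXAMPLE000000001"),
    ev("CreateAccessKey", "AKIAEXAMPLE000000001",
       responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002"}}),
    ev("AssumeRole", "AKIAEXAMPLE000000002",
       requestParameters={"roleArn": "arn:aws:iam::222222222222:role/ReadOnly"}),
    ev("AssumeRole", "AKIAEXAMPLE000000002",
       requestParameters={"roleArn": "arn:aws:iam::333333333333:role/ReadOnly"}),
    # key rotation from a console session (temporary ASIA key) is routine, not flagged
    ev("CreateAccessKey", "ASIAEXAMPLE000000009",
       responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE000000010"}}),
]

def keys_minted_by_keys(events):
    """Map each long-lived key (AKIA prefix) to keys it created via iam:CreateAccessKey."""
    minted = defaultdict(list)
    for rec in events:
        caller = rec["userIdentity"].get("accessKeyId", "")
        if rec["eventName"] == "CreateAccessKey" and caller.startswith("AKIA"):
            minted[caller].append(rec["responseElements"]["accessKey"]["accessKeyId"])
    return dict(minted)

def accounts_reached(events, keys):
    """Account IDs a key family touched: where each call landed plus AssumeRole targets."""
    accounts = set()
    for rec in events:
        if rec["userIdentity"].get("accessKeyId") not in keys:
            continue
        accounts.add(rec["recipientAccountId"])
        if rec["eventName"] == "AssumeRole":  # ARN field 4 is the target account ID
            accounts.add(rec["requestParameters"]["roleArn"].split(":")[4])
    return sorted(accounts)

def findings(events, min_accounts=2):
    """One finding per root key whose key family spans at least min_accounts accounts."""
    out = []
    for root, children in keys_minted_by_keys(events).items():
        accounts = accounts_reached(events, {root, *children})
        if len(accounts) >= min_accounts:
            out.append({"root_key": root, "minted_keys": children, "accounts": accounts})
    return out
```

Tuning `min_accounts` to the normal footprint of a CI identity keeps routine single-account automation out of the results while still surfacing a key that suddenly fans out across accounts.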