The European Commission has confirmed a significant data breach resulting from the Trivy supply chain attack, with hackers extracting over 300GB of data from its AWS environment. The compromise was discovered on March 24 and publicly disclosed on March 27, when the Commission announced that the cloud infrastructure supporting the Europa.eu platform had been breached.
Details of the Breach
The breach involved an AWS cloud account integral to the backend of the Europa.eu hosting service, which provides support for public websites of the European Commission and other EU entities. Access was gained through an API key compromised during a supply chain attack on Aqua Security’s Trivy vulnerability scanner by the hacking group TeamPCP.
CERT-EU has revealed that the European Commission inadvertently utilized a compromised Trivy version obtained via routine software updates. The attackers, leveraging the compromised AWS key, created new access keys, conducted reconnaissance, and attempted to uncover further secrets using the TruffleHog tool, which is commonly employed to scan for exposed secrets and verify AWS credentials.
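The two attacker steps described above (verifying a stolen key, then minting new keys with it) both leave CloudTrail records, so a defender can look for them directly. The following Python is an added illustration, not code from the Commission, CERT-EU or any tool named in this article; the CloudTrail records, key IDs, IP addresses and the allowlist of expected source IPs are all constructed for the example.

```python
"""Flag CloudTrail records that match a leaked long-lived IAM access key being
verified (sts:GetCallerIdentity) and then used to mint more keys (iam:CreateAccessKey)."""

# Hypothetical allowlist: egress IPs legitimate CI/automation is expected to use.
KNOWN_SOURCE_IPS = {"203.0.113.10"}

# Constructed sample records following the CloudTrail event schema. Key IDs are fake
# and IPs come from documentation ranges; "AKIA" marks a long-lived IAM user key,
# whereas temporary STS credentials start with "ASIA".
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "hosting-ci",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "hosting-ci",
                      "accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"userName": "hosting-ci"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000002",
                                        "status": "Active", "userName": "hosting-ci"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE00000003"}},
]


def analyze(events, known_ips=KNOWN_SOURCE_IPS):
    """Return (findings, keys_to_revoke). findings is a list of (key_id, reason)
    in event order; keys_to_revoke holds the suspect key plus any key it created,
    so the response can rotate the whole chain rather than only the original leak."""
    findings, revoke = [], set()
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        name = ev.get("eventName")
        long_lived = key.startswith("AKIA")
        # Step 1 in the incident: secret scanners verify a key by calling GetCallerIdentity.
        if name == "GetCallerIdentity" and ip not in known_ips:
            findings.append((key, f"key verified via sts:GetCallerIdentity from unexpected IP {ip}"))
            revoke.add(key)
        # Step 2: a long-lived key creating additional keys is how persistence is established.
        if name == "CreateAccessKey" and long_lived:
            new_key = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId", "?")
            findings.append((key, f"long-lived key minted new access key {new_key}"))
            revoke.update({key, new_key})
    return findings, sorted(revoke)
```

In a real environment the allowlist would come from the organisation's known egress ranges, and the revoke list would feed an IAM key deactivation step.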
Impact on EU Entities
The data breach impacted websites hosted for up to 71 clients of the Europa web hosting service, including 42 internal clients from the European Commission and 29 other entities within the Union. The breach involved the exfiltration of sensitive data, which was subsequently added to the ShinyHunters extortion group’s leak site on March 28.
The stolen data, amounting to 340GB uncompressed, includes personal details such as names, email addresses, and usernames, primarily from EC websites. CERT-EU has highlighted that users across various EU entities were likely affected, with approximately 2.22GB of the data comprising automated notifications and bounce-back messages potentially containing personal information.
Response and Future Measures
Following the breach, the European Commission promptly revoked access rights to the compromised account, deactivated and rotated credentials, and informed pertinent data protection authorities. Importantly, the Commission has affirmed that its internal systems remained unaffected by this incident.
As investigations into the affected databases continue, CERT-EU notes that the complexity and scale of the data involved will require significant time for thorough analysis. The incident underscores the ongoing challenges in securing software supply chains and the critical need for robust cybersecurity defenses to protect sensitive data within EU institutions.
