The European Commission has admitted that hackers may have taken data from the cloud infrastructure hosting its Europa.eu platform.

The executive body released a statement on March 27 confirming it had discovered the cyber-attack on March 24 and took “immediate steps” to investigate and contain the breach.

“The commission's swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data, without disrupting the availability of the Europa websites,” it continued.

“Early findings of our ongoing investigation suggest that data have been taken from those websites. The commission is duly notifying the Union entities who might have been affected by the incident. The commission's services are still investigating the full impact of the incident.”


The commission said that its “internal systems” were not impacted by the attack, and that it will continue to monitor the situation, analyze the incident and use any findings to “further enhance its cybersecurity capabilities.”

According to screenshots posted to X (formerly Twitter), extortion group ShinyHunters claims to have compromised over 350GB of European Commission data, including data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material.

Separate screenshots allegedly posted by ShinyHunters appear to show the personally identifiable information (PII) of employees.

Security researchers at the International Cyber Digest claimed that the hackers compromised emails, DKIM signing keys, internal admin URLs, and data from the content collaboration platform NextCloud and the military financing mechanism Athena. A full single sign-on (SSO) user directory may also have been taken. If DKIM private keys were in fact taken, mail signed with them would pass DKIM checks (and any DMARC policy that relies on them) for the affected selectors until the keys are rotated and the old selector records are removed or revoked in DNS.

ShinyHunters On the Prowl

ShinyHunters is a prolific hacking group with a string of big-name victims. Its most noteworthy campaign targeted SSO credentials and Salesforce data at Google, Chanel, Pandora, Panera Bread, Match Group and scores of other organizations last year. It followed that up with another campaign earlier this month targeting Salesforce Experience Cloud websites.

The group specializes in vishing (voice phishing): in some attacks it impersonates the IT helpdesk in calls to victims, tricking them into entering their credentials into phishing sites spoofed to look like legitimate corporate portals.
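The spoofed-portal step described above is exactly what phishing-resistant authentication is built to defeat: a FIDO2/WebAuthn credential is scoped to a relying party ID, and the browser (not the page) writes the real page origin into the signed client data, so a login captured or relayed from a lookalike domain fails the genuine server's checks. The Python script below is an added example and is not code from the article or from any organization named in it; the relying party ID sso.example.org, the lookalike sso-example.org and the challenge value are invented for the illustration, and the signature check a real server performs over authenticatorData || sha256(clientDataJSON) is omitted so the script runs with the standard library alone.

```python
import base64
import hashlib
import json
import struct

# Relying party configuration. These values are assumptions for the example,
# not anything taken from the article.
RP_ID = "sso.example.org"
ALLOWED_ORIGINS = {"https://sso.example.org"}

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> str:
    """Constructed clientDataJSON as a browser would emit it for `origin`.

    The browser fills in the origin itself, so a phishing page cannot claim
    to be the legitimate portal in this field."""
    payload = {"type": typ, "challenge": challenge, "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload, separators=(",", ":")).encode())


def build_auth_data(rp_id: str, flags: int = FLAG_USER_PRESENT, counter: int = 0) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_client_data(client_data_b64: str, expected_challenge: str) -> tuple[bool, str]:
    """Check type, challenge (anti-replay) and origin binding of the client data."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    return True, "client data ok"


def verify_authenticator_data(auth_data: bytes, require_uv: bool = False) -> tuple[bool, str]:
    """Check that the credential was scoped to our rpId and that the user was present."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_USER_VERIFIED:
        return False, "user verification required but not performed"
    return True, "authenticator data ok"


def evaluate_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str) -> tuple[bool, str]:
    """Server-side acceptance decision for one assertion (signature check omitted here)."""
    ok, why = verify_client_data(client_data_b64, expected_challenge)
    if not ok:
        return False, why
    return verify_authenticator_data(auth_data)


if __name__ == "__main__":
    challenge = b64url_encode(b"constructed-challenge-0001")
    # Genuine login through the real portal.
    print(evaluate_assertion(build_client_data("https://sso.example.org", challenge),
                             build_auth_data("sso.example.org"), challenge))
    # A helpdesk-impersonation victim "logs in" on a lookalike portal that relays
    # the exchange; the browser records the lookalike origin and scopes the
    # credential to the lookalike rpId, so the real server rejects it.
    print(evaluate_assertion(build_client_data("https://sso-example.org", challenge),
                             build_auth_data("sso-example.org"), challenge))
```

In a real deployment the lookalike site never even reaches this point, because the browser only offers credentials registered for the relying party ID that matches the page's domain; the relayed case is modelled here to show which server-side fields would still catch it. The same checks do nothing for a password typed into the spoofed page, which is why the vishing playbook above works against password-plus-OTP logins but not against origin-bound credentials.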

It’s unclear how the European Commission was breached although reports suggest its AWS infrastructure was targeted. Unconfirmed chatter on social media suggested EU security agency ENISA may also have been compromised.

Nick Tausek, lead security automation architect at Swimlane, argued that the breach could open the door to identity risk, operational disruption and secondary spear-phishing attacks.

“The attacker claiming they will not extort does not make it less serious, it just changes the playbook,” he added. “A quiet leak can be just as damaging for trust, diplomacy, and ongoing investigations, and it forces defenders into a messy mix of containment, forensics, and communications while the organization is still determining what was breached and what is still exposed.”