CERT-EU: European Commission cloud breach, a supply-chain compromise

In the interest of transparency and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission's public website platform (europa.eu), hosted on Amazon Web Services (AWS) cloud infrastructure.

CERT-EU was notified of this incident on 25 March 2026 by the European Commission, in accordance with Article 21 of Regulation (EU, Euratom) 2023/2841 (the "Cybersecurity Regulation"), which requires the Union institutions, bodies, offices and agencies ("Union entities") to report significant incidents to CERT-EU without undue delay. CERT-EU has been providing support in accordance with Article 22 of the same Regulation.

On March 27, the European Commission publicly disclosed the incident through a press release.

On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day.

An investigation uncovered that a malicious actor acquired an Amazon Web Services (AWS) secret (an API key) on March 19 through the Trivy supply-chain compromise. This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS). STS is an AWS service that generates short-lived security credentials for accessing AWS resources and verifying identities.

The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities.

The European Commission swiftly revoked the compromised account's rights to block any illegitimate access. All compromised access keys have been deactivated or deleted.

The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security. The firm has provided comprehensive details on this compromise in its advisory.

This assessment is based on three main factors:

According to Aqua Security, TeamPCP's tooling is designed to operate within CI/CD pipelines and exfiltrates harvested secrets via multiple channels, including typosquatted domains, GitHub repositories and Cloudflare tunnels.

The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission and at least 29 other Union entities.

On March 28, the data extortion group ShinyHunters published the exfiltrated dataset on their dark web leak site, claiming to have stolen "data dumps of mail servers, datavases [sic], confidential documents, contracts and much more sensitive material". The published dataset was approximately 91.7 GB compressed (340 GB uncompressed).

Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames and email addresses, predominantly from the European Commission's websites but potentially pertaining to users across multiple Union entities.

The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, bounce-back notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.

The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time.

The threat actor obtained management rights for the compromised AWS secret, which could have allowed them to move laterally to other AWS accounts belonging to the European Commission. However, no indication of such movement has been uncovered so far.

The European Commission took the following response actions:

The European Commission's press release of March 27 confirmed that its internal systems were not affected and that it would continue to monitor the situation and take all necessary measures to ensure the security of its systems and data.

The compromised AWS cloud account forms part of the technical backend of the europa.eu web hosting service. This service supports several public websites of the European Commission and other Union entities. As noted above, exfiltrated data may pertain to 42 internal clients of the European Commission and at least 29 other Union entities using the service.

No websites were taken offline or tampered with by the threat actor, and no service interruptions have been observed.

The European Commission has already initiated direct communications with the identified impacted clients (see Response section above), facilitated where relevant by CERT-EU. Should the ongoing analysis of the exfiltrated databases yield further findings, additional details on specific exposure will be shared directly with the affected parties.

Address the Trivy supply-chain compromise: As a priority, organisations using Trivy should:

Audit and rotate AWS credentials: Review all AWS access keys, particularly those accessible from CI/CD pipelines. Deactivate any keys that are unused, over-privileged or that may have been exposed. Enable and review AWS CloudTrail logs for indicators consistent with this incident, including anomalous STS calls, use of TruffleHog, creation of new access keys on existing users, and lateral movement.

Restrict CI/CD pipeline access to cloud credentials: Review whether CI/CD pipelines have access to AWS secrets. Where they do, ensure credentials are scoped to the minimum required permissions. Consider implementing AWS Service Control Policies (SCPs) to restrict sensitive API actions at the organisation level.
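As an added illustration of the CloudTrail review recommended above (example code written for this post, not tooling from CERT-EU or the European Commission), the script below runs four checks over CloudTrail-style records: a secret-scanner name in the User-Agent (that TruffleHog identifies itself that way is an assumption to confirm against your own logs), CreateAccessKey issued against a user other than the caller, AssumeRole into a different account, and a burst of STS calls from one principal. The account IDs, user names, timestamps and role ARN in the sample records are constructed.

```python
"""Added example: flag the CloudTrail indicators named in the advisory.
Not CERT-EU or European Commission code; sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, source, name, user, account="111111111111",
           ua="aws-cli/2.15.0", params=None):
    """Build a minimal CloudTrail-like record (constructed test data)."""
    return {
        "eventTime": time, "eventSource": source, "eventName": name,
        "userIdentity": {"type": "IAMUser", "accountId": account, "userName": user},
        "userAgent": ua, "requestParameters": params,
    }


# Constructed records; account IDs, users and the ARN are placeholders.
SAMPLE_EVENTS = [
    # Five rapid identity checks carrying a secret-scanner User-Agent.
    *[_event(f"2026-03-19T10:00:{10 * i:02d}Z", "sts.amazonaws.com",
             "GetCallerIdentity", "ci-pipeline", ua="TruffleHog") for i in range(5)],
    # A new access key attached to a different, pre-existing user.
    _event("2026-03-19T10:05:00Z", "iam.amazonaws.com", "CreateAccessKey",
           "ci-pipeline", params={"userName": "web-backend"}),
    # Role assumption into another account (possible lateral movement).
    _event("2026-03-19T10:06:00Z", "sts.amazonaws.com", "AssumeRole", "ci-pipeline",
           params={"roleArn": "arn:aws:iam::222222222222:role/site-admin"}),
    # Benign: an engineer rotating her own key, and a normal S3 read.
    _event("2026-03-19T11:00:00Z", "iam.amazonaws.com", "CreateAccessKey", "alice",
           params={"userName": "alice"}),
    _event("2026-03-19T11:01:00Z", "s3.amazonaws.com", "GetObject", "deploy-bot",
           params={"bucketName": "www-assets", "key": "index.html"}),
]

# Assumption: the scanner names itself in the User-Agent. Extend from your own logs.
SCANNER_UA_MARKERS = ("trufflehog",)


def load_cloudtrail_file(path):
    """Read one CloudTrail log file: a JSON object whose 'Records' list holds events."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def principal(ev):
    ident = ev["userIdentity"]
    return ident.get("userName") or ident.get("arn", "?")


def is_scanner_user_agent(ev):
    ua = (ev.get("userAgent") or "").lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def is_key_added_to_other_user(ev):
    """CreateAccessKey where the target user is not the caller: a key quietly
    attached to an existing identity rather than a self-service rotation."""
    if ev["eventSource"] != "iam.amazonaws.com" or ev["eventName"] != "CreateAccessKey":
        return False
    target = (ev.get("requestParameters") or {}).get("userName")
    return target is not None and target != principal(ev)


def is_cross_account_assume_role(ev):
    """AssumeRole whose target ARN belongs to an account other than the caller's."""
    if ev["eventSource"] != "sts.amazonaws.com" or ev["eventName"] != "AssumeRole":
        return False
    arn = (ev.get("requestParameters") or {}).get("roleArn", "")
    parts = arn.split(":")  # arn:partition:service:region:account:resource
    target_account = parts[4] if len(parts) > 5 else ""
    return bool(target_account) and target_account != ev["userIdentity"].get("accountId")


def sts_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Largest number of STS calls by each principal inside any `window`;
    only principals reaching `threshold` are returned."""
    times = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com":
            times[principal(ev)].append(
                datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for who, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[who] = best
    return hits


def analyse(events):
    """Return (rule, detail, principal) findings for every matching event."""
    findings = []
    for ev in events:
        who = principal(ev)
        if is_scanner_user_agent(ev):
            findings.append(("secret-scanner-user-agent", ev["userAgent"], who))
        if is_key_added_to_other_user(ev):
            findings.append(("access-key-added-to-other-user",
                             ev["requestParameters"]["userName"], who))
        if is_cross_account_assume_role(ev):
            findings.append(("cross-account-assume-role",
                             ev["requestParameters"]["roleArn"], who))
    for who, n in sts_bursts(events).items():
        findings.append(("sts-call-burst", f"{n} STS calls within 5 minutes", who))
    return findings


if __name__ == "__main__":
    for rule, detail, who in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} {who:14} {detail}")
```

Against real logs, feed `analyse()` the output of `load_cloudtrail_file()` for each delivered log file, and tune the burst threshold to the normal STS call rate of your pipelines; the self-rotation by "alice" and the S3 read are left unflagged, which is the behaviour the thresholds should preserve.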
Implement vendor risk management for CI/CD dependencies: Establish release verification and vendor risk assessment processes for third-party CI/CD tooling. This includes verifying signatures on tool updates, maintaining an inventory of pipeline dependencies and subscribing to security advisories for critical components. The Trivy compromise demonstrates that trusted vendors can become vectors for malicious code distribution.

Implement behavioural monitoring for CI/CD environments: Deploy behavioural monitoring and real-time alerting to detect anomalous CI/CD activity, such as unexpected secret access, outbound connections to unknown endpoints or atypical API usage patterns. This enables early identification of supply-chain compromises before data exfiltration occurs.

Enforce least privilege and credential hygiene: Apply least-privilege principles across all cloud accounts and CI/CD service accounts. Implement regular credential rotation schedules, restrict access to credential storage mechanisms and monitor for suspicious credential-related activity. Refer to MITRE mitigations M1043 (Credential Access Protection) and M1018 (User Account Management) for additional guidance.

Monitor for secondary exploitation of disclosed data: Given that the exfiltrated dataset has been publicly released, organisations whose data may be affected should monitor for targeted phishing or social engineering attempts leveraging the disclosed personal information (names, email addresses, email content). Raise awareness among staff accordingly.

Maintain software update and vulnerability scanning practices: Ensure all systems, applications and CI/CD tooling are kept up to date with security patches. Conduct regular vulnerability scans to identify misconfigurations, unpatched software or other weaknesses. Refer to MITRE mitigations M1051 (Update Software) and M1016 (Vulnerability Scanning) for additional guidance.

This incident and CERT-EU's involvement fall within the framework of Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. Relevant provisions include:

CERT-EU is the Cybersecurity Service for the Union institutions, bodies, offices and agencies, established under Regulation (EU, Euratom) 2023/2841. Under the Cybersecurity Regulation, CERT-EU acts as the central cybersecurity hub for all Union entities, providing threat intelligence, incident response coordination, vulnerability management and security guidance. CERT-EU also supports Union entities in implementing their cybersecurity risk-management frameworks and issues calls for action to raise the collective level of cybersecurity across the EU institutional ecosystem.

CERT-EU is a member of the CSIRTs Network, the network of national Computer Security Incident Response Teams established under the NIS2 Directive (Directive (EU) 2022/2555). The CSIRTs Network facilitates operational cooperation and the exchange of cybersecurity information between EU Member States and Union entities, enabling coordinated responses to cross-border cyber incidents.

CERT-EU also maintains a structured cooperation with ENISA, the European Union Agency for Cybersecurity, as provided for under Regulation (EU) 2019/881 (the Cybersecurity Act). This cooperation covers areas such as cyber threat analysis and the sharing of threat landscape assessments.