The European Union's cybersecurity body CERT-EU has attributed the high-profile hack of the European Commission's cloud environment to the TeamPCP threat group, revealing that the resulting breach exposed data from at least 29 other EU institutions in addition to the Commission itself — bringing the total number of impacted entities to 30.
Attribution and Incident Background
The European Commission's Amazon Web Services cloud account was compromised in an attack that security researchers later linked to TeamPCP, a threat group previously associated with supply chain attacks targeting developer tooling and cloud infrastructure. CERT-EU's attribution follows a forensic investigation of the incident, which was first disclosed in late March 2026.
| Attribute | Details |
|---|---|
| Threat Group | TeamPCP |
| Initial Target | European Commission (AWS cloud account) |
| Total Entities Impacted | 30 (Commission + 29 EU bodies) |
| Attack Vector | Cloud account compromise |
| Attribution Body | CERT-EU |
| Source | BleepingComputer |
How TeamPCP Accessed EU Data
TeamPCP — a threat group that gained notoriety for its malicious PyPI package campaign in early 2026, which included backdoored versions of the telnyx package hiding stealer malware in WAV audio files — pivoted to targeting cloud infrastructure used by government and institutional clients.
In the European Commission case, investigators believe the attackers:
- Gained initial access to the Commission's AWS environment through compromised developer credentials or a compromised third-party tool with cloud access
- Used the permissions granted to that identity to assume additional IAM roles and read S3 buckets and other shared storage used by EU agencies, rather than exploiting any flaw in AWS itself
- Exfiltrated data pertaining to multiple EU bodies that relied on shared cloud infrastructure administered by or connected to the Commission
- Maintained persistent access for a period before detection, consistent with TeamPCP's observed tradecraft
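The lateral-movement step above is the part of the chain a defender can see in CloudTrail: one identity assuming roles in several other accounts in a short window. The script below, which is an added example and not code from the article, CERT-EU or any TeamPCP reporting, implements that "fan-out" detection over CloudTrail-shaped `AssumeRole` records. Every record, account ID, role name and IP address in it is a constructed placeholder; it assumes the records have already been collected (for instance from an organisation trail) and parsed into Python dicts.

```python
"""Detect one identity fanning out into many AWS accounts via STS AssumeRole.

Added example; not code from the article, CERT-EU or TeamPCP reporting. It
assumes CloudTrail records have been collected and parsed into dicts. All
records, account IDs, role names and IP addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _assume_role(time, caller_arn, caller_acct, role_arn, ip):
    """Build a minimal CloudTrail-shaped AssumeRole record (constructed data)."""
    return {
        "eventTime": time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": caller_arn, "accountId": caller_acct},
        "requestParameters": {"roleArn": role_arn},
        "sourceIPAddress": ip,
    }


DEPLOY = "arn:aws:iam::111111111111:user/deploy"      # placeholder identity
DEV = "arn:aws:iam::111111111111:user/dev-jsmith"     # placeholder identity

SAMPLE_EVENTS = [
    # Benign: the deploy user assumes one partner role, then a same-account role.
    _assume_role("2026-03-30T08:00:00Z", DEPLOY, "111111111111",
                 "arn:aws:iam::222222222222:role/StorageSync", "203.0.113.10"),
    _assume_role("2026-03-30T08:05:00Z", DEPLOY, "111111111111",
                 "arn:aws:iam::111111111111:role/Release", "203.0.113.10"),
    # Suspicious: one developer key reaches four foreign accounts in ten minutes
    # from an address the deploy pipeline never uses.
    _assume_role("2026-03-30T21:01:00Z", DEV, "111111111111",
                 "arn:aws:iam::222222222222:role/StorageSync", "198.51.100.7"),
    _assume_role("2026-03-30T21:03:00Z", DEV, "111111111111",
                 "arn:aws:iam::333333333333:role/AgencyShare", "198.51.100.7"),
    _assume_role("2026-03-30T21:06:00Z", DEV, "111111111111",
                 "arn:aws:iam::444444444444:role/AgencyShare", "198.51.100.7"),
    _assume_role("2026-03-30T21:11:00Z", DEV, "111111111111",
                 "arn:aws:iam::555555555555:role/DataExchange", "198.51.100.7"),
    # Unrelated data-plane event; ignored by the STS filter below.
    {"eventTime": "2026-03-30T21:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accountId": "555555555555",
                      "arn": "arn:aws:sts::555555555555:assumed-role/DataExchange/x"},
     "requestParameters": {"bucketName": "agency-reports"},
     "sourceIPAddress": "198.51.100.7"},
]


def _account_of_arn(arn):
    return arn.split(":")[4]


def detect_fan_out(events, window=timedelta(minutes=30), threshold=3):
    """Alert when one caller assumes roles in >= `threshold` distinct foreign
    accounts within `window`. Returns a list of alert dicts."""
    by_caller = defaultdict(list)
    for e in events:
        if e.get("eventSource") != "sts.amazonaws.com" or e.get("eventName") != "AssumeRole":
            continue
        ident = e["userIdentity"]
        target = _account_of_arn(e["requestParameters"]["roleArn"])
        if target == ident["accountId"]:
            continue  # same-account role switch; not movement between entities
        by_caller[ident["arn"]].append((_ts(e["eventTime"]), target, e["sourceIPAddress"]))

    alerts = []
    for caller, rows in by_caller.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            targets = {r[1] for r in in_window}
            if len(targets) >= threshold:
                alerts.append({"caller": caller, "start": t0.isoformat(),
                               "accounts": sorted(targets),
                               "source_ips": sorted({r[2] for r in in_window})})
                break  # one alert per caller is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"{a['start']} {a['caller']} -> {len(a['accounts'])} accounts "
              f"{a['accounts']} from {a['source_ips']}")
```

The threshold and window are tuning knobs: a deploy pipeline that legitimately touches many accounts will need an allow-list keyed on the caller ARN and expected source addresses, which is also why the alert carries the source IPs.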
Scope of the Breach
The breach is notable for its cross-institutional reach. The European Union's various agencies, directorates, and bodies frequently share cloud environments, data exchanges, and collaborative platforms. A compromise of a central cloud account can therefore cascade into exposure of data from many separate entities.
CERT-EU confirmed the data of at least 29 EU entities beyond the Commission was accessible to the attackers. The specific agencies affected have not all been publicly named, but the breach is understood to involve:
- Internal administrative and operational data
- Communications stored in cloud-based collaboration platforms
- Documents and files held in shared EU cloud storage services
The full scope of what data was accessed or exfiltrated is still under investigation.
TeamPCP Threat Profile
TeamPCP is a financially and intelligence-motivated threat group known for:
| Capability | Description |
|---|---|
| Supply chain attacks | Trojanized packages on PyPI and npm |
| Steganography | Malware hidden in audio and image files |
| Cloud targeting | AWS, Azure, and GCP environment compromise |
| Credential harvesting | Infostealers targeting developer tooling |
| Lateral movement | Cross-account privilege escalation in cloud tenants |
The group's targeting of EU institutional infrastructure represents an escalation beyond their previously observed developer-focused campaigns.
CERT-EU Response
CERT-EU has issued guidance to all EU institutions, bodies, offices, and agencies (EUIBAs) following the incident. Key recommendations include:
- Audit cloud account access — review IAM permissions and active sessions across all EU-managed cloud environments
- Enable MFA on all cloud accounts — particularly AWS IAM users and service accounts with cross-account access
- Review cross-account trust policies — identify and restrict overly permissive IAM roles that allow lateral movement between EU entity accounts
- Rotate all exposed credentials — any credentials accessible from the compromised Commission environment should be treated as compromised
- Deploy cloud-native threat detection — AWS GuardDuty, Microsoft Defender for Cloud, or equivalent tools should be active on all institutional cloud accounts
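The first, third and fourth recommendations come down to one question per role: who is allowed to assume it, and under what conditions. The script below is an added example, not CERT-EU's guidance text or code from the article, that audits exported IAM role trust policies for the patterns that enable cross-account lateral movement: a wildcard principal, an account outside the organisation trusted without an `sts:ExternalId` condition, and whole-account (`:root`) trust with no MFA condition. It assumes the policies have been exported (the `AssumeRolePolicyDocument` field returned by `aws iam list-roles`) and loaded as dicts; every account ID, role name and policy in it is a constructed placeholder, and a weak policy is shown beside its corrected form. Note that the MFA check only makes sense where a human principal is on the calling side; automation should instead get short-lived role credentials scoped by `aws:PrincipalOrgID` or an ExternalId.

```python
"""Audit IAM role trust policies for overly permissive cross-account access.

Added example; not CERT-EU's guidance or the article's code. Assumes trust
policies were exported from `aws iam list-roles` and loaded as dicts. All
account IDs, role names and policies below are constructed placeholders.
"""

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed: our own accounts
SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _aws_principals(statement):
    """AWS (account/user/role) principals only; Service/Federated are out of scope."""
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else []


def _account_of(principal):
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal  # bare 12-digit account form


def _condition_keys(statement):
    return {k.lower() for kv in statement.get("Condition", {}).values() for k in kv}


def audit_trust_policy(role_name, policy):
    """Return (role, severity, message) findings for one trust policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        keys = _condition_keys(st)
        for principal in _aws_principals(st):
            acct = _account_of(principal)
            if acct == "*":
                if "aws:principalorgid" in keys:
                    findings.append((role_name, "INFO", "wildcard principal scoped to the organisation"))
                else:
                    findings.append((role_name, "CRITICAL", "any AWS account can assume this role"))
            elif acct not in TRUSTED_ACCOUNTS:
                if "sts:externalid" in keys:
                    findings.append((role_name, "INFO", f"external account {acct} trusted with ExternalId"))
                else:
                    findings.append((role_name, "HIGH", f"external account {acct} trusted without sts:ExternalId"))
            elif principal.endswith(":root") and "aws:multifactorauthpresent" not in keys:
                findings.append((role_name, "MEDIUM", f"every principal in {acct} may assume this role, no MFA condition"))
    return findings


def worst_severity(findings):
    return max((f[1] for f in findings), key=SEVERITY_RANK.__getitem__, default=None)


def _policy(principal, **condition):
    """Build a one-statement trust policy (constructed test data)."""
    s = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        s["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [s]}


SAMPLE_ROLES = {
    # Weak: shared-storage role that any AWS account can assume.
    "agency-shared-storage": _policy({"AWS": "*"}),
    # Corrected form: one named partner role, MFA required on the calling side.
    "agency-shared-storage-fixed": _policy(
        {"AWS": "arn:aws:iam::222222222222:role/StorageSync"},
        Bool={"aws:MultiFactorAuthPresent": "true"}),
    # Whole-account trust inside the organisation with no MFA condition.
    "commission-data-exchange": _policy({"AWS": "arn:aws:iam::111111111111:root"}),
    # Third-party tool account trusted without an ExternalId (confused-deputy risk).
    "vendor-scanner": _policy({"AWS": "arn:aws:iam::333333333333:root"}),
    # Wildcard pinned to the organisation ID; acceptable for org-wide read roles.
    "org-wide-read": _policy({"AWS": "*"}, StringEquals={"aws:PrincipalOrgID": "o-example1234"}),
    # Service principal only; not a cross-account trust.
    "ec2-instance-profile": _policy({"Service": "ec2.amazonaws.com"}),
}


def audit_all(roles=SAMPLE_ROLES):
    return {name: audit_trust_policy(name, policy) for name, policy in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        for _, severity, message in findings:
            print(f"{severity:8} {name}: {message}")
```

Run against a real export, the CRITICAL and HIGH findings are the roles to fix first, since each one is a path by which a single compromised identity elsewhere reaches this account's data. The corrected policy shows the shape to aim for: a specific principal ARN instead of `*` or `:root`, plus a condition that the caller cannot satisfy by merely holding a leaked key.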
Broader Implications
The incident highlights a systemic risk in how EU institutions manage shared cloud infrastructure. The interconnected nature of EU agency collaboration tools means a compromise of one organization's cloud credentials can expose data from dozens of others.
This breach follows a pattern of threat actors specifically targeting government cloud environments as a force-multiplier — one set of credentials, many victims.
Security teams at EU institutions and member state agencies should treat this incident as a signal to audit cross-account relationships and implement zero-trust network access principles in their cloud environments.
Source: BleepingComputer — April 3, 2026