Who is Behind the Cyber Attack on the European Commission?

The European Commission faced a cyberattack on March 24 targeting the cloud infrastructure hosting the Commission's web presence on the Europa.eu platform. Data was stolen and ShinyHunters took credit.

The European Commission, the governing body that oversees and coordinates the EU’s cybersecurity, saw its regulations tested by fire in a recent cyberattack.

Last week, the Commission confirmed that its cloud infrastructure hosting the Europa.eu web platform was attacked by bad actors. 

The incident affected at least one of its AWS accounts but did not disrupt website availability. 

Early findings tell a story of victory for the attackers, as the EU reveals that data was taken from the affected systems. 

The administrative body said that relevant entities are being notified as part of the containment and mitigation efforts. 

While the Commission did not name who was responsible for the attack, the threat group ShinyHunters claimed responsibility.

According to reporting from Bleeping Computer, ShinyHunters claim that they stole over 350GB of data from multiple databases before their access was revoked.

The Commission is continuing to investigate the full scope of the breach and intends to use the findings to strengthen its cybersecurity posture.

Data exposure and containment

The European Union claims that their “internal systems were not affected by the cyberattack”.

Despite the breach, containment was swift and the Commission’s public websites remained online. 

If one were to take ShinyHunters at their word, the exfiltrated data includes information from mail servers, confidential documents and contracts among other sensitive information. 

Bleeping Computer reports that ShinyHunters allegedly posted a portion of the stolen files on their dark website, releasing more than 90 GB of material.

ShinyHunters: persistent data extortion threat

ShinyHunters has a long history of breaching high-profile organisations including Infinite Campus, CarGurus, Canada Goose and Match Group, often exploiting large-scale voice phishing.

“ShinyHunters did not use a zero-day. They did not need one,” notes Sebastiaan van der Meer, a Senior Solutions Engineer at TrendAI, on his LinkedIn.

“This group runs a consistent playbook: find exposed credentials, exploit misconfigured access, extract data before anyone notices the session is abnormal.

“The institution that regulates NIS2 compliance across the EU just became a case study in why NIS2 exists.

“That tension deserves more attention than it is getting.”

Sebastiaan raises the question that every organisation should be asking: “If ShinyHunters targeted us with the same approach, at what point would we detect it?”

“At what point in the session would the behaviour look anomalous enough to trigger a response?”

He says that “for most organisations, the honest answer is: after exfiltration was already complete.”

Sebastiaan points to a solution: “TrendAI Vision One correlates identity and SaaS telemetry in real time – surfacing the abnormal session behaviour and data movement patterns that precede exfiltration, before the breach notification is written.”

The Europa.eu breach serves as a reminder that public sector platforms are high-value targets and that even strong perimeter defences are not enough. 

Rapid detection, identity-aware monitoring and structured incident response are now critical to safeguarding EU digital services.
