The European Commission confirmed a breach of Europa.eu, the EU's official web hosting platform, after detecting intrusion traces on March 24 and officially acknowledging the incident on March 27. The ShinyHunters group published the stolen dataset one day later. CERT-EU issued its formal statement on April 2, attributing initial access to a poisoned release pipeline, while independent analysis from a Polish information-security researcher exposed deeper Identity and Access Management failures that converted a narrow foothold into a 340 GB exfiltration event.
What Happened
Attackers compromised Europa.eu's build and release infrastructure by abusing a misconfiguration in the GitHub Actions environment tied to Trivy, the open-source vulnerability scanner. A leaked token allowed adversaries to insert themselves into the release process and ship a malicious version containing an infostealer payload. Once inside the AWS environment, the attackers exploited IAM weaknesses rather than further software vulnerabilities. According to the Polish researcher's assessment, which went beyond CERT-EU's public briefing, two distinct access-control flaws enabled lateral movement: the attacker-controlled identity held permission to retrieve secrets from any ARN within the account (in effect, secretsmanager:GetSecretValue on a wildcard resource), and the primary SSO policy contained a wildcard permitting wide-scope actions. Combined with a missing MFA requirement at the identity-provider layer, these conditions allowed unchecked enumeration and extraction.
What Was Taken
The exfiltrated dataset totals roughly 340 GB, moved out through S3, Athena, and NextCloud channels. The loot includes the full contents of the SSO directory, internal emails with attachments, DKIM signing keys stored in cleartext inside AWS Secrets Manager, AWS configuration dumps, Athena query results of the kind typically used for log and metric analysis, and URLs pointing to internal administration interfaces. The combination of directory contents and mailbox data is especially valuable for building targeted phishing campaigns against EU staff and contractors. The DKIM keys remain a risk vector until the compromised selectors are retired and new public keys are published in DNS, a rotation Europa.eu has likely performed since disclosure.
Why It Matters
This incident demonstrates how a single CI/CD misstep cascades into a full cloud compromise when IAM hygiene is weak. The European Commission's hosting platform is a high-trust asset whose credentials, directory contents, and signing material carry disproportionate downstream value for statecraft-adjacent threat actors and criminal brokers alike. ShinyHunters' rapid publication of the data within 24 hours of acknowledgement signals a continued shift toward reputational extortion and open dumping over private negotiation. For defenders, the case reinforces that wildcard IAM policies and missing IdP-layer MFA are no longer theoretical risks. They are the enabling conditions that turn routine tooling exposure into multi-hundred-gigabyte breaches.
The Attack Technique
Initial access came via a token retrieved through a GitHub Actions misconfiguration in the Trivy integration path. That token allowed the attackers to tamper with the release process and distribute a malicious build containing an infostealer. Credentials harvested from that foothold mapped to an AWS identity whose permissions were functionally unbounded. The attackers then ran enumeration calls including s3:ListBucket and iam:ListRoles, read the DKIM keys from AWS Secrets Manager in plaintext, and staged exfiltration through S3, Athena, and NextCloud. Because no MFA was enforced at the identity provider, no step-up authentication ever challenged the stolen session.
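The enumeration-then-extraction pattern described above is what CloudTrail-based detection should key on. The following is an added example, not code from the article, CERT-EU, or the researcher cited: it loads constructed CloudTrail records (not real Europa.eu logs), flags any identity whose discovery calls cluster within a short window, and separately flags GetSecretValue reads of secrets whose names indicate signing material. The ARNs, account ID, secret names, window length, and threshold are assumptions.

```python
"""Detect bulk AWS API enumeration and sensitive secret reads in CloudTrail.

Added example, not code from the article, CERT-EU or any vendor. The JSON
lines below are constructed to resemble the activity the article describes
(ListRoles, ListBuckets/ListObjects, GetSecretValue from one identity) and
are not real Europa.eu logs; ARNs, account ID, thresholds and the window
are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values that correspond to discovery. The IAM action
# s3:ListBucket is recorded as the S3 data event "ListObjects"; listing
# buckets themselves is the management event "ListBuckets".
ENUMERATION_EVENTS = {
    ("s3.amazonaws.com", "ListBuckets"),
    ("s3.amazonaws.com", "ListObjects"),
    ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "ListUsers"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
}

# Constructed sample: one assumed-role session from a CI release identity
# enumerates the account and then reads two DKIM secrets and one unrelated
# secret; a second identity makes a single benign call half an hour later.
SAMPLE_LOG = """\
{"eventTime":"2026-03-20T10:00:01Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"}}
{"eventTime":"2026-03-20T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"}}
{"eventTime":"2026-03-20T10:00:12Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"}}
{"eventTime":"2026-03-20T10:00:20Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"},"requestParameters":{"bucketName":"internal-mail-archive"}}
{"eventTime":"2026-03-20T10:00:31Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"}}
{"eventTime":"2026-03-20T10:00:40Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"},"requestParameters":{"bucketName":"athena-query-results"}}
{"eventTime":"2026-03-20T10:00:55Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"},"requestParameters":{"secretId":"prod/mail/dkim-europa-eu"}}
{"eventTime":"2026-03-20T10:01:02Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"},"requestParameters":{"secretId":"prod/mail/dkim-selector2"}}
{"eventTime":"2026-03-20T10:01:10Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-release/trivy-build"},"requestParameters":{"secretId":"prod/db/password"}}
{"eventTime":"2026-03-20T10:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/admin-jane"}}
"""


def load_events(jsonl):
    """Parse JSON-lines CloudTrail records and return them sorted by time."""
    events = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        event["_ts"] = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def detect_bulk_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """One finding per identity whose enumeration calls in any sliding window
    of `window` length reach `threshold`; count is the densest window seen."""
    per_actor = defaultdict(list)
    for event in events:
        if (event["eventSource"], event["eventName"]) in ENUMERATION_EVENTS:
            per_actor[event["userIdentity"]["arn"]].append(event["_ts"])
    findings = []
    for arn, stamps in per_actor.items():
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"type": "bulk_enumeration", "arn": arn, "count": best})
    return findings


def detect_sensitive_secret_reads(events, markers=("dkim", "signing")):
    """Every GetSecretValue whose secretId names signing material."""
    findings = []
    for event in events:
        if (event["eventSource"], event["eventName"]) != ("secretsmanager.amazonaws.com", "GetSecretValue"):
            continue
        secret_id = event.get("requestParameters", {}).get("secretId", "")
        if any(marker in secret_id.lower() for marker in markers):
            findings.append({"type": "sensitive_secret_read",
                             "arn": event["userIdentity"]["arn"], "secret": secret_id})
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for finding in detect_bulk_enumeration(evs) + detect_sensitive_secret_reads(evs):
        print(finding)
```

In production the same logic runs over CloudTrail delivered to S3 or Athena; the point of the sliding window is that a CI identity legitimately lists a bucket now and then, but six discovery calls from one session in under a minute followed by reads of key material is the sequence the article describes, and correlating the two findings on the same ARN is what turns noise into an alert.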
What Organizations Should Do
- Audit all IAM policies for wildcard resource definitions, particularly on secretsmanager:GetSecretValue, and scope every permission to explicit ARNs.
- Enforce MFA at the identity-provider layer for all human and federated identities, with no exemptions for SSO entry points.
- Treat CI/CD tokens as crown-jewel credentials: rotate frequently, scope to single repositories, and use OIDC federation instead of long-lived secrets where possible.
- Encrypt sensitive material like DKIM keys with customer-managed KMS keys and restrict decryption rights to narrowly defined roles.
- Enable CloudTrail data events plus GuardDuty anomaly detection for S3, Athena, and Secrets Manager, and alert on bulk enumeration patterns.
- Review third-party scanner integrations (Trivy, Snyk, and equivalents) for token exposure in GitHub Actions workflows, and pin actions to immutable commit SHAs or verified release hashes rather than floating tags.
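The first recommendation above (audit for wildcard resources on sensitive actions) and the two IAM flaws described under What Happened both come down to the same check over policy documents. The following is an added example, not code from the article, the researcher, or AWS: WEAK_POLICY is constructed to mirror the two flaws the article describes (GetSecretValue on any ARN, and a wildcard grant in the SSO policy), HARDENED_POLICY is an assumed corrected form, and the account ID, ARNs, and sensitive-action list are assumptions. The audit generalizes beyond the article's case in that it also catches Allow statements built with NotAction or NotResource, which grant everything except the listed items.

```python
"""Flag IAM policy statements that grant sensitive actions on wildcard resources.

Added example, not code from the article or from AWS. WEAK_POLICY mirrors
the two flaws the article describes; HARDENED_POLICY is an assumed corrected
form. Account ID, ARNs and SENSITIVE_ACTIONS are assumptions.
"""
import fnmatch
import json

# Concrete actions whose exposure on a wildcard resource is most damaging.
SENSITIVE_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "kms:Decrypt",
    "s3:GetObject",
    "iam:CreateAccessKey",
    "sts:AssumeRole",
    "athena:GetQueryResults",
]

# Constructed weak policy: secrets readable from any ARN, plus an SSO-style
# wildcard statement over whole services.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAnySecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Sid": "SsoAdminWildcard", "Effect": "Allow",
     "Action": ["s3:*", "iam:*", "secretsmanager:*"], "Resource": "*"}
  ]
}""")

# Constructed hardened policy: one explicit secret ARN, one bucket prefix.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadDkimSecretOnly", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/mail/dkim-AbCdEf"},
    {"Sid": "ReadReleaseArtifacts", "Effect": "Allow",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::release-artifacts/trivy/*"}
  ]
}""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return findings for Allow statements that expose a sensitive action on
    a wildcard resource. "*" alone is critical; a prefix wildcard such as
    arn:...:bucket/* is a warning because it is still not an explicit ARN."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Allow + NotX grants everything except the listed items.
            findings.append({"statement": idx, "sid": stmt.get("Sid"), "severity": "critical",
                             "action": "NotAction/NotResource", "matches": [],
                             "resource": "(inverted match)", "conditioned": "Condition" in stmt})
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive and supports * and ?.
            matched = [a for a in SENSITIVE_ACTIONS
                       if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if not matched:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":
                    severity = "critical"
                elif "*" in resource:
                    severity = "warn"
                else:
                    continue
                findings.append({"statement": idx, "sid": stmt.get("Sid"), "severity": severity,
                                 "action": pattern, "matches": matched, "resource": resource,
                                 "conditioned": "Condition" in stmt})
    return findings


def critical_count(policy):
    """Number of critical findings, the figure to gate a policy change on."""
    return sum(1 for f in find_wildcard_grants(policy) if f["severity"] == "critical")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, critical_count(pol), "critical")
        for f in find_wildcard_grants(pol):
            print("  ", f["severity"], f["sid"], f["action"], "->", f["resource"], f["matches"])
```

Run against real policies by feeding the output of `aws iam get-policy-version` or the inline policies of SSO permission sets into `find_wildcard_grants`. The `conditioned` flag is there because a wildcard statement guarded by a condition such as `aws:MultiFactorAuthPresent` is a different risk from an unconditional one, which is exactly the gap the missing IdP-layer MFA left open in this incident.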
Sources: Europa.eu Hack: A Lesson in IAM Configuration - Dawn Liphardt