BRUSSELS — European Union officials have tumbled into a cyber crisis after attacks hit its digital systems and officials’ phones. Cyber experts are probing to see just how deep the rabbit hole goes.

The EU executive has told some of its most senior officials to shut down a group on messaging app Signal over fears it was a hacking target, POLITICO first reported on Thursday. The move comes as the EU faced a string of attacks in the last few months that led to breaches of its cloud infrastructure and an IT system managing mobile devices.

“The EU is finally discovering its security weaknesses … spending billions on useless things, not investing in critical issues,” said one Western intelligence official briefed on the situation, granted anonymity to disclose information that has not been disclosed publicly.

It’s still unclear whether the incidents are related. The Commission has released few details on the hacks and declined to comment in detail on sensitive security questions. Cyberattacks can be hard to investigate — and finding out who is behind them is a sensitive, tricky process.

Here are three things you need to know about the cyber crisis raging in the EU executive.

1. Commission got hacked at least twice

The EU executive has confirmed at least two breaches of its systems this year.

The Commission’s cloud services running its europa.eu website were compromised in late March. Its in-house cybersecurity team, CERT-EU, said Thursday that the attackers stole personal data, including “names, email addresses and email content.”

Spokesperson Thomas Regnier said earlier this week that the Commission’s “internal infrastructure has absolutely not been affected,” and that the Commission is in contact with Amazon and the EU’s internal privacy regulator about the attack.

In an earlier incident, the EU executive found “traces of a cyberattack” in its central infrastructure managing mobile devices at the end of January. That breach “may have resulted in access to staff names and mobile numbers of some of its staff members,” it said, adding “no compromise of mobile devices was detected.”

Around the same time, tech firm Ivanti reported vulnerabilities in its software used by large organizations to manage devices. Other governments including the Netherlands reported facing attacks using these software glitches. Cybersecurity firms warned hackers were quick to use the vulnerabilities to compromise organizations — notably government institutions. 

The European Commission did not confirm its own hack in January was due to the Ivanti vulnerabilities.

Separately, a private telephone conversation between a POLITICO reporter and an EU official was also intercepted and published online last month. The EU institutions did not disclose details on what caused the leak and POLITICO did not name the institution the official worked for.

2. Officials have been targeted on Signal

Since 2020, the European Commission has had guidance telling its officials to use Signal for non-work-related messages. Signal is an end-to-end encrypted messaging app that is considered the most secure in the business.

But in the past few weeks, European cyber and intelligence agencies warned of a “large-scale global cyber campaign,” in which hackers from the Kremlin posed as a fake Signal support chatbot to trick officials into revealing their app PIN codes. Dutch, French, German, Portuguese and British security services have all issued similar alerts on the campaign.

The shutdown of the Commission officials’ Signal group comes in the wake of those warnings.

European governments are increasingly encouraging their officials to move away from Signal and similar services like WhatsApp and Threema, which, though secure, are less easily controlled and monitored. France, Germany, Luxembourg, NATO and most recently Belgium have switched to in-house versions. The EU also has plans for “an interoperable set of secure communication solutions,” according to a document released last year. 

The use of Signal by government officials came under intense scrutiny after senior members of the Trump administration last year were found to be exchanging military plans and classified information on the app — in a catastrophic breach of security that became known as Signalgate. 

3. Moscow and cybercriminals both get blame

National security services have blamed the Kremlin for the recent campaigns targeting public officials on Signal. It’s unusual for cyber and intelligence agencies to explicitly say who they think is responsible for an attack while it is still ongoing — that process usually takes place some time after the event, and requires political and diplomatic approval. 

A European Commission spokesperson told POLITICO with regard to shutting down the Signal group: “We do not comment on internal security practices. We take cybersecurity risks very seriously and have clear internal guidelines for our staff.”

When it comes to the hack of EU cloud services, officials have pointed to a major cybercriminal group. CERT-EU said Thursday that the ShinyHunters hacking group was to blame for the attack, adding that the group leaked 340GB of Commission data on the dark web. 

ShinyHunters was previously linked to a major hack of a Dutch telecom operator in February, and is part of a wider web of cybercrime groups that claimed responsibility for a hack of Jaguar Land Rover that knocked approximately €2.2 billion off the United Kingdom’s economy last year. 

The hacking group is English-speaking and is known for sophisticated scams. It previously received global attention after attacking Google.