
The Commission said the Europa websites remain available, and that its “swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data.” Its internal systems weren’t affected by the attack, the statement added.
The incident comes after the Commission revealed on January 30 that its central infrastructure for managing mobile devices had “identified traces of a cyber attack” which may have exposed the names and mobile numbers of some staff.
IAM is hard
The lack of information about the attack makes it hard for security industry experts to comment. For one thing, it’s unknown how the breach of security controls happened: Did the threat actor take advantage of an unpatched software or hardware vulnerability, find a zero day, or did an employee fall for a phishing attack?
“There is very little info out,” said Kellman Meghu, chief technology officer of Canadian incident response firm DeepCove Cybersecurity, “but this does sound bad. This is why I force all my users to use AWS Identity Center sign on. No IAM-generated keys, and admin accounts are only activated through a ‘break glass’ strategy, where two people are needed to authenticate.”
By “break glass” strategy, Meghu said he meant that the AWS root/admin account that controls all of an organization’s cloud infrastructure is stored outside of AWS on a system that requires authorization from both the CEO and CTO, via credentials and hardware tokens. This access generates an alert, so if there was an unauthorized attempt to sign in, the CEO and CTO would know.
“I personally live in constant fear of this sort of thing happening,” he said. “I create multiple separate AWS accounts using the AWS Organizations feature so accounts are completely isolated from each other. For example, there can be a ‘dev ORG’ for testing with no real data, and a ‘uat ORG’ for user testing with some data, and a ‘prod ORG’ where no one is allowed. You can also break things down so different application types get their own Organizations, which limits lateral movement. Azure has similar setup and options, which are called Tenants.”
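The two controls Meghu describes, no IAM-generated keys and a break-glass path that is alerted on, can be expressed as an AWS Organizations service control policy plus a check over CloudTrail. The example below is added here as an illustration; it is not code from the article or from DeepCove Cybersecurity. The break-glass role name `BreakGlassAdmin`, the account IDs, the IP addresses and the CloudTrail records are constructed for illustration; the SCP document format, the IAM action names and the CloudTrail field names (`userIdentity.type`, `eventName`, `responseElements.ConsoleLogin`) are the real AWS ones.

```python
"""Added example (not from the article or DeepCove Cybersecurity):
an AWS Organizations service control policy (SCP) that blocks long-lived IAM
credentials outside a single break-glass role, plus a small detector that
raises alerts from CloudTrail records when the root account, the break-glass
role, or access-key creation shows up. Role name, account IDs and records are
constructed for illustration."""
import json

# Assumed break-glass role (hypothetical name). In practice this is whatever
# principal the two-person CEO/CTO ceremony assumes; nothing else in the
# organization is allowed to mint static IAM credentials.
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::*:role/BreakGlassAdmin"

# IAM actions that create long-lived or console credentials for IAM principals.
STATIC_CREDENTIAL_ACTIONS = [
    "iam:CreateUser",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateAccessKey",
]


def deny_static_credentials_scp(break_glass_arn=BREAK_GLASS_ROLE_ARN):
    """Build the SCP document. Attached to an OU (e.g. dev/uat/prod), it denies
    the listed IAM actions to every principal in every member account except
    the break-glass role, so day-to-day access must come through Identity
    Center sign-on. Note: SCPs never apply to the management account itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyIamStaticCredentials",
            "Effect": "Deny",
            "Action": STATIC_CREDENTIAL_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotLike": {"aws:PrincipalArn": break_glass_arn}},
        }],
    }


def scp_json(break_glass_arn=BREAK_GLASS_ROLE_ARN):
    """Serialized form, as passed to `aws organizations create-policy --content`."""
    return json.dumps(deny_static_credentials_scp(break_glass_arn), indent=2)


def alerts_from_cloudtrail(records, break_glass_arn=BREAK_GLASS_ROLE_ARN):
    """Return (severity, message) tuples, in record order, for:
      - any root-account activity, including failed console logins;
      - the break-glass role being used (expected only during a ceremony);
      - access keys being created (the SCP should block this; if it appears,
        the SCP is missing or the caller is in the management account)."""
    role_name = break_glass_arn.rsplit("/", 1)[1]
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        src = rec.get("sourceIPAddress", "?")
        if ident.get("type") == "Root":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin", name)
            alerts.append(("critical", f"root activity from {src}: {outcome}"))
        elif f":assumed-role/{role_name}/" in ident.get("arn", ""):
            alerts.append(("high", f"break-glass role used for {name} from {src}"))
        elif name == "CreateAccessKey":
            user = rec.get("requestParameters", {}).get("userName", "?")
            alerts.append(("high", f"static access key created for {user} by {ident.get('arn')}"))
    return alerts


# Constructed CloudTrail records (not real logs), trimmed to the fields used.
SAMPLE_RECORDS = [
    {   # Normal: an Identity Center user working through a permission-set role.
        "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Dev_abc123/alice"},
    },
    {   # Failed console login as root: someone is trying the root password.
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # Break-glass role in use; the CEO and CTO should already know about it.
        "eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "203.0.113.20",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/BreakGlassAdmin/ceo-cto-session"},
    },
    {   # Static key minted in the management account, which SCPs cannot restrict.
        "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/legacy-admin"},
        "requestParameters": {"userName": "legacy-admin"},
    },
]

if __name__ == "__main__":
    print(scp_json())
    for severity, message in alerts_from_cloudtrail(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

The SCP is a guardrail for member accounts only; the management account is exempt from SCPs, which is one reason to keep it empty of workloads and to alert on its use, as the last sample record shows. The detector is the kind of rule you would run in CloudTrail Lake, EventBridge or a SIEM; the first record produces no alert because Identity Center permission-set roles are the intended path.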
