Update: May 13, 12:09 EDT: Europol sent BleepingComputer a follow-up statement saying the attackers likely breached the EPE web portal using stolen credentials.
Europol, the European Union's law enforcement agency, confirmed that its Europol Platform for Experts (EPE) portal was breached and is now investigating the incident after a threat actor claimed they stole For Official Use Only (FOUO) documents containing classified data.
EPE is an online platform law enforcement experts use to "share knowledge, best practices and non-personal data on crime."
"Europol is aware of the incident and is assessing the situation. Initial actions have already been taken. The incident concerns a Europol Platform for Expert (EPE) closed user group," Europol told BleepingComputer.
"No operational information is processed on this EPE application. No core systems of Europol are affected and therefore, no operational data from Europol has been compromised."
BleepingComputer also asked when the breach occurred and whether it is true FOUO and classified documents were stolen as claimed by the threat actor, but a response was not immediately available.
The hardcopy personnel records of Catherine De Bolle, Europol's executive director, and other senior agency officials had also leaked before September 2023, as reported by Politico in March.
"On Sep. 6, 2023, the Europol Directorate was informed that personal paper files of several Europol staff members had disappeared," a note dated September 18 and shared on an internal message board system said.
"Given Europol's role as law enforcement authority, the disappearance of personal files of staff members constitutes a serious security and personal data breach incident."
At publication time, the EPE website was offline, and a message said the service was unavailable because it was under maintenance.
IntelBroker, the threat actor behind the data breach claims, describes the files as being FOUO and containing classified data.
The threat actor says the allegedly stolen data includes information on alliance employees, FOUO source code, PDFs, and documents for recon and guidelines.
They also claim to have gained access to EC3 SPACE (Secure Platform for Accredited Cybercrime Experts), one of the communities on the EPE portal, hosting hundreds of cybercrime-related materials and used by over 6,000 authorized cybercrime experts from around the world, including:
- Law enforcement from EU Member States' competent authorities and non-EU countries;
- Judicial authorities, academic institutions, private companies, non-governmental and international organizations;
- Europol staff.
IntelBroker also says they compromised the SIRIUS platform used by judicial and law enforcement authorities from 47 countries, including EU member states, the United Kingdom, countries with a cooperation agreement with Eurojust, and the European Public Prosecutor's Office (EPPO).
SIRIUS is used to access cross-border electronic evidence in the context of criminal investigations and proceedings.
Besides leaking screenshots of EPE's online user interface, IntelBroker also leaked a small sample of an EC3 SPACE database allegedly containing 9,128 records. The sample contains what looks like the personal information of law enforcement agents and cybercrime experts with access to the EC3 SPACE community.
"PRICING: Send offers. XMR ONLY. Message me on the forums for a point of contact. Proof of funds is required. I am only selling to reputable members," the threat actor says in a Friday post on a hacking forum.
Who is IntelBroker?
Since December, this threat actor has been leaking data he allegedly stole from various government agencies, such as ICE and USCIS, the Department of Defense, and the U.S. Army.
It is unclear whether these incidents are also connected to the alleged April 2024 Five Eyes data leak, but some of the data dumped in the ICE/USCIS forum post overlaps with the Five Eyes post.
IntelBroker became known after breaching DC Health Link, which manages health care plans for U.S. House members, staff, and families.
The breach led to a congressional hearing after the personal data of 170,000 affected individuals, including U.S. House of Representatives members and staff, was exposed.
Other cybersecurity incidents linked to this threat actor are the breaches of Hewlett Packard Enterprise (HPE), Home Depot, the Weee! grocery service, and an alleged breach of General Electric Aviation.
Earlier this week, IntelBroker also started selling what they described as access to the network of cloud security company Zscaler (i.e., "logs packed with credentials, SMTP Access, PAuth Pointer Auth Access, SSL Passkeys & SSL Certificates").
Zscaler later confirmed it had discovered an "isolated test environment" exposed online and took it offline for forensic analysis, adding that no company, customer, or production environments were impacted. Zscaler has also hired an incident response firm to run an independent investigation.
Update May 13, 12:09 EDT: In an updated statement to BleepingComputer, Europol says that the portal was not hacked through a vulnerability or a misconfiguration, but, instead, the attackers gained access to the data using stolen credentials.
The attempt took place recently and was discovered immediately. Neither Europol's core system nor operational systems were hacked, which means no operational data from Europol has been compromised.
The Europol Expert Platform (EPE) was also not hacked. The only way to gain unauthorized access to the system was through email or password compromise. Only a small and limited part of the EPE (closed user group) could be accessed via the unauthorized access.
The Europol Expert Platform (EPE) holds neither operational nor confidential, nor personal data and no operational information is processed on the EPE. Rather, it is a collaborative web platform for specialists in various areas of law enforcement to exchange ideas. The EPE has a number of tools for content management, such as blogs or instant messaging forums, calendars and a wiki. The platform has over 20,000 users. — Europol