Cyber Incident Victim: European Banking Authority
Date: Mar 2021
Location: —
Summary
The European Banking Authority's on-premises Microsoft Exchange Servers were compromised during the March 2021 wave of attacks that exploited then-zero-day Exchange vulnerabilities, and the agency took all of its email systems offline in response. Its first statement on March 7 warned that personal data held on the servers might have been accessed; forensic analysis reported on March 8 found no evidence of data exfiltration. The campaign was attributed to several state-sponsored groups, Hafnium among them, which planted web shells on compromised servers so that their access survived patching. The EBA secured and restored its email infrastructure with additional controls and kept monitoring to confirm that the intrusion had not spread beyond the email environment.
Description
The European Banking Authority (EBA) disclosed on March 7, 2021 that its Microsoft Exchange Servers had been compromised and that it had taken all email systems offline as a precaution. The intrusion was part of the global wave of attacks on on-premises Exchange Servers that exploited zero-day vulnerabilities Microsoft had patched out of band on March 2, 2021, only days earlier. The EBA launched a full investigation with its ICT provider, external forensic experts and the relevant authorities. Its March 7 advisory warned that the attackers might have obtained access to personal data held on the email servers; a March 8 update reported that forensic analysis had found no sign of data exfiltration, although the investigation was still ongoing. The agency secured its email infrastructure, added further security controls and monitored the systems while restoring full service. It undertook to notify anyone whose data proved to be at risk and to advise on mitigation if that became necessary.

The incident was part of a coordinated campaign in which several state-sponsored groups exploited the Exchange vulnerabilities. Microsoft initially attributed the exploitation to Hafnium, a group it assessed as operating from China, which targeted U.S. entities such as defense contractors, researchers and NGOs. ESET subsequently identified further actors, including APT27, Bronze Butler and Calypso, exploiting unpatched servers worldwide. The attackers dropped web shells on compromised servers, which gave them remote access that survived patching: the update closes the entry point but does not remove files already written to the server, so a patched server with an unremoved web shell remains compromised. CISA warned of widespread exploitation and urged administrators to run Microsoft's indicator-of-compromise tooling; Microsoft updated its Safety Scanner (MSERT) to detect known web shells and released a PowerShell script (Test-ProxyLogon.ps1) that searches Exchange HttpProxy and OWA logs for exploitation indicators. The EBA case illustrates how quickly the vulnerabilities were weaponized, although no data theft or movement beyond the email servers was confirmed.
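The two checks the paragraph above alludes to, as an added example written for this page (it is not Microsoft's Test-ProxyLogon.ps1, the EBA's tooling, or code from any of the parties named): a parser for an Exchange HttpProxy log that flags requests matching the AnchorMailbox and BackEndCookie wildcards Microsoft published with its detection guidance, and a sweep of the two directories in which the 2021 web shells were typically dropped. The log excerpt, hostnames, IP addresses, file names and file contents are constructed for the example; the content heuristic for web shells is this example's own and is meant to be tuned against a real baseline.

```python
"""Offline triage for the artefacts described above: Microsoft's request-log indicator
for the 2021 Exchange exploitation, and web shells left behind after patching. Added example
for this page, not Microsoft's Test-ProxyLogon.ps1; every fixture below is constructed."""
import csv
import re
import shutil
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path

# Constructed excerpt of an Exchange HttpProxy log (subset of columns). Real logs
# carry '#'-prefixed metadata, including '#Fields:', ahead of the CSV rows.
SAMPLE_HTTPPROXY_LOG = """\
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie
2021-03-03T02:11:09.312Z,203.0.113.10,/owa/auth/x.js,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#,
2021-03-03T02:11:10.001Z,203.0.113.10,/ecp/y.js,,Server~exch01.corp.example/ecp/DDI/DDIService.svc~1941962753
2021-03-03T09:00:00.000Z,10.0.0.25,/owa/,Smtp~alice@corp.example,Server~exch01.corp.example~1941962753
"""

# Wildcards from Microsoft's guidance: a legitimate AnchorMailbox or BackEndCookie
# names a mailbox or a server, never a server followed by a URL path.
ANCHOR_PATTERN = "ServerInfo~*/*"
BACKEND_COOKIE_PATTERN = "Server~*/*~*"

def parse_exchange_log(text):
    """Skip '#' metadata; if no plain header row follows, '#Fields:' names the columns."""
    fields, rows = None, []
    for ln in text.splitlines():
        if ln.startswith("#Fields:"):
            fields = ln[len("#Fields:"):].strip().split(",")
        elif ln.strip() and not ln.startswith("#"):
            rows.append(ln)
    if rows and fields and rows[0] != ",".join(fields):
        return list(csv.DictReader(rows, fieldnames=fields))
    return list(csv.DictReader(rows))

def suspicious_proxy_rows(text):
    """(DateTime, ClientIpAddress, UrlStem, reason) for rows matching an indicator wildcard."""
    hits = []
    for row in parse_exchange_log(text):
        anchor, cookie = row.get("AnchorMailbox") or "", row.get("BackEndCookie") or ""
        if fnmatchcase(anchor, ANCHOR_PATTERN):
            reason = "AnchorMailbox=" + anchor
        elif fnmatchcase(cookie, BACKEND_COOKIE_PATTERN):
            reason = "BackEndCookie=" + cookie
        else:
            continue
        hits.append((row["DateTime"], row["ClientIpAddress"], row["UrlStem"], reason))
    return hits

# Directories (relative to the system drive) where the 2021 web shells were dropped.
# The patch closes the entry point; it does not delete files already written here.
WEBSHELL_DIRS = (
    Path("inetpub/wwwroot/aspnet_client"),
    Path("Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"),
)
# Heuristic (this example's own): server-side script handing request input to a
# code-execution primitive. Legitimate OWA pages do not; tune against your baseline.
EXEC_RE = re.compile(r'runat="server".*?(eval\s*\(|Process\.Start|CreateObject\s*\()',
                     re.IGNORECASE | re.DOTALL)
REQUEST_RE = re.compile(r"Request(\.Form|\.QueryString|\[)", re.IGNORECASE)

def find_webshells(root):
    """Relative paths of .aspx files under the drop directories matching both heuristics."""
    root, found = Path(root), []
    for base in (root / rel for rel in WEBSHELL_DIRS if (root / rel).is_dir()):
        for path in sorted(base.rglob("*.aspx")):
            text = path.read_text(errors="replace")
            if EXEC_RE.search(text) and REQUEST_RE.search(text):
                found.append(path.relative_to(root).as_posix())
    return found

def build_demo_tree(root):
    """Constructed fixture: one web shell and one benign page (neither is a real file)."""
    shell_dir, auth_dir = (Path(root) / d for d in WEBSHELL_DIRS)
    shell_dir.mkdir(parents=True)
    (shell_dir / "shell.aspx").write_text('<script language="JScript" runat="server">'
                                         'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
    auth_dir.mkdir(parents=True)
    (auth_dir / "logon.aspx").write_text('<%@ Page Language="C#" %><form runat="server">'
                                        '<asp:Label runat="server" Text="Sign in" /></form>')

def demo():
    """Run both checks against the fixtures in a temp dir; returns (log_hits, webshells)."""
    root = tempfile.mkdtemp()
    try:
        build_demo_tree(root)
        return suspicious_proxy_rows(SAMPLE_HTTPPROXY_LOG), find_webshells(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    log_hits, shells = demo()
    print(*log_hits, *shells, sep="\n")
```

On a real server the log parser would be pointed at the HttpProxy and OWA log directories under the Exchange install and `find_webshells` at the system drive; on the constructed fixtures the two crafted requests from 203.0.113.10 are flagged while the ordinary OWA request is not, and only the constructed shell under `aspnet_client` is reported. A hit in either check on a server that has already been patched is exactly the post-patch persistence the paragraph above describes and should be treated as an active compromise, not a historical one.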
