European Governments Breached in Zero-Day Attacks Targeting Ivanti

By Team-CWD, February 10, 2026


Several European government institutions appear to have been targeted in a coordinated campaign designed to steal data on mobile users, it has emerged.

First reported late last week, the incidents occurred at the European Commission, the Finnish government, and at least two Dutch government agencies. Tens of thousands of users may have had their personal details exposed.

Only the Dutch authorities named the likely target – Ivanti Endpoint Manager Mobile (EPMM) – which has previously been compromised by likely Chinese state actors in attacks on the Norwegian government.

However, the timing would suggest a link between all three breaches.

Read more on Ivanti EPMM: Two Ivanti Zero-Days Actively Exploited in the Wild

The European Commission released a brief statement on Friday, February 6, explaining that signs of a breach had been discovered in its “central infrastructure managing mobile devices” on January 30. This “may have resulted in access to staff names and mobile numbers of some of its staff members,” it added.

“The commission’s swift response ensured the incident was contained and the system cleaned within nine hours,” the statement continued. “No compromise of mobile devices was detected.”

Also on February 6, the Dutch justice and security secretary explained in an official letter to parliament that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) had been caught in a similar breach.

It claimed that the country’s National Cyber Security Centre was told by Ivanti on January 29 about vulnerabilities in EPMM.

“It has now been revealed that work-related data of AP employees, such as name, business email address, and telephone number, has been accessed by unauthorized persons,” the letter continued.

“Immediately after the incident was discovered, measures were taken. In addition, employees of the AP and the Rvdr have been notified.”

Finally, an update from Finnish government ICT centre Valtori on February 6 explained that it discovered a breach on January 30 affecting the “mobile device management service” it provides to agencies.

“The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details,” it explained. “A user’s precise location cannot be determined based on this data. According to current information, no data stored directly on the mobile devices themselves has been compromised.”

Valtori claimed that as many as 50,000 government workers may have had their details exposed in this way – nearly two-thirds of the total number of central government employees in the country.

Ivanti Zero Days Cause Havoc Again

Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, noting: “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”

CVE-2026-1281 and CVE-2026-1340 are described as code injection flaws which could allow attackers to achieve unauthenticated remote code execution.

Ross Filipek, CISO at Corsica Technologies, warned that the threat actors may use the information they compromised to launch follow-on spearphishing attacks, in order to gain deeper access into internal systems.

“Social engineering campaigns targeting government officials have grown in popularity over the last several months,” he added. “UK parliamentarians were subject to Russian spear phishing attacks this past December which aimed to establish stealthy continuous monitoring of government activity.”

Keeper Security CISO, Shane Barney, said that attacks on device management systems can carry “disproportionate risk,” even when the initial impact appears limited.

“The fact that these flaws can be exploited without authentication changes how organizations should respond. Patching addresses the vulnerability, but it does not restore trust,” he continued.

“Once a privileged control plane is exposed, organizations need to reassess credentials, keys and administrative permissions that depend on it. The objective is not just to remove the flaw, but to reestablish confidence in how access is granted and exercised.”

Cequence Security CISO, Randolph Barr, warned that if a threat actor were able to access an EPMM server, they could push malicious configuration changes, alter authentication settings or manipulate device certificates. 

“The other important point is that EPMM is typically deployed on-prem or in customer-managed private cloud environments,” he added. “That actually gives security teams more control than many SaaS platforms. With the right architecture and access controls, organizations can materially reduce their exposure and limit blast radius.”


