Remote access firm TeamViewer hit by Russian intelligence cyberattack
The intrusion was restricted to internal systems, company says
TeamViewer, the German software company behind the widely used remote access and management tool of the same name, disclosed on Thursday that it detected suspicious activity within its internal IT environment on 26 June.
The company said it immediately activated its security protocols and launched an investigation with the help of cybersecurity experts.
TeamViewer emphasised that the intrusion was contained within its internal systems.
"TeamViewer's internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected," the firm said.
In another statement, TeamViewer attributed the attack to the threat actor known as Midnight Blizzard/APT29.
The company found that the threat actor used a compromised employee account to copy the employee directory data, which included names, corporate contact information, and encrypted employee passwords for the internal corporate IT environment.
It said the risk associated with the encrypted passwords in the directory was mitigated in collaboration with leading experts from its incident response partner, Microsoft.
"We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state."
TeamViewer did not disclose how the hackers compromised an employee's credentials, but this method aligns with APT29's known tactics.
TeamViewer is a critical tool for many businesses, allowing them to remotely access and manage devices and computers.
TeamViewer has more than 600,000 paying customers and facilitates remote access to over 2.5 billion devices globally, so a successful attack on it could have far-reaching consequences.
Security firm NCC Group, which initially reported the breach, recommended a cautious approach. It advised users to remove TeamViewer until further details are known about the type of compromise.
TeamViewer is not the first tech company targeted by APT29 in recent months.
The group gained global attention due to its involvement in the SolarWinds supply chain breach in December 2020.
Since then, it has persisted in employing sophisticated tools in targeted attacks, specifically aimed at foreign ministries and diplomatic entities.
APT29 is linked to Russia's intelligence services and is monitored under various names such as Midnight Blizzard, Nobelium, Cozy Bear, Iron Hemlock and The Dukes.
During the SolarWinds hack, the attackers compromised the company's Orion network monitoring software and inserted malicious code into legitimate updates for it, which gave them remote access into victims' environments.
Microsoft, one of those victims, said later that the hackers were able to access some of its source code, although they could not make any changes to it.
In January, Microsoft disclosed that hackers compromised its corporate network in November 2023, resulting in the theft of emails from top executives. This week Microsoft informed some customers that their email was compromised, too.
Also in January, Hewlett Packard Enterprise (HPE) said its cloud-based email systems were infiltrated by Midnight Blizzard, affecting a "small percentage" of HPE mailboxes in various departments.