TeamViewer, a popular remote access software company, has disclosed a security breach affecting its corporate IT environment. The breach, which occurred on June 26, 2024, has now been attributed to the Russian state-sponsored hacking group known as APT29, Midnight Blizzard, or Cozy Bear.
Initial Detection and Response
TeamViewer’s security team detected an “irregularity” in their internal corporate IT systems on Wednesday, June 26. The company promptly activated its incident response procedures, engaging a team of cybersecurity experts to investigate and implement necessary remediation measures.
Scope of the Breach
According to TeamViewer, their internal corporate IT environment is completely separate from the product environment. The company stated that there is no evidence suggesting that the product environment or customer data has been affected. However, investigations are ongoing, and the company’s primary focus remains ensuring its systems’ integrity.
APT29 Involvement Confirmed
In an update released on Friday, June 28, TeamViewer officially attributed the attack to APT29. The company revealed that the threat actors targeted credentials associated with an employee account within the corporate IT environment. TeamViewer’s security teams identified suspicious behavior related to this account and immediately implemented incident response measures.
Widespread Implications
TeamViewer’s software is used by over 640,000 customers worldwide and has been installed on more than 2.5 billion devices since the company’s inception. This extensive user base makes any potential breach a significant concern, as it could potentially provide access to numerous internal networks.
Industry Alerts and Warnings
Before TeamViewer’s official attribution, several cybersecurity entities had already raised alarms about the incident:
- NCC Group’s Global Threat Intelligence team warned of a “significant compromise” of the TeamViewer platform by an APT group.
- Health-ISAC, a community for healthcare professionals, issued an alert stating that APT29 was actively exploiting TeamViewer.
- The Dutch Digital Trust Center shared information about the cybersecurity threat on its web portal.
APT29: A Persistent Threat
APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard, is a Russian advanced persistent threat group linked to Russia’s Foreign Intelligence Service (SVR).
The group is notorious for its cyberespionage capabilities and has been implicated in numerous high-profile attacks, including recent breaches of Microsoft’s and Hewlett Packard Enterprise’s corporate email environments.
Transparency and Communication
TeamViewer has pledged to maintain transparency throughout the investigation and will provide continuous updates as more information becomes available. However, it’s worth noting that the company initially included a “noindex” HTML tag on their update page, which prevented search engines from indexing the document. TeamViewer has since removed this tag, making the information more accessible.
Recommendations and Precautions
Given the widespread use of TeamViewer software and the potential implications of this breach, cybersecurity experts recommend the following precautions:
- Review logs for any unusual remote desktop traffic.
- Be vigilant for potential exploitation of remote access tools.
- Consider temporarily removing TeamViewer software until more details about the compromise are known.
As investigations continue, users and organizations relying on TeamViewer should stay alert for further updates and guidance from the company and cybersecurity authorities.
