APT29 Blamed for TeamViewer Intrusion

Suspicious behaviour was detected and investigated inside two days.

TeamViewer has pointed the finger at a Russian attack group, but says no major damage done in last week’s incident.

Following Friday's announcement that it was investigating an incident, the company issued a series of updates over the weekend. These established that the attack occurred on Wednesday 26th June and was “tied to credentials of a standard employee account within our Corporate IT environment.”

It said: “Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action.”

Specifically, it determined that the attacker used the compromised employee account to copy employee directory data from its internal corporate IT environment, including names, corporate contact information, and encrypted employee passwords.

The company also said that it had put together a “comprehensive taskforce” of both TeamViewer’s security team and external cybersecurity experts to work 24/7 on investigating the incident “with all means available.”

It said: “We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.”

Contained Attack

In an update posted on Sunday 30th June, TeamViewer confirmed that the attack had been contained to its internal corporate IT environment. 

“Our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data,” it said.

It has also hardened authentication procedures for employees “to a maximum level” and implemented further strong protection layers.

Midnight Blizzard

In terms of who was responsible, TeamViewer pointed the finger at the threat actor known as APT29/Midnight Blizzard. The group has been linked to Russia's Foreign Intelligence Service and, according to MITRE, has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.

Its past activity includes the compromise of the Democratic National Committee, which began in the summer of 2015. Its primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
