
APT29 Blamed for TeamViewer Intrusion

Suspicious behaviour was detected and investigated inside two days.

TeamViewer has pointed the finger at a Russian attack group, but says no major damage was done in last week’s incident.

Following the announcement on Friday that it was investigating an incident, the company issued a series of updates over the weekend, determining that the attack occurred last Wednesday, 26th June, and was “tied to credentials of a standard employee account within our Corporate IT environment.”

It said: “Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action.”

Specifically, it was able to determine that the attacker leveraged a compromised employee account to copy employee directory data, including names, corporate contact information, and encrypted employee passwords for its internal corporate IT environment. 

The company also said that it had put together a “comprehensive taskforce” of both TeamViewer’s security team and external cybersecurity experts to work 24/7 on investigating the incident “with all means available.”

It said: “We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.”

Contained Attack

In an update posted on Sunday 30th June, TeamViewer confirmed that the attack had been contained to its internal corporate IT environment. 

“Our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data,” it said.

It has also hardened authentication procedures for employees to a maximum level and implemented further strong protection layers.

Midnight Blizzard

In terms of who was responsible, TeamViewer pointed the finger at the threat actor known as APT29/Midnight Blizzard. The group has been linked to Russia's Foreign Intelligence Service and, according to MITRE, has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.

Its activity includes the compromise of the Democratic National Committee, starting in the summer of 2015, while its primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
