Suspicious behaviour was detected and investigated inside two days.
TeamViewer has pointed the finger at a Russian attack group, but says no major damage done in last week’s incident.
Following the announcement on Friday that it was investigating an incident, the company issued a series of updates over the weekend determining that the attack occurred last Wednesday 26th June “tied to credentials of a standard employee account within our Corporate IT environment.”
It said: “Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action.”
Specifically, it was able to determine that the attacker leveraged a compromised employee account to copy employee directory data, including names, corporate contact information, and encrypted employee passwords for its internal corporate IT environment.
The company also said that it had put together a “comprehensive taskforce” of both TeamViewer’s security team and external cybersecurity experts to work 24/7 on investigating the incident “with all means available.”
It said: “We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.”
In an update posted on Sunday 30th June, TeamViewer confirmed that the attack had been contained to its internal corporate IT environment.
“Our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data,” it said.
Also, it has hardened authentication procedures for employees to a maximum level, and implemented further strong protection layers.
In terms of who was responsible, TeamViewer pointed the finger at the threat actor known as APT29/Midnight Blizzard. The group has been linked to Russia's Foreign Intelligence Service and according to MITRE, has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.
Amongst its activity is the compromise of the Democratic National Committee starting in the summer of 2015, while its primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe.Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
