Suspicious behaviour was detected and investigated inside two days.
TeamViewer has pointed the finger at a Russian attack group, but says no major damage done in last week’s incident.
Following the announcement on Friday that it was investigating an incident, the company issued a series of updates over the weekend determining that the attack occurred last Wednesday 26th June “tied to credentials of a standard employee account within our Corporate IT environment.”
It said: “Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action.”
Specifically, it was able to determine that the attacker leveraged a compromised employee account to copy employee directory data, including names, corporate contact information, and encrypted employee passwords for its internal corporate IT environment.
The company also said that it had put together a “comprehensive taskforce” of both TeamViewer’s security team and external cybersecurity experts to work 24/7 on investigating the incident “with all means available.”
It said: “We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.”
Contained Attack
In an update posted on Sunday 30th June, TeamViewer confirmed that the attack had been contained to its internal corporate IT environment.
“Our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data,” it said.
Also, it has hardened authentication procedures for employees to a maximum level, and implemented further strong protection layers.
Midnight Blizzard
In terms of who was responsible, TeamViewer pointed the finger at the threat actor known as APT29/Midnight Blizzard. The group has been linked to Russia's Foreign Intelligence Service and according to MITRE, has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.
Amongst its activity is the
compromise of the Democratic National Committee starting in the summer of 2015, while its
primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
