TeamViewer Attributes Corporate Network Breach to APT29 aka Midnight Blizzard

TeamViewer, a leading provider of remote access software, has attributed a security breach in its corporate network to an advanced persistent threat group, tracked as APT29. The TeamViewer data breach incident was first detected on June 26, 2024, prompting immediate action from TeamViewer’s security team.

In an initial statement posted on Thursday in the the company’s Trust Center, TeamViewer reassured users that the breach occurred solely within their internal corporate IT environment, which is separate from their product environment. They emphasized that there is currently no evidence suggesting that customer data or the product itself has been compromised.

In a Friday update the company reiterated the same and tied the compromise to employee account credentials that gave the threat actor access to Team Viewer’s corporate IT environment.
“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard.

Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.” – TeamViewer
The company that provides enterprise solutions for remote access, reassured its customers that it follows best-practices in its overall system architecture and thus, has segmented the Corporate IT, the production environment, and the TeamViewer connectivity platform.
“This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.” – TeamViewer
Despite ongoing investigations, the company remains focused on safeguarding system integrity and ensuring transparency in its communication regarding the incident.

TeamViewer Data Breach Confirmed 

The TeamViewer data breach was highlighted by cybersecurity firm NCC Group, which was alerted about the compromise of TeamViewer’s remote access and support platform by an APT group. This group, identified as APT29, aka Midnight Blizzard or Cozy Bear, is known for its cyberespionage capabilities and has previously been linked to cyberattacks targeting various global entities, including Western diplomats and technology firms.

“On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts, and implemented necessary remediation measures”, reads the official statement.

Coinciding with TeamViewer’s disclosure, alerts from the Dutch Digital Trust Center and Health-ISAC highlighted the severity of the situation. The Health-ISAC alert specifically warned of active exploitation of TeamViewer by APT29, advising organizations to monitor remote desktop traffic for any suspicious activity.

Mitigation Against the TeamViewer Data Leak

TeamViewer, known for its widespread adoption with thousands of customers globally and installed on billions of devices, continues to update stakeholders through its IT security update page. However, concerns have been raised about transparency practices, as the page currently includes a directive preventing indexing by search engines.

“There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems. Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available” concludes the statement. 

For users and organizations relying on remote access solutions like TeamViewer, vigilance and proactive monitoring are recommended to mitigate risks posed by sophisticated cyber adversaries. 

*Update (Friday, June 28 – 8:10 A.M. ET): The headline and text through the article was updated to reflect TeamViewer’s Friday update and attribution of the cyberattack to APT29 or Midnight Blizzard. 

Source: Read More