Security news that informs and inspires

TeamViewer Ties Cyberattack to Russian APT29 Group


After disclosing a security incident on Thursday, remote access software company TeamViewer on Friday said that the attack was “tied to credentials of a standard employee account” within its corporate IT environment. The company on Friday also said it currently attributes the activity to APT29, a Russian threat actor also known as Midnight Blizzard that has hit other high-profile targets this year including Microsoft and HPE.

TeamViewer, which first detected the attack on Wednesday, June 26, said that its internal corporate IT environment was impacted. The company said its internal corporate IT environment is “completely independent” from its product environment, and there is no evidence as of Friday morning that the threat actor gained access to its product environment or customer data. After identifying suspicious behavior on the compromised account, TeamViewer said it carried out incident response measures.

“Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” according to the security statement from TeamViewer. “This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.”

TeamViewer did not give more details when asked for more information about the credentials that were part of the incident and whether multi-factor authentication was enabled on the compromised account.

The investigation into the incident is ongoing. Other third-party organizations have also sent out alerts regarding the incident. NCC Group on Thursday issued a warning to its customers sharing details of the attack "with the relevant stakeholders that are affected by this threat actor." While the alert was initially privately issued under the TLP:AMBER-STRICT limited disclosure classification it has since been changed to the TLP:GREEN classification, and NCC Group has issued an alert on its website.

"NCC group is continuing its investigation into this intelligence and attempting to establish the extent of the APT’s activities," according to Matt Hull, global head of threat intelligence with NCC Group in a Friday statement. "Our SOC teams have been placed on heightened alert for activity associated with TeamViewer. We advise that until further details are known about the type of compromise TeamViewer has been subjected to, removal of TeamViewer from your estate will assist in mitigating any potential compromise via this vector."

"We also recommend reviewing hosts that have this installed for unusual behaviour that might suggest it has already been compromised," according to Hull. "If you are unable to remove the application, then placing those hosts with it installed under heightened monitoring may provide you with further assurance."

According to a separate alert by the American Hospital Association (AHA), the Health Information Sharing and Analysis Center (H-ISAC) on Thursday also issued a private threat bulletin alerting the healthcare space about threats that were “exploiting TeamViewer.”

“H-ISAC recommends users review logs for any unusual remote desktop traffic,” according to the AHA alert. “Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”

APT29, which has been tracked by Mandiant since 2014, has previously targeted the U.S. and countries part of NATO, and has been behind major attacks over the years including the SolarWinds supply-chain intrusion. The group is well-resourced in its capabilities and tactics, and in an advisory earlier this year the Cybersecurity and Infrastructure Security Agency (CISA) said the threat group is continuing to evolve its techniques and in more recent attacks has targeted cloud providers. APT29 is known to use a variety of methods to gain initial access, including tactics like password spraying and brute forcing to gain access to service accounts and unused accounts, according to CISA.

Meanwhile, as a remote access tool, TeamViewer is a prime target for threat actors and it has previously been abused in various attacks. In January, Huntress researchers discovered that attackers had used TeamViewer to gain initial access to endpoint devices and attempt to install ransomware. Researchers in May 2023 also discovered threat actors achieving access to target companies via TeamViewer in order to install XMRig cryptomining malware on several dozen endpoints.