TeamViewer confirms Russian spies hacked its corporate network

TeamViewer itself has now confirmed earlier suspicions from the cybersecurity community.
TeamViewer confirms that there has been a security incident

On June 28, 2024, TeamViewer, a leading remote access and support software provider, confirmed that Russian state-sponsored hackers breached its corporate network. The attack, attributed to the group APT29 (also known as Midnight Blizzard, Nobelium, or Cozy Bear), occurred on June 26 and targeted the company’s internal IT systems.

In an official statement released at 12:10 PM CEST, TeamViewer disclosed that the breach was initiated through compromised credentials of a standard employee account within their Corporate IT environment. The company’s security teams swiftly detected suspicious activity and implemented immediate incident response measures.

Based on its ongoing investigation, conducted in collaboration with leading cybersecurity experts, TeamViewer says the attack appears to have been contained within the Corporate IT environment. The company asserts that there is currently no evidence that the threat actors gained access to its product environment or customer data.

The company highlighted its “defense-in-depth” approach, which includes strong segregation between Corporate IT, the production environment, and the TeamViewer connectivity platform. This architecture, they claim, helps prevent unauthorized access and lateral movement between different environments, potentially explaining the contained nature of the breach.

This confirmation from TeamViewer clarifies earlier reports and speculation about the incident. On June 27, the company initially disclosed a security breach affecting its internal IT systems but did not attribute the attack to any specific group. However, security experts, including Jeffrey Tigchelaar, a respected voice in the cybersecurity community, had already begun speculating about APT29’s involvement.

APT29, believed to have ties to Russia’s foreign intelligence service (SVR), has a history of high-profile attacks, including a recent breach of Microsoft’s systems earlier in 2024.

Health-ISAC, a trusted information-sharing community for healthcare cybersecurity professionals, had issued an alert attributing the attack to APT29 before TeamViewer’s official confirmation. The alert advised members to scrutinize their logs for unusual remote desktop traffic, suggesting that the attackers may have exploited TeamViewer’s software as part of their operation.

This recommendation from Health-ISAC initially contradicted TeamViewer’s assertion that the breach was limited to its internal systems. However, TeamViewer’s latest statement maintains that there is no evidence of compromise beyond its Corporate IT environment.

Given TeamViewer’s widespread use across various industries, including healthcare, finance, and IT support, the implications of this breach could be significant. Organizations relying on TeamViewer for remote access should remain vigilant and monitor for any signs of unauthorized access or unusual activity.
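As an added illustration of the log review that Health-ISAC and the paragraph above recommend (this is example code written for this article, not anything published by TeamViewer or Health-ISAC), the script below reviews a TeamViewer incoming-connection log and flags sessions that deserve a closer look. It assumes the tab-separated column layout of TeamViewer's Connections_incoming.txt file (remote ID, display name, start, end, local user, connection type, connection ID); the log entries, the allowlist and the thresholds are all constructed for the example and should be replaced with an organization's own values.

```python
from datetime import datetime, time

# Constructed sample in the assumed layout of TeamViewer's Connections_incoming.txt
# (tab-separated: remote ID, remote name, start, end, local user, type, connection ID).
# Every entry below is invented for this example.
SAMPLE_LOG = """\
123456789\tHelpdesk-01\t26-06-2024 09:12:44\t26-06-2024 09:40:10\tjdoe\tRemoteControl\t{00000000-0000-0000-0000-000000000001}
123456789\tHelpdesk-01\t26-06-2024 14:05:01\t26-06-2024 14:20:33\tjdoe\tFileTransfer\t{00000000-0000-0000-0000-000000000002}
987654321\tUnknown-Device\t26-06-2024 03:17:09\t26-06-2024 05:48:51\tsvc-backup\tRemoteControl\t{00000000-0000-0000-0000-000000000003}
"""

# Hypothetical review policy: approved remote IDs, a business-hours window,
# a maximum expected session length and a naming convention for service accounts.
KNOWN_IDS = {"123456789"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
MAX_MINUTES = 90
SERVICE_ACCOUNT_PREFIX = "svc-"
TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"

def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    remote_id, name, start, end, user, ctype, conn_id = fields
    return {"remote_id": remote_id, "name": name,
            "start": datetime.strptime(start, TIMESTAMP_FORMAT),
            "end": datetime.strptime(end, TIMESTAMP_FORMAT),
            "user": user, "type": ctype, "conn_id": conn_id}

def flag_connection(rec):
    """Return the list of reasons a session looks unusual (empty if none)."""
    reasons = []
    if rec["remote_id"] not in KNOWN_IDS:
        reasons.append("unknown remote ID")
    if not BUSINESS_HOURS[0] <= rec["start"].time() <= BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    minutes = (rec["end"] - rec["start"]).total_seconds() / 60
    if minutes > MAX_MINUTES:
        reasons.append(f"long session ({minutes:.0f} min)")
    if rec["user"].startswith(SERVICE_ACCOUNT_PREFIX):
        reasons.append("service account used interactively")
    return reasons

def review_log(text):
    """Return (connection ID, remote ID, reasons) for every flagged session."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        reasons = flag_connection(rec)
        if reasons:
            findings.append((rec["conn_id"], rec["remote_id"], reasons))
    return findings
```

Run against the sample, only the third session is reported, for all four reasons; in practice the flagged connection IDs would be correlated with Windows logon events on the same host.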

TeamViewer has committed to transparent communication throughout this incident, promising regular updates through their Trust Center. They have engaged “globally recognized IT security experts” to assist with the ongoing investigation and implementation of necessary protective measures.

Latest update: Security breach limited to internal systems

After a thorough examination with the aid of cybersecurity experts from Microsoft, TeamViewer reaffirms that the breach was confined to its internal corporate IT environment and that its product environment, connectivity platform, and customer data remain uncompromised.

In a security update released on July 4, 2024, at 8:15 PM CEST, TeamViewer stated, “Based on the results of our diligent investigation together with leading cyber security experts from Microsoft, we reconfirm that the incident was contained to our internal corporate IT environment.” The company emphasized that its software solutions have remained secure throughout the incident.

TeamViewer’s investigation found no suspicious activity in their internal corporate IT environment following the initial detection and immediate remediation measures. This was crucial in confirming that the attack was isolated and did not extend to the product environment or affect customer data.

The company also stated that this update concludes its regular status updates on the incident.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.