Channel: RSA Conference 2025 — News and analysis | CSO Online

TeamViewer targeted by APT29 hackers, containment measures in place


Remote desktop software provider TeamViewer has disclosed a cyberattack on its corporate network, but maintains that no customer data or product functionality was compromised.

The company said the notorious Russian hacking group APT29, also known as Midnight Blizzard, is behind the attack.

The attack occurred on June 26, and was detected and mitigated by TeamViewer’s security team, working in collaboration with leading cybersecurity experts, the company said in a statement.

“On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment,” TeamViewer said in its initial update. “We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures.”

The company assured users that “TeamViewer’s internal corporate IT environment is completely independent from the product environment” and emphasized that “there is no evidence to suggest that the product environment or customer data is affected.”

TeamViewer assembled a task force consisting of internal security personnel and “globally leading cybersecurity experts” to investigate the incident. The investigation, revealed in a later update, attributed the attack to the APT29 threat group, also known as “Midnight Blizzard.”

APT29 is a threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR), according to Mitre, a non-profit organization that operates federally funded research and development centers (FFRDCs) on behalf of the US government.

Compromised employee account

The investigation suggests the attackers gained access through a compromised standard employee account, TeamViewer said in the statement.

“Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action,” the statement added.

These measures likely included containing the compromised account and isolating the affected systems to prevent the attackers from spreading further within the network. TeamViewer highlighted its “strong segregation” between the corporate IT environment and the production environment where customer data resides. This segregation, it claimed, is a core element of its “defense in-depth” security strategy designed to prevent unauthorized access.

“Security is of utmost importance for us; it is deeply rooted in our DNA. Therefore, we commit to transparent communication to stakeholders,” TeamViewer stated, promising ongoing updates as new information becomes available.

However, the Health Information Sharing and Analysis Center (H-ISAC) issued a bulletin on June 27, warning the healthcare sector of “active cyberthreats exploiting TeamViewer.”

The bulletin advised healthcare organizations to “review logs for any unusual remote desktop traffic” and recommended implementing multi-factor authentication and access controls to mitigate potential risks.

“The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures,” H-ISAC said in a statement.

A TeamViewer representative said the company had nothing further to add at the time of publication, but planned to make another statement before the end of the day.
