TeamViewer links corporate cyberattack to Russian state hackers

RMM software developer TeamViewer says a Russian state-sponsored hacking group known as Midnight Blizzard is believed to be behind a breach of their corporate network this week.

Yesterday, BleepingComputer reported that TeamViewer had been breached and that cybersecurity experts and healthcare organizations had begun warning customers and organizations to monitor their connections.

TeamViewer is widely used by enterprises and consumers for remote monitoring and management (RMM) of devices on internal networks. As the scope of the cybersecurity incident was not known, experts began warning stakeholders to monitor for suspicious connections that could indicate threat actors attempting to use the TeamViewer breach to gain access to further networks.

Today, TeamViewer has shared an updated statement with BleepingComputer, stating that they attribute the attack to Midnight Blizzard (APT29, Nobelium, Cozy Bear).

TeamViewer says they believe their internal corporate network, not their production environment, was breached on Wednesday, June 26, using an employee's credentials.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment," reads the updated TeamViewer statement.

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard."

The company stressed that their investigation has shown no indication that the production environment or customer data was accessed in the attack and that they keep their corporate network and product environment isolated from each other.

"Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place," continues TeamViewer's statement.

"This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach."

While this is reassuring to TeamViewer customers, it is common in incidents like this for more information to come out later as the investigation progresses. This is especially true for a threat actor as advanced as Midnight Blizzard.

Therefore, it is recommended that all TeamViewer customers enable multi-factor authentication, set up an allow and block list so only authorized users can make connections, and monitor their network connections and TeamViewer logs.

BleepingComputer contacted TeamViewer with further questions about who is assisting with the investigation and how the employee credentials were compromised but has not received a response at this time.