Remote access software company TeamViewer suffered a breach to its corporate IT environment which it has attributed to Russian state-affiliated threat actors Midnight Blizzard.
In a statement on 27 June, the firm disclosed its security team had detected an irregularity in its internal corporate IT environment on 26 June.
TeamViewer updated customers on 28 June with further details on the nature of the breach, which it claimed involved threat actors leveraging compromised employee account credentials to access its systems.
The company’s internal security team, with support from an unnamed external incident response service, attributed the activity to Midnight Blizzard, also known as APT29, Cozy Bear, or Nobelium.
The group is reported to have close ties to the Russian Foreign Intelligence Service (SVR) and has been linked to several high profile cyber attacks in recent years, including the recent attack on Microsoft’s corporate email system.
The update added that the attack was contained within TeamViewer’s corporate systems and there was no evidence of further access to its product environment or customer data.
Paul Bischoff, consumer privacy advocate at Comparitech, noted Midnight Blizzard’s links to Russian intelligence agencies distinguishes the group from the majority of the financially-motivated threat actors, adding it was vital therefore that TeamViewer contained the unauthorized access to its corporate environment.
"TeamViewer attributed the attack to Cozy Bear, or ATP 29, a state-sponsored Russian hacking group. They are not your run-of-the-mill, financially-motivated attackers. Thankfully, hackers only broke into TeamViewer's corporate environment, so we shouldn't have to worry about zero-day exploits in TeamViewer software,” he explained.
“TeamViewer employees and customers might be at risk of personal data theft, but it could be months before TeamViewer finishes an investigation to find out who was impacted."
Attackers accessed TeamViewer employee data and passwords
In the most recent security update on 30 June, TeamViewer reconfirmed its previous statements assuring the breach did not extend to its separated environments, or to its TeamViewer connectivity platform.
TeamViewer was able to provide further details on the attack, stating current findings indicate the attack saw names, corporate contact information, and encrypted employee passwords for its internal systems all compromised.
Glenn Chisholm, co-founder at SaaS security specialist Obsidian, reported that identity compromise is a frequent attack vector used to target SaaS companies like TeamViewer, noting the software’s prevalence in corporate networks means it is vital the breach was contained as soon as possible.
"Identity compromise, which has been a driver in the TeamViewer incident, is a critical component of most breaches we see in customer environments, accounting for over 80% of SaaS breaches. We see TeamViewer deployed by one-in-three organizations – so ensuring that the breach is contained is the first big step for the company.”
TeamViewer said it had worked with Microsoft to mitigate risks associated with the leaked information, adding it has also elevated the security around its employee authentication in response to the breach.
“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” it added.
“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.”
