
TeamViewer Network Breach Linked to Russian Hackers

winbuzzer.com 2 days ago

TeamViewer says its internal systems were breached by Cozy Bear, the same group behind the Midnight Blizzard and SolarWinds attacks.

TeamViewer has confirmed a breach in its internal network, attributing the incident to an advanced persistent threat (APT) hacker group in Russia. The company assured its users that the intrusion did not compromise its product environment or customer data.

Detection and Immediate Actions

On June 26, 2024, unusual activities within TeamViewer's IT systems were detected by its security team. Following this, the company swiftly initiated response protocols and enlisted the help of global cybersecurity experts for an investigation. TeamViewer emphasized that its internal IT infrastructure is distinct from its product environment, safeguarding customer data from this breach.

The cybersecurity firm NCC Group has identified the APT group behind the incident. Alerts from the Dutch Digital Trust Center and Health-ISAC suggest APT29, also known as Cozy Bear and backed by Russia's SVR, is responsible. APT29 is recognized for its cyberespionage endeavors. This is the same state-backed attack group behind the Midnight Blizzard cyber attacks and the SolarWinds attacks.

Transparency Measures and Updates

TeamViewer committed to transparency throughout its investigation. However, its “TeamViewer IT security update” page is currently not indexed by search engines due to specific HTML tags. The company reassured users that there is no evidence of any compromise in the product environment. TeamViewer's remote access software is extensively used, with a client base of over 640,000 users and installations on more than 2.5 billion devices worldwide.

In 2019, TeamViewer disclosed a 2016 breach linked to Chinese entities using the Winnti backdoor but did not reveal it at the time as no data was stolen. The current breach is concerning, given the extensive use of TeamViewer's software, which potentially offers attackers access to corporate networks.

Breach Details, Implications and Recommendations

The current investigation has traced the intrusion to June 26, with the hackers using credentials from a regular employee account in TeamViewer's corporate IT environment. Martina Dier, TeamViewer's spokesperson, declined to elaborate on the specific data accessed or exfiltrated.

With TeamViewer's broad user base, the consequences of the breach are substantial. Health-ISAC has advised organizations to scrutinize their logs for irregular remote desktop activity, as attackers have a history of abusing remote access tools. The advisory stresses the need for strong cybersecurity measures.
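As an added illustration of the log review Health-ISAC recommends (this is example code, not part of the article or TeamViewer's own tooling), the script below parses a TeamViewer-style incoming-connection log and flags sessions from unknown remote IDs, outside business hours, unusually long, or involving file transfer. The tab-separated layout, timestamp format, allow-list and sample lines are all assumptions constructed for the example.

```python
# Added example: flag irregular incoming remote-control sessions in a
# TeamViewer-style connection log. Not from the article or TeamViewer.
# Assumed layout (tab-separated, modelled on Connections_incoming.txt):
#   remote_id  display_name  start  end  local_user  connection_type  connection_id
# Timestamps assumed as DD-MM-YYYY HH:MM:SS. Sample lines are constructed.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
123456789\tAlice (helpdesk)\t26-06-2024 10:15:02\t26-06-2024 10:31:40\tjsmith\tRemoteControl\t{c1}
987654321\tunknown\t26-06-2024 02:13:45\t26-06-2024 02:40:12\tjsmith\tRemoteControl\t{c2}
987654321\tunknown\t27-06-2024 03:05:00\t27-06-2024 03:07:30\tadmin\tFileTransfer\t{c3}
123456789\tAlice (helpdesk)\t27-06-2024 14:00:00\t27-06-2024 14:20:00\tjsmith\tRemoteControl\t{c4}
"""

KNOWN_IDS = {"123456789"}       # constructed allow-list of approved remote IDs
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
MAX_SESSION = timedelta(hours=2)

def parse_log(text):
    """Parse tab-separated connection records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, name, start, end, user, ctype, cid = line.split("\t")
        rows.append({
            "remote_id": rid, "name": name, "user": user, "type": ctype, "conn_id": cid,
            "start": datetime.strptime(start, "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(end, "%d-%m-%Y %H:%M:%S"),
        })
    return rows

def find_irregular(rows):
    """Return (connection_id, [reasons]) for sessions that deserve a closer look."""
    findings = []
    for r in rows:
        reasons = []
        if r["remote_id"] not in KNOWN_IDS:
            reasons.append("unknown remote ID")
        if r["start"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if r["end"] - r["start"] > MAX_SESSION:
            reasons.append("unusually long session")
        if r["type"] == "FileTransfer":
            reasons.append("file transfer session")
        if reasons:
            findings.append((r["conn_id"], reasons))
    return findings

if __name__ == "__main__":
    for cid, why in find_irregular(parse_log(SAMPLE_LOG)):
        print(cid, "->", "; ".join(why))
```

Flagged sessions should be correlated with the local user's expected working pattern and with the remote ID's ownership before any conclusion is drawn.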

As investigations progress, TeamViewer has limited its disclosures on the breach. NCC Group has also opted to withhold further details, noting that its alert was based on varied intelligence sources.
