TeamViewer says Russia broke into its corp IT network

Same APT29 crew that hit Microsoft and SolarWinds. How close were we to a mega backdoor situation?

Updated TeamViewer says it was Russian intelligence that broke into its systems this week.

Yesterday, the remote-desktop software maker said it detected an "irregularity" within its corporate IT network on Wednesday without adding much more detail.

Now it says, with the help of outside cybersecurity investigators, it reckons Russia's Cozy Bear cyber-spies, aka APT29 and Midnight Blizzard, sneaked into its network using a worker's login. This confirms earlier whispering in the infosec industry that not only did a nation state crew slip into TeamViewer but that it was the infamous Cozy Bear.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our corporate IT environment," TeamViewer said in its latest statement.

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action.

"Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard."

That's the same Kremlin unit that hit the US Democratic National Committee in the 2010s, and more recently compromised Microsoft's computer network and stole internal emails and files from its executives and staff, among other targets. It's the same crew that pulled off the SolarWinds backdoor and has been raiding cloud accounts. It's on a tear.

According to TeamViewer, its encounter with the Russians was limited to its non-production systems, which is the biz's way of asking people not to panic and assume the snoops will definitely be able to get into their PCs via TeamViewer.

"Based on current findings of the investigation, the attack was contained within the corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data," the developer said.

TeamViewer went on to briefly describe its network setup, again to reassure punters:

Following best-practice architecture, we have a strong segregation of the corporate IT, the production environment, and the TeamViewer connectivity platform in place.

This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.

And just as we were preparing this story for press, the German outfit told us its ongoing probe into the snafu has "strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements."

We're promised more updates from the biz.

TeamViewer says it has more than 600,000 customers, who use its software and web app to remotely control and manage Windows PCs and other machines. It would be a huge coup for Russia if it were able to compromise something like TeamViewer to the extent it could gain follow-up access to organizations' computers around the world – and terrible news for the rest of us.

We can see why TeamViewer is a fantastic target for the Kremlin. ®

Updated to add on July 1

TeamViewer has told us the intruders went after employee information, including their (presumably) hashed passwords. Also, the developer decided Microsoft would be best for helping it right this situation.

"According to current findings the threat actor leveraged a compromised employee account to copy employee directory data, ie: names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment," TeamViewer said. "We have informed our employees and the relevant authorities.

"The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state."

Speaking of Microsoft and APT29

The Windows giant has told more of its customers that emails they exchanged with the corporation were accessed by Cozy Bear when those spies raided Redmond's inboxes, Bloomberg reported Thursday.

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” a Microsoft spokesperson said.

More about


Send us news

Other stories you might like