TeamViewer on Thursday disclosed it detected an "irregularity" in its internal corporate IT environment on June 26, 2024.
"We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures," the company said in a statement.
It further noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence to indicate that any customer data has been impacted as a result of the incident.
It did not disclose any details as to who may have been behind the intrusion and how they were able to pull it off, but said an investigation is underway and that it would provide status updates as and when new information becomes available.
TeamViewer, based in Germany, is the maker of remote monitoring and management (RMM) software that allows managed service providers (MSPs) and IT departments to manage servers, workstations, network devices, and endpoints. It's used by over 600,000 customers.
Interestingly, the U.S. Health Information Sharing and Analysis Center (Health-ISAC) has issued a bulletin about threat actors' active exploitation of TeamViewer, according to the American Hospital Association (AHA).
"Threat actors have been observed leveraging remote access tools," the non-profit reportedly said. "Teamviewer has been observed being exploited by threat actors associated with APT29."
It's currently unclear at this stage whether this means the attackers are abusing shortcomings in TeamViewer to breach customer networks, using poor security practices to infiltrate targets and deploy the software, or they have carried out an attack on TeamViewer's own systems.
APT29, also called BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes, is a state-sponsored threat actor affiliated with the Russian Foreign Intelligence Service (SVR). Recently, it was linked to the breaches of Microsoft and Hewlett Packard Enterprise (HPE).
Microsoft has since revealed that some customer email inboxes were also accessed by APT29 following the hack that came to light earlier this year, per reports from Bloomberg and Reuters.
"This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," the tech giant was quoted as saying to the news agency.
Attack Officially Attributed to APT29
TeamViewer, in an update on Friday, attributed the attack to APT29, stating it targeted the credentials associated with an employee account within its corporate IT environment.
"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action," it noted in a revised alert. "There is no evidence that the threat actor gained access to our product environment or customer data."
NCC Group, which first alerted of the breach via a limited disclosure owing to widespread use of the software, has recommended the removal of the software "until further details are known about the type of compromise TeamViewer has been subjected to."
Threat Actors Target Compromised Employee Account
In an updated advisory released on June 30, TeamViewer confirmed that the breach did not impact its product environment, the TeamViewer connectivity platform, or any customer data, stating its working towards rebuilding its internal corporate IT environment to make it more secure.
"According to current findings the threat actor leveraged a compromised employee account to copy employee directory data, i.e., names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment," it said. "We have informed our employees and the relevant authorities."
TeamViewer, which is working with Microsoft as part of its incident response efforts, said the risk associated with the encrypted passwords contained in the directory has been mitigated. It also said it hardened authentication procedures for its employees to a maximum level and implemented further strong protection layers.
"APT29 is one of the most challenging actors we track and they are targeting tech companies of all sizes," John Hultquist, chief analyst at Google-owned Mandiant, said. "They work very hard to stay under the radar, but despite their focus on stealth, they are not afraid to undertake these bold supply chain attacks."
"They are moving through tech companies in order to get to their customers, where they expect to find the intelligence that feeds decision making in the Kremlin. Generally they are looking for insight into foreign affairs, with a particular emphasis on support for Ukraine, and they target government and related organizations for that information. Recently they have targeted political parties in Germany as well."
TeamViewer Reaffirms Attack Limited to Corporate IT Environment
In its latest update shared on July 4, 2024, TeamViewer said the breach was contained to its internal corporate IT environment and that no customer data was accessed.
"All immediate remediation measures that we put in place regarding our internal corporate IT environment as well as the additional protection layers that we established have proven to be very effective: there was no suspicious activity in our internal corporate IT environment after our security teams blocked the attack immediately upon detection," it said.