TeamViewer Cyber-Attack Attributed to Russian APT Midnight Blizzard

Remote software provider TeamViewer has been hit by a cyber-attack that it has attributed to Russian state-affiliated threat actor Midnight Blizzard/APT29.

The firm revealed it identified suspicious behavior on a standard employee account within its corporate IT environment on Wednesday, June 26. It has tied the incident to the credentials of that account.

TeamViewer said its security team was able to contain the attack within its corporate IT environment, with no evidence the threat actor gained access to its product environment or customer data.

“Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments,” the firm stated.

TeamViewer added that it is in “constant exchange” with threat intelligence providers and relevant authorities as it continues to investigate the incident.

Attack Attributed to Russian State Group

TeamViewer, together with external incident response support, currently attributes the attack to the Midnight Blizzard/APT29 threat actor.

Midnight Blizzard is an APT group that is linked to Russia’s foreign intelligence service (SVR). It is known to specialize in espionage and intelligence gathering operations against governments and critical industries.

In January 2024, Microsoft revealed the group compromised the email accounts of some of its senior leadership team. The firm later revealed Midnight Blizzard used information exfiltrated from its corporate email systems to gain access to source code and internal systems.

In June 2024, French cybersecurity agency ANSSI said the group has been continuously targeting French diplomatic entities and public organizations since 2021.

Commenting on the story, John Hultquist, Mandiant Chief Analyst, Google Cloud, explained that Midnight Blizzard is known to conduct supply chain attacks on tech firms to gain valuable intelligence on their customers on behalf of the Russian state.

"Generally they are looking for insight into foreign affairs, with a particular emphasis on support for Ukraine, and they target government and related organizations for that information. Recently they have targeted political parties in Germany as well," he said.

Healthcare Warned of Active Exploitation

Remote access software such as TeamViewer is frequently abused by threat actors to gain initial access to target networks and to establish persistence on them.

TeamViewer is used in a number of critical sectors, including manufacturing, healthcare and public sector organizations.

The US Health Information Sharing and Analysis Center (H-ISAC) has issued a threat bulletin warning healthcare organizations of the active exploitation of TeamViewer.

The agency is recommending that users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.

Update 1 - July 1: TeamViewer has discovered that Midnight Blizzard leveraged a compromised employee account to copy sensitive employee directory data during the attack. This information includes names, corporate contact information and encrypted employee passwords for its internal corporate IT environment.

Employees and relevant authorities have been informed of the data breach, the firm added in its security update dated June 30, 2024.

TeamViewer stated that it has mitigated the risk associated with the stolen encrypted passwords in collaboration with Microsoft, and has hardened authentication procedures for employees to a “maximum level.” Work has also begun on rebuilding the company’s internal corporate IT environment to a fully trusted state.

TeamViewer also reconfirmed that the attack was contained to its internal corporate IT environment, and did not reach its product environment, connectivity platform or any customer data.
