Russian APT29 Hacker Group May Be Behind Recent TeamViewer Exploitation Cyberattack

TeamViewer, a widely used remote connectivity software provider, has reported a compromise in its corporate network, with some sources attributing the attack to a Russian Advanced Persistent Threat (APT) group. On June 26, TeamViewer’s security team identified an "irregularity" within its internal corporate IT environment. The company assured users that this environment is distinct from the product environment, indicating that customer data remains unaffected. Despite this reassurance, the investigation is ongoing and aims to confirm the integrity of its systems.
According to a statement on TeamViewer’s website, there is currently no evidence suggesting that the breach has impacted the product environment or customer data. Nevertheless, the company remains vigilant as investigations continue. TeamViewer has pledged transparency and will provide updates as more information becomes available.
The breach has garnered attention on social media, with a Mastodon user named Jeffrey reporting that NCC Group’s threat intelligence team has been notifying their customers about a "significant compromise" of the TeamViewer remote access and support platform by an APT group. Furthermore, the US-based Health Information Sharing and Analysis Center (Health-ISAC) has issued an alert, citing intelligence from a trusted partner that attributes the attack to the notorious APT29 group, also known as Cozy Bear or Midnight Blizzard. This Russian state-sponsored group is infamous for executing high-impact cyberattacks against significant organizations.
Health-ISAC’s alert recommended that organizations review their logs for any unusual remote desktop traffic, noting that threat actors have been observed using remote access tools. The organization stressed the importance of vigilance in detecting and mitigating such activity.
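As an added illustration of the kind of log review Health-ISAC recommends, the following Python script flags remote-desktop sessions that originate outside an approved subnet or outside business hours. It is example code written for this page, not tooling from TeamViewer, Health-ISAC or NCC Group; the log line format, the allow-listed subnet, the business-hours window and the sample log entries are all constructed assumptions, and the port-to-tool mapping is only a starting point that a real deployment would replace with its own inventory.

```python
"""Flag unusual remote-desktop sessions in a constructed connection log.

Added example: the log format, allow-list and sample entries below are
constructed for this demonstration and do not describe any real incident.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed mapping of destination ports to remote access / remote support tools.
REMOTE_ACCESS_PORTS = {3389: "rdp", 5938: "teamviewer", 5900: "vnc"}

# Constructed: subnets from which remote sessions are expected (e.g. a VPN pool or jump host).
APPROVED_SOURCES = [ip_network("10.20.0.0/16")]

# Constructed: business-hours window; sessions outside it deserve a second look.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed log format (assumed, not any vendor's):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <user>"
SAMPLE_LOG = """\
2024-06-26T09:15:02 10.20.4.17 -> 10.50.1.8:3389 alice
2024-06-26T02:41:55 198.51.100.23 -> 10.50.1.8:3389 svc_backup
2024-06-26T14:03:10 10.20.7.201 -> 10.50.2.30:5938 bob
2024-06-26T23:58:40 10.20.9.5 -> 10.50.2.30:5938 bob
2024-06-26T11:20:00 10.20.4.17 -> 10.50.1.9:443 alice
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, _arrow, dst, user = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ip_address(src),
        "dst": ip_address(dst_ip),
        "port": int(dst_port),
        "user": user,
    }


def assess(event):
    """Return the reasons an event looks unusual; an empty list means nothing flagged."""
    reasons = []
    if event["port"] not in REMOTE_ACCESS_PORTS:
        return reasons  # not remote-desktop traffic, so out of scope for this review
    if not any(event["src"] in net for net in APPROVED_SOURCES):
        reasons.append("source outside approved remote-access subnets")
    if not BUSINESS_START <= event["ts"].time() <= BUSINESS_END:
        reasons.append("session outside business hours")
    return reasons


def review_log(text):
    """Run every line through assess() and collect the flagged sessions."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            findings.append(
                (ev["ts"].isoformat(), str(ev["src"]),
                 REMOTE_ACCESS_PORTS[ev["port"]], ev["user"], reasons)
            )
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script flags two sessions: the RDP connection from 198.51.100.23 (outside the approved subnet and at 02:41) and the late-night TeamViewer session from 10.20.9.5. The HTTPS connection on port 443 is ignored as not being remote-desktop traffic. In practice the allow-list and time window would come from the organization's own baseline of who normally uses remote access, from where, and when.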
APT29 has a long history of cyber-espionage, often targeting governmental and other high-profile entities. Their tactics, techniques, and procedures (TTPs) are well-documented and include leveraging remote access tools to infiltrate and persist within target networks.
This recent incident is not the first time TeamViewer has been targeted. In 2019, TeamViewer disclosed that it had been hacked in 2016 by a threat actor believed to be operating from China. The company had chosen not to disclose that breach at the time, citing a lack of evidence of impact on customers.
In response to the latest breach, TeamViewer has emphasized its commitment to transparency and will continue to provide updates as the investigation progresses. The company’s primary focus remains on ensuring the security and integrity of its systems, safeguarding both its corporate and product environments.