TeamViewer breached by Russian state actor Midnight Blizzard

TeamViewer says a Russian state-sponsored threat actor known as Midnight Blizzard gained access to the company's corporate network via compromised employee credentials.

TeamViewer's corporate network was breached this week in an attack that the remote access software vendor attributed to Russian state-sponsored threat actor Midnight Blizzard.

According to a statement published Thursday, TeamViewer said its security team detected "an irregularity in TeamViewer's internal corporate IT environment" on Wednesday, June 26, though its product environment and customer data were not affected. The company wrote at the time that it immediately began an investigation and would, in the interest of transparency, share more details as they became available.

Remote access software is frequently abused by threat actors, both to get into victim environments and to move laterally within them. In 2021, a threat actor abused TeamViewer to gain access to SCADA systems at a water treatment plant in Oldsmar, Fla.

TeamViewer provided additional details Friday as an update to the initial statement. The company said its security team worked with partners "24/7" to investigate the attack and that it is in constant contact with threat intelligence providers as well as the relevant authorities.

TeamViewer attributed the attack to Midnight Blizzard, the Russian state-sponsored actor also known as APT29 and Cozy Bear. Midnight Blizzard was behind the Microsoft breach disclosed earlier this year as well as the devastating 2020 supply chain attack against SolarWinds. TeamViewer also said the attack was "tied to credentials of a standard employee account" within its corporate network environment.

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard," the updated statement read. "Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data."

TeamViewer emphasized in the update that based on current evidence, its product environment and customer data were unaffected by the breach. The updated statement explained that TeamViewer uses a defense-in-depth approach that limited the threat actor's ability to gain access to other parts of the company's environment.

"Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place," the statement read. "This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments."

TechTarget Editorial asked TeamViewer how the employee credentials were stolen, but a spokesperson declined to comment, promising more details as they become available. The next update is expected by the end of business on Friday, Central European Summer Time.

UPDATE: On July 4, TeamViewer announced it had concluded "the main incident response and investigation phase" following the breach, reaffirming the findings of its initial security advisory.

"Based on the results of our diligent investigation together with leading cyber security experts from Microsoft, we reconfirm that the incident was contained to our internal corporate IT environment. This means, neither our separated product environment, nor the connectivity platform, nor any customer data has been touched," the update read. "These findings confirm that our software solutions have at all times been safe to use."

TeamViewer added that as the primary investigation is complete, it will no longer provide regular status updates regarding the incident.

This article was updated on 7/8/2024.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
