TeamViewer says Russia broke into its corp IT network

Same APT29 crew that hit Microsoft and SolarWinds. How close were we to a mega backdoor situation?


TeamViewer says it was Russian intelligence that broke into its systems this week.

Yesterday, the remote-desktop software maker said it detected an "irregularity" within its corporate IT network on Wednesday without adding much more detail.

Now it says, with the help of outside cybersecurity investigators, it reckons Russia's Cozy Bear cyber-spies, aka APT29 and Midnight Blizzard, sneaked into its network using a worker's login. This confirms earlier whispers in the infosec industry that not only did a nation-state crew slip into TeamViewer but that it was the infamous Cozy Bear.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our corporate IT environment," TeamViewer said in its latest statement.

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action.

"Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard."

That's the same Kremlin unit that hit the US Democratic National Committee in the 2010s, and more recently compromised Microsoft's computer network and stole internal emails and files from its executives and staff, among other targets. It's the same crew that pulled off the SolarWinds backdoor and has been raiding cloud accounts. It's on a tear.

According to TeamViewer, its encounter with the Russians was limited to its non-production systems, which is the biz's way of asking people not to panic and assume the snoops will definitely be able to get into their PCs via TeamViewer.

"Based on current findings of the investigation, the attack was contained within the corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data," the developer said.

TeamViewer went on to briefly describe its network setup, again to reassure punters:

Following best-practice architecture, we have a strong segregation of the corporate IT, the production environment, and the TeamViewer connectivity platform in place.

This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.
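To make the segregation claim concrete, here is an added example of the kind of check a detection team would run to spot an account or connection crossing from one of those environments into another. It is illustrative code written for this page, not TeamViewer's own tooling, and it assumes a hypothetical address plan (one IP prefix per environment), a hypothetical account-to-environment mapping, and a constructed five-field log format; the sample log lines are made up for the demonstration.

```python
"""Segregation audit: flag cross-environment access in constructed auth events.

Added illustration, not TeamViewer code. Models three segregated environments
(corporate IT, production, connectivity platform). Every account has one home
environment; any authentication that crosses an environment boundary, or uses
an account outside its home environment, is reported as candidate lateral
movement. Address plan, accounts and log format are all assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Hypothetical address plan: one prefix per segregated environment (assumption).
ENVIRONMENTS = {
    "corp":     ipaddress.ip_network("10.10.0.0/16"),
    "prod":     ipaddress.ip_network("10.20.0.0/16"),
    "platform": ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical account directory: each account belongs to exactly one environment.
ACCOUNT_HOME = {
    "corp\\jdoe": "corp",
    "prod\\deploy-svc": "prod",
    "platform\\relay-admin": "platform",
}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    account: str
    src_ip: str
    dst_ip: str
    outcome: str  # "success" or "failure"


@dataclass(frozen=True)
class Finding:
    ts: str
    account: str
    reason: str
    outcome: str


def env_of(ip: str) -> Optional[str]:
    """Map an address to its environment, or None if it is in no known prefix."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENVIRONMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line: str) -> AuthEvent:
    """Constructed log format: '<ts> <account> <src_ip> <dst_ip> <outcome>'."""
    ts, account, src, dst, outcome = line.split()
    return AuthEvent(ts, account, src, dst, outcome)


def audit(lines: list[str]) -> list[Finding]:
    """Return one Finding per event that violates the segregation policy.

    Failed attempts are reported as well as successes: a blocked hop across a
    boundary is still a signal that an account is being used where it should not be.
    """
    findings: list[Finding] = []
    for line in lines:
        ev = parse_line(line)
        src_env, dst_env = env_of(ev.src_ip), env_of(ev.dst_ip)
        home = ACCOUNT_HOME.get(ev.account)
        if home is None:
            findings.append(Finding(ev.ts, ev.account, "unknown account", ev.outcome))
        elif src_env is None or dst_env is None:
            findings.append(Finding(ev.ts, ev.account, "address outside any environment", ev.outcome))
        elif src_env != dst_env:
            findings.append(Finding(ev.ts, ev.account, f"cross-environment {src_env}->{dst_env}", ev.outcome))
        elif dst_env != home:
            findings.append(Finding(ev.ts, ev.account, f"account {home} used in {dst_env}", ev.outcome))
    return findings


# Constructed sample events; the timestamps, accounts and addresses are invented.
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z corp\\jdoe 10.10.4.7 10.10.200.5 success",        # normal corp activity
    "2024-01-01T09:12:44Z corp\\jdoe 10.10.4.7 10.20.1.9 failure",          # corp host -> prod host: flagged
    "2024-01-01T09:13:02Z prod\\deploy-svc 10.20.1.9 10.20.1.10 success",   # normal prod activity
    "2024-01-01T09:15:30Z prod\\deploy-svc 10.10.4.7 10.10.200.5 success",  # prod account used inside corp: flagged
    "2024-01-01T09:20:00Z corp\\ghost 10.10.4.7 10.10.200.5 success",       # account not in directory: flagged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.account}: {f.reason} ({f.outcome})")
```

Run on the constructed sample, the audit stays silent on the two in-environment events and raises three findings: a corporate workstation reaching for a production host, a production service account authenticating inside the corporate network, and an account that exists in no directory at all. The point of the check is the one TeamViewer's statement makes: if accounts and networks really are kept separate per environment, any event that crosses the line is, by construction, worth a look.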

And just as we were preparing this story for press, the German outfit told us its ongoing probe into the snafu has "strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements."

We're promised more updates from the biz.

TeamViewer says it has more than 600,000 customers, who use its software and web app to remotely control and manage Windows PCs and other machines. It would be a huge coup for Russia if it were able to compromise something like TeamViewer to the extent it could gain follow-up access to organizations' computers around the world – and terrible news for the rest of us.

We can see why TeamViewer is a fantastic target for the Kremlin. ®

Updated to add on July 1

TeamViewer has told us the intruders went after employee information, including their (presumably) hashed passwords. Also, the developer decided Microsoft would be best for helping it right this situation.

"According to current findings the threat actor leveraged a compromised employee account to copy employee directory data, ie: names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment," TeamViewer said. "We have informed our employees and the relevant authorities.

"The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state."

Speaking of Microsoft and APT29

The Windows giant has told more of its customers that emails they exchanged with the corporation were accessed by Cozy Bear when those spies raided Redmond's inboxes, Bloomberg reported Thursday.

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” a Microsoft spokesperson said.
