Update: TeamViewer Links Corporate Cyberattack to Russian State Hackers

Summary:
TeamViewer, a prominent developer of remote monitoring and management (RMM) software, reported a breach of their corporate network this week. The company attributes the attack to Midnight Blizzard, a Russian state-sponsored hacking group also known as APT29, Nobelium, or Cozy Bear. The breach, which occurred on June 26, involved the compromise of an employee's credentials within TeamViewer's Corporate IT environment. Upon detecting suspicious activity through continuous security monitoring, TeamViewer's internal and external incident response teams quickly implemented measures to contain the breach. The company emphasized that there is no evidence indicating that the production environment or customer data was accessed, as their corporate and production networks are kept strictly segregated.
In an updated statement to BleepingComputer, TeamViewer reassured stakeholders that their defense-in-depth approach includes multiple layers of protection, with a strong separation between corporate IT, production environments, and the TeamViewer connectivity platform. This architecture helps prevent unauthorized access and lateral movement across different environments.

Security Officer Comments:
Midnight Blizzard, associated with Russia's Foreign Intelligence Service (SVR), has a history of sophisticated cyber espionage operations. The group was behind the infamous SolarWinds supply chain attack in 2020, where they breached the company's developer environment and added a malicious backdoor to a Windows DLL file. This backdoor was then distributed to SolarWinds customers via an automatic update, allowing the hackers to monitor and steal data from high-value targets.

More recently, Midnight Blizzard targeted Microsoft in a series of successful cyberattacks. In 2023, the group breached Microsoft's corporate Exchange Online accounts, stealing emails from company leadership, cybersecurity, and legal teams. They specifically targeted email accounts to learn what Microsoft knew about the group itself. In March 2024, using secrets obtained from the stolen emails, Midnight Blizzard went on to breach Microsoft's internal systems and source code repositories. These attacks often employed password spray techniques to gain initial access and then leveraged compromised accounts to move further into the targeted systems. Microsoft has previously provided guidance for responding to and investigating attacks by Midnight Blizzard, highlighting the group's persistent and advanced capabilities. As the investigation into the TeamViewer breach continues, more information is likely to emerge, underscoring the importance of robust security measures and vigilant monitoring to defend against such sophisticated threat actors.

Suggested Corrections:
TeamViewer advises all customers to take precautionary measures. These include enabling multi-factor authentication, setting up allow and block lists to restrict connections to authorized users, and closely monitoring network connections and TeamViewer logs for any unusual activity.
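The last two recommendations above (an allow list of authorized remote IDs, and review of TeamViewer logs for unusual activity) can be combined into a simple triage script. The following is an added example, not code from the article or from TeamViewer: it assumes the tab-separated layout of the host-side Connections_incoming.txt log (TeamViewer ID, display name, start, end, local user, connection type, connection ID), and the log lines, allow list and business-hours window are constructed for the example.

```python
"""Triage TeamViewer incoming-connection log lines against an allow list.

Assumptions (not from the article): the log follows the tab-separated
Connections_incoming.txt layout TeamViewer writes on the host:
  TeamViewerID  Name  Start  End  LocalUser  ConnectionType  ConnectionID
with timestamps formatted as dd-mm-YYYY HH:MM:SS. The sample lines,
allow list and business-hours window below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample log: two sessions from a known helpdesk ID, one from an
# unknown ID late at night, and an after-hours file transfer by a service ID.
SAMPLE_LOG = (
    "123456789\tHelpdesk-Alice\t26-06-2024 09:12:33\t26-06-2024 09:30:01\tjdoe\tRemoteControl\t{AAAA-1}\n"
    "123456789\tHelpdesk-Alice\t26-06-2024 13:02:10\t26-06-2024 13:05:44\tjdoe\tRemoteControl\t{AAAA-2}\n"
    "987654321\tUnknownUser\t26-06-2024 23:41:05\t27-06-2024 01:12:50\tjdoe\tRemoteControl\t{BBBB-1}\n"
    "555000111\tBackup-Ops\t27-06-2024 02:15:00\t27-06-2024 02:16:30\tsvc_backup\tFileTransfer\t{CCCC-1}\n"
)

# Constructed allow list: remote TeamViewer IDs permitted to connect.
ALLOWED_IDS: Set[str] = {"123456789", "555000111"}
# Constructed business-hours window (start hour inclusive, end hour exclusive).
BUSINESS_HOURS: Tuple[int, int] = (7, 19)
TS_FMT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Connection:
    remote_id: str
    remote_name: str
    start: datetime
    end: Optional[datetime]  # None when the session was still open at log time
    local_user: str
    conn_type: str
    conn_id: str


def parse_log(text: str) -> List[Connection]:
    """Parse tab-separated log lines; malformed lines are skipped, not fatal."""
    connections = []
    for raw in text.splitlines():
        fields = raw.rstrip("\r\n").split("\t")
        if len(fields) < 7:
            continue  # blank or truncated line
        remote_id, name, start_s, end_s, local_user, conn_type, conn_id = fields[:7]
        try:
            start = datetime.strptime(start_s, TS_FMT)
            end = datetime.strptime(end_s, TS_FMT) if end_s.strip() else None
        except ValueError:
            continue  # unparseable timestamp: skip rather than crash the review
        connections.append(Connection(remote_id, name, start, end, local_user, conn_type, conn_id))
    return connections


def review(connections: List[Connection], allowed: Set[str],
           hours: Tuple[int, int] = BUSINESS_HOURS) -> List[Tuple[str, str, List[str]]]:
    """Return (connection ID, remote ID, reasons) for every session worth a look."""
    findings = []
    for c in connections:
        reasons = []
        if c.remote_id not in allowed:
            reasons.append("remote ID not on allow list")
        if not (hours[0] <= c.start.hour < hours[1]):
            reasons.append("session started outside business hours")
        if reasons:
            findings.append((c.conn_id, c.remote_id, reasons))
    return findings


if __name__ == "__main__":
    for conn_id, remote_id, reasons in review(parse_log(SAMPLE_LOG), ALLOWED_IDS):
        print(f"{conn_id} from {remote_id}: {'; '.join(reasons)}")
```

In practice the allow list would be the same set of IDs configured in the TeamViewer client's allow list, so that the log review confirms the policy is actually being enforced; a connection that appears in the log from an ID outside that set is itself a sign the client configuration has drifted or been changed.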

Midnight Blizzard: Guidance for Responders on Nation-State Attack:
https://www.microsoft.com/en-us/sec...idance-for-responders-on-nation-state-attack/
Link(s):
https://www.bleepingcomputer.com/ne...rporate-cyberattack-to-russian-state-hackers/