After some early reporting by independent cybersecurity firms, Teamviewer has now confirmed that a Russian APT group is the likely culprit in a security breach affecting the company’s “corporate environment.” While that group is the same one responsible for the SolarWinds breach, Teamviewer is assuring the public that the level of access it achieved gives no cause for serious alarm.
Teamviewer has said that the product environment, connectivity and customer data are not impacted by the security breach. All of that said, it is far from unheard of for the extent of breach damage to be revised upward weeks or months later as investigations deepen. But for now, there are only reasonable and basic precautions that some Teamviewer clients are advised to take.
Second security breach for Teamviewer involving an APT Group
Teamviewer had one previous encounter with an APT group back in 2016, though that was thought to be one of China’s hacking teams. That incident also did not appear to involve significant access to client systems or theft of data, but the company was nevertheless criticized as it did not voluntarily disclose the security breach until 2019.
Teamviewer is one of the most widely used remote access tools among businesses around the world, but it has also acquired a reputation as a ransomware enabler, since attackers have found it useful for getting malware past defenses (LockBit has been observed using it numerous times). Any security breach there will thus raise serious alarms, with the potential to mirror something like the SolarWinds or MOVEit incidents, but so far there does not appear to be reason to panic.
There is, however, sound reason to believe that Teamviewer’s early assessment of the security breach is accurate, as the company has previously implemented “defense in depth” principles that include segmentation of these different areas of its internal network from one another. The reported cause of the breach was also the compromise of an employee’s credentials, which could mean the attackers were unable to move beyond whatever segment that employee’s access was restricted to.
Nevertheless, it may be prudent for some clients to remove Teamviewer until there is an update on the investigation. One element that is still unknown is exactly how long the software was compromised, and if it is possible that any data was stored in the “corporate environment.”
Teamviewer directing clients to its “Trust Center” for future updates
The security breach was detected on June 26, though the actual start date is still unknown. Some private cybersecurity firms began informing their clients that an APT group had been observed exploiting Teamviewer on June 27, just a little ahead of the company making its first public statement on the issue.
APT29 is a long-established nation-state APT group that has been highly active of late in targeting foreign governments and the world’s largest tech companies. The group has been hounding Microsoft’s cloud and email services since early in the year and has also shown a strong interest in Germany’s political parties.