iTeamViewer, a remote access software company, has announced that its corporate environment was compromised in a cyberattack. According to the company, the breach was detected on Wednesday, June 26, 2024, and is believed to have been carried out by an advanced persistent threat (APT) hacking group.
"On Wednesday, June 26, 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment," TeamViewer stated in a post on its Trust Center. "We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures."
TeamViewer assured that its internal corporate IT environment is entirely separate from its product environment. They emphasized that there is no evidence suggesting that the product environment or customer data has been affected. The company continues to investigate and is focused on maintaining the integrity of its systems.
Despite their commitment to transparency, the "TeamViewer IT security update" page includes a <meta name="robots" content="noindex"> HTML tag, preventing search engines from indexing the document and making it harder to find.
TeamViewer is widely used for remote access, allowing users to control computers remotely as if they were physically present. The software is currently used by over 640,000 customers worldwide and has been installed on over 2.5 billion devices since its launch.
While TeamViewer has stated there is no evidence of a breach in its product environment or customer data, the extensive use of their software in both consumer and corporate settings makes any breach a significant concern, potentially granting full access to internal networks.
In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors through the Winnti backdoor. At the time, the company did not disclose the breach as no data was stolen.
News of the latest breach was first reported on Mastodon by IT security professional Jeffrey, who shared parts of an alert from the Dutch Digital Trust Center. This web portal is used by the government, security experts, and Dutch corporations to share information about cybersecurity threats.
"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," warned an alert from cybersecurity firm NCC Group. "Due to the widespread usage of this software, the following alert is being circulated securely to our customers."
Another alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, warned that TeamViewer services were allegedly being targeted by the Russian hacking group APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard.
"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting TeamViewer," reads the Health-ISAC alert shared by Jeffrey. "Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. TeamViewer has been observed being exploited by threat actors associated with APT29."
APT29 is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is known for its cyberespionage capabilities and has been involved in numerous attacks, including breaches of Western diplomats and a recent compromise of Microsoft's corporate email environment.
Although TeamViewer disclosed the incident at the same time as the alerts from NCC Group and Health-ISAC, it is unclear if they are directly related. TeamViewer's and NCC's alerts address the corporate breach, while the Health-ISAC alert focuses on targeting TeamViewer connections.
BleepingComputer reached out to TeamViewer for comments on the attack but was informed that no further information would be provided during the ongoing investigation. NCC Group also told BleepingComputer that they had nothing further to add beyond the alert issued to their clients.
On June 28, 2024, TeamViewer informed BleepingComputer that they had removed the noindex tag from their Trust Center, and the page should soon be indexed by search engines.