TeamViewer breached by Russian state actor Midnight Blizzard

TeamViewer's corporate network was breached this week in an attack that the remote access software vendor attributed to Russian state-sponsored threat actor Midnight Blizzard.

According to a statement published Thursday, TeamViewer said its security team detected "an irregularity in TeamViewer's internal corporate IT environment" on Wednesday, June 26, though its product environment and customer data were not affected. The company wrote at the time that it immediately began an investigation and would, in the interest of transparency, share more details as they became available.

Remote access software is often misused by threat actors for lateral movement in victim environments. In 2021, a threat actor abused TeamViewer to gain access to SCADA systems at a water treatment plant in Oldsmar, Fla.

TeamViewer provided additional details Friday as an update to the initial statement. The company said its security team worked with partners "24/7" to investigate the attack and that it is in constant contact with threat intelligence providers as well as the relevant authorities.

TeamViewer attributed the attack to Midnight Blizzard, the Russian state-sponsored actor also known as APT29 and Cozy Bear. Midnight Blizzard was behind the Microsoft breach disclosed earlier this year as well as the devastating 2020 supply chain attack against SolarWinds. Moreover, TeamViewer said the attack was "tied to credentials of a standard employee account" within its corporate network environment.

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard," the updated statement read. "Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data."

TeamViewer emphasized in the update that based on current evidence, its product environment and customer data were unaffected by the breach. The updated statement explained that TeamViewer uses a defense-in-depth approach that limited the threat actor's ability to gain access to other parts of the company's environment.

"Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place," the statement read. "This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments."

TechTarget Editorial asked TeamViewer how the employee credentials were stolen, but a spokesperson declined to comment, promising more details as they become available. The next update is expected by the end of business on Friday, Central European Summer Time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.