Article Details

Scrape Timestamp (UTC): 2024-06-28 19:06:54.161

Source: https://www.theregister.com/2024/06/28/teamviewer_russia/

Original Article Text


TeamViewer says Russia broke into its corp IT network. Same APT29 crew that hit Microsoft and SolarWinds. How close were we to a mega backdoor situation?

TeamViewer says it was Russian intelligence that broke into its systems this week.

Yesterday, the remote-desktop software maker said it detected an "irregularity" within its corporate IT network on Wednesday without adding much more detail. Now it says, with the help of outside cybersecurity investigators, it reckons Russia's Cozy Bear cyber-spies, aka APT29 and Midnight Blizzard, sneaked into its network using a worker's login. This confirms earlier whispering in the infosec industry that not only did a nation-state crew slip into TeamViewer but that it was the infamous Cozy Bear.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our corporate IT environment," TeamViewer said in its latest statement. "Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action.

"Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard."

That's the same Kremlin unit that hit the US Democratic National Committee in the 2010s, and more recently compromised Microsoft's computer network and stole internal emails and files from its executives and staff, among other targets. It's the same crew that pulled off the SolarWinds backdoor and has been raiding cloud accounts. It's on a tear.

According to TeamViewer, its encounter with the Russians was limited to its non-production systems, which is the biz's way of asking people not to panic and assume the snoops will definitely be able to get into their PCs via TeamViewer.

"Based on current findings of the investigation, the attack was contained within the corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data," the developer said.

TeamViewer went on to briefly describe its network setup, again to reassure punters:

Following best-practice architecture, we have a strong segregation of the corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.

And just as we were preparing this story for press, the German outfit told us its ongoing probe into the snafu has "strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements." We're promised more updates from the biz.

TeamViewer says it has more than 600,000 customers, who use its software and web app to remotely control and manage Windows PCs and other machines. It would be a huge coup for Russia if it were able to compromise something like TeamViewer to the extent it could gain follow-up access to organizations' computers around the world – and terrible news for the rest of us. We can see why TeamViewer is a fantastic target for the Kremlin.

Speaking of Microsoft and APT29

The Windows giant has told more of its customers that emails they exchanged with the corporation were accessed by Cozy Bear when those spies raided Redmond's inboxes, Bloomberg reported Thursday.

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” a Microsoft spokesperson said.
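TeamViewer's containment claim rests on two separate properties of the segregation it describes: no account holds rights in more than one environment, and no network path crosses an environment boundary. Either one failing turns a stolen "standard employee" credential into a route toward production. The following is an added example, not TeamViewer's code or any description of its real inventory: an offline audit that checks both properties over a constructed inventory. The environment names ("corp", "prod", "platform"), the principals, groups and firewall rules are all assumptions made for the example.

```python
# Added example, not TeamViewer's code: an offline audit of the environment
# segregation TeamViewer describes. The inventory, environment names ("corp",
# "prod", "platform"), groups and rules below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY_PORT = 0  # convention for "all ports" in NetRule (constructed, not a real firewall syntax)


@dataclass
class Principal:
    name: str
    kind: str                         # "user" or "service"
    memberships: Dict[str, Set[str]]  # env -> groups/roles held in that env


@dataclass
class NetRule:
    src_env: str
    dst_env: str
    dst_port: int
    action: str                       # "allow" or "deny"


def spanning_principals(principals: List[Principal]) -> List[str]:
    """Accounts holding rights in more than one environment. One stolen
    credential would then open several environments, so 'accounts strictly
    separate' is violated even if the network boundary holds."""
    return sorted(p.name for p in principals if len(p.memberships) > 1)


def cross_env_allows(rules: List[NetRule]) -> List[Tuple[str, str, int]]:
    """Explicit allow rules that cross an environment boundary."""
    return [(r.src_env, r.dst_env, r.dst_port)
            for r in rules if r.action == "allow" and r.src_env != r.dst_env]


def reachable_envs(start_env: str, rules: List[NetRule]) -> Set[str]:
    """Environments reachable over the network from a foothold in start_env
    (transitive closure over cross-environment allow rules)."""
    reached, frontier = {start_env}, [start_env]
    while frontier:
        env = frontier.pop()
        for src, dst, _port in cross_env_allows(rules):
            if src == env and dst not in reached:
                reached.add(dst)
                frontier.append(dst)
    return reached


def exposed_envs(principal: Principal, rules: List[NetRule]) -> Set[str]:
    """Worst-case exposure if this principal's credential is stolen: every
    environment it holds rights in, plus everything network-reachable from
    those. Under strict segregation a corp-only employee yields {"corp"}."""
    exposure: Set[str] = set()
    for env in principal.memberships:
        exposure |= reachable_envs(env, rules)
    return exposure


def run_audit(principals: List[Principal], rules: List[NetRule]) -> Dict[str, object]:
    """Collect the findings a reviewer would want in one report."""
    return {
        "spanning_principals": spanning_principals(principals),
        "cross_env_allows": cross_env_allows(rules),
        "exposure": {p.name: sorted(exposed_envs(p, rules)) for p in principals},
    }


# Constructed inventory: a standard employee in corporate IT, and a CI service
# account that was (wrongly) granted rights in both corporate IT and production.
PRINCIPALS = [
    Principal("employee-1", "user", {"corp": {"staff"}}),
    Principal("ci-runner", "service", {"corp": {"ci"}, "prod": {"deploy"}}),
]

# Constructed rule set with a leftover allow from corporate IT into production.
LEAKY_RULES = [
    NetRule("corp", "prod", 443, "allow"),
    NetRule("corp", "prod", ANY_PORT, "deny"),
    NetRule("corp", "platform", ANY_PORT, "deny"),
    NetRule("prod", "platform", ANY_PORT, "deny"),
]

# Constructed rule set matching the strict segregation TeamViewer describes.
STRICT_RULES = [
    NetRule("corp", "prod", ANY_PORT, "deny"),
    NetRule("corp", "platform", ANY_PORT, "deny"),
    NetRule("prod", "platform", ANY_PORT, "deny"),
]


if __name__ == "__main__":
    for label, rules in (("leaky", LEAKY_RULES), ("strict", STRICT_RULES)):
        print(label, run_audit(PRINCIPALS, rules))
```

With the leaky rule set, the ordinary employee's stolen credential already exposes production over the network, which is exactly the scenario TeamViewer says its segregation prevents. With the strict rule set, that employee is confined to corporate IT, but the CI service account still spans both environments, so the account-level check fails even though the network check passes. In practice the inventory would be exported from the identity provider and the firewall or cloud security-group configuration rather than typed in.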

Daily Brief Summary

NATION STATE ACTIVITY // Russian Intelligence APT29 Hacks TeamViewer's Corporate Network

TeamViewer confirmed a breach in its IT network attributed to Russia's APT29, also known as Midnight Blizzard.

The intrusion was detected following unusual activity linked to a standard employee's login credentials.

Current findings indicate the breach was confined to TeamViewer's corporate IT (non-production) environment; there is no evidence the attacker reached the product environment, the connectivity platform, or customer data.

TeamViewer credits this containment to strict segregation of corporate IT, the production environment, and the connectivity platform: servers, networks, and accounts are kept separate to block lateral movement between environments.

The company describes that segregation as one of multiple layers in its "defense in depth" approach; continuous monitoring of the compromised account's behavior is what triggered its incident response.

TeamViewer's statements say there is no evidence of access beyond corporate IT; they do not detail what the actor did inside that environment.

The investigation is ongoing with external incident-response support, and TeamViewer has promised further updates.