TeamViewer confirms cyber incident, its scale unclear

TeamViewer, one of the largest remote access and control software providers, confirmed a cyber breach. Previously, security researchers alleged that the company was compromised by an advanced persistent threat group. Some attributed the incident to APT29, also known as Cozy Bear or Midnight Blizzard.

In a statement, Teamviewer confirmed that on Wednesday, 26 June 2024, their security team “detected an irregularity in TeamViewer’s internal corporate IT environment.”

The company assures that this environment is “completely independent from the product environment.”

“There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing, and our primary focus remains to ensure the integrity of our systems,” the company said.

Previously, NCC Group, a cybersecurity company, alerted its customers about a “significant compromise of the TeamViewer remote access and support platform by an APT group,” as shared by a security expert calling himself Jeffrey on Mastodon.

The posted screenshot indicates a traffic light protocol of “AMBER+STRICT,” which means that sensitive information is designated only for limited disclosure, restricted to the participants’ organization.

The organization Health-ISAC (Information Sharing and Analysis Center) warned that TeamViewer might have been breached by “Cozy Bear,” a state-sponsored actor controlled by a Russian secret service.

“On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting Teamviewer. Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. Teamviewer has been observed being exploited by threat actors associated with APT29,” Jeffrey shared.

Teamviewer said they immediately activated the response team and procedures, started investigations, and implemented necessary remediation measures. The company said it will continuously update “the status of our investigations as new information becomes available.”

However, experts from BleepingComputer noted that those notifications would not be seen by search engines as the website’s meta tag for robots has “no index” values.

Based in Germany, Teamviewer has more than 640,000 customers worldwide, while its free Remote access tools are used by hundreds of millions of non-commercial users.