The hack of the remote maintenance provider TeamViewer appears to have been less serious than feared. A state actor (APT29) did gain access to the company's internal IT environment. However, neither the production environment containing the sources and binaries of the remote maintenance software nor customer data appear to have been affected. This was announced by the provider in what is now its third status update.
The TeamViewer hack
On June 28, 2024, I reported in the blog post TeamViewer hacked (June 2024) that TeamViewer had probably been the victim of a successful cyberattack. The remote maintenance provider later confirmed this and provided further information. The rumor that the attacker was a state-sponsored group (APT29) was confirmed. APT29, also known as Cozy Bear, is a Russian state-sponsored hacking group that is responsible for many attacks. APT29 is said to have links to the Russian Foreign Intelligence Service (SVR).
The internal TeamViewer security team discovered an anomaly in the company's internal IT environment on Wednesday, June 26, 2024. The TeamViewer response team was activated immediately, the emergency response processes were initiated, and the necessary protective measures were implemented.
Final report on their findings
After the incident became known, TeamViewer IT staff began investigating the hack together with external IT security experts. The company assured early on that the internal IT environment is completely independent of the TeamViewer product environment. The company was therefore able to rule out the possibility that the TeamViewer product itself had been compromised, and it stated at an early stage that no customer data should have been leaked either.
The TeamViewer Trust Center has repeatedly shared updates with findings on the incident. Yesterday evening, July 4, 2024, TeamViewer informed me about the current status of the investigation. The company considers the immediate investigation phase, eight days after the discovery of the cyber security incident on June 26, 2024, to be completed. All relevant investigation options have now been exhausted.
Based on the results of this joint investigation with cybersecurity experts from Microsoft, TeamViewer reconfirms that the incident was limited to the internal corporate IT environment. According to the status update, this means that neither the separate TeamViewer product environment, nor the connectivity platform, nor customer data were affected.
The TeamViewer team writes that the immediate countermeasures taken in the internal TeamViewer corporate IT environment, together with the additional protective measures introduced, proved to be very effective. After the security team stopped the attack immediately upon discovery, no further suspicious activity was observed in the internal corporate IT environment.
The status update does not provide any information on how the attackers from Midnight Blizzard (Microsoft's name for APT29) were able to penetrate the TeamViewer corporate network. In the status update dated June 30, 2024, TeamViewer wrote that, according to current knowledge, the attacker used a compromised employee account to copy information from the employee directory. The copied information includes names, business contact details and encrypted passwords for the internal corporate IT environment.
Reading between the lines of the various status updates, it appears that the affected IT infrastructure consisted of Microsoft products. The company is now in the process of completely rebuilding its internal corporate IT environment.