TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack has been successfully contained within its internal corporate IT environment. Crucially, the company has reassured its customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. This announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity and reassurance to the millions of users who rely on it's services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group, tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is renowned for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms. In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised. "TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. Importantly, the compromised data was limited to internal corporate information, and no customer data was involved. The company has taken swift action to mitigate the risk associated with the encrypted passwords. "According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities. The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft," reads the statement. In collaboration with leading experts from their incident response partner, Microsoft, TeamViewer has implemented enhanced authentication procedures and added further strong protection layers. These measures ensure that the authentication processes for employees are now at the maximum security level. "The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," reads TeamViewer statement.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in highlighting the TeamViewer data breach. NCC Group was alerted to the compromise of TeamViewer’s remote access and support platform by APT29. Their involvement underscores the importance of third-party cybersecurity firms in detecting and responding to advanced threats. For TeamViewer’s customers, the key takeaway from this incident is that their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its overall system architecture follows best practices, with a clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. This segmentation is a critical factor in ensuring that breaches in one area do not affect others.

TeamViewer, a leading provider of remote access software, has attributed a security breach in its corporate network to an advanced persistent threat group, tracked as APT29. The TeamViewer data breach incident was first detected on June 26, 2024, prompting immediate action from TeamViewer's security team. In an initial statement posted on Thursday in the the company's Trust Center, TeamViewer reassured users that the breach occurred solely within their internal corporate IT environment, which is separate from their product environment. They emphasized that there is currently no evidence suggesting that customer data or the product itself has been compromised. In a Friday update the company reiterated the same and tied the compromise to employee account credentials that gave the threat actor access to Team Viewer's corporate IT environment.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data." - TeamViewer

The company that provides enterprise solutions for remote access, reassured its customers that it follows best-practices in its overall system architecture and thus, has segmented the Corporate IT, the production environment, and the TeamViewer connectivity platform.

"This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach." - TeamViewer

Despite ongoing investigations, the company remains focused on safeguarding system integrity and ensuring transparency in its communication regarding the incident.

TeamViewer Data Breach Confirmed 

The TeamViewer data breach was highlighted by cybersecurity firm NCC Group, which was alerted about the compromise of TeamViewer's remote access and support platform by an APT group. This group, identified as APT29, aka Midnight Blizzard or Cozy Bear, is known for its cyberespionage capabilities and has previously been linked to cyberattacks targeting various global entities, including Western diplomats and technology firms. “On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts, and implemented necessary remediation measures”, reads the official statement. Coinciding with TeamViewer's disclosure, alerts from the Dutch Digital Trust Center and Health-ISAC highlighted the severity of the situation. The Health-ISAC alert specifically warned of active exploitation of TeamViewer by APT29, advising organizations to monitor remote desktop traffic for any suspicious activity.

Mitigation Against the TeamViewer Data Leak

TeamViewer, known for its widespread adoption with thousands of customers globally and installed on billions of devices, continues to update stakeholders through its IT security update page. However, concerns have been raised about transparency practices, as the page currently includes a directive preventing indexing by search engines. “There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems. Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available” concludes the statement.  For users and organizations relying on remote access solutions like TeamViewer, vigilance and proactive monitoring are recommended to mitigate risks posed by sophisticated cyber adversaries.  *Update (Friday, June 28 - 8:10 A.M. ET): The headline and text through the article was updated to reflect TeamViewer's Friday update and attribution of the cyberattack to APT29 or Midnight Blizzard.