The day after the June 26 cyberattack on its corporate IT network, TeamViewer issued a note announcing an investigation into the as yet unattributed breach. The remote access software company has now said that, with external incident response support, it discovered that the Russian threat actor known as APT29 was behind the network compromise.
The release said the state-sponsored threat actor aligned with the Russian Foreign Intelligence Service (SVR), also identified as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes, leveraged a standard employee account’s login credentials to infiltrate the company’s corporate IT environment. No other details of how the attackers obtained the credentials are available.
The announcement reiterated that neither the product environment nor customer data was affected, and that the company’s internal corporate IT and the product environment are separate.
Security researchers had already said it was an advanced persistent threat (APT) group, and the U.S. Health Information Sharing and Analysis Center (Health-ISAC) said threat actors associated with APT29 led the attack.
Recently, APT29 was linked to the SolarWinds supply chain attack and the breaches of Hewlett-Packard Enterprise and Microsoft. The latter said the Midnight Blizzard threat actor exfiltrated Microsoft corporate and even customer email accounts.
The popular Germany-based firm offers remote monitoring and management (RMM) software for managed service providers (MSPs) and IT departments to manage servers, workstations, network devices, and endpoints. It is currently used by over 640,000 customers worldwide, including companies and individuals.