TeamViewer investigating intrusion of corporate IT environment
Software company TeamViewer said it is investigating a possible intrusion of its internal corporate IT environment after discovering irregularities on Wednesday.
In a statement published on Thursday afternoon, the company explained that it immediately activated teams to begin looking into the issue. But TeamViewer — which creates a popular brand of remote access and remote control software — said its corporate environment is “completely independent from the product environment.”
“There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems,” the company’s statement said, adding that it plans to provide more updates as the investigation continues.
When reached for more information about the incident, a company spokesperson told Recorded Future News that it is “unable to provide further details beyond the previously shared statement at this time.”
TeamViewer is a popular software product used by hundreds of large organizations to manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers, and its products have often been deployed maliciously by hackers themselves during security incidents.
The TeamViewer statement on Thursday came after reports emerged on social media of multiple organizations warning members of alleged nation-state attacks involving TeamViewer software.
A researcher shared a message from cybersecurity firm NCC Group and another from the non-profit healthcare cybersecurity organization Health-ISAC about the issue on Thursday.
NCC Group — which confirmed that it sent the message to its customers but declined to provide it to Recorded Future News — said in a notice to clients that it “has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group.”
Health-ISAC, which did not respond to requests for comment, allegedly sent its members a similar message saying it has “received information from a trusted intelligence partner that APT29 is actively exploiting Teamviewer.”
“Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools,” the organization reportedly said. “Teamviewer has been observed being exploited by threat actors associated with APT29.”
The American Hospital Association confirmed that Health-ISAC sent the message and reiterated the advice provided, telling members to “enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”
APT29 is believed to be part of Russia’s Foreign Intelligence Service (SVR), which is responsible for foreign espionage and electronic surveillance. The hackers have been behind some of Russia’s most devastating, brazen attacks on the U.S., including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.
They were recently implicated in attacks on major tech providers like Microsoft and Hewlett Packard Enterprise. In April, the top cybersecurity agency in the U.S. warned that the attack on Microsoft exposed emails from several federal agencies that may have contained authentication details or credentials.