The APT group behind the SolarWinds attack may have struck again in the recent security breach on popular remote access program TeamViewer. There is not yet any good evidence that this breach is as damaging as SolarWinds, but the potential is there given the level of access that TeamViewer often has to client systems.
TeamViewer is thus far downplaying the scope of the security breach, issuing a statement to clients that it has seen no evidence that the product environment or customer data are impacted as of yet. The company has confirmed involvement of APT29 after certain cybersecurity firms issued messages to their clients indicating that they believed the Russian hackers were actively exploiting TeamViewer.
APT group behind SolarWinds implicated in TeamViewer attack
TeamViewer’s latest official statement as of this writing, issued on June 28, says that the incident only impacted the “internal corporate IT environment” and did not involve production, connectivity or any customer data. The company says that its internal investigation is continuing and that any new updates will be posted to its Trust Center.
The TeamViewer statement goes on to confirm that APT29 / Cozy Bear, the Russia-based hackers behind the SolarWinds attack (among many other incidents), are the suspected perpetrators. A previous statement from the company indicated that the security breach was detected on June 26, and an employee account was apparently compromised as the APT group’s source of access. There is not yet any mention of loss of data.
On June 27 several cybersecurity firms, NCC Group Global Threat Intelligence and Health-ISAC among them, warned their clients that they suspected an APT group had compromised and was actively exploiting the TeamViewer software. TeamViewer’s first official statement acknowledging the security breach followed within several hours. TeamViewer estimates that it has about 600,000 clients worldwide and that its software has been installed on over two billion devices, though that installation count is likely cumulative since the company’s launch in 2005.
The Russian APT group became something of a household name for its election interference efforts in the US in 2016, particularly its hack of the Democratic National Convention and leak of sensitive internal emails. It has been around for longer than that and has been continually active since, however. In addition to SolarWinds, APT29 is the lead suspect in an early 2024 compromise of Microsoft executive email accounts and an ongoing campaign to raid the cloud accounts of assorted government agencies and tech companies. Microsoft has admitted to limited ability to evict the Russian hackers and keep them out of its systems, citing significant technical and resource backing from the Putin government.
TeamViewer security breach requires precautions, despite optimistic official statements
This is not TeamViewer’s first brush with an APT group, though the last known security breach of this type for the company took place back in 2016 and involved a Chinese team deploying the Winnti backdoor. The company was criticized for not disclosing the attack until 2019, and claimed that it did not go public immediately because no data was stolen.
Though TeamViewer is one of the largest remote access providers, and is used by Coca-Cola among numerous other major businesses, it has also developed a reputation as a preferred tool of hackers looking to deploy ransomware. A study published in January found that threat actors, including the LockBit ransomware gang, see it as a reliable means of sneaking past automated security detection of suspicious malware files. Thus, if an APT group (or any other threat actor) obtained “downstream” access to TeamViewer client systems via a breach, it could lead to either a massive espionage campaign akin to SolarWinds, or a massive ransomware / data extortion spree akin to the MOVEit breach.
TeamViewer says that its “defense-in-depth” approach headed off these possibilities, particularly the practice of segmenting all areas of internal network operations from each other. The concept was first advanced by the National Security Agency (NSA) over a decade ago and has been recommended by government agencies since, advising a strategy of incorporating multiple layers that can include multifactor authentication and sandboxing among its components.
While defense-in-depth may stop an APT group from compromising a corporate or government target, what can the average TeamViewer user do to ensure their safety? Cybersecurity firms have generally been advising clients that the security breach is considered a low-level threat at present, but that it nevertheless may be prudent to remove TeamViewer from their systems until there is a full accounting of the damage available to the public.
At minimum, hosts that have the application installed should be more closely monitored for unusual activity. Organizations may also want to review allowlists and blocklists associated with the software. Roger Grimes, data-driven defense evangelist at KnowBe4, adds: “It will be crucial to hear how long TeamViewer was compromised and what was compromised. Because TeamViewer is used by so many customers to remotely view and control their computers, it will be critical to understand if any customers were interfered with. It’s good we are hearing about the attack quickly. I look forward to the future details.”
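One way to act on the advice above, as an added example that is not part of the original article and not TeamViewer’s own tooling: a small script that reads a TeamViewer incoming-connection log and flags sessions that fall outside an organization’s allowlist or expected usage window. It assumes the tab-separated layout of TeamViewer’s Connections_incoming.txt (remote ID, remote display name, start time, end time, local user, connection type, connection ID); the log lines, allowlist and business-hours window are constructed sample values, not real data.

```python
"""Flag unusual incoming TeamViewer sessions from a connection log.

Added example, not code from the article or from TeamViewer. The column
layout is an assumption about Connections_incoming.txt; the sample log,
ALLOWED_IDS, BUSINESS_HOURS and MAX_SESSION_MIN are constructed values
that a defender would replace with local policy.
"""
from datetime import datetime, time

# Constructed sample log: four sessions, two benign and two worth a look.
SAMPLE_LOG = (
    "111111111\tHelpdesk-Workstation\t24-06-2024 09:15:00\t24-06-2024 09:40:00\tjdoe\tRemoteControl\t{aaaa-1}\n"
    "222222222\tHelpdesk-Workstation\t25-06-2024 14:02:00\t25-06-2024 14:10:00\tjdoe\tFileTransfer\t{aaaa-2}\n"
    "999999999\tUnknown\t27-06-2024 02:13:00\t27-06-2024 04:58:00\tjdoe\tRemoteControl\t{aaaa-3}\n"
    "111111111\tHelpdesk-Workstation\t27-06-2024 23:50:00\t28-06-2024 00:20:00\tjdoe\tRemoteControl\t{aaaa-4}\n"
)

ALLOWED_IDS = {"111111111", "222222222"}      # assumed allowlist of helpdesk TeamViewer IDs
BUSINESS_HOURS = (time(8, 0), time(18, 0))     # assumed local working window
MAX_SESSION_MIN = 60                           # assumed upper bound for a normal support session
TS_FMT = "%d-%m-%Y %H:%M:%S"                   # assumed timestamp format in the log


def parse_connection_line(line):
    """Parse one tab-separated log line into a dict; return None if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 7:
        return None
    remote_id, display_name, start, end, local_user, conn_type, conn_id = fields[:7]
    try:
        started = datetime.strptime(start.strip(), TS_FMT)
        ended = datetime.strptime(end.strip(), TS_FMT)
    except ValueError:
        return None
    return {
        "remote_id": remote_id.strip(),
        "display_name": display_name.strip(),
        "started": started,
        "ended": ended,
        "duration_min": (ended - started).total_seconds() / 60,
        "local_user": local_user.strip(),
        "conn_type": conn_type.strip(),
        "conn_id": conn_id.strip(),
    }


def find_anomalies(log_text, allowed_ids=ALLOWED_IDS, hours=BUSINESS_HOURS,
                   max_minutes=MAX_SESSION_MIN):
    """Return (connection ID, remote ID, reasons) for every session that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_connection_line(line)
        if rec is None:
            continue  # skip headers or truncated lines rather than crash
        reasons = []
        if rec["remote_id"] not in allowed_ids:
            reasons.append("remote ID not on allowlist")
        if not (hours[0] <= rec["started"].time() < hours[1]):
            reasons.append("started outside business hours")
        if rec["duration_min"] > max_minutes:
            reasons.append("session longer than %d minutes" % max_minutes)
        if reasons:
            findings.append((rec["conn_id"], rec["remote_id"], reasons))
    return findings


if __name__ == "__main__":
    for conn_id, remote_id, reasons in find_anomalies(SAMPLE_LOG):
        print(conn_id, remote_id, "; ".join(reasons))
```

Run against the real log on a host (the path differs by platform and install type), the output is a short list for an analyst to review rather than an alert feed; the point is that an allowlist of expected remote IDs plus a usage window is enough to surface sessions that deserve a second look while the scope of the breach is still unclear.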