TeamViewer: Hackers copied employee directory and encrypted passwords


Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.

In an update on Sunday evening, TeamViwer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment. 

The company reaffirmed that the hackers were not able to gain access to the company’s product environment or customer data, and that the breach, first reported last week, appears to be contained.

“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said. 

TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations. 

“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.

TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents

Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”

TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.

The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders. 

CybercrimeNation-stateIndustryNews BriefsNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

China’s ‘Velvet Ant’ hackers caught exploiting new zero-day in Cisco devices

Next Post

New Intel CPU Vulnerability ‘Indirector’ Exposes Sensitive Data

Related Posts

Google Introduces Project Naptime for AI-Powered Vulnerability Research

Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. "The Naptime architecture is centered around the interaction between an AI agent and a target codebase," Google Project Zero researchers Sergei Glazunov and Mark Brand said. "The agent is provided
Read More

U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions against a dozen individuals serving executive and senior leadership roles at Kaspersky Lab, a day after the Russian company was banned by the Commerce Department. The move "underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber
Read More

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday.
Read More