TeamViewer says Russia’s ‘Cozy Bear’ hackers attacked corporate IT system


Software company TeamViewer confirmed on Friday that a prolific Russian hacking group breached its corporate IT environment earlier in the week. 

In an updated statement, the company attributed a recently announced incident to APT29, also known as Cozy Bear, BlueBravo and Midnight Blizzard. The group, allegedly housed within Russia’s Foreign Intelligence Service (SVR), has been implicated in several of the most consequential hacks of the last decade — including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.

TeamViewer explained that Wednesday’s hack was traced back to the “credentials of a standard employee account” within the company’s corporate IT environment. 

There is “no evidence” that APT29 was able to gain access to the company’s product environment or customer data, according to the statement, which noted that the corporate IT network is segregated from other company systems.  

“This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments,” the company explained.

A spokesperson for the company did not respond to several questions about what systems or data were accessed by APT29. In an update on Friday afternoon, TeamViewer confirmed that the attack “was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data.” The company pledged to continue investigating the issue.

The incident emerged on Thursday when several organizations began warning customers and members about APT29’s attack on TeamViewer. Cybersecurity firm NCC Group and a healthcare industry cybersecurity coalition both released private alerts raising alarms about the breach. 

Matt Hull, NCC Group’s global head of threat intelligence, advised that until more information emerges, removal of TeamViewer software “will assist in mitigating any potential compromise via this vector.” 

“We also recommend reviewing hosts that have this installed for unusual behavior that might suggest it has already been compromised,” Hull said. “If you are unable to remove the application, then placing those hosts with it installed under heightened monitoring may provide you with further assurance.”

John Hultquist, chief analyst for Google Cloud security firm Mandiant, said APT29 is “one of the most challenging actors we track and they are targeting tech companies of all sizes.” The group typically tries to stay undetected but is “not afraid to undertake these bold supply chain attacks.”

Hultquist said APT29’s focus is obtaining intelligence that helps the Kremlin make strategic decisions — specifically targeting data that provides insight into foreign affairs.

APT29 was recently implicated in a major attack on Microsoft that exposed emails from several U.S. federal agencies that may have contained authentication details or credentials.

Bloomberg reported on Thursday night that Microsoft has begun notifying more organizations that their emails and other information were accessed as part of APT29’s attack. 

Hultquist noted that APT29 recently targeted political parties in Germany as well. 

“Because of the conflict in Ukraine, the Russian security services are under enormous pressure to support the war effort and Russian leadership,” he said. “That pressure will be felt anywhere that offers these spies a means to gather intelligence.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

