[Cyware] TeamViewer: Hackers copied employee directory data and encrypted passwords

Summary: TeamViewer, a software company, experienced a breach in its internal corporate IT environment, resulting in the theft of encrypted passwords. The attack has been attributed to a Kremlin-backed group known as APT29.

Threat Actor: APT29 | APT29
Victim: TeamViewer | TeamViewer

Key Point :

  • A compromised employee account enabled hackers from APT29 to breach TeamViewer’s internal corporate IT environment and steal encrypted passwords.
  • The stolen data included employee directory information such as names, corporate contact details, and encrypted passwords for the company’s internal IT environment.
  • The breach did not grant access to the company’s product environment or customer data.
  • TeamViewer collaborated with Microsoft to mitigate the risk associated with the stolen encrypted passwords.
  • The incident has been reported to authorities, and APT29 is believed to be associated with Russia’s foreign intelligence service.

Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.

In an update on Sunday evening, TeamViwer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment. 

The company reaffirmed that the hackers were not able to gain access to the company’s product environment or customer data, and that the breach, first reported last week, appears to be contained.

“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said. 

TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations. 

“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.

TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents

Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”

TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.

The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders. 

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Source: https://therecord.media/teamviewer-cyberattack-employee-directory-encrypted-passwords


“An interesting youtube video that may be related to the article above”