German tech company TeamViewer said it discovered a Russian-linked cyberattack on the remote access software company’s corporate network that has exposed employees’ data to sophisticated hackers.
Information technology professionals use TeamViewer’s screen-sharing software widely. The company said Sunday it has started to rebuild its internal systems to recover from the hack.
“The threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment,” the company said in a statement Sunday evening. “We have informed our employees and the relevant authorities.”
TeamViewer first revealed the hack of its corporate IT last week and attributed the breach to “APT29 / Midnight Blizzard,” a group that the Biden administration has previously tied to the Russian Foreign Intelligence Service (SVR).
The Russian group gained widespread notoriety for its hack of SolarWinds computer network management software uncovered in 2020, which the Biden administration said compromised nine federal agencies. The U.S. government said the breach of SolarWinds gave the hackers the ability to spy on more than 16,000 computer networks around the world.
Microsoft said last year it found the Russian hacking group pursuing its conferencing platforms to reach government accounts and other espionage targets. In January, Microsoft said the same hackers breached its top executives’ emails in search of what the company knew about the hackers.
Microsoft has unique knowledge of Russian hacking operations and has worked with the U.S. intelligence community to blunt cyberattackers aiming at Ukraine.
TeamViewer said Sunday it teamed with Microsoft to respond to the Russian hackers, and TeamViewer believes it mitigated the risk of the hackers gaining its employees’ encrypted passwords.
TeamViewer said it has not found evidence that the hackers accessed customer data or its product environment.
“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers,” TeamViewer said Sunday.
Some cyber attackers, however, may not directly go after customer data and prefer to serve as initial access brokers, spotting and assessing vulnerabilities and then selling or providing that data to other attackers.
Other hackers have already sought to use TeamViewer to target victims.
The LockBit cybercriminal group used TeamViewer as an initial access point for ransomware attacks, according to cybersecurity company Huntress. In January, Huntress senior analyst Harlan Carvey said his company alerted customers about ransomware attacks that his team found leveraging TeamViewer.
U.S. and U.K. officials announced in February they disrupted the LockBit ransomware group. The Justice Department in Washington also unsealed charges in May against a Russian national accused of creating Lockbit, which the government said was formerly “the most prolific ransomware group in the world.”
The LockBit ransomware gang reemerged, however, and reportedly claimed last month to have stolen data from the Federal Reserve.
Early analyses of the gang’s published stolen data last week appeared to suggest that the group has not provided evidence that it had hit the Federal Reserve, according to Hackmanac. The United Arab Emirates-based cybersecurity company said on X that data leaked by LockBit instead appeared to come from Evolve Bank in America.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.