TeamViewer says Russia’s ‘Cozy Bear’ hackers attacked corporate IT system

Software company TeamViewer confirmed on Friday that a prolific Russian hacking group breached its corporate IT environment earlier in the week. 

In an updated statement, the company attributed a recently announced incident to APT29, also known as Cozy Bear, BlueBravo and Midnight Blizzard. The group, allegedly housed within Russia’s Foreign Intelligence Service (SVR), has been implicated in several of the most consequential hacks of the last decade — including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.

TeamViewer explained that Wednesday’s hack was traced back to the “credentials of a standard employee account” within the company’s corporate IT environment. 

There is “no evidence” that APT29 was able to gain access to the company's product environment or customer data, according to the statement, which noted that the corporate IT network is segregated from other company systems.  

“This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments,” the company explained. 

A spokesperson for the company did not respond to several questions about what systems or data were accessed by APT29. In an update on Friday afternoon, TeamViewer confirmed that the attack “was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data.” The company pledged to continue investigating the issue.

The incident emerged on Thursday when several organizations began warning customers and members about APT29’s attack on TeamViewer. Cybersecurity firm NCC Group and a healthcare industry cybersecurity coalition both released private alerts raising alarms about the breach. 

Matt Hull, global head of threat intelligence, advised that until more information emerges, removal of TeamViewer software “will assist in mitigating any potential compromise via this vector.” 

“We also recommend reviewing hosts that have this installed for unusual behavior that might suggest it has already been compromised,” Hull said. “If you are unable to remove the application, then placing those hosts with it installed under heightened monitoring may provide you with further assurance."

John Hultquist, chief analyst for Google Cloud security firm Mandiant, said APT29 is “one of the most challenging actors we track and they are targeting tech companies of all sizes.” The group typically tries to stay undetected but are “not afraid to undertake these bold supply chain attacks.”

Hultquist said APT29’s focus is obtaining intelligence that helps the Kremlin make strategic decisions — specifically targeting data that provides insight into foreign affairs.

APT29 was recently implicated in a major attack on Microsoft that exposed emails from several U.S. federal agencies that may have contained authentication details or credentials. 

Bloomberg reported on Thursday night that Microsoft has begun notifying more organizations that their emails and other information was accessed as part of APT29’s attack. 

Hultquist noted that APT29 recently targeted political parties in Germany as well. 

“Because of the conflict in Ukraine, the Russian security services are under enormous pressure to support the war effort and Russian leadership,” he said. “That pressure will be felt anywhere that offers these spies a means to gather intelligence.”