Dive Brief:
- TeamViewer, a global provider of remote access software, said the state-linked threat group Midnight Blizzard is behind a cyberattack that leveraged a compromised employee account to gain access to the company’s IT network.
- The hackers were able to copy TeamViewer employee directory data, including names, corporate contact information and encrypted employee passwords, the company said. The attack did not impact the company’s production environment, connectivity platform or any customer data.
- TeamViewer said it has worked with its incident response partner Microsoft to mitigate the risk of access to encrypted passwords; it has since hardened authentication procedures for employees. The company has also started to rebuild its internal IT environment.
Dive Insight:
The TeamViewer attack marks the latest incident in recent months attributed to Midnight Blizzard, an advanced persistent threat group formerly known as Nobelium.
The group, previously linked to the 2020 SolarWinds supply chain compromise that delivered the Sunburst backdoor, has more recently launched password spray attacks against Microsoft and exploited a critical authentication bypass vulnerability in JetBrains TeamCity servers.
Just last week, Microsoft notified additional customers that they had been targets of attacks from Midnight Blizzard. That campaign began in late 2023 with a password spray attack that compromised a legacy, non-production test tenant account at Microsoft; the group then used that foothold to access corporate email accounts, including those of senior executives, and later attempted to use secrets found in that email to reach Microsoft customers, including federal agencies and other cloud customers.
TeamViewer is a widely used remote access tool that can monitor, manage, repair and access computers, laptops, robots, industrial machines and mobile phones. The company has more than 640,000 subscribers and has been downloaded on more than 2.5 billion devices worldwide.
NCC Group on Thursday said it had received intelligence that TeamViewer had been compromised, and warned organizations to remove the remote access tool from their environments until further details were known.
Researchers at Mandiant say Midnight Blizzard has been targeting technology firms using stealth techniques, but is not afraid to undertake more ambitious supply chain attacks.
“They are moving through tech companies in order to get to their customers, where they expect to find the intelligence that feeds decision making in the Kremlin,” John Hultquist, Mandiant chief analyst, Google Cloud, said via email. “Generally they are looking for insight into foreign affairs, with a particular emphasis on support for Ukraine, and they target government and related organizations for that information.”