TeamViewer announced it was the victim of a cyber attack which took place in 2016 although some sources claim that hackers were in the firm’s network as early as 2014.

The data breach was reportedly the result of threat actors exploiting the recently patched Winnti backdoor trojan, a malware first seen used by a group of Chinese hackers that has since been referenced as the Winnti group.

“In autumn 2016, TeamViewer was target of a cyber-attack,” a TeamViewer spokesperson told SC Media via email. “Our systems detected the suspicious activities in time to prevent any major damage.”

The company went on to say that both internal and external investigators found that the firm’s information hadn’t been accessed or manipulated in anyway and that they company had successfully fended off the attack. In addition, the company conducted a comprehensive audit of its IT security architecture to further strengthen it.

The German newspaper Der Speigel claimed the Chinese hackers were able to infiltrate TeamViewers networks back in 2014, in contradiction to TeamViewer’s claims that the attack took place in 2016.

TeamViewer told the publication the cyberattack was identified in a timely manner and that there was no evidence that customer data or source code was compromised despite the threat actor’s access.

In July 2016, TeamViewer users took to Reddit and other platforms  to report their accounts had been compromised as services went offline with server issues. At the time TeamViewer denied the claims and it was experiencing service problems as a result of server issues.

Users made claims that both PayPal and bank accounts had been hacked but TeamViewer denied that they were related to the company’s server issues.

Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams, said the attack fits the pattern of what we have seen from most of the Chinese nation-state sponsored hacking groups.

“It’s common to see APTs like this stay silent after the initial breach for years, waiting until an opportune time presents itself to become active,”
Wenzler said. “These stealthy behaviors make it much more difficult for defenders to notice abnormal patterns of activity on their networks, making it less likely that they’ll be prepared when the attack is launched.”


Wenzler went on to say that this isn’t just for high-value targets like a remote management company like TeamViewer and that these tactics are used against any network that these groups are able to breach, whether for financial data, personal information, intellectual property, or to compromise other pieces of software so that they can embed their malicious access tools.