Breach, Distributed Workforce

TeamViewer attributes security incident to Russian APT group Midnight Blizzard

(Credit: Timon –

TeamViewer confirmed on its Trust Center June 28 that it experienced a cyberattack tied to the credentials of a standard employee account within its internal corporate IT network.

In the security advisory, TeamViewer said the attack took place on Wednesday, June 26 and has been attributed to the state-sponsored Russian group Midnight Blizzard, also known as Cozy Bear and APT29.

Security pros raised concerns because Midnight Blizzard was also in the news today due to more Microsoft customers being confirmed to have had their emails compromised by the group as part of an attack against Microsoft executives’ emails. The attacks on Microsoft accounts were disclosed in January, some of which resulted in unauthorized access to correspondence from U.S. government agencies.

Midnight Blizzard has been associated with several high-profile intrusions since 2008, including the 2015 compromise of the Democratic National Committee and the 2020 SolarWinds incident. Most recently, 2023-2024 attacks against Microsoft and Hewlett Packard Enterprise have been attributed to Midnight Blizzard, with the group potentially accessing and exfiltrating sensitive information from mailboxes.

There was also concern just from the mere fact that Germany-based TeamViewer has a strong installed base of more than 600,000 customers worldwide. Companies and individuals use the platform to conduct remote access sessions.

TeamViewer maintained that there’s no evidence that the threat actor gained access to its product environment or customer data. The company said TeamViewer’s corporate IT environment runs separately from its product environment.

The recent TeamViewer incident showcases Midnight Blizzard’s mastery of advanced 3D phishing techniques, explained Stephen Kowski, field CTO at SlashNext. Kowski said by seamlessly blending meticulously crafted text messages, Microsoft Teams messages and email phishing, the threat actors have shown they can create a multi-channel assault that's incredibly difficult to detect and defend against.

Kowski added that with 3D phishing on the rise, it’s crucial for organizations to adopt a multi-layered approach to phishing. This includes implementing AI-powered solutions capable of analyzing and flagging anomalies across various communication channels, conducting regular security audits, and most importantly, investing in comprehensive employee training.

“By staying vigilant and leveraging cutting-edge security technologies, we can better protect ourselves against these increasingly immersive and deceptive attacks,” said Kowski. “Remember, in the face of such sophisticated threats, our best defense is a proactive, adaptive, and technologically-advanced security posture.”

Jason Baker, senior security consultant at GuidePoint Security, added that TeamViewer would be less likely to hold substantial value to Midnight Blizzard as a standalone intelligence collection target.

“Still, its targeting for reconnaissance purposes or attempted supply chain compromise against downstream customers is plausible,” explained Baker. “In the near term, we’re monitoring for additional updates from TeamViewer that suggest access or impact against the product environment, as this would be a more significant concern for customers and clients.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.