TeamViewer Cyber-Attack Linked to Russian APT Midnight Blizzard

Remote software provider TeamViewer recently experienced a cyber-attack that has been attributed to the Russian state-affiliated threat actor known as Midnight Blizzard/APT29.

The company disclosed that it detected suspicious activity on a standard employee account within its corporate IT environment on Wednesday, June 26. TeamViewer has tied the incident to the credentials of that compromised account.

Fortunately, the security team at TeamViewer was able to contain the attack within the corporate IT environment, safeguarding the product environment and customer data from potential compromise.

TeamViewer emphasized that they have a robust security architecture in place, with a strong segregation of Corporate IT, production environment, and the TeamViewer connectivity platform. This segregation helps prevent unauthorized access and lateral movement between different environments, enhancing overall security measures.

The company stated that they are currently collaborating with threat intelligence providers and relevant authorities to further investigate the incident and gather more insights into the nature of the attack.

TeamViewer has attributed the attack to the Midnight Blizzard/APT29 threat actor, and its external incident response support has corroborated that assessment.

Midnight Blizzard is an Advanced Persistent Threat (APT) group known for its ties to Russia’s foreign intelligence service (SVR). The group specializes in espionage and intelligence gathering activities, primarily targeting governments and critical industries.

This is not the first time Midnight Blizzard has been implicated in cyber-attacks on tech companies. In previous instances, the group compromised email accounts of senior leadership teams and gained unauthorized access to source code and internal systems.

French cybersecurity agency ANSSI has also highlighted Midnight Blizzard’s consistent targeting of French diplomatic entities and public organizations since 2021, underscoring the group’s persistent and ongoing threat.

According to John Hultquist, Mandiant Chief Analyst at Google Cloud, Midnight Blizzard has a history of conducting supply chain attacks on tech firms to gather intelligence on customer activities, especially related to foreign affairs such as support for Ukraine. The group has also targeted political parties in Germany in recent times.

Given the prevalent use of remote software services like TeamViewer by threat actors to gain initial access to networks, various sectors, including manufacturing, healthcare, and the public sector, are at risk.

The US Health Information Sharing and Analysis Center (H-ISAC) has issued a threat bulletin cautioning healthcare organizations about the active exploitation of TeamViewer by malicious actors. H-ISAC recommends implementing security measures such as enabling two-factor authentication and using allowlists and blocklists to control device access, among other precautions.

Overall, the cyber-attack on TeamViewer serves as a stark reminder of the persistent threat posed by state-affiliated threat actors like Midnight Blizzard, emphasizing the need for heightened cybersecurity measures across various industries to protect sensitive data and systems from potential breaches.
