According to TeamViewer, the Russian “Cozy Bear” hackers have attacked the company’s IT system

Software company TeamViewer confirmed on Friday that a prolific Russian hacker group had penetrated its company’s IT environment earlier this week.

In an updated statement, the company traced a recently disclosed incident to APT29, also known as Cozy Bear, BlueBravo and Midnight Blizzard. The group, allegedly affiliated with Russia’s Foreign Intelligence Service (SVR), has been involved in several of the most consequential hacks of the past decade – including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.

TeamViewer said Wednesday’s hack was traced back to the “credentials of a standard employee account” within the company’s IT environment.

There is “no evidence” that APT29 was able to gain access to the company’s product environment or customer data, the statement said, pointing out that the company’s IT network is separate from other corporate systems.

“This means we keep all servers, networks and accounts strictly separate to prevent unauthorized access and lateral movement between different environments,” the company explained.

A company spokesperson did not respond to several questions about which systems or data APT29 accessed. In an update Friday afternoon, TeamViewer confirmed that the attack was “limited to TeamViewer’s internal IT environment and did not affect the product environment, our connectivity platform, or customer data.” The company promised to investigate the issue further.

The incident came to light on Thursday when several organizations began warning customers and members about APT29’s attack on TeamViewer. Both cybersecurity firm NCC Group and a healthcare industry cybersecurity coalition published private alerts warning of the attack.

Matt Hull, global head of threat intelligence, noted that removing the TeamViewer software until new information emerges “will help contain any potential compromise via this vector.”

“We also recommend monitoring hosts where this is installed for any unusual behavior that might indicate it has already been compromised,” Hull said. “If you are unable to remove the application, increased monitoring of hosts where it is installed can provide you with additional security.”

John Hultquist, principal analyst at Google Cloud security firm Mandiant, said APT29 is “one of the most challenging actors we track, and they target technology companies of all sizes.” The group typically tries to remain undetected but is “not afraid of these brazen supply chain attacks.”

According to Hultquist, APT29 focuses on gathering intelligence information that helps the Kremlin make strategic decisions – particularly targeting data that provides insight into foreign policy matters.

APT29 was recently involved in a major attack on Microsoft that exposed emails from several U.S. federal agencies that may have contained authentication details or credentials.

Bloomberg reported Thursday evening that Microsoft has begun notifying more organizations that their emails and other information have been accessed as part of the APT29 attack.

Hultquist pointed out that APT29 had recently targeted political parties in Germany.

“Because of the conflict in Ukraine, Russian intelligence services are under enormous pressure to support the war effort and the Russian leadership,” he said. “This pressure will be felt wherever these spies are given the opportunity to gather intelligence.”

Learn more.