Unauthorized access to TeamViewer's IT network achieved via compromised employee credentials
In a recent cyber incident, global remote access software provider TeamViewer has been compromised by the state-linked threat group known as Midnight Blizzard (also known as Nobelium or APT29).
The Attack on TeamViewer
The attack did not impact TeamViewer's production environment, connectivity platform, or any customer data. However, the incident involved the use of a compromised employee account, leading to password spray attacks that targeted customer credentials from federal agencies and other cloud customers.
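Password spraying, the tactic named above, is detectable from authentication logs because it inverts the brute-force pattern: one source generates few failures per account but touches many accounts. The detector below is an added example (not TeamViewer's or Microsoft's code) that runs over a constructed sign-in log; the thresholds, log format and IP addresses are assumptions.

```python
"""Password-spray detection over constructed sign-in logs (added example).
A spray tries a few passwords against MANY accounts so per-account failures
stay under lockout thresholds; group failures by source and look for many
distinct usernames with few attempts each inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, format "timestamp,source_ip,username,result"; not real data
SAMPLE_LOG = """\
2024-06-26T10:00:01,203.0.113.7,alice,FAIL
2024-06-26T10:00:04,203.0.113.7,bob,FAIL
2024-06-26T10:00:07,203.0.113.7,carol,FAIL
2024-06-26T10:00:10,203.0.113.7,dave,FAIL
2024-06-26T10:00:13,203.0.113.7,erin,FAIL
2024-06-26T10:00:16,203.0.113.7,frank,SUCCESS
2024-06-26T10:05:00,198.51.100.9,alice,FAIL
2024-06-26T10:05:10,198.51.100.9,alice,FAIL
2024-06-26T10:05:20,198.51.100.9,alice,FAIL
"""

def parse_log(text):
    """Parse CSV lines into (datetime, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {source_ip: sorted usernames} for sources whose failures reach min_users
    distinct accounts, each with at most max_per_user failures, inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):      # slide the window over each failure
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits

def successes_from_spraying_sources(events, hits):
    """Accounts that later authenticated from a spraying source: top-priority alerts."""
    return sorted({u for _, ip, u, r in events if ip in hits and r == "SUCCESS"})
```

The single-account hammering from the second source is deliberately not flagged as a spray; it would be caught by ordinary lockout or brute-force rules, whereas the low-and-slow pattern from the first source would not.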
Midnight Blizzard's Modus Operandi
Midnight Blizzard has a documented history of sophisticated cyber espionage targeting government and diplomatic entities worldwide. Their attacks typically aim to infiltrate sensitive communications and gather intelligence for the Russian SVR (foreign intelligence service).
Past Cyberattacks
- A significant recent campaign targeted foreign embassies around the world with an attack that installed a malicious TLS root certificate.
- Another major campaign uncovered in 2024 involved targeting Mongolian government websites, where Midnight Blizzard infiltrated official sites over several months, embedding sophisticated malware and JavaScript to harvest the credentials and cookies of government officials.
Targets and Tactics
- Midnight Blizzard primarily targets government and related organizations for intelligence that feeds decision-making in the Kremlin, with a particular emphasis on support for Ukraine.
- The group leverages known vulnerabilities in outdated government systems, weaponized commercial spyware frameworks, and sophisticated malware toolkits.
Mitigation and Response
- TeamViewer has worked with its incident response partner Microsoft to mitigate the risk of access to encrypted passwords.
- NCC Group has warned organizations to disengage TeamViewer from their environments.
- TeamViewer is currently rebuilding its internal IT environment.
Recent Activity of Midnight Blizzard
- Midnight Blizzard launched password spray attacks against senior Microsoft executives beginning in 2023.
- The group has also exploited critical vulnerabilities in JetBrains TeamCity.
- Microsoft notified additional customers they had been targets of attacks from Midnight Blizzard last week.
Conclusion
Midnight Blizzard is a highly capable Russian state-sponsored threat actor focused on espionage targeting diplomatic and government communications. Their recent activities include sophisticated breaches involving TLS certificate attacks on embassies and long-term compromises of government websites (notably in Mongolia) to steal credentials and confidential data for intelligence gathering. These operations reflect their strategic goal of advancing Russia's geopolitical interests by penetrating secure communications channels and extracting sensitive information.
Organizations are advised to remain vigilant and strengthen their cybersecurity measures in response to the ongoing activities of Midnight Blizzard.
- Despite the recent incident response efforts by TeamViewer and their partner Microsoft, the compromise of TeamViewer by Midnight Blizzard has exposed a vulnerability in technology systems, leading to password spray attacks targeting customer credentials from federal agencies and other cloud customers.
- In the aftermath of the TeamViewer attack, cybersecurity firms such as NCC Group have recommended that organizations disengage TeamViewer from their environments, citing the identified risk and the group's history of cyber espionage and intelligence gathering.
- In light of Midnight Blizzard's documented history of targeting government and diplomatic entities for financial and geopolitical gain, organizations are advised to strengthen their cybersecurity measures to protect sensitive finance-related data from potential state-linked cyber threats.