TeamViewer has confirmed that a notorious Russian cyberespionage group appears to be behind the recent hacker attack targeting the company’s systems.
The remote connectivity software provider revealed last week that it had detected an intrusion on June 26.
According to follow-up statements issued by the company on Friday and over the weekend, the breach only impacted its internal corporate IT environment, and did not affect its product environment, the TeamViewer connectivity platform, or any customer data.
“Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” TeamViewer explained. “This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments.”
The company revealed that the attackers hacked into its systems after obtaining the credentials for a standard employee account that had access to the corporate IT environment.
The hackers leveraged the employee account to copy employee directory data such as names, corporate contact information, and encrypted employee passwords for the internal corporate environment.
“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” TeamViewer said.
When the hack came to light, NCC Group reported that an APT was behind the attack, and the US-based Health Information Sharing and Analysis Center (Health-ISAC) issued an alert saying that the Russia-linked APT29 was behind the intrusion.
TeamViewer has confirmed that it currently attributes the attack to APT29, which among many other names is also known as Cozy Bear and Midnight Blizzard. This state-sponsored cyberspy group is known for high-impact attacks targeting important organizations, including Microsoft.
TeamViewer’s confirmation that APT29 appears to be behind the attack came just as Microsoft has been alerting more customers that the group has stolen their emails as part of a recent campaign.
*APT29 is also known as ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, G0016, Grizzly Steppe, Group 100, Iron Hemlock, ITG11, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029, and Yttrium.
Related: Microsoft Says Russian Gov Hackers Stole Source Code After Spying on Executive Emails
Related: US, Israel Provide Guidance on Securing Remote Access Software
