TeamViewer attack: investigation completed, users are not affected

Forensic investigations together with Microsoft revealed that attackers did not compromise TeamViewer's development environment or customer data.


The company headquarters of TeamViewer GmbH in Göppingen, Baden-Württemberg.

(Image: dpa, Christoph Schmidt)

This article was originally published in German and has been automatically translated.

A good week and a half after the suspected Russian attack on the TeamViewer remote maintenance software, the manufacturer has now published the results of its investigation. According to a spokesperson, the attack was limited to the company's internal IT environment – the software itself was not affected.

Microsoft had been brought on board as a service provider for the "incident response", i.e. the handling and investigation of the incident. The forensic experts found that employees' personal data was copied during the attack – possibly from a compromised Active Directory. The names, contact information and password hashes of the TeamViewer employees ended up in the hands of the intruders.

The intruders presumably came from Russian secret service circles. TeamViewer claims to have identified typical behaviors (TTPs – Tactics, Techniques and Procedures) of the "Cozy Bear" group (also known as APT29). Western security experts assume that Cozy Bear is controlled by the Russian foreign intelligence service SVR.

According to the TeamViewer press release, neither the product development environment nor the cloud platform for networking the TeamViewer instances with each other was affected by the attack, nor were the attackers able to extract customer data.

According to the spokesperson, TeamViewer has hardened the login procedures for employees and implemented further protective measures. After that, there was no further suspicious activity in the company network. Microsoft also assisted with the hardening. The authorities were also informed about the data leak.

The company emphasizes that there was never any danger to users – the software was also secure at all times during the attack. TeamViewer wants to dispel the doubts of its customers, who feared that the remote maintenance software had been infiltrated. In the heise community "heise security PRO", security professionals also had a lively discussion about how to deal with the intrusion at the remote maintenance service provider.

(cku)