TeamViewer Breach Linked to Russian State-Sponsored Hacking Group Midnight Blizzard

ICARO Media Group
Politics
28/06/2024 19h48

TeamViewer, which is widely used for remote monitoring and management by enterprises and consumers, issued an updated statement attributing the attack to APT29, also known as Nobelium or Cozy Bear.

According to TeamViewer's investigation, the breach occurred on Wednesday, June 26, and was initiated using an employee's credentials within their Corporate IT environment. However, the company assures customers that their production environment and customer data remained untouched, as they maintain a strong segregation of servers, networks, and accounts.

While TeamViewer continues to investigate the incident, experts caution that more information may emerge as the investigation progresses, particularly considering the advanced nature of the threat actor, Midnight Blizzard. As a precautionary measure, TeamViewer advises all customers to enable multi-factor authentication, implement an allow and block list, and closely monitor their network connections and TeamViewer logs.
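The allow-list and log-monitoring advice above can be turned into a routine check. The script below is an added example, not TeamViewer's code; it assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (partner ID, partner name, start, end, local user, mode, connection ID) and uses constructed sample lines and a constructed allow list.

```python
"""Flag TeamViewer incoming sessions that fall outside an allow list or policy.

Assumed log layout (Connections_incoming.txt, tab-separated, DD-MM-YYYY HH:MM:SS):
partner_id  partner_name  start  end  local_user  mode  connection_id
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allow list of approved remote TeamViewer IDs (assumption).
ALLOWED_PARTNER_IDS = {"111222333", "444555666"}
OFF_HOURS_START, OFF_HOURS_END = 20, 7   # sessions starting 20:00-07:00 are flagged
TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log lines, not real TeamViewer data.
SAMPLE_LOG = (
    "111222333\tHelpdesk-01\t26-06-2024 09:12:40\t26-06-2024 09:30:05\talice\tRemoteControl\t{c1}\n"
    "999888777\tUnknown\t26-06-2024 02:14:03\t26-06-2024 03:50:41\tsvc-backup\tRemoteControl\t{c2}\n"
    "444555666\tHelpdesk-02\t26-06-2024 22:10:00\t26-06-2024 22:12:30\tbob\tFileTransfer\t{c3}\n"
)


@dataclass
class Finding:
    connection_id: str
    partner_id: str
    reasons: tuple


def parse_line(line):
    """Return a dict for one log line, or None if it does not have the 7 fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    partner_id, name, start, end, user, mode, cid = parts
    return {"partner_id": partner_id, "partner_name": name, "local_user": user,
            "mode": mode, "connection_id": cid,
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT)}


def review(log_text, allowed=ALLOWED_PARTNER_IDS, max_minutes=60):
    """Return a Finding for every session that violates at least one rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["partner_id"] not in allowed:
            reasons.append("partner not on allow list")
        if rec["start"].hour >= OFF_HOURS_START or rec["start"].hour < OFF_HOURS_END:
            reasons.append("off-hours start")
        if rec["end"] - rec["start"] > timedelta(minutes=max_minutes):
            reasons.append("long session")
        if reasons:
            findings.append(Finding(rec["connection_id"], rec["partner_id"], tuple(reasons)))
    return findings
```

Run `review(SAMPLE_LOG)` to list the flagged sessions; in a real deployment, point it at the live log and feed the findings to your alerting pipeline.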

When contacted about further details regarding the investigation and the compromise of employee credentials, TeamViewer did not provide a response at this time.

Midnight Blizzard, also known as Cozy Bear, Nobelium, and APT29, is a highly sophisticated state-sponsored hacking group believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been involved in various cyber espionage activities, breaching government and corporate networks to stealthily steal data and monitor communications.

In 2020, Midnight Blizzard garnered attention for their involvement in the SolarWinds supply chain attack, where they added a malicious backdoor to a Windows DLL file. This backdoor was disseminated to SolarWinds customers through an automatic update platform, granting the threat actors access to high-value targets, network breaches, and data theft.

More recently, Midnight Blizzard targeted Microsoft in successful cyberattacks. In 2023, they breached Microsoft's corporate Exchange Online accounts, specifically targeting emails related to the company. In March 2024, the threat actors once again breached Microsoft's systems, this time utilizing secrets obtained from the previously stolen emails to gain access to internal systems and source code repositories.

Both incidents involving Microsoft were carried out using password spray attacks, where corporate accounts were initially breached and used as a launching point to compromise other accounts and devices within targeted systems. Microsoft had previously shared guidance for responding to and investigating attacks perpetrated by Midnight Blizzard.

As the investigation into the TeamViewer breach continues, it is crucial for customers to remain vigilant and implement recommended security measures to mitigate any potential threats stemming from this incident.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
