TeamViewer: Network segmentation hobbled Midnight Blizzard’s attack

TeamViewer, the company developing the popular remote access/control software with the same name, has finished the investigation into the breach it detected in late June 2024, and has confirmed that it was limited to their internal corporate IT environment.

“Neither our separated product environment, nor the connectivity platform, nor any customer data has been touched,” the company says.

What did the attackers manage to do?

After the company’s security team detected anomalous activities from a standard employee account within their corporate IT environment on June 26, 2024, they moved to cut off the threat actor and discover the extent of the breach.

As the investigation progressed, the company kept the public abreast of their findings, to minimize customers’ uncertainty and allay fears.

In the days following the discovery of the intrusion, TeamViewer confirmed that the threat actor leveraged a compromised employee account to copy employee directory data (names, corporate contact information, and encrypted employee passwords) for their internal corporate IT environment, and that they believe the threat actor is Midnight Blizzard, aka APT29 (though they did not say which indicators point to their involvement).

“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the company said on June 30.

They also noted that their corporate IT network, their production environment, and the TeamViewer connectivity platform are completely segregated from one another, to help prevent unauthorized access and lateral movement.

“All immediate remediation measures that we put in place regarding our internal corporate IT environment as well as the additional protection layers that we established have proven to be very effective: there was no suspicious activity in our internal corporate IT environment after our security teams blocked the attack immediately upon detection,” they concluded on June 4.