Software firm attributes corporate network intrusion to APT29 after initial disclosure
German remote access software company TeamViewer has confirmed that a recent cyber incident targeting its internal corporate network was the work of APT29, the Russian state-sponsored hacking group also known as Cozy Bear.
In an updated statement on June 28th, a day after its initial disclosure of the attack, TeamViewer said the breach has been attributed to APT29. The group is believed to operate on behalf of Russia's Foreign Intelligence Service (SVR).
Hackers Exploited Employee Credentials to Access TeamViewer’s Corporate IT Systems
According to TeamViewer, the APT29 operators gained access to the company's corporate IT environment using the compromised credentials of a standard employee account. The company says the product environment and customer data were not affected; the intrusion was confined to the corporate IT network.
The company emphasized that its corporate IT networks are strictly segregated from other infrastructure to prevent unauthorized access and lateral movement between environments. However, questions remain around what internal systems and data the hackers were able to access.
Cozy Bear: A highly advanced and prolific threat actor
Cozy Bear is regarded as one of the world’s most formidable cyber espionage groups. The hackers have been connected to some of the largest cyberattacks in recent history, including the 2020 SolarWinds hack and the 2016 breach of the Democratic National Committee.
John Hultquist, chief analyst at Mandiant, noted that Cozy Bear typically tries to maintain covert, long-term access but has grown bolder in carrying out supply chain compromises. The group targets organizations to gather intelligence supporting Russian strategic interests.
Heightened warnings issued over potential follow-on hacks
In response to the attack, cybersecurity firms including NCC Group warned customers to remove TeamViewer software as a precaution until more details emerge. Analysts advised monitoring devices running the remote access application for suspicious behavior, such as remote sessions nobody requested, that could point to secondary compromises.
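One concrete form of the monitoring advised above, added here as an example rather than anything from the article, NCC Group or TeamViewer: sweep a host's local TeamViewer incoming-connection log and flag sessions from remote IDs not on an allow-list or started outside business hours. The code assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (remote TeamViewer ID, remote display name, session start, session end, local user, connection type, connection GUID, with dd-mm-yyyy timestamps); verify that against a real log before relying on it. The log lines, allow-list and business-hours window below are constructed.

```python
"""Flag unexpected inbound TeamViewer sessions in a Connections_incoming.txt log.

Added example (not from the article or from TeamViewer). Assumed log layout:
remote ID \t remote name \t start \t end \t local user \t type \t GUID
"""
from datetime import datetime
from typing import NamedTuple

# Constructed sample: one help desk session during the day, one unknown
# remote ID connecting at 02:17 local time.
SAMPLE_LOG = (
    "123456789\tHelpdesk-Laptop\t24-06-2024 09:12:03\t24-06-2024 09:40:55"
    "\tjsmith\tRemoteControl\t{2f1c7a62-9b8e-4d3a-a3b1-0c4e8d9f1a22}\n"
    "987654321\tUnknown\t26-06-2024 02:17:44\t26-06-2024 03:05:12"
    "\tjsmith\tRemoteControl\t{7d0e4b19-3c2f-4e8a-b6d5-91a2c3e4f577}\n"
)

# Hypothetical allow-list: TeamViewer IDs belonging to the help desk's own accounts.
ALLOWED_REMOTE_IDS = {"123456789"}
# Hypothetical business-hours window (local time, hours 07:00 through 19:59).
BUSINESS_HOURS = range(7, 20)


class Session(NamedTuple):
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str
    guid: str


def parse_timestamp(value: str) -> datetime:
    """Assumed TeamViewer timestamp format: day-month-year hour:minute:second."""
    return datetime.strptime(value, "%d-%m-%Y %H:%M:%S")


def parse_log(text: str) -> list[Session]:
    """Parse the tab-separated log; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 7:
            continue
        rid, name, start, end, user, kind, guid = parts
        sessions.append(
            Session(rid, name, parse_timestamp(start), parse_timestamp(end), user, kind, guid)
        )
    return sessions


def suspicious_sessions(sessions, allowed_ids=ALLOWED_REMOTE_IDS, hours=BUSINESS_HOURS):
    """Return (session, reasons) for every session that trips at least one check."""
    findings = []
    for s in sessions:
        reasons = []
        if s.remote_id not in allowed_ids:
            reasons.append("remote TeamViewer ID not on allow-list")
        if s.start.hour not in hours:
            reasons.append("session started outside business hours")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for session, reasons in suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{session.start:%Y-%m-%d %H:%M} remote={session.remote_id} "
              f"user={session.local_user}: {'; '.join(reasons)}")
```

The allow-list and hours window are the tunable parts; the useful signal on an endpoint fleet is the combination, since an unknown remote ID at 02:00 on a machine whose user was not working is exactly the follow-on access these warnings describe.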
While TeamViewer claims customer data was untouched, security professionals stress the need for continued vigilance. The full scope of what Cozy Bear targeted and accessed during its time inside the network remains uncertain.
TeamViewer's assurance rests on the separation between its corporate IT network and its product environment. "This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments," the company explained.
Cyber experts say pressure is intensifying on Russian spies amid conflict in Ukraine
Hultquist observed that the Russian security agencies overseeing groups like Cozy Bear are under “enormous pressure” to aid Moscow’s war efforts through intelligence gathering.
For TeamViewer and other firms targeted, the incident serves as a potent reminder of the threats posed by sophisticated state-sponsored hacking groups like Cozy Bear. Network segmentation limited the blast radius here, but it did not stop an adversary with a valid employee login from getting in. Ongoing investigations aim to shed light on the hackers' motives and objectives.