TeamViewer attack: The trail leads to Russia

The intruders from "Cozy Bear" had apparently captured the access data of a TeamViewer employee in order to penetrate the IT infrastructure.


The company headquarters of TeamViewer GmbH in Göppingen, Baden-Württemberg.

(Image: dpa, Christoph Schmidt)

This article was originally published in German and has been automatically translated.

As already suspected yesterday, Russian cyber spies are probably behind the attack on TeamViewer. The company confirmed that internal and external security experts suspect the group "Cozy Bear" (also known as "Midnight Blizzard" or APT29 in Microsoft-speak) to be behind the attack. Cozy Bear is linked to Russian military intelligence.

As TeamViewer explains, the attackers obtained the access data of an employee on June 26 – whether through social engineering, phishing or other methods is left open in the announcement. "Cozy Bear" then used these credentials to infiltrate the company's IT environment. However, the hostile account takeover was quickly noticed due to suspicious behavior and triggered countermeasures.

According to TeamViewer, it does not currently appear that the attackers had access to customer data or the production environment of the remote maintenance tool. This is strictly sealed off from the rest of the company's IT anyway, in order to make it more difficult for an attack to continue. Nevertheless, it is unclear whether companies and private individuals who use TeamViewer are at risk. The company promises full transparency and updates its security warning on an ongoing basis.

The attacker group "Cozy Bear" is suspected to be controlled by the Russian foreign intelligence service SWR (Служба внешней разведки). It has been active for over 15 years and has snooped on the CDU and stolen source code from Microsoft, among other things.

(cku)