TeamViewer attributes security incident to Russian APT group Midnight Blizzard

TeamViewer confirmed in its Trust Center on June 28 that it had experienced a cyberattack related to the credentials of a standard employee account within its internal corporate IT network.

In the security alert, TeamViewer said the attack took place on Wednesday, June 26, and was attributed to the Russian state-sponsored group Midnight Blizzard, also known as Cozy Bear and APT29.

Security experts raised concerns because Midnight Blizzard was also in the news today: it was confirmed that the group had compromised additional Microsoft customers’ emails as part of an attack on emails belonging to Microsoft executives. The attacks on Microsoft accounts were reported in January, and some of them resulted in unauthorized access to correspondence from U.S. government agencies.

Midnight Blizzard has been linked to several high-profile breaches since 2008, including the compromise of the Democratic National Committee in 2015 and the SolarWinds incident in 2020. Most recently, Midnight Blizzard has been credited with attacks on Microsoft and Hewlett Packard Enterprise in 2023 and 2024, where the group may have accessed and exfiltrated sensitive information from mailboxes.

The fact that Germany-based TeamViewer has a strong installed base of more than 600,000 customers worldwide also raised concerns. Companies and private individuals use the platform for remote access sessions.

TeamViewer claimed there was no evidence that the attacker gained access to its product environment or customer data. The company said TeamViewer’s corporate IT environment runs separately from its product environment.

The recent TeamViewer incident shows how well Midnight Blizzard has mastered advanced 3D phishing techniques, explained Stephen Kowski, Field CTO at SlashNext. Kowski said that by seamlessly combining carefully crafted text messages, Microsoft Teams messages and email phishing, the threat actors have shown that they can create a multi-channel attack that is incredibly difficult to detect and defend against.

Kowski added that with 3D phishing on the rise, it is critical for organizations to take a multi-layered approach to phishing, including implementing AI-powered solutions that can analyze and flag anomalies across different communication channels, conducting regular security audits, and – most importantly – investing in comprehensive employee training.

“By remaining vigilant and leveraging cutting-edge security technologies, we can better protect ourselves from these increasingly pervasive and deceptive attacks,” Kowski said. “Remember, in the face of such sophisticated threats, our best defense is a proactive, adaptive and technologically advanced security posture.”

Jason Baker, senior security advisor at GuidePoint Security, added that TeamViewer would likely not have significant value to Midnight Blizzard as a standalone intelligence gathering target.

“However, it is plausible that it is being used for reconnaissance purposes or as an attempt to compromise the supply chain of downstream customers,” Baker explained. “In the near future, we will be alert to further updates from TeamViewer that indicate access or impact to the product environment, as this would pose a greater concern for customers and clients.”