{
	"id": "6aa154fb-e54e-4706-a31e-8fa53a5f597d",
	"created_at": "2026-04-06T00:11:31.116128Z",
	"updated_at": "2026-04-10T03:37:33.127287Z",
	"deleted_at": null,
	"sha1_hash": "7947d645d89d0d3b05fa4d1702d0d2e204d636b5",
	"title": "TeamViewer's corporate network was breached in alleged APT hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 795128,
	"plain_text": "TeamViewer's corporate network was breached in alleged APT hack\r\nBy Lawrence Abrams\r\nPublished: 2024-06-27 · Archived: 2026-04-05 20:34:56 UTC\r\nUpdate: TeamViewer is now attributing the attack to the Russian state-sponsored hacking group known as Midnight\r\nBlizzard. Further updates added below.\r\nThe remote access software company TeamViewer is warning that its corporate environment was breached in a cyberattack\r\nyesterday, with a cybersecurity firm claiming it was by an APT hacking group.\r\n\"On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT\r\nenvironment,\" TeamViewer said in a post to its Trust Center.\r\nhttps://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/\r\nPage 1 of 4\n\n\"We immediately activated our response team and procedures, started investigations together with a team of globally\r\nrenowned cyber security experts and implemented necessary remediation measures.\"\r\n\"TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no\r\nevidence to suggest that the product environment or customer data is affected. 
Investigations are ongoing and our primary\r\nfocus remains to ensure the integrity of our systems.\"\r\nThe company says that it plans to be transparent about the breach and will continuously update the status of its investigation\r\nas more information becomes available.\r\nHowever, though they say they aim to be transparent, the \"TeamViewer IT security update\" page contains a \u003cmeta\r\nname=\"robots\" content=\"noindex\"\u003e HTML tag, which prevents the document from being indexed by search engines and\r\nthus makes it hard to find.\r\nTeamViewer is a very popular remote access software that allows users to remotely control a computer and use it as if they\r\nwere sitting in front of the device. The company says its product is currently used by over 640,000 customers worldwide and\r\nhas been installed on over 2.5 billion devices since the company launched.\r\nWhile TeamViewer states there is no evidence that its product environment or customer data has been breached, its massive\r\nuse in both consumer and corporate environments makes any breach a significant concern as it would provide full access to\r\ninternal networks.\r\nIn 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors due to their use of the Winnti backdoor. 
The\r\ncompany said they did not disclose the breach at the time as data was not stolen in the attack.\r\nAlleged APT group behind attack\r\nNews of the breach was first reported on Mastodon by IT security professional Jeffrey, who shared portions of an alert\r\nshared on the Dutch Digital Trust Center, a web portal used by the government, security experts, and Dutch corporations to\r\nshare information about cybersecurity threats.\r\n\"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer\r\nremote access and support platform by an APT group,\" warns an alert from the IT security firm NCC Group.\r\n\"Due to the widespread usage of this software the following alert is being circulated securely to our customers.\"\r\nAn alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, also warned today that\r\nTeamViewer services were allegedly being actively targeted by the Russian hacking group APT29, also known as Cozy\r\nBear, NOBELIUM, and Midnight Blizzard.\r\n\"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting\r\nTeamviewer,\" reads the Health-ISAC alert shared by Jeffrey.\r\n\"Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed\r\nleveraging remote access tools. Teamviewer has been observed being exploited by threat actors associated with APT29.\"\r\nAPT29 is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). 
The hacking\r\ngroup is known for its cyberespionage abilities and has been linked to numerous attacks over the years, including attacks on\r\nWestern diplomats and a recent breach of Microsoft's corporate email environment.\r\nWhile the alerts from both companies come today, just as TeamViewer disclosed the incident, it is unclear if they are linked\r\nas TeamViewer's and NCC's alerts address the corporate breach, while the Health-ISAC alert focuses more on targeting\r\nTeamViewer connections.\r\nBleepingComputer also contacted TeamViewer with questions about the attack but was told no further information would be\r\nshared as they investigated the incident.\r\nUpdate 6/27/24: NCC Group told BleepingComputer that they had nothing further to add when contacted for more\r\ninformation.\r\n\"As part of our Threat Intelligence service to our clients, we issue alerts on a regular basis based on a variety of sources and\r\nintelligence,\" NCC Group told BleepingComputer.\r\n\"At this time, we do not have anything further to add to the alert that was sent to our clients.\"\r\nUpdate 6/28/24: TeamViewer has told BleepingComputer that they have removed the noindex tag from their Trust Center\r\nand that it should be indexed soon by search engines.\r\nSource: https://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/"
	],
	"report_names": [
		"teamviewers-corporate-network-was-breached-in-alleged-apt-hack"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7947d645d89d0d3b05fa4d1702d0d2e204d636b5.pdf",
		"text": "https://archive.orkl.eu/7947d645d89d0d3b05fa4d1702d0d2e204d636b5.txt",
		"img": "https://archive.orkl.eu/7947d645d89d0d3b05fa4d1702d0d2e204d636b5.jpg"
	}
}