{
	"id": "16a7a4bb-27fe-4340-b170-42955cff59bf",
	"created_at": "2026-04-06T00:10:05.661973Z",
	"updated_at": "2026-04-10T03:37:54.535195Z",
	"deleted_at": null,
	"sha1_hash": "b6f9158beb89f4248ff29600d0f316476fa9b3ec",
	"title": "TeamViewer Confirms Undisclosed Breach From 2016",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1114585,
	"plain_text": "TeamViewer Confirms Undisclosed Breach From 2016\r\nBy Sergiu Gatlan\r\nPublished: 2019-05-17 · Archived: 2026-04-05 17:18:27 UTC\r\nTeamViewer confirmed today that it has been the victim of a cyber attack which was discovered during the autumn of 2016,\r\nbut was never disclosed. This attack is thought to be of Chinese origins and utilized the Winnti backdoor.\r\nThe company behind the highly popular TeamViewer remote desktop software told German publisher Der Spiegel that the\r\nattack was discovered before the threat group was capable of doing any damage, with experts and investigators failing to\r\nfind any evidence of data being stolen during the security incident.\r\nAlso, no evidence was found that the hackers were able to compromise or steal source code even though they had access to\r\nit, according to TeamViewer .\r\nhttps://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nBackdoors which might have been planted during the 2016 attack have also been removed after a data center overhaul and\r\nall systems \"completely checked, cleaned up and repositioned\" at the end of 2016 according to the Der Spiegel report.\r\nWhen asked by BleepingComputer about when and how the breach was discovered, TeamViewer said they detected the\r\nattack before any major damage was done.\r\n\"Like many technology leaders, TeamViewer is frequently confronted with attacks by cybercriminals. For this reason, we\r\ncontinuously invest in the advancement of our IT security and cooperate closely with globally renowned experts and\r\ninstitutions in this field.\r\nIn autumn 2016, TeamViewer was target of a cyber-attack.  Our systems detected the suspicious activities in time to prevent\r\nany major damage.  
An expert team of internal and external cyber security researchers, working together closely with the\r\nresponsible authorities, successfully fended off the attack.\"\r\nSeeing that the hackers were not able to steal any data during the attack, TeamViewer decided not to publish a security\r\nbreach notification to inform the users of the incident.\r\nRegarding the reasons behind the decision to not disclose the breach, a TeamViewer spokesperson further told\r\nBleepingComputer that based on consultation with relevant authorities and advisors, it was decided that it was not necessary\r\nto disclose the attack.\r\nIndependent experts conducted a thorough investigation using all IT forensic resources available and found no evidence that\r\nthe security of our users or their IT systems was affected in any way.\r\n  Together with the relevant authorities and our security advisors, we came to the joint conclusion that informing our users\r\nwas not necessary and would have been counterproductive to the effective prosecution of the attackers. 
Against this\r\nbackdrop, we decided not to disclose the incident publicly in the interest of the global fight against cybercrime and thus also\r\nin the interest of our users.\r\nAttackers have also used the Winnti malware against ThyssenKrupp in 2016 and Bayer in 2018, with ThyssenKrupp CERT\r\ninvestigators monitoring their activity and discovering that the hackers were only interested in stealing technical trade\r\nsecrets.\r\nIn the case of the attack against the largest drugmaker from Germany, investigators from the DCSO cybersecurity group —\r\nset up by Bayer with help from Allianz, BASF and Volkswagen — were also able to keep an eye on the group's activity\r\nsince the initial infiltration in early-2018 until March 2019 and also concluded that the hackers were not able to steal any\r\ndata.\r\nService outage due to DoS attack during the summer of 2016\r\nOn June 1, 2016, TeamViewer issued a press release acknowledging a service outage caused by a denial-of-service attack\r\n(DoS) which targeted the TeamViewer DNS server infrastructure. \r\nThis statement followed multiple user reports claiming that attackers took control of their computers using TeamViewer and\r\nusing their PayPal accounts to either make online purchases or steal money — a list was also created to track all the reported\r\nincidents.\r\nSome of the victims also claimed that the attackers successfully compromised their TeamViewer accounts even though they\r\nused unique very long passwords or had Two-Factor Authentication enabled, leading them to believe that TeamViewer's\r\ncomputing systems were hacked [1, 2, 3].\r\nHowever, in their press release, TeamViewer blamed the account hacks reported by its users on \"Careless use of account\r\ncredentials remains to be a key problem for all internet services. 
This particularly includes the use of the same password\r\nacross multiple user accounts with various internet services.\"\r\nTeamViewer also mentioned the possibility of some users having unintentionally downloaded and installed programs\r\ninfected with malware which could have allowed attackers to \"virtually do anything with that particular system – depending\r\non how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth.\"\r\nAfter the user uproar caused by the \"careless\" word used in the June 1 press release, TeamViewer apologized for using the\r\nword through its public relations manager, Axel Schmidt.\r\nTeamViewer also stated that the hacks reported by users might have had something to do with the Backdoor.TeamViewer\r\nmalware besides the initial mention of stolen password credentials.\r\nWhen asked if there is any connection between the account hacks reported in 2016 and the just disclosed\r\nbreach, TeamViewer told BleepingComputer that there is no connection.\r\nNo. The cyber-attack on TeamViewer is in no way connected to this.\r\nThe corresponding reports are presumably related to a theft of large amounts of data from popular internet services (e.g.\r\nLinkedIn) in the same year.  
If affected users had been using identical passwords for third-party services, such as\r\nTeamViewer, it was possible for attackers to abuse them for unauthorized access attempts.\r\nTeamViewer generally recommends using unique passwords for different services and setting up a two-factor authentication\r\nto effectively prevent this kind of attack.\r\nThe Winnti Umbrella\r\nWhile there is no attribution for the hacking group behind the 2016 attack TeamViewer just confirmed, multiple hacking\r\ngroups, collectively known by experts as the Winnti Umbrella according to ProtectWise 401 TRG, have been using the\r\nWinnti malware during their attacks.\r\nThe groups come under various names (i.e., Winnti Group, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and\r\nGREF) but Winnti Group is the first known to have used the Winnti backdoor during their campaigns.\r\nAs Kaspersky's GReAT full report on the Winnti Group from 2013 says, \"The main objective of the group is to steal source\r\ncode of online game projects as well as digital certificates of legitimate software vendors.\"\r\nBARIUM, another Winnti Umbrella threat group, which mainly targets software and gaming companies [1, 2] and is still\r\nactive as shown by its involvement in Operation ShadowHammer, could be the most probable candidate for this attack.\r\nKaspersky also found evidence that connected the methods and tools used as part of Operation ShadowHammer with the\r\nones employed in the supply chain attacks against CCleaner and NetSarang from 2017, with the threat actor behind the latter\r\nalready having been identified as BARIUM by ESET, Microsoft, and other security researchers.\r\nSource: https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/"
	],
	"report_names": [
		"teamviewer-confirms-undisclosed-breach-from-2016"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "27b56f48-7905-4da8-8d87-cea10adb1c6b",
			"created_at": "2022-10-25T16:07:24.044105Z",
			"updated_at": "2026-04-10T02:00:04.848898Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "ETDA:PassCV",
			"tools": [
				"Agentemis",
				"AngryRebel",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Excalibur",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kitkiot",
				"Moudour",
				"Mydoor",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"PCRat",
				"RbDoor",
				"Recam",
				"RibDoor",
				"Sabresac",
				"Sensocode",
				"Winnti",
				"ZXShell",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8",
			"created_at": "2023-01-06T13:46:38.528227Z",
			"updated_at": "2026-04-10T02:00:03.013713Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "MISPGALAXY:PassCV",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f9158beb89f4248ff29600d0f316476fa9b3ec.pdf",
		"text": "https://archive.orkl.eu/b6f9158beb89f4248ff29600d0f316476fa9b3ec.txt",
		"img": "https://archive.orkl.eu/b6f9158beb89f4248ff29600d0f316476fa9b3ec.jpg"
	}
}