TeamViewer can't bring itself to say someone broke into its network – but it happened

Claims customer data, prod environment not affected as NCC sounds alarm


Updated TeamViewer on Thursday said its security team just "detected an irregularity" within one of its networks – which is a fancy way of saying someone broke in.

We're told this "irregularity" was spotted inside TeamViewer's corporate IT environment on Wednesday, and that the biz immediately called in reinforcements in the form of cyber security investigators, implemented "necessary remediation measures," and activated its incident response team and processes, according to an announcement on Thursday.

TeamViewer sells software to remotely control and manage Windows PCs and other computers as well as tools to access systems via the web, and is used the world over. The words "TeamViewer" and "security breach" will make some people's blood run cold given how pervasively it is used; a compromise of the platform could be devastating. TeamViewer says it has more than 600,000 customers.

Regardless, the software maker's disclosure attempted to downplay the intrusion – sorry, "irregularity."

"TeamViewer's internal corporate IT environment is completely independent from the product environment," it read. "There is no evidence to suggest that the product environment or customer data is affected."

But, it added, "investigations are ongoing and our primary focus remains to ensure the integrity of our systems."

TeamViewer spokesperson Maria Gordienko declined to answer The Register's specific questions about the incident – including whether it was ransomware or worse – citing the ongoing investigation. "As soon as new relevant facts become available, we will update the statement for the general public," she deflected. 

It appears top infosec house NCC Group has already tipped off its customers to the security snafu, and blamed an unnamed advanced persistent threat (APT) team.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," NCC warned in a memo, shared earlier on Mastodon by an IT security pro going by the name Jeffrey.

"Due to the widespread usage of this software the following alert is being circulated securely to our customers," the shared missive, confirmed as legit by NCC, continued. We've asked the security group for further details it can share with the public.

And speaking of TeamViewer and APTs, Brett Callow, threat analyst at Emsisoft, pointed to an alert Thursday by the US-based Health Information Sharing and Analysis Center (H-ISAC) to the health sector about ongoing exploitation of TeamViewer and how healthcare operators should respond.

That memo reads:

The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-ISAC recommends users review logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.

H-ISAC noted in its industry bulletin that it had been warned by a friendly intel partner that APT29 – aka Russian intelligence's Cozy Bear crew – has been "actively exploiting Teamviewer."

"TeamViewer has been observed being exploited by threat actors associated with APT29," it added.

That could mean the Russians are separately exploiting weaknesses within TeamViewer itself to get into victims' networks, or taking advantage of poor customer-side security to get in via the remote-desktop software. Or H-ISAC is saying the aforementioned intrusion into TeamViewer's own systems was carried out by the Kremlin.
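The H-ISAC advice above, to review logs for unusual remote-desktop traffic and to use an allowlist of who may connect, can be turned into a small triage script. What follows is an added example, not code from the article, H-ISAC or TeamViewer. It assumes the tab-separated column order of TeamViewer's Connections_incoming.txt (TeamViewer ID, display name, start, end, local user, connection type, connection ID); the log lines, the allowlist and the business-hours window are constructed for illustration, so check the column layout of your own files before relying on it.

```python
"""Triage TeamViewer incoming-connection logs against an allowlist.

Added example, not from the article or from TeamViewer. It assumes the
tab-separated layout of Connections_incoming.txt:
ID, display name, start, end, local user, connection type, connection ID.
"""
from datetime import datetime, time

# Constructed sample log lines (not real connection data).
SAMPLE_LOG = """\
123456789\tHelpdesk-Laptop\t27-06-2024 09:12:41\t27-06-2024 09:40:03\tjdoe\tRemoteControl\t{aaaa-1111}
987654321\tUnknown\t27-06-2024 02:17:05\t27-06-2024 03:55:19\tjdoe\tRemoteControl\t{bbbb-2222}
123456789\tHelpdesk-Laptop\t28-06-2024 14:00:00\t28-06-2024 14:05:30\tadmin\tRemoteControl\t{cccc-3333}
555555555\tVendor-Support\t28-06-2024 23:48:10\t29-06-2024 00:02:44\tadmin\tRemoteControl\t{dddd-4444}
"""

# Hypothetical allowlist of TeamViewer IDs the organisation expects to see.
ALLOWED_IDS = {"123456789"}
# Hypothetical business-hours window; sessions starting outside it get flagged.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
TS_FORMAT = "%d-%m-%Y %H:%M:%S"
MAX_SESSION_SECONDS = 3600


def parse_connections(text):
    """Yield one dict per well-formed log line; skip blank or short lines."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        yield {
            "tv_id": fields[0],
            "name": fields[1],
            "start": datetime.strptime(fields[2], TS_FORMAT),
            "end": datetime.strptime(fields[3], TS_FORMAT),
            "local_user": fields[4],
            "type": fields[5],
        }


def flag_connection(conn, allowed_ids=ALLOWED_IDS, hours=BUSINESS_HOURS):
    """Return the list of reasons a connection deserves a second look."""
    reasons = []
    if conn["tv_id"] not in allowed_ids:
        reasons.append("source ID not on allowlist")
    start_t = conn["start"].time()
    if not (hours[0] <= start_t < hours[1]):
        reasons.append("started outside business hours")
    if (conn["end"] - conn["start"]).total_seconds() > MAX_SESSION_SECONDS:
        reasons.append("session longer than one hour")
    return reasons


def suspicious_connections(text):
    """Return [(tv_id, start ISO timestamp, reasons)] for every flagged line."""
    out = []
    for conn in parse_connections(text):
        reasons = flag_connection(conn)
        if reasons:
            out.append((conn["tv_id"], conn["start"].isoformat(), reasons))
    return out


if __name__ == "__main__":
    for tv_id, start, reasons in suspicious_connections(SAMPLE_LOG):
        print(f"{start} from {tv_id}: {', '.join(reasons)}")
```

On the sample above the script flags the 02:17 session from an unknown ID (off the allowlist, outside hours, and over an hour long) and the late-night vendor session, while the two helpdesk sessions pass. Any hit should be cross-checked against change tickets and the account's own allowlist settings before being treated as an intrusion.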

We're seeking further details and will let you know when we hear more. ®

Updated to add

TeamViewer has confirmed it was hit by Russia's APT29 aka Cozy Bear.
