Health-ISAC Issues Warning About Abuse of TeamViewer Remote Connectivity Software
The Health Information Sharing and Analysis Center (Health-ISAC) has issued a warning to the healthcare and public health sector about cyber threat actors exploiting TeamViewer remote connectivity software. TeamViewer provides remote access and remote control of devices and is commonly used for remote IT support and maintenance.
Health-ISAC has received intelligence from a trusted source that a threat actor tracked as APT29, aka Cozy Bear/Midnight Blizzard, has compromised TeamViewer, and threat actors associated with APT29 are abusing TeamViewer. APT29 is a threat group that has been in operation since at least 2008 and is a Russian hacking group associated with Russia’s intelligence agencies, the Federal Security Service (FSB) and Foreign Intelligence Service (SVR). The United States believes APT29 is led by the SVR.
On Thursday, TeamViewer issued a statement confirming it had detected an irregularity in its internal network on June 26, 2024. According to its security update, “A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available.”
TeamViewer said it has implemented strong segregation of its corporate IT, production environment, and the TeamViewer connectivity platform to prevent lateral movement. The unauthorized activity involved the use of the credentials of a standard employee account to access its corporate environment, and the working theory is that APT29 is behind the attack. Currently, no evidence has been found to indicate that its product environment or customer data has been accessed.
“APT29 is one of the most challenging actors we track and they are targeting tech companies of all sizes. They work very hard to stay under the radar, but despite their focus on stealth, they are not afraid to undertake these bold supply chain attacks,” said John Hultquist, Mandiant Chief Analyst, Google Cloud. “They are moving through tech companies in order to get to their customers, where they expect to find the intelligence that feeds decision-making in the Kremlin. Generally, they are looking for insight into foreign affairs, with a particular emphasis on support for Ukraine, and they target government and related organizations for that information.”
In light of the compromise and threat intelligence confirming remote access tools are being leveraged by cyber threat actors, Health-ISAC strongly recommends implementing 2-factor authentication and using allowlists and blocklists to control who can connect to devices via TeamViewer and other remote access tools.


