Chinese cyberspies breached TeamViewer in 2016

May 17, 2019

Chinese state-sponsored hackers breached German software maker TeamViewer in 2016, the company confirmed today to ZDNet after a report by German newspaper Der Spiegel. TeamViewer said it detected and stopped the attack before hackers could do any damage.

“In autumn 2016, TeamViewer was the target of a cyber-attack,” a TeamViewer spokesperson said via email. “Our systems detected the suspicious activities in time to prevent any major damage.”

The TeamViewer spokesperson told ZDNet that an investigation was conducted at the time, but did not find any evidence of abuse.

“An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way,” the company said in an email.


According to Der Spiegel, the hackers who breached TeamViewer’s network had used Winnti, a backdoor trojan historically known to be in the arsenal of Beijing state hackers.

The malware was first seen in 2009 and was initially used just by one group of Chinese hackers — which security researchers also started referencing as the Winnti group.

However, this changed in recent years when security researchers began to see the Winnti malware in attacks linked to multiple different Chinese-linked threat actors, according to reports from ProtectWise 401 TRG and Chronicle.

“The underlying hypothesis is that the malware itself may be shared (or sold) across a small group of actors,” the Chronicle team said in a report published earlier this week.

This makes it impossible, at least for now, to know which of the many Chinese state-sponsored hacking groups was responsible for the TeamViewer intrusion.

However, there are two Chinese hacking groups that fit this attack pattern, and they are APT 10 (a group focused on hacking cloud-based service providers) and APT17 (a group focused on supply-chain attacks).

TeamViewer is one of the world’s largest provider of remote control and desktop sharing software. Its services are used by millions of users and large corporations.

Hackers have always targeted TeamViewer because of the access the company’s service can provide, in the case of a successful breach.

When they don’t target the company directly, hackers also often brute-force their way into users accounts. Months before the successful Winnti hack in the fall of 2016, TeamViewer had faced a wave of user account hijacks, which many customers reported as originating from Chinese IP addresses.

Related Articles

EHR Vendor Slapped With HIPAA Fine

EHR Vendor Slapped With HIPAA FineInvestigation Came in Wake of Cyberattack That Affected Millions Federal regulators have smacked a cloud-based electronics health records vendor with a $100,000 HIPAA settlement in the wake of a 2015 cyberattack that affected millions...

‘BlueKeep’ Windows Remote Desktop flaw gets PoC exploits

‘BlueKeep’ Windows Remote Desktop flaw gets PoC exploitsMultiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep. Microsoft patched a...

Database with millions of Instagram influencers’ info leaked online

Database with millions of Instagram influencers’ info leaked onlineThe leaked database was discovered on Shodan on May 14th. A huge online database containing private contact information including phone numbers and email IDs of roughly 50 million Instagram profiles...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter

Get weekly tech updates and immediate alerts when there is a zero-day or security issue!

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This