813-999-0631 info@tetratos.com
Chinese cyberspies breached TeamViewer in 2016

May 17, 2019

Chinese state-sponsored hackers breached German software maker TeamViewer in 2016, the company confirmed today to ZDNet after a report by German newspaper Der Spiegel. TeamViewer said it detected and stopped the attack before hackers could do any damage.

“In autumn 2016, TeamViewer was the target of a cyber-attack,” a TeamViewer spokesperson said via email. “Our systems detected the suspicious activities in time to prevent any major damage.”

The TeamViewer spokesperson told ZDNet that an investigation was conducted at the time, but did not find any evidence of abuse.

“An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way,” the company said in an email.


According to Der Spiegel, the hackers who breached TeamViewer’s network had used Winnti, a backdoor trojan historically known to be in the arsenal of Beijing state hackers.

The malware was first seen in 2009 and was initially used just by one group of Chinese hackers — which security researchers also started referencing as the Winnti group.

However, this changed in recent years when security researchers began to see the Winnti malware in attacks linked to multiple different Chinese-linked threat actors, according to reports from ProtectWise 401 TRG and Chronicle.

“The underlying hypothesis is that the malware itself may be shared (or sold) across a small group of actors,” the Chronicle team said in a report published earlier this week.

This makes it impossible, at least for now, to know which of the many Chinese state-sponsored hacking groups was responsible for the TeamViewer intrusion.

However, there are two Chinese hacking groups that fit this attack pattern, and they are APT 10 (a group focused on hacking cloud-based service providers) and APT17 (a group focused on supply-chain attacks).

TeamViewer is one of the world’s largest provider of remote control and desktop sharing software. Its services are used by millions of users and large corporations.

Hackers have always targeted TeamViewer because of the access the company’s service can provide, in the case of a successful breach.

When they don’t target the company directly, hackers also often brute-force their way into users accounts. Months before the successful Winnti hack in the fall of 2016, TeamViewer had faced a wave of user account hijacks, which many customers reported as originating from Chinese IP addresses.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter

Get weekly tech updates and immediate alerts when there is a zero-day or security issue!

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Pin It on Pinterest

Share This