Cyber attack on TeamViewer in 2016, Chinese suspected

TeamViewer GmbH, the German developer of the remote maintenance software TeamViewer, was the victim of a cyber attack in 2016. The company has confirmed this to the German magazine Der Spiegel. However, the hack was never made public by the company. Why not? Here are some details on what is known, and some thoughts on my part.


Some preliminary remarks about TeamViewer

Many of you know TeamViewer, a remote maintenance tool. It is easy to use and very functional, and even free for private users. According to the company, more than 200 million users (many of them companies) were using the software for web conferences and remote maintenance as early as 2014. The software is now said to be installed on 2 billion devices worldwide. The developer is the German TeamViewer GmbH from Göppingen (a small town near Stuttgart), founded in 2005.

The German news magazine Der Spiegel (paywalled article) describes TeamViewer as one of the most important 'unicorns' and startups from Germany. Well, after 14 years a company is no longer a startup (in my view). And I don't like the term unicorn, but I have to admit that TeamViewer is a success story. The company was, however, silently acquired by a private equity fund; I reported on this in the German blog post TeamViewer: 'Stille' Übernahme durch Private Equity–Fonds. The buyer was the British private equity firm Permira, which took over the GmbH in an exit for a purchase price of 1.1 billion US dollars (800 million euros), without announcing this publicly.

In that blog post I linked some information about Permira and also asked 'how trustworthy can this vendor be if it is not transparent in financial matters'. I have also reported on the misuse of manipulated TeamViewer versions in cyber attacks. To be fair, the TeamViewer developers cannot be blamed for the misuse and distribution of infected TeamViewer builds by suspect third-party actors. Nevertheless, during yesterday's research I came across a ZDNet article, published in April 2019, reporting that hackers are again using manipulated TeamViewer versions in attacks against governments across Europe.

That was the point at which I started trying to avoid TeamViewer. It was just a feeling, developed from the numerous abuse cases and the takeover by a private equity company, without my being able to provide hard evidence.

The cyber attack on TeamViewer

Der Spiegel now reports (paywalled) that the developer of TeamViewer was the victim of a cyber attack. The attack was based on the malware used by the Winnti hacker group, which also played a role in other attacks, for example the 2018 attack on the German Bayer AG (I blogged about this in my German article Sicherheitsinfos zum Sonntag (14. April 2019), published on Sunday, April 14, 2019) and the attack on the German ThyssenKrupp AG.


(Image: Pexels, Markus Spiske, CC0 license)

The Winnti hacker group is believed to operate on behalf of the Chinese state. The attack on TeamViewer was already discovered in 2016, but only now has the company confirmed it to Der Spiegel. The magazine quotes the company as saying that the attack was "discovered in time to prevent major damage".

According to Der Spiegel, both the IT experts commissioned to conduct the investigation and the data protection authorities had "not found any evidence that customer data had been stolen" or that "customer computer systems had been infected". This is why TeamViewer GmbH did not warn its own customers. "According to the unanimous opinion of all relevant third parties, broad information to customers was not indicated here", Der Spiegel quotes the company.

Bleeping Computer reported on a TeamViewer press release issued on June 1, 2016 confirming a service outage caused by a Denial of Service (DoS) attack targeting TeamViewer's DNS server infrastructure. I wasn't aware of this until today. I was more focused on reports from people who claimed that their passwords had been stolen. The Hacker News had an article on the subject at the time. A TeamViewer spokesman always told me that the passwords used in those hacks had been stolen by other means.

The explosive nature of the case

At this point I can close the circle I opened in the preliminary remarks. Remote maintenance software such as TeamViewer is an extremely sensitive tool. If it is compromised, an attacker potentially gains access to every computer on which it is installed, and TeamViewer is installed on about two billion devices worldwide (often for remote maintenance). Had a backdoor been planted in the software, this would have meant 'open sesame' for an attacker. I recently reported on successful supply chain attacks on software build and update chains (see ShadowHammer: ASUS Live Update infected with backdoor); in that case the trojanized updater was signed with legitimate ASUS certificates, so a valid code signature alone would not have caught it.

Apart from the above considerations, a public confirmation of the cyber attack on TeamViewer would probably have meant an enormous loss of reputation at the time. Company secrets spied out and software possibly compromised: that seems to have been a no-go for those responsible at TeamViewer and at the private equity firm Permira. In any case, the matter was kept private. A few days ago, the German business magazine Handelsblatt reported that the owners of TeamViewer are planning an IPO in autumn 2019.

In my opinion, the Spiegel report comes at the wrong time and disturbs the investors' beautiful IPO plans. A German site writes, with reference to the Spiegel article, that TeamViewer GmbH already overhauled its infrastructure in 2016. But the whole thing is sold as a 'precautionary measure', and a 'high single-digit million euro' amount is said to have been invested in IT security. To put that figure in perspective: TeamViewer's current IPO valuation is four to five billion euros, so an investment of around 10 million euros may well be peanuts. The company's comments on security and data protection can be read there.

What's left? In my eyes, TeamViewer's reputation as a trustworthy and transparent company is once again tarnished. The German Cyber Security Organization (DCSO), commissioned by TeamViewer, is convinced that the attack 'originated in China', while the TeamViewer developers told Der Spiegel that they "wanted to push ahead with expansion in the key Chinese market". Further articles on the subject can be found at Bleeping Computer and The Hacker News.
