Chinese cyberspies breached TeamViewer in 2016

TeamViewer said it detected and stopped the attack before hackers could do any damage.
Written by Catalin Cimpanu, Contributor

Chinese state-sponsored hackers breached German software maker TeamViewer in 2016, the company confirmed today to ZDNet after a report by German newspaper Der Spiegel.

"In autumn 2016, TeamViewer was target of a cyber-attack," a TeamViewer spokesperson said via email. "Our systems detected the suspicious activities in time to prevent any major damage."

The TeamViewer spokesperson told ZDNet that an investigation was conducted at the time, but did not find any evidence of abuse.

"An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way," the company said in an email.

The company's statement contradicts what Der Spiegel reported, with the German newspaper claiming Chinese hackers had been present inside TeamViewer's network since 2014.

Hackers deployed Winnti malware

According to Der Spiegel, the hackers who breached TeamViewer's network used Winnti, a backdoor trojan historically known to be in the arsenal of Beijing state hackers.

The malware was first seen in 2009, and was initially used just by one group of Chinese hackers -- which security researchers also started referencing as the Winnti group.

However, this changed in recent years when security researchers began to see the Winnti malware in attacks linked to multiple different Chinese-linked threat actors, according to reports from ProtectWise 401 TRG and Chronicle.

"The underlying hypothesis is that the malware itself may be shared (or sold) across a small group of actors," the Chronicle team said in a report published earlier this week.

This makes it impossible, at least for now, to know which of the many Chinese state-sponsored hacking groups was responsible for the TeamViewer intrusion.

However, two Chinese hacking groups fit this attack pattern: APT10 (a group focused on hacking cloud-based service providers) and APT17 (a group focused on supply-chain attacks).

TeamViewer is one of the world's largest providers of remote control and desktop sharing software. Its services are used by millions of users and large corporations. Hackers have always targeted TeamViewer because of the access the company's service can provide in the case of a successful breach. When they don't target the company directly, hackers also often brute-force their way into user accounts. Months before the successful Winnti hack in the fall of 2016, TeamViewer had faced a wave of user account hijacks, which many customers reported as originating from Chinese IP addresses.

TeamViewer is not the only German company that has been hacked and infected with the Winnti malware over the past three years.

German steel producer ThyssenKrupp disclosed a similar incident in 2016, and pharmaceutical giant Bayer just admitted last month to a 2018 hack during which the Winnti malware was also deployed.
