Hackers from China used the Winnti backdoor to compromise TeamViewer's network in 2016
According to recent reports, back in 2016 TeamViewer detected and stopped Chinese hackers seeking to compromise its network. However, the incident was not publicly disclosed until May 2019, when company officials confirmed it to the newspaper Der Spiegel.
According to them, the company discovered the attack in time, which helped it avoid damage. Nevertheless, it appears that the hackers used the Winnti trojan, which had previously been used against software and gaming organizations in the US, Japan, and South Korea, to access TeamViewer's source code.
While it is believed that Chinese hackers were the ones who got into TeamViewer's system, no further evidence from the 2016 investigation has been released. The company stated only:
In autumn 2016, TeamViewer was the target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.
Winnti malware deployed in the attack
According to Der Spiegel, the malware used in this attack is the infamous backdoor trojan Winnti. One of the tools actively used by Chinese state-backed hackers, Winnti has been known since 2009. Initially it was used by a single Chinese hacker group, also dubbed Winnti, but the name has since become an umbrella term for all groups that use the trojan in their campaigns. That makes it impossible to say which group was responsible for the TeamViewer security incident.
Based on the pattern of the TeamViewer attack, researchers have a few hypotheses. For example, some have suggested that either APT10 or APT17 could be responsible: the former is known for attacks on cloud-based service providers and the latter for supply-chain campaigns, so either would be plausible. However, no evidence confirms any of these.
According to various reports, the Winnti backdoor's primary purpose is stealing source code:
The main objective of the group is to steal source code of online game projects as well as digital certificates of legitimate software vendors.
Previously, it was used by the Chinese hacker group Wicked Panda, which launched the cyber attack on Bayer back in April.
Another incident involving TeamViewer in 2016
Back in 2016, TeamViewer also issued an official report about a service outage caused by a DoS attack on its DNS server infrastructure. Around the same time, users reported that remote attackers had taken control of their devices and used their accounts to make purchases or even steal money; other reports claimed the system itself had been hacked and described compromised TeamViewer accounts.
However, when asked, TeamViewer denied any connection between the two incidents and instead blamed unrelated data breaches:
The corresponding reports are presumably related to a theft of large amounts of data from popular internet services in the same year. If affected users had been using identical passwords for third-party services, such as TeamViewer, it was possible for attackers to abuse them for unauthorized access attempts.