# Cyber Incident Victim: TeamViewer GmbH

Date: Sep 2016
Location: Germany

## Summary
TeamViewer experienced a cyber attack involving the Winnti backdoor, attributed to actors of Chinese origin, which was detected before significant damage occurred. After consulting authorities and forensic experts, the company concluded that no user data or source code had been stolen and chose not to disclose the breach publicly, citing operational security and ongoing prosecution efforts. Remediation included overhauling its data centers, removing potential backdoors, and sanitizing affected systems. Unrelated user account compromises reported around the same time were attributed to credential reuse from third-party breaches and had no connection to the internal breach. The attackers were linked to the Winnti Umbrella groups, known for targeting software and gaming companies to steal intellectual property.
## Description
In autumn 2016, TeamViewer detected a cyber attack on its systems involving the Winnti backdoor, suspected to originate from Chinese threat actors. Forensic investigations conducted by independent experts and coordinated with authorities found no evidence of data exfiltration or compromise of user systems, although the attackers did access source code repositories. By the end of 2016 TeamViewer had begun a comprehensive data center overhaul, removing potential backdoors and sanitizing systems. The company opted against public disclosure after consultations with law enforcement and security advisors, who concluded that notification would impede efforts to prosecute the attackers. This decision aligned with the responses to similar breaches at ThyssenKrupp (2016) and Bayer (2018), where Winnti attackers focused on technical trade secrets without confirmed data theft. TeamViewer maintained that the incident caused no operational disruption beyond internal remediation work, contrasting it with an unrelated June 2016 denial-of-service attack that disrupted its DNS infrastructure and prompted user complaints about unauthorized account access.

Earlier in 2016, TeamViewer faced public scrutiny when users reported account takeovers that enabled fraudulent PayPal transactions, despite some victims stating they used unique passwords and two-factor authentication. The company initially attributed these incidents to credential reuse from third-party breaches such as LinkedIn's 2016 data leak, dismissing any connection to its internal systems. Following backlash over its communication, which led to an apology for describing users as "careless," TeamViewer acknowledged that malware such as Backdoor.TeamViewer might facilitate access but maintained that its infrastructure had not been compromised. Security researchers later identified the perpetrators of the 2016 breach as part of the Winnti Umbrella collective, a set of groups including BARIUM and APT17 known for targeting software companies and gaming entities. These actors have historically sought source code and code-signing certificates, with tactics linking them to Operation ShadowHammer and to the supply chain attacks against CCleaner (2017) and NetSarang (2017). TeamViewer reiterated that forensic reviews found no operational impact on customer environments and no evidence linking the breach to the user account compromises reported during the same timeframe.
