The Health Information Sharing and Analysis Center (Health-ISAC) has issued a warning to the healthcare and public health sector about cyber threat actors exploiting TeamViewer remote connectivity software. TeamViewer provides remote access and remote control of devices and is commonly used for remote IT support and maintenance.
Health-ISAC has received intelligence from a trusted source that a threat actor tracked as APT29, aka Cozy Bear/Midnight Blizzard, has compromised TeamViewer, and threat actors associated with APT29 are abusing TeamViewer. APT29 is a threat group that has been in operation since at least 2008 and is a Russian hacking group associated with Russia’s intelligence agencies, the Federal Security Service (FSB) and Foreign Intelligence Service (SVR). The United States believes APT29 is led by the SVR.
In light of the compromise and threat intelligence confirming remote access tools are being leveraged by cyber threat actors, Health-ISAC strongly recommends implementing 2-factor authentication and using allowlist and blocklist to control who can connect to devices via TeamViewer and other remote access tools.
