Security Experts:

Connect with us

Hi, what are you looking for?



TeamSpy – A Decade-long Cyber Espionage Operation Targeting Eastern Europe

On Wednesday, CrySyS Lab, the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics, after being notified by the Hungarian National Security Authority (NFB), unveiled details on a near decade-long cyber espionage operation aimed at high profile targets, mainly in Eastern European countries.

On Wednesday, CrySyS Lab, the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics, after being notified by the Hungarian National Security Authority (NFB), unveiled details on a near decade-long cyber espionage operation aimed at high profile targets, mainly in Eastern European countries.

Interestingly, the primary attack tool used is a legitimate software product designed to provide remote computer support. In their attacks, the attackers performed their intelligence gathering and surveillance partly using TeamViewer, a tool commonly used for remote administration.

TeamSpyAccording to CrySyS, the attackers install a legitimate version of TeamViewer on the victim’s PC, but then modify it using DLL hijacking to gain remote access to the target system.

“The attackers are not only able to remotely observe the infected computers, but they can also misuse TeamViewer to install other tools to obtain important information, files, and other data from the victim,” the technical report explained.

Because of the attacker’s use of TeamView, researchers have named the malicious toolkit ‘TeamSpy‘.

While not as complex as some other recently discovered cyber weapons, TeamSpy joins the ranks of other high profile cyber espionage tools such as Duqu, Flame, Gauss and Red October.

According to CrySys, the ‘TeamSpy’ attack toolkit can search systems for document types including Microsoft Word, Excel, PDFs, .rtf and, files that included the names, *saidumlo* *secret* *секрет*.* *парол*.* *. *.pgp*, and *pass*.

“This list shows the interest of the attackers in “secret” and “password” documents. In addition, the attackers’ interest in .pgp and .p12 files indicates that they were looking not only for passwords, but also for cryptographic keys, which goes beyond attacks against ordinary users,” the report explained.

The attacks appear to be part of a nation-state cyber-surveillance/espionage operation targeting high profile targets throughout Eastern European nations. While the exact targets have not been disclosed by CrySyS, some information on victims show the following organizations were hit:

• 11/2012: Hungarian high profile governmental victim.

• 03/2013: Embassy of NATO/EU state in Russia

• 04/2010: Electronics company in Middle-East, Govt. background

• 03/2013: Multiple research/educational organizations in France and Belgium

• 03/2013: Industrial manufacturer in Russia

According to analysis from Kaspersky Lab, attackers have focused on hitting a variety of targets, ranging from activists and political targets, to heavy industry and national information agencies.

TeamSpy Infection Map

Based on the samples collected so far, CrySyS believes same threat actor produced many individual malware modules over the last ten years, some created solely to steal specific office documents, as mentioned above.

Once installed, attackers can remotely control the TeamSpy malware running on victim computers using the TeamViewer application (teamviewer.exe) which runs as a legitimate process.

What’s also interesting, is that according the company’s website, TeamViewer generates a session password that changes with every software start to provide additional security against unauthorized access to a remote system.

However, it seems that the customizations and DLL hijacking by the attackers have overcome TeamViewer’s security measures.

“Also it is not possible to invisibly control a computer,” the TeamViewer website explains. “For data protection reasons the person sitting on the remote computer has to be able to detect when someone is accessing the machine.”

SecurityWeek contacted TeamView, Inc. about the topic but did not recieve a response prior to publication.

Analysis of the command-and-control infrastructure shows that at least one of the domain names was registered in 2004. Interestingly, the attacks were previously brought up by Belarussian activists in a public warning in April 2012.

“During our investigation, we uncovered a large set of malware samples that were probably utilized back in the past; hence, our analysis can also shed light on older malware campaigns and might help victims to reveal incidents that are several years old,” CrySys researchers wrote in a blog post. “Therefore, the information disclosed in this report could be used to perform a longitudinal study of targeted malware attacks.”

ESET confirmed seeing some of these malicious components around the world in very small quantities over the course of last few years. According to ESET’s data, victims were locations in Turkey, Russia, Ukraine, Italy and a few Middle-East and former USSR countries. ESET also confirmed the existence of more variants of the avicap32.dll file used with TeamViewer, noting that some were recent.

The attackers aim for important targets, the report concluded. “This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc.”

This is a developing story and will be updated as more research is uncovered and analyzed.

Additional Research: CrySys Lab (PDF)

Additional Research: Kaspersky Lab (PDF)

Additional Research: SymantecTeamSpy: Backdoor to the Viewer (Blog)

Related Podcast: Ryan Naraine talks to Dr. Boldizar Bencsath of CrySyS Lab and Costin Raiu of Kaspersky Lab about Symantec’s recent Stuxnet 0.5 discovery and the connections to the other cyber-surveillance operations like Duqu and Flame. Listen Now  

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.