Citrix is cooperating with the Federal Bureau of Investigation (FBI) to investigate a major data breach of the company’s internal network, where hackers may have accessed and downloaded business documents, though the full extent is not yet known.
Resecurity, a provider of cybersecurity and intelligence solutions, alerted the FBI in December of the data breach at Citrix. According to Resecurity, an Iranian-linked group known as IRIDIUM is responsible. The group is thought to have hit more than 200 government agencies, oil and gas companies, and technology firms, Citrix being one of them.
“Based our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement,” Resecurity stated in a blog post.
The FBI believes the hackers initially gained entry into the network using a tactic known as password spraying. This initially gave them limited access, though once they gained a foothold, the hackers were later able to circumvent additional layers of security.
IRIDIUM is believed to possess an arsenal of proprietary hacking tools that allows them to bypass two-factor (2FA) authorization, making it possible to access virtual private network (VPN) channels and other secure areas.
Citrix somewhat refutes the full extent of the damage as reported by Resecurity, saying it has found no indication so far that the security of any Citrix product or service was compromised in the breach and have issued the following statement:
On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.
Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.
Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.
While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.
While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.
Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.