Stan Black, the chief security and information officer at Citrix, wrote that the company was contacted by the FBI last Wednesday. The FBI told Citrix that it had reason to believe there was a successful attack on the company’s network by foreign parties.
According to Black, no Citrix products or services were compromised. “It appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown,” Black wrote. He noted that the investigation into the hacks is ongoing.
In the fallout from the attack, Citrix said it has taken action by: starting a forensic investigation; hiring a cybersecurity firm to assist the company; taking steps to secure its internal network; and by continuing to cooperate with the FBI.
Black said that, while not yet confirmed, the FBI believes a technique called password spraying was used to gain access. Password spraying is a tactic attackers use to exploit weak passwords. Once an attacker gains a foothold with limited access, they can work around the additional layers of security.
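The telltale shape of a password spray in authentication logs is one source failing against many different accounts with only one or two attempts each, which is what keeps it under per-account lockout thresholds. The following detector is an added example written for this article, not code from Citrix, the FBI or Resecurity; the log format, field names, IP addresses, user names and thresholds are all constructed assumptions. It separates a spray (many users, few attempts per user) from a single-account brute force (one user, many attempts) and reports any successful login from the spraying source after the spray began, which is the foothold the article describes.

```python
"""Flag password-spraying sources in a constructed authentication log.

Hypothetical example for illustration; the log format below is an assumption:
  "<ISO-8601 UTC timestamp> src=<ip> user=<account> result=OK|FAIL"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays six accounts once each and then logs
# in as "frank"; 198.51.100.7 brute-forces one account; 192.0.2.9 is a user
# who mistyped once. All addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-03-04T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-03-04T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-03-04T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-03-04T09:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-03-04T09:00:11Z src=203.0.113.5 user=frank result=FAIL
2019-03-04T09:04:30Z src=203.0.113.5 user=frank result=OK
2019-03-04T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:01Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:02Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:03Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:04Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:05Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:06Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:01:07Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T09:02:00Z src=192.0.2.9 user=gina result=FAIL
2019-03-04T09:02:10Z src=192.0.2.9 user=gina result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: details} for sources whose failures look like a spray.

    A source is flagged when, inside any sliding time window, its failed logins
    touch at least `min_users` distinct accounts with no single account failing
    more than `max_per_user` times. Thresholds are assumptions to tune locally.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        targeted, first_ts, start = set(), None, 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                targeted |= set(per_user)
                first_ts = first_ts or fails[start]["ts"]
        if first_ts is not None:
            # Any successful login from this source after the spray started is
            # the limited-access foothold worth escalating immediately.
            successes = sorted({e["user"] for e in evs
                                if e["result"] == "OK" and e["ts"] >= first_ts})
            alerts[src] = {"targeted_users": sorted(targeted),
                           "successes_after_spray": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The brute-force source is deliberately not flagged here because it is caught by ordinary per-account lockout; the spray source is invisible to that control and only shows up when failures are grouped by origin rather than by account, so this logic belongs alongside, not instead of, lockout policy and multi-factor authentication.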
“Citrix deeply regrets the impact this incident may have on affected customers,” wrote Black. He noted that Citrix will continue to post updates and work with law enforcement on understanding the details of the breach.
Iranian Hacker Group Could Be Behind Attack
Security research firm Resecurity International last week hinted at potentially more details on the hack. In a post on its site, the research firm said it reached out to both Citrix and law enforcement in December, prior to the hack becoming public knowledge. According to Resecurity President Charles Yoo, Citrix was hacked once in December and again last Monday.
According to Resecurity, an Iranian-linked group known as Iridium is behind the attack. Iridium uses proprietary techniques to bypass the authorization of critical applications and services to gain access to virtual private network channels and single-sign on systems.
In the case of Citrix, the firm said that Iridium was able to access 6 terabytes of sensitive data stored in Citrix’s network. This includes emails, files in network shares, and services used for project management and procurement.
“The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions, and large enterprises involved in critical areas of economy,” the firm wrote in its post.
Resecurity said that this group has hit more than 200 government agencies, oil and gas companies, and technology companies (such as Citrix).
While Resecurity’s original post said that the attack was organized during the Christmas period, it told NBC that the group may have hacked into Citrix’s network 10 years ago. Yoo told the news group that the hackers have been “lurking inside the company’s system ever since.”