Iranian-backed hackers stole at least 6TB from Citrix

Enterprise software vendor Citrix has said that foreign cybercriminals hacked its internal network, following an alert from the FBI.

The FBI contacted the company on March 6th and told it that its systems had been breached, Citrix revealed in a notice last Friday (March 8th, 2019).

“Citrix has taken action to contain this incident,” said Stan Black, CISO at Citrix. “We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”

Password spraying

While it hasn’t been officially confirmed, Black said the attackers appear to have used a tactic known as “password spraying”: trying a small number of commonly used passwords against a large number of accounts. Because each account sees only a handful of attempts, the technique stays under lockout thresholds and succeeds wherever a user has chosen a weak password.

“Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” said Black, via a company statement. “Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly.

“In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”
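The following is an added example, not Citrix’s own detection logic or anything from its statement. It shows how the pattern described above (many accounts, few attempts each, from one source) can be separated from ordinary brute force in authentication logs, and how a later successful login from a spraying source is surfaced as the kind of limited foothold Black refers to. The log format and the log lines are constructed for this example and do not correspond to any real product’s telemetry; the thresholds are assumptions.

```python
"""Flag password spraying in authentication logs.

Added example, not Citrix's own detection logic. The log format below is
constructed for this example (timestamp, source IP, username, result) and
does not correspond to any specific product's telemetry.

Spraying looks different from classic brute force: one source tries a few
common passwords across many accounts, so per-account failure counts stay
below lockout thresholds while the number of distinct accounts climbs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real log lines). 10.0.0.5 sprays one guess across
# eight accounts and gets in as "frank"; 10.0.0.9 hammers a single account;
# 10.0.0.7 is a user who mistyped a password once.
SAMPLE_LOG = """\
2019-03-01T02:00:01Z auth src=10.0.0.5 user=alice result=FAIL
2019-03-01T02:00:02Z auth src=10.0.0.5 user=bob result=FAIL
2019-03-01T02:00:04Z auth src=10.0.0.5 user=carol result=FAIL
2019-03-01T02:00:05Z auth src=10.0.0.5 user=dave result=FAIL
2019-03-01T02:00:07Z auth src=10.0.0.5 user=erin result=FAIL
2019-03-01T02:00:09Z auth src=10.0.0.5 user=frank result=SUCCESS
2019-03-01T02:00:11Z auth src=10.0.0.5 user=grace result=FAIL
2019-03-01T02:00:12Z auth src=10.0.0.5 user=heidi result=FAIL
2019-03-01T02:01:00Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:01:01Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:01:02Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:01:03Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:01:04Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:01:05Z auth src=10.0.0.9 user=admin result=FAIL
2019-03-01T02:05:00Z auth src=10.0.0.7 user=alice result=FAIL
2019-03-01T02:05:20Z auth src=10.0.0.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Parse the constructed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def analyze_source(events, window=timedelta(minutes=30)):
    """Slide a time window over one source's failed logins and return the window
    that touches the most distinct accounts, with the peak failures per account."""
    fails = sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"])
    best = {"distinct_accounts": 0, "max_per_account": 0, "failures": 0}
    for i, first in enumerate(fails):
        per_user = Counter()
        for e in fails[i:]:
            if e["ts"] - first["ts"] > window:
                break
            per_user[e["user"]] += 1
        if len(per_user) > best["distinct_accounts"]:
            best = {
                "distinct_accounts": len(per_user),
                "max_per_account": max(per_user.values()),
                "failures": sum(per_user.values()),
            }
    return best


def classify(summary, min_accounts=5, max_per_account=3):
    """Spray: many accounts, each hit only a few times (assumed thresholds).
    Brute force: an account hit past the lockout-style threshold. Else benign."""
    if summary["distinct_accounts"] >= min_accounts and summary["max_per_account"] <= max_per_account:
        return "password_spray"
    if summary["max_per_account"] > max_per_account:
        return "brute_force"
    return "benign"


def detect(text, **thresholds):
    """Group events by source IP, classify each source, and for spraying sources
    list accounts that authenticated successfully (the initial foothold)."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        summary = analyze_source(evs)
        verdict = classify(summary, **thresholds)
        compromised = []
        if verdict == "password_spray":
            compromised = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})
        report[src] = {**summary, "verdict": verdict, "compromised_accounts": compromised}
    return report


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

Grouping by a single source IP is the simplest cut; real sprays are often spread across many IPs or proxies, so the same counting is usually repeated per subnet, per user agent, or per short time bucket across all sources. The event worth paging on is the `compromised_accounts` entry: a success from a source that was just sprinkling failures across the directory is the foothold, not the failures themselves.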

With the investigation still ongoing, Black said that, based on the latest information, the hackers may have accessed and stolen business documents.

“The specific documents that may have been accessed, however, are currently unknown,” Black added. “At this time, there is no indication that the security of any Citrix product or service was compromised.

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”

Iranian hackers

Resecurity, a cybersecurity firm, said in a blog post that it had contacted Citrix on December 28th to warn the company about the breach. According to Resecurity, the attackers are part of an Iranian hacking group that has targeted more than 200 organisations, including government agencies, oil and gas companies, and technology firms.

The hackers accessed “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement,” Resecurity wrote.

Resecurity didn’t explain how it found out about the attack, but said it “has shared the acquired intelligence with law enforcement and partners for mitigation”.
