Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, claims cyber-biz

Remote-desktop giant 'among more than 200 govt agencies, oil, gas, tech corps' hit by gang

Updated Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets.

The enterprise software giant – which services businesses, the American military, and various US government agencies – said it was told by the FBI on Wednesday that miscreants had accessed Citrix's IT systems and exfiltrated files.

According to little-known infosec firm Resecurity, which claimed it had earlier alerted the Feds and Citrix to the cyber-intrusion, at least six terabytes of sensitive internal files were swiped from the US corporation by the Iranian-backed IRIDIUM hacker gang. The spies hit in December, and Monday this week, we're told, lifting emails, blueprints, and other documents. The hackers have ways to bypass multi-factor login systems to slip into private networks, it is claimed.

"The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy," Team Resecurity said in a statement earlier today.

The outfit's specific claims have not been independently verified, we note, so at this time, caveat lector.

"Based on our recent analysis," the company continued, "the threat actors leveraged a combination of tools, techniques and procedures, allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares, and other services used for project management and procurement."

LA-based Resecurity added that IRIDIUM "has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix."

Resecurity also said it warned Citrix on December 28 that the software giant had been turned over by the hacker crew during the Christmas period. Citrix, meanwhile, said it took action – launching an internal probe and securing its networks – after hearing from the FBI earlier this week.


Earlier today, Citrix chief information security officer Stan Black gave his company's side of the story. He said that, as of right now, Citrix does not know exactly which documents the hackers obtained nor how they got in – the FBI thinks it was by brute-force password spraying – nor for how long they may have been camping on the corporate network. Black also described the thieves as "international cyber-criminals" rather than point the finger at any particular country.

"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents," he said. "The specific documents that may have been accessed, however, are currently unknown."

At this point, Citrix reckons the intrusion was limited to its corporate network, and thus believes customer records and data were not stolen nor touched.

Beyond that, however, it's anyone's guess as to what exactly the hackers may have lifted. As a massive provider of remote management, networking, and videoconferencing products, Citrix has a large portfolio spread across a number of sectors in the business and government IT markets. Its customers include the White House and the FBI, though it's not known at the moment whether the hack involved or menaced Uncle Sam's operations directly.

As the investigation is in its extremely early phases, Citrix said it will provide customers with regular updates as it gets more details. For now, Citrix said it is planning to cooperate fully with the FBI probe, and has also brought in an outside security firm to help investigate the intrusion and make sure that the hackers will not be able to get back into the network.

"Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly," Black said.

"In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information." ®


This story was revised after publication to include Resecurity's version of events. A spokesperson for Citrix confirmed "Stan’s blog refers to the same incident" described by Resecurity, adding: "We have no further comment at this time, but as promised, we will provide updates when we have what we believe is credible and actionable information." Resecurity declined to comment further.

So, was it the Iranians, or not? What data was stolen? Is it too early to tell? On the one hand, Resecurity previously claimed the Iran-linked IRIDIUM team attacked the Australian parliament's computers, yet sources close to the Oz government reckoned it appeared to be the work of China, though it could be another nation state masquerading as the Chinese.

On the other hand, Microsoft this week said hundreds of companies have been hacked by Iranian miscreants over the past two years. The plot thickens.
