American multinational software company Citrix has disclosed that it has been hit with a massive data breach of its internal network by “international cyber criminals”. Citrix provides popular software to companies around the world, including some high-profile, high-security entities such as the US military, the FBI and various US government agencies and corporations.
On Wednesday 6 March, the FBI warned Citrix that foreign hackers had compromised its systems and stolen documents. Which documents were taken is not yet known. In a blog post on its website, Citrix said:
While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.
The FBI believes that the bad actors likely used a “password spraying” attack. Password spraying is essentially a brute force attack turned on its side. In a brute force attack, a hacker repeatedly tries many common password combinations against one username, in the hope of compromising that account. In a password spraying attack, the hacker uses one, or only a few, common passwords against many user IDs, in the hope that at least one user has chosen a simple password. Attackers obtain the user IDs through social engineering and phishing campaigns.
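The distinction above (many passwords against one account versus one password against many accounts) is what a defender can look for in authentication logs. The following is an added detection example, not code from the article, Citrix or the FBI; the log format, user names and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the Citrix incident).
# Format: "<timestamp> <OK|FAIL> user=<id> src=<ip>"
SAMPLE_LOG = """\
2019-03-04T08:00:01 FAIL user=alice src=203.0.113.7
2019-03-04T08:00:02 FAIL user=bob src=203.0.113.7
2019-03-04T08:00:03 FAIL user=carol src=203.0.113.7
2019-03-04T08:00:04 FAIL user=dave src=203.0.113.7
2019-03-04T08:00:05 FAIL user=erin src=203.0.113.7
2019-03-04T08:00:06 OK user=frank src=203.0.113.7
2019-03-04T08:05:00 FAIL user=alice src=198.51.100.9
2019-03-04T08:05:01 FAIL user=alice src=198.51.100.9
2019-03-04T08:05:02 FAIL user=alice src=198.51.100.9
2019-03-04T08:05:03 FAIL user=alice src=198.51.100.9
2019-03-04T08:05:04 FAIL user=alice src=198.51.100.9
2019-03-04T08:10:00 OK user=gina src=192.0.2.44
"""

def parse(log_text):
    """Turn each log line into a dict with ts, ok, user and src fields."""
    events = []
    for line in log_text.splitlines():
        ts, result, user_kv, src_kv = line.split()
        events.append({"ts": ts, "ok": result == "OK",
                       "user": user_kv.split("=", 1)[1],
                       "src": src_kv.split("=", 1)[1]})
    return events

def classify_sources(events, fail_threshold=5):
    """Label each source IP with enough failures as 'spraying' (failures spread
    over many distinct accounts), 'brute_force' (failures piled on one account),
    'mixed', or 'normal' (too few failures to judge)."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append(e["user"])
    labels = {}
    for src, users in fails.items():
        if len(users) < fail_threshold:
            labels[src] = "normal"
        elif len(set(users)) >= fail_threshold:   # few passwords, many users
            labels[src] = "spraying"
        elif len(set(users)) == 1:                # many passwords, one user
            labels[src] = "brute_force"
        else:
            labels[src] = "mixed"
    return labels

def footholds(events, labels):
    """Accounts that logged in successfully from a source flagged as spraying:
    the 'limited access' foothold that should be investigated first."""
    return sorted({e["user"] for e in events
                   if e["ok"] and labels.get(e["src"]) == "spraying"})
```

Per-source counting is only a starting point: a spraying campaign usually stays below the per-account lockout threshold and is often spread across many source addresses over hours or days, so the same logic should also be run per time window across all sources.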
Later in the blog post, they said:
While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.
Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.
Citrix is keeping details of the breach close to its chest while the investigation is ongoing; however, cybersecurity firm Resecurity claims it alerted Citrix and the FBI to the breach at an earlier date, and it has shed more light on the incident.
Resecurity has disclosed that an Iranian hacking group called IRIDIUM is behind the attack. It claims that the group hit Citrix in December 2018, and again last week, stealing 6 terabytes of sensitive data, said to include internal emails, files and blueprints among other documents.
IRIDIUM has been behind high-profile attacks against over 200 government agencies around the world, including in the US, the UK and Australia. It also attacks technology companies, oil and gas companies, and others.
We expect that Citrix will disclose more information about the breach once the investigation has concluded; how long that will take, we cannot say at this time.