VPN Provider Citrix Hacked, About 6 TB Data Accessed
Software maker and enterprise VPN provider Citrix has suffered a hack, which might have led to the hackers accessing about 6 TB of sensitive data, as per reports.
The FBI had contacted Citrix the previous week to inform the company of a data breach that had possibly affected its internal network. Citrix then investigated and confirmed the hack.
In a blog post authored by Citrix CISO Stan Black and published on March 8, 2019, the company confirms the hack. The blog post says, “On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network…Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”
The blog post further says, “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown.”
Meanwhile Los Angeles-based security firm Resecurity, in a blog post, claims to have warned Citrix about the possibility of the hack; the hack, according to Resecurity, has been conducted by an Iranian-linked group. The Resecurity blog post says, “The Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies including Citrix Systems, Inc…Resecurity has shared the acquired intelligence with law enforcement and partners for mitigation.”
The blog post states that on December 28, 2018, Resecurity had shared with Citrix an early warning notification about a targeted attack and data breach. It also states that an analysis of the timing and further dynamics of the attack shows it was planned and organized specifically for the Christmas period.
The Resecurity researchers have inferred that the Citrix breach is part of a sophisticated cyberespionage campaign and that nation-state players are involved. This inference is based on observations related to the nature of the campaign and the organizations targeted. (It’s mostly government, military-industrial complex, energy companies, financial institutions and enterprises involved in critical areas of an economy that are targeted).
The threat actors behind the intrusion might have accessed around 6 TB of data, as per Resecurity researchers. The blog post says, “Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
Citrix, which serves over 400,000 organizations, has clarified that there are no indications of any of the company’s products or services being compromised as a result of the attack. The Citrix blog post says that according to the FBI, the hackers might have used password spraying to gain initial access to the company’s network, following which they might have worked to circumvent the additional layers of security.
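The FBI's working theory quoted above, password spraying as the initial access step, has a recognizable footprint in authentication logs: one source trying a small number of passwords against many accounts, rather than many passwords against one. The following is an added detection example written for this article; it is not code from Citrix, the FBI or Resecurity. The log line format, the sample lines, the source addresses and the thresholds (five distinct accounts within a ten-minute window) are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical
# "<ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>" format.
# 203.0.113.7 tries five different accounts once each, then logs in as frank
# (the spray pattern). 198.51.100.4 hammers one account (brute force, not spray).
SAMPLE_LOG = """\
2019-03-06T02:00:01 auth FAIL user=alice src=203.0.113.7
2019-03-06T02:00:03 auth FAIL user=bob src=203.0.113.7
2019-03-06T02:00:05 auth FAIL user=carol src=203.0.113.7
2019-03-06T02:00:07 auth FAIL user=dave src=203.0.113.7
2019-03-06T02:00:09 auth FAIL user=erin src=203.0.113.7
2019-03-06T02:00:11 auth OK user=frank src=203.0.113.7
2019-03-06T02:01:00 auth FAIL user=alice src=198.51.100.4
2019-03-06T02:01:30 auth FAIL user=alice src=198.51.100.4
2019-03-06T02:02:00 auth FAIL user=alice src=198.51.100.4
2019-03-06T02:02:30 auth OK user=alice src=198.51.100.4
2019-03-06T09:00:00 auth FAIL user=bob src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples, sorted by time.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
        )
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag each source whose failed logins cover at least min_distinct_users
    different accounts inside one sliding window. For a flagged source, also
    list accounts that logged in successfully from it during or shortly after
    the window, since a spray followed by a success is the case that matters."""
    events = parse_events(log_text)
    failures = defaultdict(list)   # src -> [(ts, user)] in time order
    successes = defaultdict(list)  # src -> [(ts, user)] in time order
    for ts, result, user, src in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            end = start + window
            users = {u for t, u in fails[i:] if t <= end}
            if len(users) >= min_distinct_users:
                later_ok = sorted(
                    {u for t, u in successes.get(src, []) if start <= t <= end + window}
                )
                findings[src] = {"users": sorted(users), "success_after": later_ok}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['users'])} accounts; "
              f"successful logins afterwards: {info['success_after'] or 'none'}")
```

The distinct-account count is what separates a spray from ordinary brute force: 198.51.100.4 fails three times but against a single user, so it is not reported here, while 203.0.113.7 is reported together with the later success for `frank`, which is the event an incident responder would pivot on first. In a real deployment the source key would be enriched with the authenticating application and geolocation, and the thresholds tuned to the environment's normal failure rate.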
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.