News just broke that hackers breached technology company Citrix; the FBI notified the company on March 6th. According to security firm Resecurity, the Iranian group IRIDIUM planned and organized the attack in December of last year. Citrix hasn't yet disclosed how much customer data the criminals seized, but the amount could be mind-boggling. After all, Citrix services 98% of the Fortune 500 and 400,000 businesses all over the world. Citrix CISO Stan Black said, "We commenced a forensic investigation, engaged a leading cybersecurity firm to assist, took actions to secure our internal network, and continue to cooperate with the FBI."
Here's the timeline: According to Resecurity, it discovered the intrusion within Citrix in December and notified Citrix on the 28th of that month. Circumstances escalated on March 6th when FBI officials notified Citrix that hackers had breached its internal network. (We're not sure what Citrix did in the months between December and March.) Since then, Citrix has been working with authorities to investigate the breach.
With 200+ strikes under its belt, IRIDIUM has been known to target government agencies, oil businesses, gas companies, and technology firms. Its M.O. is gaining access to virtual private networks and other remote-access channels using proprietary techniques that allow its members to bypass two-factor authentication (2FA) for single sign-on applications and services. Resecurity's blog writes, "Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures allowing them to conduct targeted network intrusion to access at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement."
The FBI's working assumption is that the hackers got past Citrix's defenses by password spraying: instead of hammering one account with many guesses, the attacker tries a handful of common passwords against a large number of accounts. Each account sees only one or two failures, so per-account lockout thresholds never trigger, while any account with a weak password eventually yields. From there, the attackers would have had a foothold with limited access and worked to circumvent additional layers of security.
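To make the lockout-evasion point concrete, here is an added example (not code from the article, Citrix or the FBI) that runs a per-account lockout policy and a spray detector over a few constructed authentication log lines. The log format, the source addresses, the usernames and the thresholds are all assumptions chosen for illustration; real logs will need their own parser and tuning.

```python
"""Password spraying vs. per-account lockout, and how to detect the spray.

Added example, not from the article. Log format and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Citrix data). Assumed format:
#   "<ISO timestamp> src=<ip> user=<name> result=<SUCCESS|FAIL>"
# 203.0.113.7 sprays one guess across seven accounts and hits one.
# 198.51.100.2 brute-forces a single account (classic, lockout-prone).
# 192.0.2.10 is an ordinary user who typoed once.
SAMPLE_LOG = """\
2019-03-01T02:00:01 src=203.0.113.7 user=alice result=FAIL
2019-03-01T02:00:04 src=203.0.113.7 user=bob result=FAIL
2019-03-01T02:00:07 src=203.0.113.7 user=carol result=FAIL
2019-03-01T02:00:10 src=203.0.113.7 user=dave result=FAIL
2019-03-01T02:00:13 src=203.0.113.7 user=erin result=FAIL
2019-03-01T02:00:16 src=203.0.113.7 user=frank result=FAIL
2019-03-01T02:00:19 src=203.0.113.7 user=grace result=FAIL
2019-03-01T02:00:22 src=203.0.113.7 user=heidi result=SUCCESS
2019-03-01T02:05:00 src=198.51.100.2 user=alice result=FAIL
2019-03-01T02:05:03 src=198.51.100.2 user=alice result=FAIL
2019-03-01T02:05:06 src=198.51.100.2 user=alice result=FAIL
2019-03-01T02:05:09 src=198.51.100.2 user=alice result=FAIL
2019-03-01T02:05:12 src=198.51.100.2 user=alice result=FAIL
2019-03-01T02:05:15 src=198.51.100.2 user=alice result=FAIL
2019-03-01T09:00:00 src=192.0.2.10 user=bob result=FAIL
2019-03-01T09:00:30 src=192.0.2.10 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def simulate_lockouts(events, threshold=5, window=timedelta(minutes=30)):
    """Per-account policy: `threshold` failures within `window` lock the account.

    Returns the set of accounts the policy would have locked. A spray keeps
    every account below the threshold, so it never shows up here.
    """
    failures = defaultdict(list)
    locked = set()
    for ts, _src, user, result in events:
        if result != "FAIL":
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            locked.add(user)
    return locked


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts in `window` while
    making few attempts per account. Pivoting on the source rather than the
    account is what catches the pattern a lockout policy misses.

    Returns {source_ip: sorted list of targeted users}.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # sliding window from each failure
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = sorted(per_user)
                break
    return alerts


def spray_footholds(events, alerts):
    """Accounts that successfully authenticated from a flagged source: the
    weak-password accounts the spray found, i.e. the attacker's foothold."""
    return sorted({u for _ts, src, u, r in events if r == "SUCCESS" and src in alerts})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts locked by per-account policy:", simulate_lockouts(evs))
    found = detect_spray(evs)
    print("spray sources:", found)
    print("footholds gained:", spray_footholds(evs, found))
```

Running it shows the asymmetry the FBI's theory relies on: the single-account brute force from 198.51.100.2 locks alice, while the spray from 203.0.113.7 locks nobody yet walks away with a valid login for heidi. The detector fires only when attempts are spread across many accounts with few tries each, so the thresholds need tuning against your own baseline (shared proxies and VPN concentrators will look spray-like if they are not excluded).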
According to Citrix, “Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.” It's not yet clear how much data hackers stole. Black said, “While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.”
The scope and status of Citrix's clients make this breach significant. It also underscores the importance of enforcing multiple layers of data security. Find out more by reading Citrix's official statement.