Citrix says its network was breached by international criminals

By Dan Goodin

The query window for username and password on a Web page can be seen on the monitor of a laptop.
Enlarge / The query window for username and password on a Web page can be seen on the monitor of a laptop.

Virtualization and software provider Citrix said its internal network was breached by international criminals who most likely exploited weak passwords to gain limited access before working to gain more privileged control.

The notice published Friday morning sent shockwaves through security circles because Citrix’s products and services are used by more than 400,000 organizations around the world, including 98 percent of the Fortune 500. Citrix is also widely used by governments and militaries. An intrusion by overseas hackers carries the risk of exposing technical information that could compromise the networks of customers.

Citrix said it still doesn’t know what specific data was stolen, but an initial investigation appears to show the attackers may have obtained business documents. For now, company officials said, there’s no indication that the security of any Citrix product or service was compromised. The company has commenced a forensic investigation and engaged a security firm to assist. Citrix has also taken unspecified actions to better secure it internal network.

Citrix said it was contacted by the FBI on Wednesday and that the bureau said it had reason to believe the Citrix network was breached.

“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Friday’s statement read. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

Friday’s advisory came the same day that NBC News, citing a firm called Resecurity, reported Iranian hackers stole at least 6 terabytes of data from Citrix over the past two months. Ars was unable to confirm that reporting, and in an interview, the Resecurity President Charles Yoo declined to provide details that would help outside researchers corroborate the report.

Citrix said its inquiry into the intrusion is “moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly.” Until more details are available, it’s too early to know the scope of the breach or its effect on customers.