Updated Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets.
The enterprise software giant – which services businesses, the American military, and various US government agencies – said it was told by the FBI on Wednesday that miscreants had accessed Citrix's IT systems and exfiltrated a significant amount of data.
According to infosec firm Resecurity, which had earlier alerted the Feds and Citrix to the cyber-intrusion, at least six terabytes of sensitive internal files were swiped from the US corporation by the Iranian-backed IRIDIUM hacker gang. The spies hit in December, and Monday this week, we're told, lifting emails, blueprints, and other documents, after bypassing multi-factor login systems and slipping into Citrix's VPNs.
"The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy," Team Resecurity said in a statement earlier today.
"Based our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures, allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares, and other services used for project management and procurement."
LA-based Resecurity added that IRIDIUM "has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix."
Resecurity also said it warned Citrix on December 28 that the software giant had been turned over by the hacker crew during the Christmas period. Citrix, meanwhile, said it took action – launching an internal probe and securing its networks – after hearing from the FBI earlier this week.
Earlier today, Citrix chief information security officer Stan Black gave his company's side of the story. He said that, as of right now, Citrix does not know exactly which documents the hackers obtained nor how they got in – the FBI thinks it was by brute-forcing weak passwords – nor for how long they may have been camping on the corporate network.
"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents," Black said. "The specific documents that may have been accessed, however, are currently unknown."
At this point, Citrix reckons the intrusion was limited to its corporate network, and thus believes customer records and data were not stolen nor touched.
Beyond that, however, it's anyone's guess as to what exactly the hackers may have lifted. As a massive provider of remote management, networking, and videoconferencing products, Citrix has an extremely large portfolio spread across a number of sectors in the enterprise IT market. Its customers include the White House and the FBI, though it's not known at the moment whether the hack involved or menaced Uncle Sam's operations directly.
As the investigation is in its extremely early phases, Citrix said it will provide customers with regular updates as it gets more details. For now, Citrix said it is planning to cooperate fully with the FBI probe, and has also brought in an outside security firm to help investigate the intrusion and make sure that hackers will not be able to get back in to the network.
"Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly," Black said.
"In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information." ®
Editor's note: This story was revised after publication to include Resecurity's version of events. A spokesperson for Citrix confirmed "Stan’s blog refers to the same incident" described by Resecurity, adding: "We have no further comment at this time, but as promised, we will provide updates when we have what we believe is credible and actionable information." Resecurity declined to comment further.
Sponsored: Becoming a Pragmatic Security Leader