Iranian hackers raid Citrix's enterprise network

Australian parliament hackers gain remote access.

Remote access software house Citrix has alerted customers that it was hacked, after it was advised of the intrusion by the United States Federal Bureau of Investigation.

Citrix CSO Stan Black.

US security firm Resecurity said the Citrix hack was part of a larger wave of attacks against hundreds of government agencies, as well as technology and oil and gas companies.

Resecurity attributed the attacks to the Iran-linked Iridium group, and said the hackers had accessed "at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement."

The security vendor said Iridium uses proprietary techniques to bypass two-factor authentication and gain unauthorised access to virtual private networks and to single sign-on for applications and services.

Resecurity said it had alerted law enforcement and Citrix to the hack.

Citrix chief security officer Stan Black confirmed the hack and said the company had reason to believe "international cyber criminals" were behind the attack.

Black said the FBI advised Citrix that the hackers likely used password spraying, a technique in which a small set of common passwords is tried against many accounts to find those protected by weak passwords, to gain a foothold on the company's internal network.
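Password spraying looks different in authentication logs from a classic brute-force attack: one source touches many accounts with one or two guesses each, rather than hammering a single account. As an added illustration (this code is not from the article, Citrix or the FBI), the following Python detector runs over a constructed log sample in a hypothetical "timestamp result user source-IP" gateway format, flags sources that fail against many distinct accounts in a short window with few attempts per account, ignores a brute-force burst against one account, and then reports any account that subsequently logged in successfully from a flagged source. The thresholds and the log format are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Citrix data). Hypothetical gateway format:
# "<ISO 8601 timestamp> <FAIL|OK> <username> <source IP>".
# 203.0.113.7 sprays six accounts once each, then logs in as "erin";
# 198.51.100.9 brute-forces "admin"; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2019-03-08T09:00:01Z FAIL alice 203.0.113.7
2019-03-08T09:00:04Z FAIL bob 203.0.113.7
2019-03-08T09:00:09Z FAIL carol 203.0.113.7
2019-03-08T09:00:15Z FAIL dave 203.0.113.7
2019-03-08T09:00:21Z FAIL erin 203.0.113.7
2019-03-08T09:00:27Z FAIL frank 203.0.113.7
2019-03-08T09:31:02Z OK erin 203.0.113.7
2019-03-08T09:05:00Z FAIL admin 198.51.100.9
2019-03-08T09:05:02Z FAIL admin 198.51.100.9
2019-03-08T09:05:04Z FAIL admin 198.51.100.9
2019-03-08T09:05:06Z FAIL admin 198.51.100.9
2019-03-08T09:05:08Z FAIL admin 198.51.100.9
2019-03-08T09:05:10Z FAIL admin 198.51.100.9
2019-03-08T09:10:00Z FAIL alice 192.0.2.5
2019-03-08T09:10:20Z OK alice 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spraying(events, window=timedelta(minutes=30),
                    min_accounts=5, max_per_account=2):
    """Return {src: info} for sources whose failures, within any sliding window,
    span at least min_accounts distinct users with at most max_per_account
    failures each. Many accounts with few guesses each is the spray signature;
    many guesses against one account is brute force and is not flagged here."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    findings = {}
    for src, fails in by_src.items():
        fails.sort()  # log lines may arrive out of order
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                findings[src] = {
                    "accounts": len(per_user),
                    "failures": sum(per_user.values()),
                    "first": fails[start][0],
                    "last": fails[end][0],
                }
    return findings


def spray_hits(events, findings):
    """Accounts that logged in successfully from a flagged source after the spray
    began: the accounts whose weak password the attacker actually found."""
    hits = set()
    for ts, result, user, src in events:
        info = findings.get(src)
        if info and result == "OK" and ts >= info["first"]:
            hits.add((src, user))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spraying(evs)
    for src, info in found.items():
        print(f"spray from {src}: {info['accounts']} accounts, "
              f"{info['failures']} failures between {info['first']} and {info['last']}")
    for src, user in sorted(spray_hits(evs, found)):
        print(f"  successful login after spray: {user} from {src}")
```

Two caveats a practitioner would apply before trusting this in production: real sprays often rotate through many source addresses, so keying on source IP alone misses them and the same logic should also be run per ASN, user agent or target tenant; and the thresholds here are tuned to the constructed sample, so calibrate them against your own failure baseline before alerting on them.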

Citrix did not say how many accounts were compromised in the attack but said it "regrets the impact the incident may have on affected customers."

Initial investigation by the company and an unnamed cyber security firm points to the hackers having accessed and downloaded business documents.

However, Black said Citrix does not know at this stage which specific documents were accessed.

Currently there is no indication that the security of Citrix products and services was compromised, he added.

Resecurity said it had shared intelligence with the Australian Signals Directorate (ASD), the Australian Cyber Security Centre and the Australian Electoral Commission indicating that Iridium was behind the recent attack on Parliament.

ASD was told by Resecurity that two unnamed Australian government resources were compromised by Iridium on December 23 last year.

Further analysis by Resecurity of indicators of compromise (IOCs) in the first stage of Iridium's campaign showed that the attacks were oriented towards Windows servers.

The second stage attack in February leveraged targeted email compromise attacks and the dumping of a Global Address List (GAL), the directory of all mailboxes in the organisation.

Resecurity said it had been able to acquire the GAL file stolen in February and posted excerpts from it on its blog.

Iridium was behind a hack on the British parliament as well, in June 2017, Resecurity said.

The attack on Citrix is the second in recent times against the remote access software developer.

In December last year, Citrix reset user passwords after a credential stuffing attack, in which username and password pairs leaked from other breaches are replayed against a service, took place against its ShareFile service.

Copyright © iTnews.com.au . All rights reserved.