Citrix learned from the FBI on March 6, 2019, that attackers had breached its internal network and had been able to access and download a set of business documents. No Citrix products or services were impacted by the attack.
Stan Black, Citrix's Chief Security and Information Officer (CSIO), said in a blog post on the company's website that the internal network has been secured and that a cybersecurity firm has been hired to assist with a forensic investigation of the breach.
Black also stated that, based on what is known so far, the attackers may have accessed and downloaded business documents while inside Citrix's internal network:
While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.
Furthermore, although the FBI has not yet confirmed it, the attackers who infiltrated Citrix's internal network could be part of an international hacking group.
“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” said Black.
Citrix's CSIO also said that the company will provide more updates on the incident as new information becomes available from the ongoing investigation:
Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information. [..]
Black also stated that “Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”
American companies have been breached by state-linked hacking groups before; the most recent example is the December 2018 indictment of two members of the APT10 cyber-espionage group in the US District Court for the Southern District of New York.
According to the indictment, the group, also known as CVNX, Red Apollo, Cloud Hopper, Stone Panda, MenuPass, and Potassium, and linked to China's Ministry of State Security, has stolen secrets from organizations in at least 12 countries since at least 2006.
Update March 08 2019 15:07 EST: A report by NBC News says that Iranian-backed hackers were behind this breach and that they stole between 6 and 10 TB of documents. We have not yet confirmed this but have contacted ReSecurity and Citrix for more information.
Update March 08 2019 16:40 EST: A Citrix spokesperson told internetnewsblog that:
Our Chief Security and Information Officer Stan Black published the following blog confirming the facts related to the incident as we know them at this time. We have no further comment beyond this at this time. https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
Update March 08 2019 17:17 EST: ReSecurity also got back to us but declined to provide any further information, stating that:
Available public information is at Resecurity’s blog and today’s NBC article.