Citrix Systems Breached ‘for 10 Years by Iran,’ Claims Unknown Infosec Firm

Citrix Systems’ networks were infested with hackers, who stole terabytes of data. So says a security service provider that nobody’s heard of—and which seems to have popped out of nowhere.

It was Iran, alleges the dubitable company. And so the mainstream media rush to parrot the unfound finding. But where’s the evidence?

Neither Citrix nor the FBI are saying. In today’s SB Blogwatch, we feel like useful idiots.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: moving pictures.

Iran? Says Who?

What’s the craic? Dan de Luce and Courtney Kube report—hackers stole data from … software giant Citrix:

Iranian-backed hackers have stolen vast amounts of data from a major software company that handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations.

Employing brute force attacks … the assault was carried out by the Iranian-linked hacking group known as Iridium, which was also behind recent cyberattacks against numerous government agencies, oil and gas companies and other targets, Charles Yoo, Resecurity’s president, said. … The attackers gained access to Citrix through several compromised employee accounts.

Citrix [said] the FBI had informed the company … that it had come under attack … and that it was taking action “to contain this incident. … It appears that the hackers may have accessed and downloaded business documents. … At this time, there is no indication that the security of any Citrix product or service was compromised. … Citrix deeply regrets the impact this incident may have on affected customers.”

[Resecurity’s] analysis of the cyberattack indicated the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts and work with … Saudi Arabia’s state oil company. … The hackers [had] access to private communication with government agencies about various sensitive information technology projects involving the FBI, the Missile Defense Agency, the Defense Logistics Agency, the White House communications agency, the Defense Information Systems Agency (DISA) and others.

[Resecurity] has reason to believe that Iridium broke its way into Citrix’s network about 10 years ago, and has been lurking inside the company’s system ever since.

Ten years? Shaun Nichols registers his take—“Iranian-backed hackers ransacked Citrix”:

Foreign hackers romped through [Citrix’s] internal company network and stole corporate secrets. … At least six terabytes of sensitive internal files were swiped.

The spies hit in December, and [last] week, we’re told, lifting emails, blueprints, and other documents. The hackers have ways to bypass multi-factor login systems to slip into private networks, it is claimed. [But the] specific claims have not been independently verified, we note, so at this time, caveat lector.

So, was it the Iranians, or not? What data was stolen? Is it too early to tell?

A spokesperson for Citrix [said] “We have no further comment at this time, but as promised, we will provide updates when we have what we believe is credible and actionable information.”

But why finger Iran? Resecurity president Charles Yoo says the supply chain is the major target of cyberespionage:

The Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies including Citrix. [We] reached out to Citrix and shared early warning notification about targeted attack and data breach.

The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state. … We forecast a continued growth of targeted cyber-attacks on supply chains of government and large enterprises organized by state-actors and sophisticated cyberespionage groups.

But no actual evidence of Iranian involvement? Citrix CISO Stan Black is a tad more circumspect—unauthorized access to internal network:

On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.

Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. … Details matter, and we are committed to communicating appropriately when we have … credible and actionable information.

The FBI has advised that the hackers likely used a tactic known as password spraying.

So who are these Resecurity people? salimmadjd digs deeper:

There is some odd stuff about [Resecurity].

1 – their CEO has no real LinkedIn history
2 – their revenue and employment went off the chart in just 2 quarters
3 – very unclear how they came to this assessment.

I look at this evidence with some skepticism.

And eikxyz deeper still:

Resecurity’s WordPress site has directory listing turned on. Most content on the website seems to have been uploaded in February.

Looks like a fish, smells like a fish.

But mcintyre1994 offers a, “slightly less cynical explanation”:

Could it be a parallel construction type thing? Something like: The FBI (or whoever) have espionage on whichever groups and heard data from Citrix being discussed, but they don’t want to reveal that espionage so they reveal it through Resecurity.

Enough shooting the messenger. Nasrudith cuts to the chase:

Brute forcing weak passwords? Someone is doing something horribly wrong here on several levels. At the very least [it] should have rate limits if not locking for repeated password attempts. For servers themselves allowing password logins is inexcusably bad.
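The distinction Nasrudith draws matters in practice: a per-account lockout counter catches a brute-force run against one user but is blind to password spraying, where one source tries a single common password against many accounts and never trips any one account's threshold. The script below is an added illustration, not code from the original post or from Citrix or Resecurity; it runs over a handful of constructed authentication log lines in an assumed simplified format and shows the per-account rule missing the spray that a per-source, distinct-account rule flags, plus the accounts that the spraying source then logged into successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not from any real system.
# 203.0.113.5 sprays one guess across five accounts, then succeeds on "frank".
# 198.51.100.7 hammers a single account ("alice") and trips the per-account rule.
SAMPLE_LOG = """\
2019-03-06T10:00:01Z auth_fail user=alice src=203.0.113.5
2019-03-06T10:00:02Z auth_fail user=bob src=203.0.113.5
2019-03-06T10:00:03Z auth_fail user=carol src=203.0.113.5
2019-03-06T10:00:04Z auth_fail user=dave src=203.0.113.5
2019-03-06T10:00:05Z auth_fail user=erin src=203.0.113.5
2019-03-06T10:00:06Z auth_ok user=frank src=203.0.113.5
2019-03-06T10:00:07Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:00:08Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:00:09Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:00:10Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:00:11Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:00:12Z auth_fail user=alice src=198.51.100.7
2019-03-06T10:01:00Z auth_ok user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the assumed 'timestamp outcome user=.. src=..' format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ok": m.group(2) == "auth_ok",
                       "user": m.group(3), "src": m.group(4)})
    return events


def per_account_lockouts(events, threshold=5):
    """Classic per-account rule: users with >= threshold failures, any source."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Per-source rule: a source failing against >= min_accounts distinct
    users inside a sliding time window is flagged as a password spray."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[src] = sorted(best)
    return hits


def spray_successes(events, sprayers):
    """Accounts that a flagged spraying source later authenticated to:
    the first accounts to reset and investigate."""
    got_in = defaultdict(set)
    for e in events:
        if e["ok"] and e["src"] in sprayers:
            got_in[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in got_in.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(ev))
    sprayers = detect_spray(ev)
    print("spraying sources:", sprayers)
    print("accounts the sprayer got into:", spray_successes(ev, sprayers))
```

Run on the constructed input, the per-account rule flags only `alice` (the single-account brute force), while the per-source rule flags `203.0.113.5` against five accounts and then surfaces `frank` as the account it actually got into. The thresholds are assumptions for the example; in production they are tuned to the tenant's normal failure rate, and the per-source rule is weakened by attackers who rotate source addresses, which is why a third counter keyed on the distinct-accounts-per-minute across the whole tenant is usually added.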

OK, bad for Citrix, but how big of a deal otherwise? This Anonymous Coward swears it’s big:

Citrix does a whole fleet of products that this breach is very problematic for:

Citrix Hypervisor(XenServer)
Citrix Netscaler Gateway
Citrix Web App Firewall …
Citrix Virtual Apps and Desktop (formerly XenApp, formerly Citrix terminal server).

A Citrix breach is a big ****ing deal, especially when it wasn’t self-discovered and they don’t even know what was accessed yet.

Meanwhile, werks works it out:

If the FBI are the ones telling you you’ve been breached, and not your own internal SOC, it’s all over.

And Finally:

Justin “Drivel Sieve” Mason made these postcards move

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Citrix Systems (cc:by)


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
