Citrix discloses security breach of internal network

Citrix learned of the hack from the FBI. Hackers stole business documents.
Written by Catalin Cimpanu, Contributor

American software company Citrix disclosed today a security breach during which hackers accessed the company's internal network.

In a short statement posted on its blog, Citrix Chief Security Information Officer Stan Black said Citrix found out about the hack from the FBI earlier this week.

"On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network," Black said.

"While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security," the Citrix exec added.

Black said hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had been stolen at the time of his announcement today.

The Citrix exec said there is no evidence to suggest that hackers tampered with Citrix's official software or other products.

The hack is still under investigation, and Black promised more updates on the incident as the company learns more.

An NBC report, published today shortly before the Citrix announcement and citing a source with Resecurity, claimed that a group of Iranian state hackers called "Iridium" might be behind this hack. Resecurity said that Iridium breached Citrix's network during the Christmas 2018 holiday.

Resecurity said hackers used techniques to bypass two-factor authentication and gain access to Citrix's internal network from where they accessed roughly 6TB of information.

A Citrix spokesperson declined to comment on the NBC report and Resecurity blog post, which convey substantially different information from the company's data breach announcement, when ZDNet reached out earlier today. Resecurity's findings have been questioned in the past.

In December 2018, Citrix reset passwords for some users of the Citrix ShareFile service after it detected a credential stuffing attack against its customers. However, that attack is unrelated to today's data breach announcement, as it targeted Citrix's customer network and customer accounts, and not its internal network and employee accounts.

Article updated with information about the NBC report, the Resecurity blog post, the December 2018 attack, and the Citrix refusal to comment.
