Citrix, a major software company that handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many US corporations, announced in that it has become a victim of “international cyber criminals”. The company was contacted by the FBI with information, obtained by the cybersecurity firm Resecurity, about the hacking of its internal network.
According to Resecurity, the breach was conducted by an Iranian hacking group known as Iridium. Iridium is responsible for a number of other recent cyberattacks as well – against numerous government agencies, oil and gas companies and other targets. Charles Yoo, Resecurity's president, claims that Citrix Systems Inc. had already suffered an earlier data breach, in December 2018. The second attack is said to have yielded at least six terabytes of data.
Although it is too early to know the details, it is easy to see that the incident could have tremendous consequences. Citrix provides virtual private network access and credentials to 400 000 companies and other organizations worldwide. Furthermore, almost all of the Fortune 500 are among the company’s customers. Most worrying is the hint of a leak of business documents, mentioned in the statement:
“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.”
Despite the sparse information given in the statement, the most probable cause of the breach is mentioned. One might expect huge companies to have closed the basic security holes. Unfortunately, that’s not the case. It seems the attackers gained access to Citrix through several compromised employee accounts.
“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”
In “password spraying”, a short list of common passwords is tried against a large number of accounts, so that no single account sees enough failed attempts to trigger a lockout. Lyubomir Tulev, cybersecurity expert at AMATAS, commented on the case:
“This type of attack is always successful due to the fact that there are dozens of thousands of people around the world who still use less complex passwords, usually easily guessable, and many times those passwords are already in somebody’s dictionary files, so that the chance to brute-force a particular account with passwords and account names is high. Furthermore, this attack usually does not raise any Intrusion Detection/Prevention system’s alarms, because those security solutions are often configured to look for the whole picture of the network intrusion instead of monitoring each account.”
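As an added illustration of the detection gap Tulev describes (example code, not from the article or from AMATAS): a per-account lockout rule is run beside a cross-account rule over constructed authentication log lines. The log format, the source addresses and the thresholds are assumptions made for the example.

```python
"""Password-spraying detector over constructed auth log lines: one password is
tried against many accounts, so each account sees only one or two failures and
a per-account lockout never fires; grouping failures by source catches it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source ip> <account> <result>"
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 alice FAIL
2019-03-01T10:00:03 203.0.113.7 bob FAIL
2019-03-01T10:00:05 203.0.113.7 carol FAIL
2019-03-01T10:00:07 203.0.113.7 dave FAIL
2019-03-01T10:00:09 203.0.113.7 erin FAIL
2019-03-01T10:00:11 203.0.113.7 frank OK
2019-03-01T10:00:30 198.51.100.2 alice FAIL
"""

def parse(text):
    """Return (timestamp, source, account, result) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), s, u, r) for t, s, u, r in rows]

def per_account_lockouts(events, threshold=5):
    """Classic rule: lock an account after N failures. Misses a spray."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(minutes=10),
                  min_accounts=5, max_per_account=2):
    """Cross-account rule: one source failing against many distinct accounts
    inside `window` with few tries each. Returns {source: accounts hit}."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):            # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            hits = defaultdict(int)
            for _, user in fails[start:end + 1]:
                hits[user] += 1
            if len(hits) >= min_accounts and max(hits.values()) <= max_per_account:
                alerts[src] = max(alerts.get(src, 0), len(hits))
    return alerts
```

On the sample data the per-account rule returns nothing, while the cross-account rule flags the single source that touched five accounts in ten seconds.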
The investigation is ongoing and details will follow, but there are signs of a scandalous, extremely prolonged case of cybercrime. According to Resecurity, some clues indicate that Iridium hacked Citrix's network about ten years ago and has been lurking inside the company's systems ever since.
Charles Yoo also added that the hackers focused on FBI-related projects, NASA and aerospace contracts, and work with Saudi Aramco, Saudi Arabia's state oil company.
“Once an attacker goes into an environment and compromises one account, that's just the first stage. And what we uncovered and through our own analysis is a very sophisticated campaign,” he said.