Citrix hackers may have stolen six terabytes worth of files

Firm blames “international cyber criminals”. Security firm blames Iranian-linked hackers.

Citrix hack

Three days ago, at the end of last week, Citrix made the kind of announcement that no company wants to make.

“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.”

Citrix blog

Sign up to our free newsletter.
Security news, advice, and tips.

In a statement posted on the Citrix blog, Chief Security Information Officer Stan Black admitted that the hackers may have accessed and downloaded some business documents – but it didn’t currently know which specific documents.

Black went on to say that no indication had been discovered that the security of any Citrix services or products had been compromised by the security breach.

And how had the breach occurred? Citrix said it hadn’t confirmed the mechanisms used by the attackers yet, but that the FBI suspected that the hackers had used a technique known as “password spraying”.

Password spraying sees attackers throw a relatively small number of common passwords at a large number of accounts. The theory is that given enough users, someone is likely to have made the mistake of using one of the common passwords.

Such tactics can be successful at sidestepping some of the mechanisms (such as rate-limiting) organisations put in place to deter hackers from trying to brute force their way into a specific account by throwing a large number of passwords at it.

Once a hacker has managed to gain limited access to an organisation’s infrastructure, they can then begin to use that as a foothold to try to dig deeper into the company’s network.

In its statement Citrix doesn’t name who it believes is responsible for the hack, preferring to label them as “international cyber criminals.” It’s perfectly possible, of course, that the company simply doesn’t have a clue as to who might have broken into its systems.

An NBC News report, however, has repeated claims of a security firm Resecurity that an Iranian-linked hacking gang known as Iridium was responsible for the attack.

Resecurity says it first alerted Citrix way back on December 28 2018 that it was being targeted by the Iridium group – a gang that is being blamed for attacks against hundreds of government agencies, oil and gas companies, as well as technology firms.

Clearly that wasn’t enough to stop the problem if Citrix had to be alerted by the FBI to continuing concerns last week.

Other recent victims of the Iridium group include the Australian parliament.

If Resecurity is to be believed, the Iridium hacking gang accessed “at least six terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares, and other services used for project management and procurement.”

There is no mention made on Citrix’s blog as to whether multi-factor authentication was enforced on user accounts, which might have provided an additional hurdle for any wannabe hacker. However, Resecurity’s researchers note that Iridium has “proprietary techniques allowing [it] to bypass 2FA authorisation.”

Citrix is declining to comment further about the incident, or Resecurity’s claims, preferring at the moment to point customers to its blog post instead.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Citrix hackers may have stolen six terabytes worth of files”

  1. omega42

    ".. Iridium has “proprietary techniques allowing [it] to bypass 2FA authorisation.”
    The concept is puzzling; the fact (if it so be) is devastating
    If someone has techniques to bypass 2FA, what is the point of using it

    1. Graham CluleyGraham Cluley · in reply to omega42

      It's unclear what they're referring to, but it could be a tool like Modlishka.

      https://grahamcluley.com/automated-phishing-attack-tool-bypasses-2fa-protection/

      Yes, those kind of reverse proxy tools can help hackers get past 2FA but it certainly doesn't mean any of us should give up on using 2FA! You're better off with multi-factor authentication than without.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.