On Friday afternoon, Citrix said that it was investigating a compromise of their internal network. Here’s what we know and don’t know, plus my thoughts and observations.
What we know
Citrix chief information security officer Stan Black confirmed the following details on the Citrix blog on Friday, March 8:
- On Wednesday, March 6, the FBI contacted Citrix, with reason to believe that international cyber criminals had gained access to the internal Citrix network.
- According to the FBI, the attack was likely via password spraying.
- The breach appears to be limited to internal business documents, however they don’t know the specifics.
- They have no indication that Citrix products or services were affected.
- Citrix has started a forensic investigation; taken steps to secure their network; brought in an outside security firm to assist; and stated their commitment to transparency.
What else we might know
Also last Friday, March 8, a Los Angeles-based cyber security firm called Resecurity said that they warned Citrix about the breach back on December 28.
Citrix has not confirmed any of these details, but here’s what Resecurity is saying:
- Resecurity identified the attackers as the Iranian-back Iridium group, which has supposedly carried out targeted attacks on over 200 other organizations in government, technology, energy, and similar verticals.
- Iridium stole six terabytes of data, including files, emails, and data from product management and procurement platforms.
- Iridium used proprietary techniques to bypass two-factor authentication.
In an interview with NBC News, Resecurity president Charles Yoo added the following details:
- The attack took place through several compromised employee accounts.
- The data could be up to 10 terabytes.
- The initial attack was around the holidays, but there was also an attack last Monday.
- Resecurity believes Iridium may have been inside Citrix’s network for 10 years.
- Iridium’s ultimate goal was to target the US government, and the breached emails may have included correspondence with Citrix’s government customers and contacts.
What we don’t know
Again, neither Citrix nor the FBI or anybody else has confirmed the details from Resecurity. It’s not unusual for small, low-profile security firms to be the ones that sound the alarm on these types of attacks. On the other hand, The Register pointed out that Resecurity might not have the best track record on this, and Resecurity isn't exactly a household name.
Here's what we don't know:
- We don’t know the nature of the tools and procedures that the attackers used to compromise Citrix’s authentication and access controls.
- We don’t know what was in the internal documents that were stolen.
Thoughts and observations
News of Citrix’s breach dropped on Friday afternoon, and as of this writing (on Sunday) it looks like the response from the Citrix community has been fairly quiet. Except for those of us on the US west coast, many were probably out for the weekend and will be first learning about this Monday morning. There were some stronger reactions from some tech and general media outlets, but we can take this with the appropriate caution.
Of course, all we can do is stay calm while we wait to learn the details. Hopefully at some point we’ll find out exactly what happened, but until then, we can at least take a few general security lessons from this. In particular, remember the threat model: We’re potentially talking state-backed attackers, going after a high-value target. This model is likely very different than the model faced by you and me. Also, it’s not uncommon for companies to learn about their own breaches from third parties.
News of another breach is all too common. While stock prices and reputations may take a hit, six or 12 months down the line, a lot of them fade from mind. On the other hand, Citrix getting compromised is different. I can’t recall too many similar incidents involving vendors in our space (though if you can think of something, drop it in the comments). So, this is certainly a bit shocking and definitely hits close to home.
I’m hesitant to write about speculative scenarios, because I don’t want to contribute to any uncertainty, so take this with the appropriate disclaimer. Personally, one similar incident that does come to mind is the CIA Vault 7 leak. However, the outcome here all depends on the intent of the attackers. Probably they were just going after communications with the government, and maybe they just ended up with a bunch of random docs from the P: drive, but the worst case is they could have gotten vulnerabilities that could be exploited against customers, leading to more serious consequences.
Also, as a colleague reminded me, Citrix Files (ShareFile) also experienced a password-related attack last December. In that case, it was a password stuffing attack, which prompted Citrix to reset user passwords. There's nothing indicating that the two sets of attacks are related, but the similar element and timing is worth noting for the sake of having as much context as possible. Again, take these thoughts with the appropriate intention and disclaimer that they are only hypothetical.
The last word
We’ll try to keep calm, avoid jumping to conclusions, and wait until we know more. We can also use this as a reminder of various security lessons—including the lesson that this can happen to anybody. To all our friends at Citrix, we’re hoping everything is resolved quickly and smoothly.
Updated at 9:00am PDT to include a mention of the password stuffing attack against ShareFile.