Iranian hackers steal 6TB of sensitive data

A team of Iranian hackers has stolen 6 terabytes of highly sensitive data from multi-national software company Citrix by finding a commonly used password to unlock the firm’s security system.

The incident shows how vital good password management is: the group, which calls itself Iridium, is believed to have used a password spraying technique, bombarding Citrix accounts until a commonly used password gave them entry to the system. Once inside, they were able to work their way through the firm’s online security until hitting the data jackpot.

Targets
The password spraying technique differs from a brute force attack, which targets a single account with a barrage of passwords. Instead, the hackers try a small number of commonly used passwords against many accounts at once to see if any of them work, which keeps each individual account below the failed-attempt threshold that would normally lock it.
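The difference between the two patterns is exactly what a defender can key on in authentication logs: a spray shows up as one source touching many accounts with only a failure or two each, while a brute force attack shows up as one account absorbing many failures. The following detector is an added example written for this post, not code from Citrix, Resecurity or the article; the log format, the constructed sample lines and the thresholds (five accounts in a five-minute window for a spray, ten failures on one account for brute force) are all assumptions, and it also records any successful login from the same source after the failures began, since that is the "foothold" the article describes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Citrix data). Assumed format:
#   "<ISO-8601 timestamp> auth=<ok|fail> user=<account> src=<client ip>"
SAMPLE_LOG = "\n".join(
    [
        # One source, six different accounts, one or two failures each: a spray.
        "2019-03-01T08:00:01 auth=fail user=alice src=203.0.113.5",
        "2019-03-01T08:00:02 auth=fail user=bob src=203.0.113.5",
        "2019-03-01T08:00:03 auth=fail user=carol src=203.0.113.5",
        "2019-03-01T08:00:04 auth=fail user=dave src=203.0.113.5",
        "2019-03-01T08:00:05 auth=fail user=erin src=203.0.113.5",
        "2019-03-01T08:00:06 auth=ok user=frank src=203.0.113.5",  # the common password hit
        "2019-03-01T08:00:07 auth=fail user=grace src=203.0.113.5",
        "2019-03-01T08:00:08 auth=fail user=alice src=203.0.113.5",
    ]
    # One source hammering a single account: classic brute force.
    + [f"2019-03-01T08:01:{s:02d} auth=fail user=bob src=198.51.100.7" for s in range(12)]
    + [
        # A user who mistyped twice and then got in: benign, should not alert.
        "2019-03-01T08:05:00 auth=fail user=alice src=192.0.2.9",
        "2019-03-01T08:05:30 auth=fail user=alice src=192.0.2.9",
        "2019-03-01T08:05:45 auth=ok user=alice src=192.0.2.9",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def analyse(events, window=timedelta(minutes=5), spray_min_accounts=5,
            spray_max_per_account=3, brute_min_failures=10):
    """Classify each source IP as password_spray, brute_force, or nothing.

    For every source, failures are scanned with a sliding time window; the
    first window that matches a pattern produces the finding for that source.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "fail"]
        j = 0
        for i in range(len(fails)):
            start = fails[i]["ts"]
            # Advance the window end to cover every failure within `window` of start.
            while j < len(fails) and fails[j]["ts"] - start <= window:
                j += 1
            per_user = Counter(e["user"] for e in fails[i:j])
            top = max(per_user.values())
            if len(per_user) >= spray_min_accounts and top <= spray_max_per_account:
                pattern = "password_spray"   # many accounts, few tries each
            elif top >= brute_min_failures:
                pattern = "brute_force"      # one account, many tries
            else:
                continue
            # Any successful login from this source after the failures began is
            # the foothold worth escalating on.
            later_ok = sorted({e["user"] for e in evs
                               if e["result"] == "ok" and e["ts"] >= start})
            findings[src] = {
                "pattern": pattern,
                "accounts_targeted": len(per_user),
                "failures": sum(per_user.values()),
                "successful_logins_after": later_ok,
            }
            break
    return findings


if __name__ == "__main__":
    for src, f in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

On the sample log the spraying source is reported with six accounts targeted and a subsequent successful login for `frank`, the brute-force source with twelve failures against `bob`, and the user who simply mistyped twice produces no finding. The thresholds are deliberately parameters: the right values depend on the size of the user base and the lockout policy in force.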

In a statement Citrix admitted that the cyber criminals had ‘accessed and downloaded business documents’. The firm went on to say the specific data accessed was unknown at that time, but it is believed they could have included emails, blueprints and other business documents.

Multinational
Based in Fort Lauderdale, Florida, Citrix Systems Inc. is a multinational software company that provides server, application and desktop virtualization, networking and cloud computing technologies to companies worldwide. It also works for American government and military departments.

Citrix was notified of the breach by the FBI, which had in turn been notified by security firm Resecurity. Citrix was quick to release an initial statement once its investigation started, with CISO Stan Black saying: “Citrix has taken action to contain this incident. We commenced a forensic investigation, engaged a leading cyber security firm to assist, took actions to secure our internal network and continue to cooperate with the FBI.

Complex and dynamic
“Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.

“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.”

Speculation
There is some speculation that the attackers did not come from Iran, but Microsoft has also recently warned about the possible connection, claiming Iranian hackers had ‘targeted hundreds of thousands of people at more than 200 companies over the last two years’.

The international nature of the problem is further highlighted by the fact that Citrix has a number of European customers, which raises red flags under GDPR and could lead to a substantial fine if any of the leaked data involves EU citizens or companies.

Massive breach
Charlotte Riley of CSS said: “This is a massive breach and is a good example of how problems experienced by a company based on the other side of the Atlantic can impact individuals and companies based in the UK and the rest of Europe. Hacking is international and the mindset for firms who are potential targets should be international too.

“But the most important lesson to be learned from this incident is the vital importance of strong password management. This whole attack could have been enabled by a single member of staff using a common, insecure password. Once the hackers had breached the account they had a foothold in the system and were able to work their way around the additional layers of security in place.”

Sources:
https://www.itpro.co.uk/security/33189/citrix-security-breach-sees-6tb-of-sensitive-data-stolen
https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/