To be honest, I’m surprised this story has received so little attention from mainstream media. It may be a case of breach fatigue: the average person has become numb to stories of breaches exposing the personal information of millions. Unless they are personally affected, most people don’t see the relevance to their everyday lives. The Citrix breach has this problem in spades. Most people have never even heard of Citrix, so they ignore the details where, as the saying goes, the devil lurks. The fact is that the fallout from this hack may have far-reaching effects that could eventually touch every person living in the U.S. and many abroad. It is this aspect of the attack that is either being intentionally side-stepped or completely ignored.
Here are the details that have been made public. At some point during the 2018 holiday season, Iranian state-backed hackers got past Citrix’s defenses. By the time they were discovered in the network earlier this month, the group had made off with an astonishing 6 terabytes of data and possibly as much as 10TB. The data included email correspondence, blueprints, business documents and shared files, and no doubt much more. It is even possible they got the company’s crown jewels: its source code.
Very little about this attack is being made public, so I’ve pieced together the following scenario from what is available. A little-known cybersecurity firm, Resecurity, detected a cyber-espionage campaign with “strong targeting against government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy.” From its analysis of the campaign’s past behavior, Resecurity attributed it to an Iranian hacking group, which it named Iridium. Citrix was among the targets. How Resecurity detected this is not clear, except that, in an update, Resecurity claimed to have discovered an attack on Citrix as early as October 2018 and showed a list of Citrix employee data that it had somehow obtained.
Apparently, Resecurity notified Citrix as early as December, but its warnings went unheeded until March. According to Resecurity’s president, Charles Yoo, the Iranian hackers were focused on getting information from the FBI, NASA, Saudi Aramco and numerous government agencies, including the White House. Yoo also claims that these hackers had been in Citrix’s network for over 10 years. Citrix does not mention Resecurity in its press release; it says only that it was contacted by the FBI. This could simply be a way of hiding the fact that it ignored Resecurity’s earlier warnings. Citrix may have taken those warnings as an attempt to extract some sort of bug bounty, or it may have believed its own security was too good to be penetrated, never a healthy attitude in today’s cyber environment.
The claim that a sophisticated attack group could remain hidden in a network for years is not far-fetched. In fact, it is highly likely that a state-sponsored group would lurk for years in a corporate network before it begins its attack. I have written on these business process compromise (BPC) attacks, and they all involve a high degree of patience. The hackers sit back and watch how the network operates, gather the information they need and then, when they are confident they will not expose themselves, start exfiltrating whatever data they want. They must have done a good job of hiding that exfiltration; after all, how long does it take to move 10TB of data out of a network without anyone noticing?
Citrix’s technologies are used by numerous companies and organizations. According to its website, “Citrix solutions are in use by more than 400,000 organizations including 99 percent of the Fortune 100 and 98 percent of the Fortune 500.” What this means is that a compromise at Citrix is potentially a foothold against its entire customer base: source code, customer lists and support data are exactly what an attacker needs to go after the organizations that depend on it. As expected, Citrix has said very little about the attack. It says only that “the hackers may have accessed and downloaded business documents”. Whew! That’s a relief. They just got a few boring reports. Nothing to see here. Citrix also states that, “at this time, there is no indication that the security of any Citrix product or service was compromised.” Such disclaimers are standard in a first breach notification. Although Citrix claimed that “Citrix is committed to updating customers with more information as the investigation proceeds”, so far nothing has been forthcoming.
Some have cast doubt on Resecurity’s claim that Iranian hackers were behind the attack on Citrix. Resecurity, however, has doubled down by releasing information that it says exposes the hackers.
Resecurity’s attribution rests on correlating what it observed against threat-intelligence data. According to Yoo, the firm draws on an extensive “meta database of over 300 million Dark Web records, 8 billion compromised credentials, 9 million threat actors and over 30 million indicators of compromise.” Its credibility therefore depends on the quality of that data and on the soundness of the matching that ties the Citrix intrusion to Iridium.
Although it brushed aside Resecurity’s allegations, Citrix does apparently agree with them on one point: it was compromised by a technique known as ‘password spraying’. However, Citrix says this information came from the FBI, not Resecurity. To simplify the concept, password spraying is brute forcing turned on its side. Instead of trying many passwords against one account, which trips the account lockout after a handful of failures, the attacker tries one very common password against thousands of accounts at the same time and sees if any of them opens, then moves on to the next most common password, and so on. Each account sees only one or two failures, so lockout policies never fire. The Iridium hackers infiltrated a few accounts in this manner, bypassed 2FA with some standard techniques, got a list of Citrix customers with their email addresses, ‘password sprayed’ them too and, over time, worked deeper into the network to gain whatever information they could get from customers in numerous companies and organizations.
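The spraying pattern, and the reason it slips past an ordinary lockout policy, can be seen in a short detection routine run over a few authentication events. This is an added example, not code from Citrix, Resecurity or the FBI; the log format and the sample events are constructed for illustration, and the thresholds (five distinct accounts, at most two failures each, inside ten minutes) are assumptions to be tuned to the environment.

```python
"""Password-spray detection over constructed authentication events.

Added example (not Citrix's or Resecurity's code). The log format is
hypothetical: "<ISO timestamp> <OK|FAIL> <username> <source IP>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 203.0.113.7 tries one guess against each of
# six accounts, then succeeds on a seventh: the spray signature.
# 198.51.100.2 hammers a single account: classic brute force.
# 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2018-12-03T01:00:05Z FAIL alice 203.0.113.7
2018-12-03T01:00:09Z FAIL bob 203.0.113.7
2018-12-03T01:00:14Z FAIL carol 203.0.113.7
2018-12-03T01:00:18Z FAIL dave 203.0.113.7
2018-12-03T01:00:23Z FAIL erin 203.0.113.7
2018-12-03T01:00:27Z FAIL frank 203.0.113.7
2018-12-03T01:00:31Z OK grace 203.0.113.7
2018-12-03T01:02:00Z FAIL alice 198.51.100.2
2018-12-03T01:02:03Z FAIL alice 198.51.100.2
2018-12-03T01:02:06Z FAIL alice 198.51.100.2
2018-12-03T01:02:09Z FAIL alice 198.51.100.2
2018-12-03T01:02:12Z FAIL alice 198.51.100.2
2018-12-03T01:05:00Z FAIL heidi 192.0.2.9
2018-12-03T01:05:30Z OK heidi 192.0.2.9
"""


def parse_log(text):
    """Parse the hypothetical log format into (time, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       result, user.lower(), src))
    return events


def accounts_over_lockout(events, threshold=5, window=timedelta(minutes=15)):
    """What a per-account lockout policy sees: accounts whose failures within
    the window reach the threshold. A spray of one or two guesses per account
    never gets here, which is the whole point of spraying."""
    recent = defaultdict(list)
    locked = set()
    for t, result, user, _ in sorted(events):
        if result == "OK":
            recent[user] = []          # a success resets the counter
            continue
        recent[user] = [x for x in recent[user] if t - x <= window] + [t]
        if len(recent[user]) >= threshold:
            locked.add(user)
    return locked


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Group failures by source and look for the inverse of brute force:
    many distinct accounts, very few attempts each, inside one window.
    Returns {src: {"accounts": [...], "successes": [...]}}, where
    "successes" are accounts that opened from the same source in the window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):   # slide the window over this source
            fails_per_account = defaultdict(int)
            successes = set()
            for t, result, user, _ in evs[i:]:
                if t - t0 > window:
                    break
                if result == "FAIL":
                    fails_per_account[user] += 1
                else:
                    successes.add(user)
            if (len(fails_per_account) >= min_accounts
                    and max(fails_per_account.values()) <= max_per_account):
                findings[src] = {"accounts": sorted(fails_per_account),
                                 "successes": sorted(successes)}
                break
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("lockout policy would catch:", accounts_over_lockout(events))
    print("spray detector flags:", detect_spray(events))
```

Run as a script, it reports that the lockout counter catches only alice, the brute-forced account, while the spray detector flags 203.0.113.7 together with the account that opened for it, grace. The caveat a defender needs: a real spray against an internet-facing portal is spread over many source addresses and across days to stay under both thresholds, so the grouping key should include the set of targeted accounts or a client fingerprint, not just the source IP, and the successful login that follows a spray is the alert that matters most.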
It should be noted that Citrix relies heavily on supplying cloud services to its customers. In fact, it markets itself as a company that gives businesses the ability “to realize the agility of cloud without complexity and security slowing you down.” Its reliance on the cloud is shown in this diagram.
Unfortunately, technology that is easy for users to reach is equally easy for hackers to reach: a cloud login portal is exposed to the whole internet, which is exactly what makes password spraying practical. Too many individuals and enterprises have the false belief that security in the cloud is somehow better than security on premises. True, moving to the cloud transfers part of the responsibility, the infrastructure, from the enterprise’s IT department to the cloud service provider, but identities, credentials, access policies and the data itself remain the customer’s problem, and there is no guarantee of a concomitant improvement in security in the process.
Because of Citrix’s extensive reach into so many companies and government agencies, future breaches at organizations that depend on Citrix will be, and should be, examined as possible by-products of this one. If this hack really did come from the Iranian government, we should expect attacks on key U.S. government agencies in the future. Financial institutions will be another main target as Iran searches for money to get around recent sanctions. It is quite likely that the attackers are already inside these networks and are simply waiting for the right moment to begin. Stay tuned. This could be an interesting year in cybersecurity.