On March 6th, Citrix alerted the world to unauthorized access of its internal network—through brute force tactics known as password spraying—but details are still fuzzy about what actual data was breached.
A security research firm says it has further information, boldly claiming that Iranian threat actors have persisted in the Citrix network for 10 years.
According to the official disclosure announcement written by Stan Black, CSIO of Citrix, the company notified the FBI that "international cyber criminals" accessed the company's internal network via a password spraying attack, wherein malicious actors brute-force logins with commonly used passwords.
"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown," Black wrote in a blog post. "At this time, there is no indication that the security of any Citrix product or service was compromised."
Beyond it being unclear what documents were affected in the Citrix data breach, the company did not mention how long the attackers had access to the Citrix internal network.
A Los Angeles-based cybersecurity research company called Resecurity claimed to have more information on the Citrix data breach and said the attackers gained access to somewhere between six and 10 TB worth of sensitive information, "including e-mail correspondence, files in network shares and other services used for project management and procurement."
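Password spraying, the technique named in the disclosure above, shows up in authentication logs as one source failing against many accounts with only a few attempts per account. The following detection sketch is an added example, not code from Citrix, Resecurity or the article; the log format, the addresses and usernames, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2024-01-15T09:00:00 198.51.100.7 alice FAIL
2024-01-15T09:02:00 198.51.100.7 bob FAIL
2024-01-15T09:04:00 198.51.100.7 carol FAIL
2024-01-15T09:06:00 198.51.100.7 dave FAIL
2024-01-15T09:08:00 198.51.100.7 erin OK
2024-01-15T09:10:00 198.51.100.7 frank FAIL
2024-01-15T09:00:05 203.0.113.9 admin FAIL
2024-01-15T09:00:06 203.0.113.9 admin FAIL
2024-01-15T09:00:07 203.0.113.9 admin FAIL
2024-01-15T09:01:00 192.0.2.20 grace FAIL
2024-01-15T09:01:30 192.0.2.20 grace OK
"""

def parse(log):
    """Yield (datetime, source, user, result) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def detect_spraying(log, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources whose failures hit many accounts, few times each, within `window`.
    Returns {source: {"targeted": [...], "succeeded": [...]}} (thresholds are assumptions)."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start, targeted = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                targeted |= set(counts)
        if targeted:
            # Any success from a spraying source marks an account to reset first.
            flagged[src] = {"targeted": sorted(targeted), "succeeded": sorted(oks[src])}
    return flagged
```

On the sample, only the first source is flagged: repeated failures against a single account and a user mistyping their own password fall outside the many-accounts, few-attempts pattern.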