Citrix data breach report raises more questions

Citrix disclosed a potential data breach blamed on poor password security, but a lack of details about the attack leaves only unconfirmed claims from a single cybersecurity firm.

The FBI alerted Citrix to an incident involving attackers gaining unauthorized access to the company's internal network, but details beyond that are hard to pin down.

According to the official disclosure announcement written by Stan Black, CSIO of Citrix, the company was notified by the FBI that "international cyber criminals" accessed the company's internal network via a password spraying attack, in which attackers try commonly used passwords against many accounts rather than brute-forcing a single login.
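The spray technique named above leaves a distinctive trace in authentication logs: one source failing against many distinct accounts with only a few attempts each, which per-account lockout thresholds never catch. The following detector is an added example, not code from Citrix or from the article; the log format, the IP addresses, the user names and the thresholds are all constructed for illustration.

```python
"""Password-spray detection over auth logs (added example, constructed data).
A spray tries few passwords against many accounts, so per-account lockouts
never fire; the signal is one source failing across many distinct users."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp src_ip user result".
# 203.0.113.7 sprays six accounts; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2019-03-08T10:00:01 203.0.113.7 alice FAIL
2019-03-08T10:00:03 203.0.113.7 bob FAIL
2019-03-08T10:00:05 203.0.113.7 carol FAIL
2019-03-08T10:00:07 203.0.113.7 dave FAIL
2019-03-08T10:00:09 203.0.113.7 erin FAIL
2019-03-08T10:00:11 203.0.113.7 frank SUCCESS
2019-03-08T10:00:02 198.51.100.9 alice FAIL
2019-03-08T10:00:04 198.51.100.9 alice FAIL
2019-03-08T10:00:06 198.51.100.9 alice FAIL
2019-03-08T10:00:08 198.51.100.9 alice FAIL
2019-03-08T10:00:10 198.51.100.9 alice FAIL
2019-03-08T10:00:12 198.51.100.9 alice SUCCESS
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the log text."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_sprayers(log, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {ip: set(users)} for sources whose failures inside `window`
    hit >= min_users distinct accounts with <= max_per_user tries each.
    The per-user cap separates spraying from single-account brute force."""
    fails = defaultdict(list)  # ip -> [(ts, user)] for FAIL events only
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            fails[ip].append((ts, user))
    hits = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide window over each start
            per_user = Counter(u for t, u in events[i:] if t - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = set(per_user)
                break
    return hits
```

Note that the spraying source also logs a SUCCESS against `frank`; the detector flags the source from the failure pattern alone, so the successful login is what an analyst should investigate next.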

"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown," Black wrote in a blog post. "At this time, there is no indication that the security of any Citrix product or service was compromised."

Beyond it being unclear what documents were affected in the Citrix data breach, the company did not mention how long the attackers had access to the Citrix internal network. In December, Citrix also forced many ShareFile users to reset passwords, noting the "constant increase in internet-account credential theft and the risk of credential stuffing attacks." However, Citrix said the company itself was not breached.

A Los Angeles-based cybersecurity research company called Resecurity claimed to have more information on the Citrix data breach and said the attackers gained access to somewhere between six and 10 TB worth of sensitive information, "including e-mail correspondence, files in network shares and other services used for project management and procurement."

According to Resecurity, the attack was carried out by an Iranian threat group known for targeting government agencies and oil and gas companies. Resecurity claimed in a blog post that it reached out to Citrix in December to share an "early warning notification" about the attack, but in an interview with NBC News, Resecurity president Charles Yoo also said the threat group originally accessed Citrix's network 10 years ago and persisted ever since.

These details about the Citrix data breach could not be verified in any way. Initially, Resecurity's blog post on the incident did not contain any technical evidence, nor did the company respond to requests for comment. Resecurity updated its post Monday with additional information and claims, including IP addresses supposedly from Iran, as well as darkened screenshots that appeared to show a list of email accounts and other information, including partially visible names, for approximately two dozen Citrix employees.

Citrix refused to comment on the claims made by Resecurity or if there was any relationship between the two companies.

"As disclosed on Friday, we have launched a comprehensive forensic investigation into the incident with the help of leading third-party experts and will communicate additional details when we have credible, actionable information," a Citrix spokesperson said in a statement. "We have no comment on Resecurity's claims at this time."

Resecurity was incorporated in 2015 by Andrei Komarov, former CIO of InfoArmor, according to public documents discovered by Twitter user "Deacon Blues." The company's web presence is fairly thin; the Resecurity website includes just two blog posts and a handful of news posts dating back to Sept. 1. The website contains no information about products, services or research.

The company page doesn't list any of the employees beyond a news post about Ian Cook, director at Corbels Security Services, based in East Sussex, U.K., being named a strategic advisor. LinkedIn lists eight employees of Resecurity, though Komarov is not one of them. Of those eight employees, only three are listed as being in the L.A. area -- Resecurity doesn't mention any other offices -- and Yoo's profile includes no information beyond his position at Resecurity.

Komarov has been connected to a questionable breach report in the past with the 2013 Yahoo mega breach. InfoArmor saw data from the Yahoo breach being sold on the deep web in August 2016, published information about the data and supplied the data to law enforcement three months before Yahoo disclosed the 2013 breach. Komarov and InfoArmor never directly contacted Yahoo about the data.

George Avetisov, CEO and co-founder of identity and access management vendor HYPR, expressed concern about how much faith to put into the Resecurity claims.

"I have no knowledge of Resecurity, but it looks pretty suspicious. They have a very short history to be working with a software company as prominent as Citrix, they have minimal background in this space, the founder has no visible online presence, and industry insiders have been questioning the legitimacy of the company," Avetisov said. "Simply put -- nobody has heard of them."
