On Friday afternoon, whilst attempting to simultaneously eat a Chinese takeaway and subdue a hyperactive toddler, I received a call from a colleague who told me to check the news. Still reeling from the death of Keith Flint, my stomach sank as I questioned which of my teenage celebrity idols might have been next to meet their fate. Not finding anything of major note on the BBC website, I proceeded to check my email, at which point my eyes nearly popped out – an official email from Citrix to its partners titled “Unauthorized Access to Citrix Internal Network”. Whilst the official details from Citrix were, at least in the first instance, a little vague, there were details emerging online about the nature of the attack and, suffice to say, it does not look pretty.

Citrix build a large part of their identity around security – indeed, the very first section on the front page of their website reads “Address cybersecurity threats with a people-centric approach” with “Modernize IT security” right underneath it, which leads to a whole corner of the site dedicated to boasting about Citrix’s innate security. Citrix sells to its millions of enterprise customers worldwide under the premise of intrinsic and absolute security, and this news can’t be seen as anything less than catastrophic for the firm.

Shortly after the partner announcement, Stan Black, Citrix’s chief security officer, posted on the company blog giving some details about the attack. Further details then started to emerge across third-party media outlets, and the story seems to be that the network was compromised around Christmas time by an Iranian hacker group known as Iridium. Iridium seem to concentrate their efforts on large US conglomerates, and in particular on firms with any tech pedigree. Apparently, the FBI informed Citrix that their network had been compromised back in December, and again on Monday of last week. The attackers are reported to have got their initial foothold using a technique known as ‘password spraying’, which in a nutshell inverts the classic brute-force attack: rather than throwing many passwords at one account, the intruder tries a small number of common passwords against a large number of different user accounts, so that no single account racks up enough failures to trigger a lockout. My initial thought was, “so what? Citrix would enforce MFA usage on their own network”, but most troubling of all is that it’s being reported that the hacking group were able to ‘circumvent’ the initial MFA login and then force entry through several additional layers of security.
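Password spraying is close to invisible if you only watch per-account failure counts, which is exactly what lockout policies and most default alerts do; the signal lives in the per-source (or tenant-wide) view. The following is an added example, not code from Citrix or from this post: a small detector run over a constructed authentication log that separates a spray (many accounts, one or two failures each) from a classic brute force (one account, many failures) and surfaces any successful login from a source that was failing against other accounts. The log format, field order and the three thresholds are assumptions to be mapped onto whatever your own IdP or VPN actually emits.

```python
"""Password-spray vs. brute-force detection over authentication logs.

Added example; not Citrix's code and not from the original post. The log
format, field order and thresholds are assumptions: map them onto the
fields your own identity provider or VPN gateway actually logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed detection window
LOCKOUT_THRESHOLD = 5           # assumed per-account lockout; a sprayer stays under it
SPRAY_MIN_USERS = 8             # assumed: distinct accounts failing from one source

# Constructed sample log, not real telemetry. One event per line:
# "<ISO-8601 UTC timestamp> <username> <source_ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2019-02-20T02:00:01Z alice 203.0.113.7 FAIL
2019-02-20T02:00:04Z bob 203.0.113.7 FAIL
2019-02-20T02:00:07Z carol 203.0.113.7 FAIL
2019-02-20T02:00:10Z dave 203.0.113.7 FAIL
2019-02-20T02:00:13Z erin 203.0.113.7 FAIL
2019-02-20T02:00:16Z frank 203.0.113.7 FAIL
2019-02-20T02:00:19Z grace 203.0.113.7 FAIL
2019-02-20T02:00:22Z heidi 203.0.113.7 FAIL
2019-02-20T02:00:25Z ivan 203.0.113.7 FAIL
2019-02-20T02:00:28Z judy 203.0.113.7 SUCCESS
2019-02-20T09:15:00Z mallory 198.51.100.9 FAIL
2019-02-20T09:15:01Z mallory 198.51.100.9 FAIL
2019-02-20T09:15:02Z mallory 198.51.100.9 FAIL
2019-02-20T09:15:03Z mallory 198.51.100.9 FAIL
2019-02-20T09:15:04Z mallory 198.51.100.9 FAIL
2019-02-20T09:15:05Z mallory 198.51.100.9 FAIL
2019-02-20T10:00:00Z peggy 192.0.2.44 FAIL
2019-02-20T10:00:20Z peggy 192.0.2.44 FAIL
2019-02-20T10:00:45Z peggy 192.0.2.44 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Return time-sorted (timestamp, user, source_ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def window_stats(window):
    """Summarise one time window of events coming from a single source."""
    fails = Counter(user for _, user, _, result in window if result == "FAIL")
    return {
        "window_start": window[0][0],
        "distinct_failed_users": len(fails),
        "max_failures_one_user": max(fails.values(), default=0),
        # A success from a source that is failing against other accounts is the
        # high-signal event: the spray may have found a working password.
        "successful_logins": sorted({u for _, u, _, r in window if r == "SUCCESS"}),
    }


def classify(stats):
    """Brute force hammers one account; a spray touches many accounts a few times each."""
    if stats["max_failures_one_user"] >= LOCKOUT_THRESHOLD:
        return "brute_force"
    if stats["distinct_failed_users"] >= SPRAY_MIN_USERS:
        return "password_spray"
    return None


def detect(log_text):
    """Map (source_ip, kind) -> stats of the most severe window seen for that pair."""
    by_ip = defaultdict(list)
    for event in parse_log(log_text):
        by_ip[event[2]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        for i, (start, _, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start < WINDOW]
            stats = window_stats(window)
            kind = classify(stats)
            if kind is None:
                continue
            severity = (stats["distinct_failed_users"], stats["max_failures_one_user"])
            current = findings.get((ip, kind))
            if current is None or severity > (current["distinct_failed_users"],
                                              current["max_failures_one_user"]):
                findings[(ip, kind)] = stats
    return findings


if __name__ == "__main__":
    for (ip, kind), s in detect(SAMPLE_LOG).items():
        print(f"{ip}: {kind} starting {s['window_start']:%H:%M:%S}, "
              f"{s['distinct_failed_users']} accounts failed, worst single account "
              f"{s['max_failures_one_user']} failures, successes {s['successful_logins']}")
```

Run stand-alone, the sample produces exactly two findings: a spray from 203.0.113.7 (nine accounts, one failure each, followed by a successful login as judy) and a brute force from 198.51.100.9 (one account, six failures). Peggy mistyping her password twice from 192.0.2.44 produces nothing, which is the point of the per-user threshold. The detector keys on source IP, so a sprayer rotating through a proxy pool would need the same windowing applied tenant-wide (count distinct accounts with a single failure across all sources) rather than per source.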

I have no idea how Citrix customers will react to the news, but considering their client base consists of many of the world’s largest and most security-conscious financial firms, it can’t be good. The stock market seemed to agree, with 3% of Citrix’s share value disappearing in a matter of minutes. It will be interesting to see how the story unfolds, and we’ll certainly be keeping a keen ear to the ground. An excerpt from Stan Black’s blog post seems to sum up the mood from the Citrix camp:

Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.

It’s worth noting that whilst this will undoubtedly do some damage to Citrix’s reputation, it’s unlikely to invalidate Citrix’s credentials as a secure provider of workspace solutions. Official comment is still awaited on the MFA circumvention, but I strongly suspect that the most likely culprit is the user. This would not excuse Citrix from any wrongdoing, certainly not yet anyway, but to our mind Citrix’s product portfolio will still come away from this with its customer base relatively unscathed.

More details, including the official announcement, can be found here:

https://www.forbes.com/sites/kateoflahertyuk/2019/03/10/citrix-data-breach-heres-what-to-do-next
https://www.engadget.com/2019/03/09/iranian-hackers-target-citrix/
https://www.cnbc.com/2019/03/08/citrix-tumbles-on-report-of-unauthorized-access-fbi-investigation.html
https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/