Iranian-backed hackers stole data from major US government firms


Breaking News Emails

Get interrupted news alerts and special reports. The news and stories that matter, delivered everyday morning.

By Dan De Luce and Courtney Kube

Iranian-backed hackers has stolen huge amounts of data from a major software company that handles sensitive computer projects for the White House communications agency, the US military, the FBI, and many US companies, a cyber security company that told NBC News.

Citrix Systems Inc. was attacked twice, once in December and again Monday, according to Resecurity, who notified the company and law enforcement authorities.

Attacks of brutal force attacks guessing passwords were assaulted by the Iranian-linked hacking group known as Iridium, who was also behind recent cyber attacks against several government agencies, oil and gas companies, and other targets, Charles Yoo, Resecurity's president. said.

The hackers took at least six terabytes of data and possibly up to 10 terabytes in the attack on Citrix, Yoo said. The attacks got access to Citrix through several compromised employee accounts, he said.

"So it's a pretty deep break-in, with more employee compromises and remote access to internal resources," he said.

While there is no evidence that the attacks directly penetrated US government networks, the offense poses a potential risk for the hackers to eventually find their way into sensitive government networks, experts said.

Citrix issued a statement on Friday that said the FBI had informed the company on Wednesday that it had been attacked by "international cyber criminals" and that it was about to act "to contain this incident."

"While our investigation is ongoing, based on what we know to date, the hackers seem to have accessed and downloaded business documents," it said.

"At present, there is no indication that the security of any Citrix product or service has been compromised."

The company did not specify in what period it had come during the cyber attack, how many employee accounts could have been compromised or other details. Citrix's statement came in response to a NBC News comment comment late Thursday.

"Citrix deeply regrets the impact this incident may have on affected customers," it said.

The FBI rejected comment.

Resecurity informed Citrix leaders of the first cyber attack in a December 28 email, Yoo said.

An analysis of the cyber attack showed that the hackers were particularly focused on FBI-related projects, NASA and aviation contracts, and working with Saudi Aramco, Saudi Arabia's state oil company, according to Yoo.

Yoo said his company, which has tracked the Iranian-related group for years, has reason to believe that Iridium broke its way into Citrix's network about 10 years ago and has since been lurking in the company's system.

"When an attacker enters an environment and compromises an account, it's just the first phase. And what we uncovered and through our own analysis is a very sophisticated campaign," he said.

Citrix sells workplace software to public authorities and businesses worldwide, enabling employees to work remotely from their own desktops or mobile devices from a central data center.

Suzanne Spaulding, a former senior official at the Department of Homeland Security, said hacking government firms are providing a potential attack path to US government files. She cited the 2015 cyber attack on the Federal Personnel Management Office, where private records of millions of people were compromised.

"Public contractors often have sensitive information. Keep in mind that the" OPM violation "involved violations of contractors who conducted background surveys for OPM and kept very sensitive information about people who sought or clarified," she said.

In the case of Citrix, although hack did not gain access to the company's operations, it is possible that opponents could gain insight into the company's network configuration and defense from the public authorities, Spaulding said. And that would make hacking for the public authorities easier, she said.

The breach of the Citrix computer network gave the hackers access to private communications with public authorities on various sensitive information technology projects involving the FBI, the Missile Defense Agency, the Defense Logistics Agency, the White House Communications Agency, the Defense Information Agency (DISA) and others, Yoo said.

DISA provides technical and communication support for the president, vice president, defense secretary and senior commanders. The White House communication agency is tasked with providing secure communication to the president and is staffed by US military personnel.

Iridium targeted Citrix to come to the company's government customers, Resecurity experts said. "It's an ideal scenario to attack customers in different verticals, including the government and the military," Yoo said.

The goal is to get into sensitive US government systems, he said. "We believe they will be targeted."

Resecurity says the Iranian-backed Iridium is the same group that stole personal data on Australian lawmakers and attacked the British Parliament in 2017 as NBC News reported former.

Federal Prosecutors last month charged former US Air Force counterintelligence agent Monica Elfriede Witt with espionage on behalf of Iran. Prosecutors said Witt had access to highly classified information in his work as opposed to and defective to Iran in 2013. US authorities also accused four Iranians – Behzad Mesri, Mojtaba Masoumpour, Hossein Parva and Mohamad Paryar – allegedly using information she had given to help them target their former colleagues and perform other cyber espionage.

Resecurity experts also said that an Iran-linked group of ties to Iridium was suspected in an attempt to hack into Israel's missile warning system more than a year ago.

Israel Defense Forces' cyber defense division successfully rejected cyberassault on the system, giving early warning to incoming rockets and missiles, an IDF commander told Israel Hayom's weekend magazine.