Iranian-backed hackers stole data from major U.S. government contractor

Image: The strategic headquarters of Citrix Systems in Santa Clara, California. Copyright Kris Tripplaar Sipa USA/AP file
By Dan De Luce and Courtney Kube with NBC News Politics

The hackers are believed to have penetrated the software giant Citrix years ago and have remained inside the company's computer network ever since.


Iranian-backed hackers have stolen vast amounts of data from a major software company that handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations, a cybersecurity firm told NBC News.

Citrix Systems Inc. came under attack twice, once in December and again on Monday of this week, according to Resecurity, which notified the firm and law enforcement authorities.

The assault, which relied on brute-force attacks that guess passwords, was carried out by the Iranian-linked hacking group known as Iridium, which was also behind recent cyberattacks on numerous government agencies, oil-and-gas companies and other targets, said Charles Yoo, Resecurity's president.

The hackers extracted at least six terabytes of data and possibly up to 10 terabytes in the assault on Citrix, Yoo said. The attackers gained access to Citrix through several compromised employee accounts, he said.

"So it's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources," Yoo said.
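The intrusion path described above, password guessing across several employee accounts followed by remote access with the ones that worked, has a recognizable signature in authentication logs: one source tries a small number of passwords against many accounts (staying under lockout thresholds), and then succeeds against a few. The following detector is an added example for this article, not code from Citrix, Resecurity or NBC; the log line format, the sample events and the thresholds are constructed assumptions for illustration.

```python
"""Password-spray detection over authentication logs.

Added example for this article; not code from Citrix, Resecurity or NBC.
The `ts src= user= result=` log format, the sample events and the thresholds
are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays one or two guesses against six
# accounts and eventually logs in as erin; 198.51.100.9 is one user mistyping
# her own password; 192.0.2.5 fails against only two accounts.
SAMPLE_LOG = """\
2019-03-04T02:11:03Z src=203.0.113.7 user=alice result=FAIL
2019-03-04T02:11:09Z src=203.0.113.7 user=bob result=FAIL
2019-03-04T02:11:15Z src=203.0.113.7 user=carol result=FAIL
2019-03-04T02:11:22Z src=203.0.113.7 user=dave result=FAIL
2019-03-04T02:11:28Z src=203.0.113.7 user=erin result=FAIL
2019-03-04T02:11:35Z src=203.0.113.7 user=frank result=FAIL
2019-03-04T02:40:02Z src=203.0.113.7 user=alice result=FAIL
2019-03-04T02:40:08Z src=203.0.113.7 user=bob result=FAIL
2019-03-04T02:40:14Z src=203.0.113.7 user=erin result=SUCCESS
2019-03-04T09:02:10Z src=198.51.100.9 user=alice result=FAIL
2019-03-04T09:02:31Z src=198.51.100.9 user=alice result=FAIL
2019-03-04T09:02:50Z src=198.51.100.9 user=alice result=FAIL
2019-03-04T09:03:12Z src=198.51.100.9 user=alice result=FAIL
2019-03-04T09:03:40Z src=198.51.100.9 user=alice result=SUCCESS
2019-03-04T11:15:00Z src=192.0.2.5 user=gil result=FAIL
2019-03-04T11:15:20Z src=192.0.2.5 user=hank result=FAIL
"""


def parse_log(text):
    """Parse `ts key=value ...` lines into dicts with a datetime `ts`."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spraying(events, window=timedelta(minutes=60), min_users=5, max_per_user=3):
    """Flag sources whose failures hit many distinct accounts with few tries each.

    A brute-force run against one account trips lockout; a spray instead spreads
    a few guesses over many accounts, so the signal is high account breadth and
    low per-account depth inside one time window. Returns {src: finding}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        j = 0
        for i in range(len(fails)):
            # Sliding window: extend j while fails[j] is within `window` of fails[i].
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            per_user = Counter(f["user"] for f in fails[i:j])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = per_user
        if best:
            # Accounts the sprayer later logged into are the ones to treat as compromised.
            hit = sorted({e["user"] for e in evs
                          if e["result"] == "SUCCESS" and e["user"] in best})
            findings[src] = {"targeted_accounts": len(best), "likely_compromised": hit}
    return findings


if __name__ == "__main__":
    for src, finding in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Two caveats a practitioner would add: a real sprayer usually rotates source addresses, so grouping by a single `src` misses it and the same window logic should also be run over the whole tenant (distinct accounts failing against the same password-policy-bypassing pattern) or per ASN; and the thresholds here are assumptions that need tuning against a baseline of normal failure rates so that a badly configured service account does not page anyone.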

While there is no evidence the attacks directly penetrated U.S. government networks, experts said the breach raises the risk that the hackers could eventually find their way into sensitive government networks.

Citrix issued a statement Friday saying the FBI had informed the company on Wednesday that it had come under attack from "international cyber criminals" and that it was taking action "to contain this incident."

"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents," it said in a statement.

"At this time, there is no indication that the security of any Citrix product or service was compromised."

The company did not specify over what time period it had come under cyber attack, how many employee accounts may have been compromised or other details. Citrix issued the statement Friday after NBC asked the firm for comment late on Thursday.

"Citrix deeply regrets the impact this incident may have on affected customers," it said.

The FBI did not respond to requests for comment.

Resecurity informed Citrix executives of the first cyber attack in a December 28 email, Yoo told NBC News.

An analysis of the cyber attack indicated the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco, Saudi Arabia's state oil company, according to Yoo.

Yoo said his firm, which has been tracking the Iranian-linked group for years, has reason to believe that Iridium broke its way into Citrix's network about 10 years ago, and has been lurking inside the company's system ever since.

"Once an attacker goes into an environment and compromises one account that's just the first stage. And what we uncovered and through our own analysis is a very sophisticated campaign," said Yoo.

Citrix sells workplace software to government agencies and corporations around the world; it lets employees work remotely, from their own desktops or mobile devices, on applications hosted in a centralized data center.

The breach of Citrix's computer network gave the hackers access to private communication with government agencies about various sensitive IT projects involving the FBI, the Missile Defense Agency, the Defense Logistics Agency, the White House communications agency, the Defense Information Systems Agency (DISA) and others, Yoo said.


DISA provides technical and communications support to the president, the vice president, the secretary of defense and top commanders. The White House communications agency, which is staffed by U.S. military personnel, is tasked with providing secure communications for the president.

Iridium targeted Citrix to get at the company's government clients, Resecurity experts said. "It's an ideal scenario to attack customers in various verticals including the government and military," Yoo said.

The goal is to hack into sensitive U.S. government systems, Yoo said. "We do believe that they are being targeted."

Resecurity says Iranian-backed Iridium is the same group that stole personal data on Australian lawmakers and attacked the British Parliament in 2017, as NBC News reported previously.

Last month, federal prosecutors charged former U.S. Air Force counterintelligence agent Monica Elfriede Witt with espionage on behalf of Iran. Prosecutors said Witt had access to highly classified information in her counterintelligence work and defected to Iran in 2013. U.S. authorities also charged four Iranians — Behzad Mesri, Mojtaba Masoumpour, Hossein Parva, and Mohamad Paryar — with allegedly using information she had provided to help them target her former colleagues and conduct other cyberespionage.


Resecurity experts also said an Iranian-linked group with ties to Iridium was suspected in an attempted hack into Israel's missile alert system more than a year ago.

Israel Defense Forces' cyber defense division successfully repelled the cyber assault on the system, which provides early-warning for incoming rockets and missiles, an IDF commander told Israel Hayom's weekend magazine.
