Hackers used password spraying to breach Citrix, investigation confirms

The unsophisticated technique gave the intruders access to two corporate drives for a “limited number of days,” Citrix's president says.
(Getty Images)

The hackers who breached corporate VPN service provider Citrix last year used an unsophisticated technique that throws commonly used, weak passwords at a system until one works, the company’s investigators has confirmed.

The “password spraying” ploy allowed the hackers to steal business files from a Citrix network drive along with a drive linked with its consulting practice, Citrix President David Henshall wrote in a blog post last week. The attackers had access to the drives for a “limited number of days,” between October 2018 and March 2019, he said.

Henshall did not say who carried out the hack or what their ultimate objective was. VPN providers could be an enticing target for any set of hackers looking for a foothold in a corporation’s network.

“The cybercriminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications,” Henshall added.


A Citrix spokesperson declined to comment when asked what those “internal applications” were and what they did.

The Florida-based company, which says it provides its services to more than 400,000 companies worldwide, is still reviewing what documents were accessed by the hackers and is in the process of notifying the “limited number of customers’” who might need to take “additional protective steps,” Henshall said.

In announcing the breach in March, Citrix said that password spraying was the likely, if unconfirmed, technique used by the attackers. But the company has now highlighted what it did to respond. It reset all passwords and shored up how it manages those credentials, is more closely monitoring data that leaves its networks, and has cut out internal access to its data for “non-essential” web services, according to Henshall.

To help with the clean-up, Citrix hired FireEye’s incident response unit, Mandiant, to remediate the breach. The FBI also investigated the breach.

With the investigation behind him, Henshall said he is focused on “fostering a security culture at Citrix that prioritizes prevention and also ensures that we detect and respond effectively to any future incidents.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts