{
	"id": "f1c47094-08e7-4c45-b436-44f9496400c1",
	"created_at": "2026-04-06T00:11:03.273322Z",
	"updated_at": "2026-04-10T13:11:44.076219Z",
	"deleted_at": null,
	"sha1_hash": "4f5ad88d331ba56a64a40d1a2cd3b6b8a2773d4d",
	"title": "Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46035,
	"plain_text": "Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix\r\nBy Tara Seals\r\nPublished: 2019-03-11 · Archived: 2026-04-05 13:34:09 UTC\r\nIRIDIUM is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications,\r\naccording to security firm Resecurity.\r\nA researcher has attributed a recently publicized attack on Citrix’ internal network to the Iranian-linked group\r\nknown as IRIDIUM – and said that the data heist involved 6 terabytes of sensitive data.\r\nResecurity posted a blog on Friday indicating that it detected a targeted attack and data breach late last year, and\r\nthat it alerted the company to the situation on Friday, December 28 at 10:25 a.m. Researchers also said they “shared the\r\nacquired intelligence with law enforcement and partners for mitigation.”\r\nThe culprit is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications\r\nand services for further unauthorized access to virtual private networks and single sign-on systems, according to\r\nResecurity.\r\n“[IRIDIUM] has hit more than 200 government agencies, oil and gas companies and technology companies,\r\nincluding Citrix Systems Inc.,” they said. Threatpost has reached out for further details as to how the firm is\r\nlinking the APT to the attack and will update this post accordingly.\r\nCitrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it\r\nwouldn’t confirm the other details in Resecurity’s post, including the attribution.\r\n“As disclosed on Friday, we have launched a comprehensive forensic investigation into the incident with the help\r\nof leading third-party experts and will communicate additional details once this investigation is complete,” a\r\nCitrix spokesperson said. “We have no comment on the Resecurity report.”\r\nResecurity identifies the incident “as a part of a sophisticated cyberespionage campaign supported by [a] nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions\r\nand large enterprises involved in critical areas of economy.”\r\nThe password-spraying on Citrix employee accounts allowed the adversaries to access the company’s Global\r\nAccess List (GAL) of employee contact information, according to Resecurity, which included 31,738 records.\r\n“The threat actors leveraged it for further reconnaissance and accounts compromise,” according to the firm.\r\n“Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol\r\nor other means) within the network, and perform mass data exfiltration. As a result, threat actors conducted\r\nnetwork intrusion to access data in Citrix infrastructure remotely.”\r\nhttps://threatpost.com/ranian-apt-6tb-data-citrix/142688/\r\nPage 1 of 2\r\nIntriguingly, the firm claimed that the attackers made off with a host of Citrix enterprise network data, including e-mail correspondence, files in network shares and other services used for project management and procurement.\r\nPraveen Jain, CTO at Cavirin, told Threatpost that the scant details available so far indicate that Citrix could have\r\ndone more on the protection front.\r\n“Given that the attack vector was weak password control, Citrix probably did not implement industry best\r\npractices to protect their cyber posture,” he said. “These lapses span people – training, processes – checks for\r\nproper password hygiene and technology – lack of automated checks for proper password complexity.”\r\nChris Morales, head of security analytics at Vectra, told Threatpost that the attack appears to follow the same\r\nsequence of events that occurs in almost every major breach including Marriott and Equifax: Command and\r\ncontrol, reconnaissance, lateral movement and data exfiltration.\r\n“The attackers most likely compromised a weak password on a non-critical system, such as a desktop user or a\r\nprinter,” he said. “That is unknown at this point. Once the attackers established a foothold, they would have\r\nenabled external remote access to load tools on the network and move laterally across systems until they first\r\nacquired administrative level access and second found servers with large caches of data.”\r\nCircumventing additional layers of security generally means bypassing firewalls and VPN access using approved\r\ntraffic for remote communication and data exfiltration, such as HTTPS.\r\n“Based on previous experience, I’m speculating this attack leveraged several manual techniques including\r\nPowerShell that already existed inside the Citrix environment,” Morales said.\r\nTorsten George, cybersecurity evangelist at Centrify, told Threatpost that the use of VPNs has often been touted\r\nas a proper counter-measure but, “in reality, leveraging VPN connections opens access to an entire network\r\nsegment, allowing cyber-adversaries to make easy lateral movements by compromising the VPN credentials,\r\nwhich are often the same as the main user credentials.”\r\nSource: https://threatpost.com/ranian-apt-6tb-data-citrix/142688/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/ranian-apt-6tb-data-citrix/142688/"
	],
	"report_names": [
		"142688"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f5ad88d331ba56a64a40d1a2cd3b6b8a2773d4d.pdf",
		"text": "https://archive.orkl.eu/4f5ad88d331ba56a64a40d1a2cd3b6b8a2773d4d.txt",
		"img": "https://archive.orkl.eu/4f5ad88d331ba56a64a40d1a2cd3b6b8a2773d4d.jpg"
	}
}