{
	"id": "f0805cba-e7db-499d-83b3-723000feb8fd",
	"created_at": "2026-04-06T00:07:17.783434Z",
	"updated_at": "2026-04-10T03:37:08.888063Z",
	"deleted_at": null,
	"sha1_hash": "56eb40f37d8cc5e228a7eaeaa2f88689139cd51d",
	"title": "Iranian-backed hackers stole data from U.S. government contractor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528568,
	"plain_text": "Iranian-backed hackers stole data from U.S. government contractor\r\nBy Dan De Luce and Courtney Kube\r\nPublished: 2019-03-08 · Archived: 2026-04-05 17:48:07 UTC\r\nIranian-backed hackers have stolen vast amounts of data from a major software company that handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations, a cybersecurity firm told NBC News.\r\nCitrix Systems Inc. came under attack twice, once in December and again Monday, according to Resecurity, which notified the firm and law enforcement authorities.\r\nEmploying brute force attacks that guess passwords, the assault was carried out by the Iranian-linked hacking group known as Iridium, which was also behind recent cyberattacks against numerous government agencies, oil and gas companies and other targets, Charles Yoo, Resecurity's president, said.\r\nThe hackers extracted at least six terabytes of data and possibly up to 10 terabytes in the assault on Citrix, Yoo said. The attackers gained access to Citrix through several compromised employee accounts, he said.\r\n\"So it's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources,\" he said.\r\nhttps://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986\r\nWhile there is no evidence the attacks directly penetrated U.S. government networks, the breach carries a potential risk that the hackers could eventually find their way into sensitive government networks, experts said.\r\nCitrix issued a statement Friday saying the FBI had informed the company Wednesday that it had come under attack from \"international cybercriminals\" and that it was taking action \"to contain this incident.\"\r\n\"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents,\" it said.\r\n\"At this time, there is no indication that the security of any Citrix product or service was compromised.\"\r\nThe company did not specify over what time period it had come under the cyberattack, how many employee accounts may have been compromised or other details. Citrix's statement came in response to an NBC News request for comment late Thursday.\r\n\"Citrix deeply regrets the impact this incident may have on affected customers,\" it said.\r\nThe FBI declined comment.\r\nResecurity informed Citrix executives of the first cyberattack in a Dec. 28 email, Yoo said.\r\nAn analysis of the cyberattack indicated the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco, Saudi Arabia's state oil company, according to Yoo.\r\nYoo said his firm, which has been tracking the Iranian-linked group for years, has reason to believe that Iridium broke its way into Citrix's network about 10 years ago, and has been lurking inside the company's system ever since.\r\n\"Once an attacker goes into an environment and compromises one account, that's just the first stage. And what we uncovered and through our own analysis is a very sophisticated campaign,\" he said.\r\nCitrix sells workplace software to government agencies and corporations around the world that allows employees to work remotely from their own desktops or mobile devices off a centralized data center.\r\nSuzanne Spaulding, a former senior official at the Department of Homeland Security, said hacking government contractors provides a potential attack pathway into U.S. government files. She cited the 2015 cyber attack on the federal Office of Personnel Management in which private records on millions of individuals were compromised.\r\n“Government contractors often hold sensitive information. Remember that the ‘OPM breach’ included breaches of contractors who were conducting background investigations for OPM and were holding very sensitive information about individuals seeking or holding clearances,” she said.\r\nIn the case of Citrix, even if the hack did not gain access to company operations, it’s possible that adversaries could gain insights into the company’s network configuration and the defenses of the government agencies, Spaulding said. And that would make hacking those government agencies easier, she said.\r\nThe breach of Citrix's computer network gave the hackers access to private communication with government agencies about various sensitive information technology projects involving the FBI, the Missile Defense Agency, the Defense Logistics Agency, the White House communications agency, the Defense Information Systems Agency (DISA) and others, Yoo said.\r\nDISA provides technical and communications support to the president, the vice president, the secretary of defense and top commanders. The White House communications agency is assigned the task of providing secure communications for the president and is manned by U.S. military personnel.\r\nIridium targeted Citrix to get at the company’s government clients, Resecurity experts said. \"It's an ideal scenario to attack customers in various verticals including the government and military,\" Yoo said.\r\nThe goal is to hack into sensitive U.S. government systems, he said. \"We do believe that they are being targeted.\"\r\nResecurity says the Iranian-backed Iridium is the same group that stole personal data on Australian lawmakers and attacked the British Parliament in 2017, as NBC News reported previously.\r\nLast month, federal prosecutors charged former U.S. Air Force counterintelligence agent Monica Elfriede Witt with espionage on behalf of Iran. Prosecutors said Witt had access to highly classified information in her work in counterintelligence and defected to Iran in 2013. U.S. authorities also charged four Iranians — Behzad Mesri, Mojtaba Masoumpour, Hossein Parva and Mohamad Paryar — with allegedly using information she had provided to help them target her former colleagues and conduct other cyberespionage.\r\nResecurity experts also said an Iranian-linked group with ties to Iridium was suspected in an attempted hack into Israel's missile alert system more than a year ago.\r\nIsrael Defense Forces’ cyberdefense division successfully repelled the cyberassault on the system, which provides early warning for incoming rockets and missiles, an IDF commander told Israel Hayom’s weekend magazine.\r\nSource: https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
	],
	"report_names": [
		"iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56eb40f37d8cc5e228a7eaeaa2f88689139cd51d.pdf",
		"text": "https://archive.orkl.eu/56eb40f37d8cc5e228a7eaeaa2f88689139cd51d.txt",
		"img": "https://archive.orkl.eu/56eb40f37d8cc5e228a7eaeaa2f88689139cd51d.jpg"
	}
}