{
	"id": "642d6b69-7eb1-4b9f-a107-082f343319e1",
	"created_at": "2026-04-06T00:08:28.442739Z",
	"updated_at": "2026-04-10T03:37:08.516117Z",
	"deleted_at": null,
	"sha1_hash": "df67314b3e92cb858087be051df1731fb268aafe",
	"title": "Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1100497,
	"plain_text": "Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.\r\nBy Melisha Dsouza\r\nArchived: 2026-04-02 12:30:40 UTC\r\nLast week, Citrix, the American cloud computing company, disclosed that it suffered a data breach on its internal network. It was informed of the attack by the FBI. In a statement posted on Citrix’s official blog, the company’s Chief Security Information Officer Stan Black said, “the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network. It appears that\r\nhttps://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/\r\nPage 1 of 3\n\nhackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown.”\r\nThe FBI informed Citrix that the hackers likely used a tactic known as password spraying to exploit weak passwords. The blog further states that “Once they gained a foothold with limited access, they worked to circumvent additional layers of security”.\r\nIn the wake of these events, the security firm Resecurity reached out to NBC News and claimed that it had reason to believe that the attacks were carried out by an Iranian-linked group known as IRIDIUM. Resecurity says that IRIDIUM \"has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix.\"\r\nResecurity claims that IRIDIUM breached Citrix's network during December 2018. Charles Yoo, Resecurity's president, said that the hackers extracted at least six terabytes of data and possibly up to 10 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement. “It's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources.\"\r\nYoo further added that his firm has been tracking the Iranian-linked group for years, and has reason to believe that Iridium broke its way into Citrix's network about 10 years ago, and has been “lurking inside the company's system ever since.”\r\nThere is no evidence to prove that the attacks directly penetrated U.S. government networks. However, the breach carries a potential risk that the hackers could eventually enter sensitive government networks. According to Black, “At this time, there is no indication that the security of any Citrix product or service was compromised.”\r\nResecurity said that it first reached out to Citrix on December 28, 2018, to share an early warning about “a targeted attack and data breach”. According to Yoo, an analysis of the indicated that the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco, Saudi Arabia's state oil company. “Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period,” Resecurity says in a blog.\r\nA spokesperson for Citrix confirmed to The Register that \"Stan’s blog refers to the same incident\" described by Resecurity. “At this time, there is no indication that the security of any Citrix product or service was compromised,” says Black.\r\nTwitter was abuzz with users expressing their confusion over the timeline of events and wondering about the consequences if IRIDIUM was truly lurking in Citrix’s network for 10 years:\r\nhttps://twitter.com/dcallahan2/status/1104301320255754241\r\nhttps://twitter.com/MalwareYoda/status/1104170906740350977\r\nhttps://twitter.com/Maliciouslink/status/1104375001715798016\r\nThe data breach is worrisome, considering that Citrix sells workplace software to government agencies and handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations.\r\nSource: https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/"
	],
	"report_names": [
		"resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df67314b3e92cb858087be051df1731fb268aafe.pdf",
		"text": "https://archive.orkl.eu/df67314b3e92cb858087be051df1731fb268aafe.txt",
		"img": "https://archive.orkl.eu/df67314b3e92cb858087be051df1731fb268aafe.jpg"
	}
}