Resecurity understood that hackers from Iridium, an Iran-linked group, stole data in December 2018 and again on March 4th. They made off with at least 6TB of documents and as much as 10TB, and they seemed to be focused on project data for the aerospace industry, the FBI, NASA and Saudi Arabia's state-owned oil company. The intruders may have been lurking for a long time, too. Resecurity's Charles Yoo said that Iridium broke into Citrix's network roughly 10 years ago and had been hiding since then.
The researchers said they'd told Citrix about the first attack on December 28th. It's not clear if Citrix addressed the issue then, although it took a number of steps after the FBI got in touch on March 6th. The company said it launched a "forensic investigation" with the help of an unnamed security firm and took "actions" to lock down its network.
Citrix stressed there was "no indication" that the intruders compromised its products or services. However, that's not the major concern here. As a government contractor that focuses on networking and the cloud, Citrix could hold sensitive data on other companies. It may be aware of their network layouts and security measures, for instance. Like the OPM hack, the consequences could reach well beyond the initial target.