On March 8, Citrix disclosed that international cyber criminals had gained access to the internal Citrix network.
Since our last update, we have substantially progressed our investigation of this incident. We are working with leading cyber breach response experts, including FireEye Mandiant, to thoroughly investigate and remediate this incident, monitor our network amidst the ever-evolving threat landscape, and plan long-term security enhancements. We are keeping the FBI updated on our findings, and thank them for a sustained dialogue over the course of our investigation and remediation efforts.
We are devoting significant resources to investigate and remediate this incident. At this point in our investigation, we have confirmed the scope of the incident, uncovered the means of attack used by the cyber criminals, and deployed FireEye’s endpoint agent technology across our systems, which allows us to monitor and conduct comprehensive scans of our systems for evidence of intrusion activity.
Based on where we are in the investigation at this point, our understanding remains consistent with our earlier update:
- We have expelled the threat actors from our systems.
- We identified password spraying, a technique that exploits weak passwords, as the method by which the cyber criminals entered our network, and have performed a password reset and improved our internal password management.
- Importantly, we have found no indication that the threat actors discovered or exploited any vulnerabilities in our products or services to gain entry.
- There is no indication that the security of any Citrix product or customer cloud service was compromised.
- In particular, we have seen no evidence of compromise of our customer cloud service environments.
We have made good progress, and through today, our investigation continues to show that the cyber criminals intermittently accessed and, over a limited number of days, principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice. We have commenced a substantial discovery process to review the documents and files stolen from the shared network drive and the drive associated with the web-based tool. The cyber criminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched, without further exploitation, a limited number of internal applications.
Our investigation is ongoing, and it is a complex and dynamic process. We are committed to taking all the steps necessary to conduct a thorough assessment and defend against future incidents. We are committed to providing updates as soon as we have meaningful and accurate information to share.