An Iranian-linked hacking group has stolen terabytes of corporate data from Citrix as part of a major campaign against tech, oil and gas, and government organizations, according to a security vendor.

LA-based security firm Resecurity said on Friday it has shared details with law enforcement of a Christmas 2018 attack on the tech giant by the IRIDIUM group.

“The incident has been identified as a part of a sophisticated cyber-espionage campaign supported by nation state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy,” it wrote in a blog post on Friday.

“Based our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”

These TTPs included “proprietary techniques” designed to bypass two-factor authentication systems, and methods to access VPNs and single sign-on (SSO), it added.

Citrix CISO, Stan Black, confirmed the attack in a brief blog post, revealing that the firm was contacted by the FBI on March 6 with details of the raid.

He said the hackers had downloaded unspecified “business documents,” adding that there’s currently no sign that any Citrix products or services have been compromised.

“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Black revealed. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

Ojas Rege, chief strategy officer at MobileIron, argued that it’s time firms eliminated passwords altogether.

“Biometric authentication is the starting point because the end user now no longer has to remember passwords,” he added. “The back-end credential into enterprise systems can then be made much stronger to mitigate password spraying and similar attacks, all without creating pain for the end user.”