Citrix was hacked twice, once in December and again Monday, according to Resecurity, which notified the firm and law enforcement authorities.
The attacks were not particularly sophisticated, the hackers just used brute force attacks and guess the passwords. The attack was carried out by the Iranian hacking group Iridium, which was also behind recent cyberattacks against numerous government agencies, oil and gas companies and other targets.
Charles Yoo, Resecurity's president, said the hackers nicked between six and 10 TB of datathrough several compromised employee accounts.
"So it's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources", he said.
While there is no evidence the attacks directly penetrated US government networks, the breach carries a potential risk that the hackers could eventually find their way into sensitive government networks, experts said.
Citrix issued a statement Friday saying the FBI had informed the company Wednesday that it had come under attack from "international cybercriminals" and that it was taking action "to contain this incident".
"While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.
"At this time, there is no indication that the security of any Citrix product or service was compromised."
It appears that the hackers were particularly interested in FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco, Saudi Arabia's state oil company, according to Yoo.
Yoo said his firm, which has been tracking the Iranian-linked group for years, has reason to believe that Iridium broke its way into Citrix's network about 10 years ago, and has been lurking inside the company's system ever since.
"Once an attacker goes into an environment and compromises one account, that's just the first stage. And what we uncovered and through our own analysis is a very sophisticated campaign", he said.