On Wednesday, F5 Inc., a prominent enterprise technology vendor recognized for its application security and data delivery products, disclosed a security breach attributed to a nation-state actor. The attackers gained access to the company’s production environment and its engineering resource portal, taking various files in the process.
According to F5’s official statement, the breach involved a highly sophisticated threat actor that infiltrated its engineering knowledge management platforms, along with the development platform for its flagship BIG-IP product. This intrusion led to the theft of critical files, including some source code and information concerning undisclosed vulnerabilities within BIG-IP.
F5 reassured stakeholders that, to its knowledge, the vulnerabilities accessed did not include critical flaws or any that would allow remote code execution. The company emphasized that there are currently no indications of active exploitation of any undisclosed vulnerabilities related to its systems.
Notably, some of the stolen information related to specific configurations of F5 products utilized by a minority of its customers. Such data could potentially assist attackers in devising targeted strategies against these organizations.
F5 further revealed that the hackers possessed long-term, persistent access to its systems. The company discovered the intrusion in August but did not disclose the timeline of the initial attack. An F5 representative declined to comment further on the situation.
The U.S. government is now engaged in efforts to assess any potential breaches within federal agencies stemming from the compromise of F5 products. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal civilian agencies to urgently identify affected devices, remove certain management interfaces from public access, and implement F5’s security updates. The deadlines for these actions range from October 22 to October 31, depending on the products affected.
CISA is not currently aware of any agency breaches. During a Wednesday briefing, Nick Andersen, CISA’s Executive Assistant Director for Cybersecurity, refrained from naming the nation-state actor believed responsible for the F5 breach. The incident has drawn comparisons to Russia’s SolarWinds espionage campaign, in which operatives compromised an IT software vendor and manipulated its code. It has been suggested that by exploiting F5 products, hackers could move through compromised networks, establish lasting access, and steal sensitive data such as passwords and API keys.
Despite the breach, F5 stated there is no evidence of modifications to its software supply chain, including source code alterations. Two independent audits affirmed this conclusion. Nevertheless, Andersen cautioned that the potential downstream effects on F5’s clientele, in both the public and private sectors, are concerning.
Andersen indicated that the number of F5 products in use across federal agencies is substantial. CISA has briefed various agencies on its emergency directive and intends to reach out to state and local governments subsequently. The agency is also collaborating with sectors overseeing critical infrastructure to alert stakeholders regarding the ongoing situation.
Furthermore, CISA is leading the response to the F5 breach amid challenges posed by recent layoffs, reassignments, and furloughs related to the ongoing government shutdown. Nevertheless, Andersen confirmed that these operational hurdles have not hindered CISA’s ability to manage the F5 incident effectively, affirming that the impacted workforce does not include personnel involved in addressing this breach.