The cybersecurity company F5 Inc. said nation-state hackers breached its networks, gaining “long-term, persistent access” to certain systems and stealing some source code. The breach prompted alerts from cybersecurity agencies in the US and UK, with a senior US official warning of potentially “catastrophic” compromises.
The Seattle, Washington-based company discovered on August 9 that attackers had compromised its systems, according to a filing with the US Securities and Exchange Commission on Wednesday. The intruders stole information about F5’s BIG-IP product development platform, including portions of its source code and details about some vulnerabilities the company was working on, according to the statement.
Hackers also exfiltrated some files containing information relating to the configuration or implementation of IT for a “small percentage” of F5 customers, according to the filing. The company is currently contacting those customers, it said.
“We truly regret that this incident occurred and the risk it may create for you,” F5 stated in a policy update on Wednesday. “We are committed to learning from this incident and sharing those lessons with the broader security community.”
F5’s BIG-IP products include software designed to integrate with existing applications inside customer networks and bolster their security. It offers added features, including controls on who can access customer programs as well as firewalls to keep hackers from penetrating them.
The US Cybersecurity and Infrastructure Security Agency issued an emergency directive over the breach, describing it as a “significant cyber threat targeting federal networks utilizing certain F5 devices and software.” It warned all federal agencies to update their F5 technology by October 22.
The agency warned that nation-state hackers could exploit vulnerabilities in F5 products to gain access to credentials and tools that could allow them to move through a company’s network, steal sensitive data and compromise entire information systems.
“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” CISA Acting Director Madhu Gottumukkala said in a statement. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.”
The UK’s National Cyber Security Centre also issued an alert about the breach on Wednesday, warning that hackers could use their access to F5 systems to exploit the company’s technology and to identify additional vulnerabilities. The UK government urged customers to identify all F5 products, assess whether those devices have been compromised, inform the NCSC about potential breaches and install the latest security updates.
Last year, the cybersecurity company Sygnia linked a suspected Chinese state-sponsored group that it called Velvet Ant to attacks targeting F5’s BIG-IP appliances. The alleged Chinese group had developed malicious software that enabled attackers to steal data over a period of three years from a targeted organization that was operating outdated BIG-IP equipment, Sygnia found.
Sygnia’s report noted that F5’s BIG-IP appliances occupy a trusted position in network architecture, making them appealing targets for hackers. “By compromising such a device, attackers can exert significant control over network traffic without arousing suspicion,” the report said.
It’s not clear if those attacks are related to the breach F5 disclosed on Wednesday. A representative for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.
Cybersecurity experts said that from a hacker’s perspective, the potentially most valuable technology within F5’s BIG-IP family of products is its virtual private network, or VPN, software, which plays an essential role in protecting sensitive networks and data by helping control who’s allowed to access them. VPNs are a type of technology that’s also been heavily targeted by nation-state hackers, especially from China.
By stealing the source code and internal data about vulnerabilities for BIG-IP products, hackers got a road map to potentially exploiting multiple F5 cybersecurity technologies in ways that are unlikely to be detected, the experts said.
“Since that vulnerability information is out there, everyone using F5 should assume they’re compromised,” said Chris Woods, a former security executive with HP Inc. who is now founder of CyberQ Group Ltd., a cybersecurity services firm in the UK.
Stephan Berger, a former cybersecurity analyst with the Swiss government who’s now head of investigations for InfoGuard AG, a Swiss cybersecurity firm, said the attack was likely aimed at F5’s VPNs, which he described as the technology in the BIG-IP family of products with the most direct relevance for hackers.
F5 is working with cybersecurity companies CrowdStrike Holdings Inc. and Google’s Mandiant to investigate, the company said. Cybersecurity research firms NCC Group and IOActive were called in to independently review the breach and found no evidence that the hackers had modified the company’s software supply chain, including its source code, it added.
The US Department of Justice allowed F5 to delay reporting the breach to the SEC after determining that immediate disclosure would present a risk to national security, according to the statement. F5 said it believes it has contained the breach.
F5 also released a detailed list of vulnerabilities for a number of its products, advising customers to update them as soon as possible. This includes its Access Policy Manager, a product that provides centralized access to applications and enables an organization’s single sign-on and multifactor authentication for employees.
Photograph: Fiber optic cables; photo credit: Jason Alden/Bloomberg