CISA warns of imminent risk posed by thousands of F5 products in federal agencies
Federal cyber authorities issued an emergency directive Wednesday requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.
The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.
F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.
CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.
Many federal agencies and private organizations could be impacted. CISA said there are thousands of F5 product types in use across executive branch agencies.
These attacks on widely used vendors and their customers are part of a broader campaign targeting key elements of America’s technology supply chain, extending the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at CISA, said during a media briefing.
CISA declined to name the country or specific threat groups behind the attack on F5’s systems. Generally, the broader goal of nation-state attackers is to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack, or gather sensitive information, Andersen said.
CISA’s order requires federal agencies to apply security patches F5 released in response to the attack, disconnect non-supported devices or services, and provide CISA a report including a detailed inventory of all instances of F5 products within scope of the directive.
Officials referred questions about the effectiveness of F5’s security patches back to the vendor and declined to independently verify if the software updates have fixed the vulnerabilities attackers gained information on during the breach.
Neither CISA nor F5 have explained how the attackers gained access to F5’s internal systems.
Officials repeatedly insisted that the government shutdown and multiple waves of reductions to CISA’s workforce did not negatively affect or delay the government’s ability to coordinate with partners, respond to this threat and issue the emergency directive. Andersen declined to say how many CISA employees have been dismissed with reduction-in-force orders since the federal government shut down two weeks ago.
“This is really part of getting CISA back on mission,” Andersen said.
“While, yes, this may be the third emergency directive that’s been issued since the beginning of the Trump administration, this is the core operational mission for CISA,” Andersen said. “That’s really what we should be doing, and we’re able to continue to perform that mission in collaboration with our asset partners right now.”
