F5 discloses breach tied to nation-state threat actor

F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be a “a substantial risk to national security or public safety.”  

Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken were “configuration or implementation information for a small percentage of customers.”

F5 reported that independent reviews by incident response firms found no evidence the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company’s customer relationship management, financial, support case management, or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

Investigative findings further indicated that the NGINX product development environment, as well as F5 Distributed Cloud Services and Silverline systems, remained unaffected.

The United Kingdom’s National Cyber Security Centre said in a notice there is currently no indication customer networks have been impacted as a result of F5’s compromised network.

F5 has continued to work alongside federal law enforcement throughout its response and is implementing additional measures to strengthen its network defenses. Company officials reported that the breach has not had a material effect on its daily operations as of the disclosure date. Ongoing assessments are being conducted to determine if there may be any impact on the company’s financial position or results.

F5, based in Seattle, is a major player in the application security and delivery market, serving thousands of enterprise customers worldwide, including much of the Fortune 500. The company’s primary offerings include its BIG-IP line of hardware and software products, which provide network traffic management, application security, and access control, as well as its NGINX and F5 Distributed Cloud Services platforms. F5’s technologies are used extensively by businesses, government agencies, and service providers around the world. 

Fixes rolled out

F5 released a series of updates to its BIG-IP software suite and advised customers to update their clients for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM as soon as possible. 

The company also shared steps customers can take to harden their F5 systems and added some checks to its diagnostic tool, which can help identify gaps in security and prioritize a proper course of action. 

F5 encouraged customers to monitor for potentially unauthorized login attempts and configuration changes by integrating their security information and event management tools. 

The vendor said it bolstered its internal security in the wake of the breach by rotating credentials and improving its network security architecture and access controls across its systems. F5 also added tools to better monitor, detect and respond to threats, and said it strengthened security controls in its product development environment. 

The company brought in multiple firms to assist in its response and recovery efforts, including NCC Group, IOActive and CrowdStrike. F5 said it’s working with CrowdStrike to make endpoint detection and response sensors and threat hunting available to its customers. 

NCC Group and IOActive both attested that they have not identified any critical-severity vulnerabilities in F5’s source code nor did they find evidence of exploited defects in the company’s critical software, products or development environment. NCC Group added that it has not found any suspicious threat activity such as malicious code injection, malware or backdoors in F5 source code during its review thus far.

“Your trust matters. We know it is earned every day, especially when things go wrong,” the company said in a blog post. “We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”

Matt Kapko contributed to this story.

This is a developing story and will be updated as information becomes available.