Government-backed hackers breached enterprise technology vendor F5, gaining access to its BIG-IP product development environment and its engineering knowledge management platforms, the company said on Wednesday.
F5, which sells application security and data delivery products, said in a statement that “a highly sophisticated nation-state threat actor” stole some of the company’s files after breaking into its “engineering knowledge management platforms” and the product development environment for its flagship BIG-IP line.
The stolen files “contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP,” F5 said. It added that, as far as it was aware, none of the vulnerabilities consisted of critical flaws or involved remote code execution. F5 also said it was not aware of “active exploitation of any undisclosed F5 vulnerabilities.”
Some of the files stolen from the knowledge management platform contained configuration and implementation details for “a small percentage of customers,” information that could help the hackers tailor attacks on those organizations.
F5 said the hackers had “long-term, persistent access” to its systems. It said it discovered the attack in August but did not disclose when it began. An F5 spokesperson declined to answer questions about the intrusion.
The U.S. government is scrambling to determine whether hackers have breached any federal agencies by compromising their F5 products. The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an emergency directive ordering federal civilian agencies to immediately inventory all affected devices, remove the management interfaces of certain products from the public internet and apply F5’s security updates. Agencies have until Oct. 22 to patch most of the affected products and until Oct. 31 to patch the rest. CISA also ordered agencies to disconnect any end-of-life devices, with an exception for mission-critical needs.
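The directive’s steps (inventory every device, get management interfaces off the public internet, patch, disconnect end-of-life units unless mission-critical) are the kind of thing an agency runs against its asset inventory. The script below is an added example written for this page, not F5’s or CISA’s tooling. It assumes a CSV inventory with the columns shown, an allowlist of internal management networks, and a per-device `patched` flag; the page does not list affected versions or which products fall under which deadline, so patch status is an input column rather than a version lookup, and the deadlines are left to the reader.

```python
"""Triage a BIG-IP asset inventory against the remediation steps in the directive.

Added example, not F5's or CISA's code. The inventory below is constructed for
illustration (no real hosts); the management-network allowlist, the column names
and the yes/no flags are assumptions.
"""
import csv
import io
import ipaddress

# Assumption: management interfaces are only legitimate on these internal ranges.
MGMT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory. 203.0.113.0/24 is a documentation range
# standing in for a management interface that sits outside internal space.
SAMPLE_INVENTORY = """hostname,mgmt_ip,patched,end_of_life,mission_critical
bigip-core-01,10.20.0.5,yes,no,no
bigip-dmz-02,203.0.113.17,no,no,no
bigip-legacy-03,10.20.0.9,no,yes,no
bigip-legacy-04,10.20.0.10,no,yes,yes
bigip-lab-05,192.168.50.3,no,no,no
"""


def _flag(value: str) -> bool:
    """Interpret a yes/no style inventory column."""
    return value.strip().lower() in {"yes", "true", "1"}


def mgmt_off_mgmt_network(ip: str) -> bool:
    """True when the management address is outside every allowed internal range.

    Anything not on an internal management network is treated as exposed and
    must be moved or firewalled; IPv4 and IPv6 literals are both accepted.
    """
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MGMT_NETWORKS)


def triage_device(row: dict) -> list[str]:
    """Map one inventory row to the remediation actions it needs."""
    actions = []
    if mgmt_off_mgmt_network(row["mgmt_ip"]):
        actions.append("remove management interface from public internet")
    if _flag(row["end_of_life"]):
        # End-of-life units get no fix; they come off the network unless the
        # mission-critical exception applies, in which case document it.
        if _flag(row["mission_critical"]):
            actions.append("end-of-life: keep only under documented mission-critical exception")
        else:
            actions.append("disconnect end-of-life device")
    elif not _flag(row["patched"]):
        actions.append("apply F5 security update")
    return actions


def triage_inventory(csv_text: str) -> dict:
    """Return {hostname: [actions]} for every device; an empty list means compliant."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage_device(row) for row in reader}


if __name__ == "__main__":
    for host, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(actions) or "no action needed")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with the file contents; the allowlist check is deliberately strict (anything not on a known management network is flagged) so that a device reachable through a misconfigured DMZ address is caught even when the address is not strictly "public".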
CISA is not yet aware of any agency breaches, Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters during a briefing on Wednesday. He declined to identify the nation-state actor responsible for breaching F5.
The incident immediately drew comparisons to Russia’s SolarWinds espionage campaign, in which the Kremlin’s operatives penetrated the IT software vendor and tampered with its code. The F5 case differs in one respect: the attackers took source code and details of unpatched flaws rather than altering shipped software, which puts them in a strong position to develop exploits before fixes reach customers. By exploiting vulnerabilities in F5’s products, hackers could move across compromised organizations’ networks, establish persistent access and steal sensitive data, including passwords and API keys.
F5 said it had no evidence of “modification to our software supply chain, including our source code and our build and release pipelines.” The company said two independent audits confirmed that finding.
Still, Andersen said, the potential “downstream effects” on F5’s government and private-sector customers are highly worrisome.
“This is part of a broader strategic campaign that’s affecting our supply chain,” he said.
There are thousands of F5 products across the federal government, Andersen told reporters. CISA briefed other agencies on its emergency directive earlier on Wednesday and planned to brief state and local governments later in the day. Andersen said CISA is working with the agencies responsible for overseeing critical infrastructure sectors to warn members of those industries.
CISA is coordinating the response to the F5 breach as it struggles with layoffs, forced reassignments and furloughs related to the ongoing government shutdown. Andersen said the shutdown and the recent expiration of a key information-sharing law have not impeded CISA’s ability to address the F5 situation.
“The impacted staff does not include people who would be working on this” incident, Andersen told reporters.