
F5, a provider of security and application delivery solutions, disclosed that it suffered a cyberattack orchestrated by state-sponsored threat actors. The company revealed in an SEC filing on August 9, 2023, that hackers gained long-term access to its systems, which included those associated with its flagship BIG-IP platform. During the breach, some sensitive files were exfiltrated, including source code and information on undisclosed vulnerabilities.
In its filing, F5 stated that it is not aware of any critical non-public vulnerabilities that could allow remote code execution. The company also reported that there is no evidence of ongoing exploitation of undisclosed flaws. “We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” F5 noted. The company further asserted that there was no indication that the hackers accessed or altered the NGINX source code or its associated development environments.
The attack’s implications may be serious, but F5 emphasized that its operational integrity remains largely intact. The company confirmed that no data was accessed from its customer relationship management (CRM), financial, iHealth, or support case management systems. Some files taken from an engineering knowledge management platform contained configuration and implementation data affecting a “small percentage” of customers. F5 is currently reviewing these files and will notify customers directly if necessary.
According to F5, it detected the cyberattack on August 9 but was permitted by the U.S. Justice Department to delay public disclosure. Publicly traded companies are required to report significant cybersecurity incidents within four business days unless granted an extension. The filing indicated that the incident has not materially impacted F5’s operations, although the company continues to evaluate any potential effects on its financial condition.
While F5 did not specify the identity of the attackers, the nature of the breach suggests a link to Chinese state-sponsored hackers. These actors have a history of targeting major software companies in search of undisclosed vulnerabilities. In a recent instance, Chinese cyberspies were implicated in the exploitation of SharePoint servers, prompting Microsoft to launch an investigation to assess whether information on these vulnerabilities was accessed from companies in its Microsoft Active Protections Program (MAPP).
Further insight from Google’s Threat Intelligence Group and Mandiant indicates that the recent campaign attributed to Chinese hackers has focused on the software-as-a-service (SaaS) and technology sectors. The attackers appear to be seeking to steal source code to analyze for potential zero-day vulnerabilities. F5’s BIG-IP appliances have previously been targeted in similar attacks, raising concerns about the ongoing threats posed by state-sponsored hacking groups.
As the investigation unfolds, F5 maintains a commitment to transparency with its customers and stakeholders regarding the breach and any necessary responses.