CISA warns of ‘significant’ threat to federal networks after nation-state hackers stole F5 source code, undisclosed bug info
The federal government has issued an emergency directive ordering all civilian agencies to update products from F5 after the security company said a nation-state actor had long-term persistent access to source code and information about undisclosed vulnerabilities during a breach discovered in August.
The Cybersecurity and Infrastructure Security Agency (CISA) said it “has identified a significant cyber threat targeting federal networks utilizing certain F5 devices and software.”
“A nation-state cyber threat actor poses an imminent risk, with the potential to exploit vulnerabilities in F5 products to gain unauthorized access to embedded credentials and Application Programming Interface (API) keys,” the agency said.
“Such exploitation could allow the threat actor to move laterally within an organization’s network, exfiltrate sensitive data, and establish persistent system access, potentially leading to a full compromise of targeted information systems.”
The emergency directive orders all agencies to apply the latest updates for all at-risk F5 virtual and physical devices and downloaded software by October 22. All federal agencies need to report back to CISA about their F5 deployments by October 29.
On a press call, CISA officials declined to say what nation-state was behind the incident and said it is “not aware of any potential data compromise” within the federal government.
“I don't have any federal agencies at this time that confirmed a compromise as a result of these vulnerabilities. Hopefully the emergency directive is going to help us better understand the scope and any potential compromises across the federal government,” said Nick Andersen, executive assistant director of cybersecurity at CISA.
He added that there are thousands of F5 devices across federal networks. CISA will be holding informational calls about the F5 issue with government agencies at the local and state level as well as the private sector throughout Wednesday.
F5 and CISA warned that the hackers gained access to troves of information about BIG-IP — the company’s suite of application delivery and security products that sits in front of organizations’ network traffic, providing load balancing, firewalling, access control and more.
CISA told federal civilian agencies that the threat actor's access to F5’s proprietary source code could provide that threat actor with “a technical advantage to exploit F5 devices and software.”
“The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits,” CISA explained.
CISA Acting Director Madhu Gottumukkala added that the “alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies.”
He urged organizations outside of the federal government to also update their F5 systems in light of the company’s disclosures, explaining that the information obtained by the nation-state actors could lead to “catastrophic compromise of critical information systems.”
SEC disclosure
F5 filed reports about the incident with the Securities and Exchange Commission (SEC) on Wednesday and noted that the U.S. Justice Department decided to delay the public disclosure of the breach by one month — one of the first times a company has publicly acknowledged DOJ intervention in SEC cybersecurity disclosures.
In an 8-K report signed by CEO François Locoh-Donou, F5 said it learned of the “highly sophisticated” nation-state attack on August 9 and began an investigation alongside cybersecurity experts from CrowdStrike, Mandiant and others. Federal law enforcement and unnamed “government partners” are working with F5 on the investigation.
“During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform,” the company explained.
“Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.”
The company did not say what nation-state it believed was behind the attack when reached for comment.
F5 noted that some of the exfiltrated files from its knowledge management platform “contained configuration or implementation information for a small percentage of customers.”
“The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate,” F5 said.
The company found no evidence of any modifications to its software supply chain, source code or release pipelines. Outside cybersecurity research firms NCC Group and IOActive have validated this, the company said in the report.
F5 said it is not aware of any undisclosed critical or remote code execution vulnerabilities and is “not aware of active exploitation of any undisclosed F5 vulnerabilities.”
F5 published a separate statement about the incident and urged customers to install recent updates to BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Attached to the statement are attestation forms from NCC Group and IOActive validating F5’s assessment of the situation.
Since discovering the incident, F5 believes it has removed the threat actors and claims it has not seen any evidence of new activity related to the breach.
The company said that in response to the incident, it has rotated credentials and deployed a range of new cybersecurity measures focused on patch management automation and threat detection.
F5 is also continuing to conduct code reviews and penetration tests of its products with the help of NCC Group and IOActive. The company noted that F5 will provide all supported customers with a free CrowdStrike Falcon EDR subscription.
CISA’s Gottumukkala noted that the agency was continuing to share this threat information in spite of the government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015.
Last year, Mandiant published a report showing that contractors for China's Ministry of State Security (MSS) were exploiting CVE-2023-46747 — a vulnerability affecting F5 BIG-IP that was disclosed in late October 2023. U.S. agencies confirmed that the bug was being exploited.
“China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP…to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits,” Mandiant said at the time.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.