F5 admits nation-state actor stole BIG-IP source code
F5 discloses that a nation-state actor has stolen source code and unpatched vulnerability data for its widely used BIG-IP products, raising supply chain security concerns across the industry
F5 has revealed that a highly sophisticated nation-state threat actor had gained long-term, persistent access to its corporate network, exfiltrating parts of the source code for its flagship BIG-IP products.
In a security notification released today, the network and application security supplier said the perpetrator had also downloaded information on undisclosed vulnerabilities that it was in the process of fixing.
The breach, which F5 learned of in August 2025, targeted the company’s product development environment and engineering knowledge management platforms.
The incident has raised supply chain security concerns across the industry, as F5 technology underpins the networks of 85% of Fortune 500 companies, as well as major government agencies and critical infrastructure operators worldwide.
F5 said it has since contained the threat and has seen no new unauthorised activity. However, the potential fallout from the theft of its data has sent shockwaves through the cyber security community.
“Make no mistake, the breach at F5 is a five-alarm fire for national security,” said Bob Huber, chief security officer at Tenable and a former US Navy cyber leader, adding that the stolen data could be used as a master key to launch devastating attacks, similar to the campaigns waged by Salt Typhoon and Volt Typhoon.
F5 response and customer actions
In its disclosure, F5 assured customers that its investigation, supported by CrowdStrike and Mandiant, has found no evidence that the threat actor modified its software supply chain, source code, or build and release pipelines. This assessment was independently validated by NCC Group and IOActive.
The company also stated it has no evidence of compromise to its customer relationship management, financial, or support case management systems. However, it did confirm that some exfiltrated files contained “configuration or implementation information for a small percentage of customers”, and that it will be communicating with those affected directly.
In response, F5 has released urgent security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM clients, urging customers to update to these new releases as soon as possible.
F5 is also taking steps to help customers secure their environments, including providing a threat hunting guide to strengthen detection and monitoring; adding automated hardening checks to the F5 iHealth diagnostic tool; and offering an early access version of CrowdStrike’s Falcon EDR sensors for BIG-IP, with a free subscription for all supported customers.
The cyber disclosure is particularly fraught, coming during a US government shutdown that has impacted federal cyber security readiness.
“This would be a shocking revelation on a good day,” said Huber. “But it comes as a government shutdown and associated staffing impacts have left federal cyber security operations at reduced capacity. The reality is that our national defenders are operating with one hand tied behind their back, right when a major threat has emerged.”
Despite the gravity of the situation, Huber credited F5 for its handling of the incident. “This is a time for the entire cyber security industry to pull together, get proactive and pay close attention to remediation guidance,” he said. “F5 should get credit for their transparency and how they’ve handled this incident so far.”
For now, the focus for thousands of organisations globally is on patching, hardening and hunting for any signs of compromise. The full impact of the stolen data may not be known for months or even years, but the immediate risk is clear.
“The attackers have a map to our most sensitive environments,” said Huber. “Our only defence is to eliminate every possible path before they choose to strike.”
The UK’s National Cyber Security Centre (NCSC) warned that users of any F5 device that has reached end of support may be vulnerable, along with the supplier’s BIG-IP iSeries and rSeries devices.
“Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and application programming interface (API) keys, move laterally within an organisation’s network, exfiltrate data, and establish persistent system access,” said the NCSC in a statement.
The NCSC advised organisations to identify all F5 products in use and, where an exposed management interface is found, to undertake a compromise assessment.
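One way a defender can turn the NCSC advice into a repeatable triage step is to run the asset inventory through a small script that picks out F5 products and flags the ones needing attention: a management interface reachable outside the designated management network (compromise assessment), an end-of-support device (no fix coming), or a device not yet on the updated release. The following is an added example, not code from the article, the NCSC or F5; the inventory columns, the allowed management network, and every hostname and address in it are constructed for illustration.

```python
"""Triage an asset inventory for F5 devices that need follow-up after the
F5 disclosure: exposed management interface, end of support, or unpatched.

Added example. The CSV layout, the management network and all sample rows
are constructed assumptions, not data from the article, the NCSC or F5.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Product names from F5's update list (BIG-IP, F5OS, BIG-IQ) and the hardware
# lines the NCSC singled out (iSeries, rSeries). Matching is a case-insensitive
# substring test on the inventory's product column.
F5_PRODUCT_MARKERS = ("big-ip", "f5os", "big-iq", "iseries", "rseries")

# Constructed assumption: the only network from which management interfaces
# should be reachable. Anything outside it is treated as exposed.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]

REASON_EXPOSED = ("management interface reachable outside the management "
                  "network: run a compromise assessment")
REASON_EOS = "end of support: no fix available, plan replacement"
REASON_UNPATCHED = "not on the updated release"


@dataclass
class Finding:
    hostname: str
    product: str
    mgmt_address: str
    reasons: tuple[str, ...]


def is_f5_product(product: str) -> bool:
    """True if the product column names one of the F5 product lines above."""
    p = product.lower()
    return any(marker in p for marker in F5_PRODUCT_MARKERS)


def mgmt_is_exposed(address: str) -> bool:
    """True unless the address sits inside an allowed management network.
    Unparseable values are treated as exposed so they surface for review."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return True
    return not any(ip in net for net in ALLOWED_MGMT_NETS)


def triage(inventory_csv: str) -> list[Finding]:
    """Return one Finding per F5 device that has at least one reason to act."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_f5_product(row["product"]):
            continue
        reasons = []
        if mgmt_is_exposed(row["mgmt_address"]):
            reasons.append(REASON_EXPOSED)
        if row["end_of_support"].strip().lower() == "yes":
            reasons.append(REASON_EOS)
        if row["patched"].strip().lower() != "yes":
            reasons.append(REASON_UNPATCHED)
        if reasons:
            findings.append(Finding(row["hostname"], row["product"],
                                    row["mgmt_address"], tuple(reasons)))
    return findings


# Constructed sample inventory; the 203.0.113.0/24 address is a documentation
# range standing in for "reachable from outside the management network".
SAMPLE_INVENTORY = """hostname,product,mgmt_address,end_of_support,patched
lb-edge-01.example.invalid,BIG-IP iSeries,203.0.113.10,no,no
lb-core-02.example.invalid,BIG-IP rSeries,10.20.30.40,no,yes
lb-legacy-03.example.invalid,BIG-IP (unsupported),10.20.30.41,yes,no
mgr-01.example.invalid,BIG-IQ,10.20.30.42,no,yes
fw-dmz-01.example.invalid,Other vendor firewall,203.0.113.20,no,no
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.hostname} ({finding.product}, mgmt {finding.mgmt_address})")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

The exposure test deliberately compares against an allow-list of management networks rather than asking whether an address is "public": a management interface reachable from a general-purpose internal VLAN is still outside the boundary the NCSC guidance is about, and the allow-list makes that boundary explicit and reviewable.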
