F5 has confirmed that state-sponsored hackers successfully infiltrated its systems, stealing sensitive information, including source code and vulnerability data associated with its flagship BIG-IP platform. The security and application delivery solutions provider disclosed this information in an SEC filing on September 13, 2023. According to the company, the hackers maintained persistent access to its systems, allowing them to exfiltrate files containing critical technical details.

The attack, which F5 detected on August 9, 2023, prompted the company to notify the US Justice Department, which granted it permission to delay public disclosure of the incident. F5 stated that it has no evidence of any critical non-public vulnerabilities being exploited, nor has it identified any active exploitation of undisclosed flaws. The company reassured stakeholders by indicating that there is no sign of tampering with its software supply chain, including its source code and build processes.

In its filing, F5 emphasized, “We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.” Furthermore, F5 noted that there was no indication that customer data from its CRM, financial systems, or support case management systems was compromised.

Some files that were exfiltrated contained configuration and implementation data related to a “small percentage” of customers. These files are currently under review, and F5 plans to notify any affected customers directly if necessary.

The nature of the attack aligns with tactics often employed by state-sponsored actors, particularly those linked to China. Although F5 did not name the attackers, the profile suggests a potential connection to Chinese cyberspies, who have a history of targeting major software companies to uncover undisclosed vulnerabilities.

Recent reports from Google’s Threat Intelligence Group and Mandiant highlighted a broader campaign, attributed to Chinese hackers, that focuses on the software-as-a-service (SaaS) and technology industries. Their objective may include the theft of source code for analysis in search of zero-day vulnerabilities. This trend follows other high-profile incidents, such as the ToolShell attacks targeting SharePoint servers, which prompted Microsoft to investigate potential breaches involving its Microsoft Active Protections Program (MAPP).

Despite the attack, F5 maintains that the incident has not materially impacted its operations. The company is currently assessing whether its financial condition or operational results will be influenced by the breach. As the investigation continues, F5 remains committed to ensuring the security of its systems and protecting customer data from future threats.