
F5 Says Nation-State Hackers Stole Source Code and Vulnerability Data

F5 shared few details on the threat actor, but the attack profile seems to point to China. The post F5 Says Nation-State Hackers Stole Source Code and Vulnerability Data appeared first on SecurityWeek.

F5 was recently targeted by state-sponsored threat actors who managed to steal sensitive information from the company’s systems.

The security and application delivery solutions provider revealed in an SEC filing on Wednesday that the hackers maintained long-term and persistent access to some of its systems, including ones associated with the development of the company’s BIG-IP flagship platform.

The attackers managed to exfiltrate some files, including ones containing BIG-IP source code and information on undisclosed vulnerabilities. However, F5 says it’s not aware of any non-public vulnerabilities that are critical or allow remote code execution, and it’s also not aware of any active exploitation of undisclosed flaws. 

“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” F5 said, adding “We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.”

The company also pointed out that there is no evidence the hackers accessed or stole data from its CRM, financial, iHealth, or support case management systems. 

Some files exfiltrated from an engineering knowledge management platform contained configuration and implementation data pertaining to a “small percentage” of customers. Those files are being reviewed and customers will be directly notified if needed.

According to F5, it detected the attack on August 9, but it was given permission by the US Justice Department to delay disclosure. 

Public companies are required to disclose any material cybersecurity incident within four business days unless granted a delay by the Justice Department. F5’s Wednesday filing indicates that the incident has not had a material impact on its operations and it’s still in the process of determining whether its financial condition or results of operations will be affected. 

F5 has not shared any additional information on the perpetrator, but the attack profile points to China as the potential threat actor.

Chinese state-sponsored hackers are known for targeting major software companies to find undisclosed vulnerabilities.

For instance, following the recent ToolShell attacks targeting SharePoint servers, Microsoft reportedly launched an investigation to determine whether Chinese nation-state threat actors had obtained information on the exploited SharePoint vulnerabilities from companies enrolled in its Microsoft Active Protections Program (MAPP), through which vendors receive information about critical flaws ahead of the general public. 

Google’s Threat Intelligence Group and Mandiant reported recently that a campaign attributed to Chinese cyberspies targeted the software-as-a-service (SaaS) and technology industries, and one of the attackers’ goals may have been to steal source code that they could analyze in search of zero-day vulnerabilities.

In addition, Chinese hackers are known to have targeted BIG-IP appliances in their attacks. 

UPDATE: More information has come to light: the attack has been linked to China, F5 has released patches for BIG-IP products, and governments have issued warnings.
