F5 Discovers Long-Term Compromise by Nation-State Actor
In a recent SEC filing, F5 Networks, a prominent security and application delivery vendor, disclosed that a sophisticated nation-state threat actor had maintained long-term access to some of its most critical systems. This alarming revelation was made public only after the U.S. Department of Justice advised a delay in disclosure.
Details of the Intrusion
F5’s SEC 8-K filing states that the intrusion was discovered on August 9 but was not disclosed until the filing; the delay, advised by the Department of Justice, allowed the company to coordinate its response with law enforcement before going public. Upon discovering the intrusion, F5 activated its incident response plan and implemented extensive containment measures.
The investigation revealed that the attacker had ongoing access to various F5 systems, including the BIG-IP product development environment and an engineering knowledge management platform. During this time, specific files were exfiltrated, which included parts of the BIG-IP source code and information related to undisclosed vulnerabilities that F5 was actively addressing.
Despite the breach, F5 told stakeholders that it believes the incident has been fully contained. In the filing it stated, “We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.” The company also said it has found no evidence that its software supply chain, including its source code and build pipelines, was modified, an assessment it says has been supported by independent reviews from outside cybersecurity firms.
Following the news, F5 shares experienced a notable decline, falling approximately 4% in recent trading, after an even steeper drop earlier in the day.
CISA Steps In with Guidance
On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal civilian agencies, directing them to secure their F5 environments. The directive’s concern is that access to F5’s proprietary source code, combined with details of vulnerabilities that were not yet patched, could let the attacker develop exploits for F5 devices and software ahead of the fixes.
Ryan Dewhurst, who heads Proactive Threat Intelligence at watchTowr, noted that signs of a serious issue became apparent when F5 discreetly rotated signing certificates and cryptographic keys on October 13. Dewhurst remarked that this kind of action usually points to significant underlying problems, confirming suspicions when F5 officially acknowledged the breach.
Dewhurst warned that older software signed with the prior keys might need closer examination, stating, “For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust.” He highlighted that if those signing keys had indeed been compromised, it might result in unauthorized software updates impersonating legitimate F5 updates.
F5 clarified that there is no evidence indicating unauthorized access to data from their CRM, financial, or support case management systems, nor their NGINX, F5 Distributed Cloud Services, and Silverline environments. Some exfiltrated files contained configuration information relevant to a small group of customers, and the company is currently assessing these files and intends to communicate directly with any affected clients.
Proactive Measures and Customer Guidance
F5 has communicated several proactive measures they are implementing to safeguard their customers and enhance cybersecurity across their platforms. They have enlisted the expertise of leading cybersecurity firms such as CrowdStrike and Mandiant in the wake of this incident. The company is also collaborating with law enforcement and government agencies to address these security challenges effectively.
Alongside the proactive measures, F5 released critical updates for multiple products, including BIG-IP and F5OS, recommending immediate installation of these updates. They have also introduced a threat hunting guide and hardening guidelines, along with monitoring tools aimed at enhancing overall security posture.
To improve their defenses, F5 has made significant adjustments, including a rotation of credentials and strengthened access controls, alongside efforts to enhance inventory and patch management automation. The firm has worked on improving detection and response capabilities, reinforcing its network security architecture, and making modifications to the product development environment.
Further measures include ongoing code reviews, penetration testing, and deploying advanced security solutions like CrowdStrike Falcon EDR sensors. As an additional step for BIG-IP customers, F5 is providing a complimentary Falcon EDR subscription valid until October 14, 2026.
In closing, F5 acknowledged the impact of this incident on their customers and expressed a commitment to learning from it. They emphasized that building and maintaining trust is an ongoing effort, especially in times of crisis.