‘Highly Sophisticated’ Government Goons Hacked F5, Stole Source Code and Undisclosed Bug Details
Security shop F5 today said “highly sophisticated nation-state” hackers broke into its network and stole BIG-IP source code, undisclosed vulnerability details, and customer configuration data belonging to a “small percentage” of its users.
“The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate,” F5 said in a US Securities and Exchange Commission filing.
While F5 didn’t name the suspected nation-state in any of its disclosures, the feds and private security researchers have recently accused both Russia and China of breaking into critical networks and stealing sensitive information.
The company said that it discovered the network intruders in early August, and during its investigation determined that they had maintained long-term access to its BIG-IP product development and engineering platforms.
“We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the firm said.
There’s “no evidence” that the government-backed goons poisoned its software supply chain, including its source code and its build and release pipeline, it added. Third-party security researchers at NCC Group [PDF] and IOActive [PDF] verified these findings in subsequent documents.
The stolen files appear to be limited to F5’s BIG-IP application delivery controller, and the company said that the attackers didn’t access or modify the NGINX source code or product development environment, or its F5 Distributed Cloud Services and Silverline systems.
The US Justice Department allowed F5 to delay the disclosure, which underscores the seriousness of the breach. This only happens if public disclosure poses a substantial risk to national security or public safety.
In addition to working with NCC Group and IOActive, F5 also hired CrowdStrike and Google’s Mandiant to respond to the intrusions, and engaged law enforcement and government agencies to help boot the snoops off of its systems.
“We have taken extensive actions to contain the threat actor,” F5 said in a security incident alert on its website. “Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”
It also released patches for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, and “strongly” advises customers to update to the new releases as soon as possible.
On Monday, two days before filing with the SEC and alerting the public about the breach, F5 rotated its signing certificates and cryptographic keys, which is significant because these are used to prove that F5-produced software is legitimate and untampered.
“Older software signed with the previous keys may now warrant closer scrutiny,” Ryan Dewhurst, watchTowr’s head of proactive threat intelligence, told The Register. “For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust. If those compromised keys were stolen, and F5 hasn’t ruled that out, malicious software updates signed by ‘F5’ could be indistinguishable from the real thing.” ®
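The point Dewhurst makes is that after a signing-key rotation, a valid signature is no longer enough on its own: a verifier also has to know which key produced it, and treat artifacts signed with the retired key differently from those signed with the current one. The following is an added illustration, not F5's code or tooling, of how a release verifier can keep that distinction. It assumes Ed25519 signatures, a trust store keyed by a hash of the public key, and constructed artifact names and payloads; the real vendor formats and key material are not on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyStatus records whether a release-signing key is still trusted for new builds.
type KeyStatus int

const (
	KeyActive  KeyStatus = iota // current key: signatures are fully trusted
	KeyRetired                  // rotated out: signatures still verify, but warrant review
)

// Verdict is the verifier's decision for one artifact.
type Verdict string

const (
	VerdictTrusted      Verdict = "trusted: signed with the active key"
	VerdictScrutinize   Verdict = "verify out-of-band: signed with a retired key"
	VerdictUnknownKey   Verdict = "reject: signing key not in trust store"
	VerdictBadSignature Verdict = "reject: signature does not verify"
)

// TrustStore maps a key ID to its public key and rotation status (constructed, in-memory).
type TrustStore struct {
	keys   map[string]ed25519.PublicKey
	status map[string]KeyStatus
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}, status: map[string]KeyStatus{}}
}

// KeyID derives a short, stable identifier from the public key bytes.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Add registers a key with its status and returns its ID.
func (ts *TrustStore) Add(pub ed25519.PublicKey, st KeyStatus) string {
	id := KeyID(pub)
	ts.keys[id] = pub
	ts.status[id] = st
	return id
}

// SignedArtifact is a release file together with the signature and the ID of the key that made it.
type SignedArtifact struct {
	Name    string
	Payload []byte
	KeyID   string
	Sig     []byte
}

// Sign produces a signed artifact, recording which key was used.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) SignedArtifact {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedArtifact{Name: name, Payload: payload, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, payload)}
}

// Verify checks the signature and then the rotation status of the key that produced it.
func (ts *TrustStore) Verify(a SignedArtifact) Verdict {
	pub, ok := ts.keys[a.KeyID]
	if !ok {
		return VerdictUnknownKey
	}
	if !ed25519.Verify(pub, a.Payload, a.Sig) {
		return VerdictBadSignature
	}
	if ts.status[a.KeyID] == KeyRetired {
		return VerdictScrutinize
	}
	return VerdictTrusted
}

// Demo builds a store with one retired and one active key, signs constructed artifacts
// under each (plus an unknown key and a tampered payload), and returns the verdicts by name.
func Demo() map[string]Verdict {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader) // key in use before rotation
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader) // key issued at rotation
	_, unknownPriv, _ := ed25519.GenerateKey(rand.Reader)  // key the verifier has never seen

	ts := NewTrustStore()
	ts.Add(oldPub, KeyRetired)
	ts.Add(newPub, KeyActive)

	artifacts := []SignedArtifact{
		Sign(newPriv, "release-current.img", []byte("constructed payload A")),
		Sign(oldPriv, "release-legacy.img", []byte("constructed payload B")),
		Sign(unknownPriv, "release-unknown.img", []byte("constructed payload C")),
	}
	tampered := Sign(newPriv, "release-tampered.img", []byte("original bytes"))
	tampered.Payload = []byte("modified bytes") // payload changed after signing
	artifacts = append(artifacts, tampered)

	out := map[string]Verdict{}
	for _, a := range artifacts {
		out[a.Name] = ts.Verify(a)
	}
	return out
}

func main() {
	for name, v := range Demo() {
		fmt.Printf("%-22s %s\n", name, v)
	}
}
```

The retired key is deliberately kept in the store rather than deleted: removing it would make every older release look like an unknown-key rejection, which hides the useful signal that the file was genuinely signed before the rotation and should be checked against the vendor's published hashes rather than discarded outright.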