Chinese-linked hackers infiltrated F5’s systems in late 2023

Hackers linked to China’s state-backed cyber units infiltrated F5’s internal networks in late 2023 and stayed hidden until this August, according to Bloomberg. The Seattle-based cybersecurity company admitted in filings that its systems had been compromised for nearly two years, allowing attackers “long-term, persistent access” to its internal infrastructure.

The breach reportedly exposed source code, sensitive configuration data, and information about undisclosed software vulnerabilities in its BIG-IP platform, a technology that powers the networks of 85% of Fortune 500 companies and many US federal agencies.

The hackers broke in through F5’s own software, which had been left exposed online after employees failed to follow internal security policies. The attackers exploited that weak point to enter and roam freely inside systems that should have been locked down.

F5 company told customers that the oversight directly violated the same cyber guidelines the company teaches its clients to follow. When the news broke, F5’s shares fell more than 10% on October 16, wiping out millions in market value.

“Since that vulnerability information is out there, everyone using F5 should assume they’re compromised,” said Chris Woods, a former security executive with HP who is now founder of CyberQ Group Ltd., a cybersecurity services firm in the UK.

Hackers used F5’s own technology to maintain stealth and control

F5 sent customers on Wednesday a threat hunting guide for a type of malware called Brickstorm used by Chinese state-backed hackers, according to Bloomberg.

Mandiant, which was hired by F5, confirmed that Brickstorm allowed hackers to move quietly through VMware virtual machines and deeper infrastructure. After securing their foothold, the intruders stayed inactive for over a year, an old but effective tactic meant to outwait the company’s security log retention period.

Logs, which record every digital trace, are often deleted after 12 months to save costs. Once those logs were gone, the hackers reactivated and pulled data from BIG-IP, including source code and vulnerability reports.

F5 said that while some customer data was accessed, it has no real evidence that hackers changed its source code or used the stolen information to exploit clients.

F5’s BIG-IP platform handles load balancing and network security, routing digital traffic and shielding systems from intrusion.

US and UK governments issue emergency warnings

The US Cybersecurity and Infrastructure Security Agency (CISA) called the incident a “significant cyber threat targeting federal networks.” In an emergency directive issued on Wednesday, CISA ordered all federal agencies to identify and update their F5 products by October 22.

The UK’s National Cyber Security Centre also issued an alert about the breach on Wednesday, warning that hackers could use their access to F5 systems to exploit the company’s technology and to identify additional vulnerabilities.

Following the disclosure, F5 CEO Francois Locoh-Donou held briefings with customers to explain the scope of the breach. Francois confirmed that the company had called in CrowdStrike and Google’s Mandiant to assist alongside law enforcement and government investigators.

Officials familiar with the probe allegedly told Bloomberg that the Chinese government was behind the attack. But a Chinese spokesperson dismissed the accusation as “groundless and made without evidence.”

Ilia Rabinovich, Sygnia’s vice president of cybersecurity consulting, said that in the case Sygnia disclosed last year, hackers hid inside F5’s appliances and used them as a “command and control” base to infiltrate victim networks undetected. “There is a potential for it to evolve into something that is massive, because numerous organizations deploy those devices,” he said.

If you're reading this, you’re already ahead. Stay there with our newsletter.