The Seattle-based company reported the breach in a SEC filing early Wednesday, saying the attacker maintained “long-term, persistent access” to some of its product development and engineering systems before the breach was contained.
Bloomberg reported late Wednesday that state-based hackers from China were responsible for the breach. The hackers were in F5’s systems for at least a year, according to Bloomberg, which cited sources familiar with the matter.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive Wednesday related to the breach, saying that a “nation-state cyber threat actor poses an imminent risk, with the potential to exploit vulnerabilities in F5 products to gain unauthorized access to embedded credentials and Application Programming Interface (API) keys.”
“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” CISA Acting Director Madhu Gottumukkala said in a statement. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems.”
F5 said it learned of the intrusion on Aug. 9, and that the U.S. Department of Justice authorized a delay in public disclosure. It released software updates for several products, including BIG-IP, F5OS, and BIG-IP Next, urging customers to patch immediately.
The company said it believes its containment efforts have been successful and that it has seen no new unauthorized activity.
F5’s market capitalization has fallen by more than $2 billion since the breach was disclosed.
F5 is one of Seattle’s largest public tech companies, with thousands of enterprise customers worldwide, including 80% of the Fortune Global 500. Its hardware and software sit in the middle of much of the world’s internet traffic, providing load-balancing, application delivery, and security services for major corporations and government agencies.
Cybersecurity experts say the breach reflects increasing exploitation of vulnerabilities against network edge devices. “Attackers target these devices because they are exposed, ignored, and under-protected,” John Loucaides, senior vice president of strategy at Portland startup Eclypsium, said in an emailed statement.
John Fokker, vice president of threat intelligence strategy at Trellix, said edge infrastructure and security vendors remain prime targets for state-linked threat actors.
“Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks,” he said in a statement. “Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community.”