Year-long F5 hack exposes broad risks

A year-long digital intrusion into cybersecurity company F5 has sent shockwaves through the industry, leaving widespread unease among corporate customers and triggering a scramble to identify potential vulnerabilities in their networks.

The breach, which was publicly disclosed last week, is blamed on Chinese spies and is believed to have stolen sensitive information about software vulnerabilities from F5's source code. While the company has released fixes for previously vulnerable products, its stock price plummeted 12% in a single day, highlighting the severity of the situation.

But the impact of the hack goes far beyond F5 itself. The company serves more than four in five Fortune 500 companies in some capacity, and US officials have warned that federal networks were among those targeted in the aftermath of the breach. This extensive presence has triggered a sense of unease among corporate customers, who are now left wondering if they too may be at risk.

The hack is being compared to the SolarWinds breach discovered in December 2020, which saw around a dozen government departments breached after the company's Orion software was tampered with. Like F5, SolarWinds is a tech equipment and services provider that typically plays a critical role in directing, managing, and filtering internet traffic.

"I'm not equating this to the SolarWinds attack, but I'm equating it to the fact that people never hear of it, but it's in everybody's network," said Michael Sikorski, chief technology officer at Palo Alto Networks' threat intelligence-focused Unit 42. "When we're talking about 80 percent of the Fortune 500, we're talking about banks, law firms, tech companies, you name it."

Sikorski noted that the F5 hackers stole source code and undisclosed vulnerability information, potentially giving them the ability to develop tools for cyberespionage in a tight time frame. He also warned that more disclosures are likely to come, as the lack of information about the breach is only adding to the sense of unease.

"We're waiting for the other shoe to drop," said Bob Huber, chief security officer of Tenable. "As of right now, this is not SolarWinds, but F5 has said it had 'no evidence of modification to our software supply chain.' Still, there were signs that more unwelcome disclosures lie ahead, given the paucity of information about the breach and the urgency with which the government was moving to remediate it."

Huber noted that while no other victims of the F5 breach have been publicly identified, Greynoise Intelligence has detected signs that an unknown actor was scanning the internet for F5 devices beginning about a month ago. This suggests that someone knew more about the breach, and earlier, than has been publicly acknowledged.

"That implies someone somewhere knew something," said Glenn Thorpe, senior director of security research and detection engineering at Greynoise Intelligence. "It's clear that this is not an isolated incident, but part of a larger pattern of behavior."