Year-long F5 Hack Exposes Broad Risks

Year-long F5 hack exposes broad risks, triggers widespread unease among corporate customers

A more than year-long digital intrusion into cybersecurity company F5 has sent shockwaves through the industry, leaving defenders scrambling to identify potential vulnerabilities in the many corporate networks that rely on its products. The breach, which was publicly disclosed last week and attributed to Chinese spies, has raised concerns about the scope of the attack and whether more disclosures are imminent.

F5's extensive presence in the market has triggered widespread unease, with US officials urging immediate action after federal networks were targeted in the hack's aftermath. The company's website claims that it serves more than four in five Fortune 500 companies in some capacity, making it a critical component of many organizations' internet infrastructure.

The breach has drawn comparisons to the SolarWinds hacking incident discovered in December 2020, which saw the software company's source code tampered with, allowing hackers to gain access to highly sensitive networks. Around a dozen government departments were eventually breached in the wide-ranging spy operation, highlighting the devastating impact of such attacks.

"I'm not equating this to the SolarWinds attack, but I'm equating it to the fact that people never hear of it, but it's in everybody's network," said Michael Sikorski, chief technology officer at Palo Alto Networks' threat intelligence-focused Unit 42. "When we're talking about 80 percent of the Fortune 500, we're talking about banks, law firms, tech companies, you name it."

The F5 hackers are believed to have stolen source code and undisclosed vulnerability information, potentially giving them the ability to develop tools for cyberespionage in a tight time frame. Bob Huber, chief security officer of Tenable, noted that while the breach was not identical to SolarWinds, there were signs that more unwelcome disclosures lie ahead.

"As of right now, this is not SolarWinds," Huber said, "but we're waiting for the other shoe to drop." He added that two things suggested more disclosures are on the horizon: the paucity of information about the breach, and the urgency with which the government was moving to remediate it, via an October 15 emergency directive and a public warning that unnamed federal networks were being targeted by a "nation-state cyber threat actor."

While no other victims of the F5 breach have been publicly identified, GreyNoise Intelligence has found hints that an unknown actor was searching out F5 devices on the internet starting about a month ago. The company's senior director of security research and detection engineering, Glenn Thorpe, noted that this suggested someone somewhere knew something.

"That implies someone somewhere knew something," Thorpe said. "It's a wake-up call for organizations to take a closer look at their own networks and ensure they have adequate defenses in place."