SECURITY
Application security firm F5 Inc. disclosed in a filing with the U.S. Securities and Exchange Commission today that a sophisticated nation-state threat actor had gained unauthorized access to internal systems and stolen portions of the source code for its BIG-IP platform along with undisclosed vulnerability information.
According to today’s filing, the breach was detected on Aug. 9, and F5 engaged leading external cybersecurity experts and subsequently informed federal law enforcement and government partners about the incident.
The investigation into the breach found that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and the engineering knowledge management platform. During the period of access, files were exfiltrated, some of which contained portions of the company’s BIG-IP source code and information about undisclosed vulnerabilities the company was working on in BIG-IP.
The BIG-IP platform is widely used by enterprises and government agencies for load balancing, traffic management and security functions, meaning any compromise of its underlying code or internal vulnerability data could have broad downstream implications.
F5 went on to say in the filing that it’s not aware of any undisclosed critical or remote code vulnerabilities, or active exploitation of any undisclosed F5 vulnerabilities. It also said it has no evidence of modification to its software supply chain, including source code and build and release pipelines, nor evidence of access to, or exfiltration of, data from its CRM, financial, support case management or iHealth systems.
But the company did add in the filing, “However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers.”
Whether or not the breach was simply limited to exfiltrated files, the fact that the threat actor had access to internal systems has been enough to cause deep concern, including from regulatory bodies.
The U.S. Cybersecurity and Infrastructure Security Agency has issued an emergency directive directing Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, evaluate whether the networked management interfaces are accessible from the public internet, and apply updates from F5.
“Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and application programming interface keys, move laterally within an organization’s network, exfiltrate data and establish persistent system access. This could potentially lead to a full compromise of target information systems,” CISA wrote in the directive.
Across the pond, the U.K. National Cyber Security Centre also issued a similar warning, advising organizations to identify all F5 products and make sure that management interfaces are not exposed to the internet.
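The first two steps both agencies ask for, inventory the devices and evaluate whether their management interfaces sit on internet-routable addresses, lend themselves to a simple automated check. The following script is an added example written for this article; it is not code from F5, CISA or the NCSC. The inventory rows, the field names (`name`, `mgmt_ip`) and the list of internal address ranges are constructed assumptions standing in for an organization's own asset data and address plan; documentation address ranges (203.0.113.0/24, 2001:db8::/32) are used as stand-ins for public space.

```python
"""
Added example (not from the article, F5, CISA or the NCSC): flag BIG-IP
management interfaces whose address falls outside an organization's
internal address plan, i.e. candidates for internet exposure.
All inventory data and ranges below are constructed sample values.
"""
import ipaddress

# Constructed internal address plan: RFC 1918, loopback, link-local and
# CGNAT space are treated as not reachable from the public internet.
# Anything outside these ranges is reported for review.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed inventory; the field names are assumptions, not an F5 schema.
SAMPLE_INVENTORY = [
    {"name": "bigip-dc1-a", "mgmt_ip": "10.20.30.40"},
    {"name": "bigip-dc1-b", "mgmt_ip": "172.31.200.7"},
    {"name": "bigip-edge-1", "mgmt_ip": "203.0.113.45"},  # doc range, stands in for public IPv4
    {"name": "bigip-lab", "mgmt_ip": "fd12:3456::10"},    # ULA, internal
    {"name": "bigip-dmz-2", "mgmt_ip": "2001:db8::5"},    # doc range, stands in for public IPv6
    {"name": "bigip-broken", "mgmt_ip": "not-an-ip"},     # malformed row
]


def is_internal(ip_text):
    """True when the address lies inside a known internal range.
    Raises ValueError when the text is not an IP address."""
    addr = ipaddress.ip_address(ip_text)
    # Membership tests across IPv4/IPv6 are simply False, so mixing is safe.
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_exposed_management_interfaces(inventory):
    """Return (exposed, invalid): names of devices whose management address
    is outside the internal plan, and names of rows that could not be parsed.
    Unparseable rows are reported rather than silently dropped, because a
    device that cannot be assessed is itself an inventory gap."""
    exposed, invalid = [], []
    for device in inventory:
        try:
            if not is_internal(device["mgmt_ip"]):
                exposed.append(device["name"])
        except ValueError:
            invalid.append(device["name"])
    return exposed, invalid


if __name__ == "__main__":
    exposed, invalid = find_exposed_management_interfaces(SAMPLE_INVENTORY)
    for name in exposed:
        print(f"REVIEW  {name}: management address outside internal ranges")
    for name in invalid:
        print(f"INVALID {name}: inventory entry has no parseable address")
```

An address outside the internal plan is only a candidate for exposure; confirming reachability still requires checking the firewall policy or probing from outside the perimeter. The point of the script is to turn the agencies' "evaluate whether" step into a repeatable list rather than a one-off manual review.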
F5 is advising users to take immediate steps to strengthen and secure their environments following the breach.
The company has released updates across multiple product lines, including BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM clients and strongly recommends that all users apply these updates as soon as possible.
F5 has also published new threat intelligence and operational resources designed to enhance detection, monitoring and system resilience. A threat-hunting guide is available through F5 support, while updated hardening guidance is now integrated into the F5 iHealth Diagnostic Tool to automatically identify security gaps and link to remediation steps.
“This is another reminder that the modern attack surface extends deep into the software development lifecycle,” Will Baxter, field chief technology officer at threat-hunting intelligence firm Team Cymru Inc., told SiliconANGLE via email. “Threat groups targeting source code repositories and build environments are seeking long-term intelligence value — understanding how security controls operate from the inside.”
Baxter added that “visibility into outbound connections, threat actor command-and-control infrastructure and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions.”
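The kind of outbound-traffic visibility Baxter describes can be approximated with a small detector over flow records from a sensitive segment such as a product-development network. The script below is an added example written for this article and is not code from Team Cymru, F5 or the article's author. The flow lines, the key=value record format, the baseline of known external destinations, the internal ranges and the byte threshold are all constructed assumptions; a real deployment would read the collector's native format and derive the baseline from historical data.

```python
"""
Added example (not from the article, Team Cymru or F5): sum outbound bytes
per internal source to external destinations that are absent from a
known-good baseline, and report sources above a volume threshold.
All flow records, addresses and the threshold are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed internal ranges for the monitored segment (RFC 1918).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed baseline of expected external destinations (package mirrors,
# SaaS endpoints, ...). Documentation addresses stand in for real ones.
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.20"}

# Assumed tuning value: bytes to unknown destinations above which a source
# is reported. In practice this comes from the segment's historical baseline.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB

# Constructed flow records in a simple key=value layout (not a real collector
# schema). Internal-to-internal and known-destination traffic is deliberately
# included so the filter has something to ignore.
SAMPLE_FLOWS = """\
2025-08-08T22:01:13Z src=10.50.1.21 dst=203.0.113.10 dport=443 bytes=1200000
2025-08-08T22:03:40Z src=10.50.1.21 dst=10.50.9.4 dport=22 bytes=90000000
2025-08-08T23:11:02Z src=10.50.1.33 dst=198.51.100.20 dport=443 bytes=800000
2025-08-09T01:42:55Z src=10.50.1.33 dst=192.0.2.77 dport=443 bytes=38000000
2025-08-09T01:58:17Z src=10.50.1.33 dst=192.0.2.77 dport=443 bytes=41000000
2025-08-09T02:10:09Z src=10.50.1.40 dst=192.0.2.78 dport=8443 bytes=4000
garbage line that should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def is_internal(ip_text):
    """True when the address lies inside the monitored segment's ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flows(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def find_suspicious_sources(text, known=KNOWN_DESTINATIONS,
                            threshold=EXFIL_BYTES_THRESHOLD):
    """Return {src: {"bytes": total, "destinations": [...]}} for every internal
    source whose bytes to external, non-baseline destinations reach the threshold.
    Internal destinations and baseline destinations are excluded from the sum."""
    unknown_bytes = defaultdict(int)
    unknown_dsts = defaultdict(set)
    for flow in parse_flows(text):
        if is_internal(flow["dst"]) or flow["dst"] in known:
            continue
        unknown_bytes[flow["src"]] += flow["bytes"]
        unknown_dsts[flow["src"]].add(flow["dst"])
    return {
        src: {"bytes": total, "destinations": sorted(unknown_dsts[src])}
        for src, total in unknown_bytes.items() if total >= threshold
    }


if __name__ == "__main__":
    for src, info in find_suspicious_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {info['bytes']} bytes to unknown destinations "
              f"{', '.join(info['destinations'])}")
```

Two design choices matter here. The filter keys on "destination not in the baseline" rather than on destination reputation alone, which is what lets it surface a previously unseen endpoint before any external intelligence feed has labelled it; and the per-source aggregation across records is what turns several individually unremarkable transfers into one reportable total. The threshold and baseline are the parts that need tuning per segment, and the external feed Baxter mentions is what would then tell the analyst whether the unknown destination is benign.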