Potentially ‘catastrophic’ breach of US-based cyber firm blamed on China

Robin Smith


A potentially “catastrophic” breach of a major US-based cybersecurity provider has been blamed on state-backed hackers from China, according to people familiar with the matter.


Seattle-based F5 Inc. disclosed on Wednesday morning in a regulatory filing that nation-state hackers had breached its networks and gained “long-term, persistent access” to certain systems.

The intruders stole files, including portions of source code from the company’s BIG-IP suite of application services, which is widely used by Fortune 500 companies and government agencies, as well as details about some not-yet-disclosed flaws in those products that could be used to target the company’s customers.

Representatives for F5 have told customers that the hackers were in the company’s network for at least 12 months, according to the people, who asked not to be named as they aren’t authorised to speak publicly about the incident.

One of the people said F5 Chief Executive Officer François Locoh-Donou is personally briefing customers about the timeline and the China-linked hackers. F5 didn’t respond to messages seeking comment.

China’s Foreign Ministry and the Chinese Embassy in Washington didn’t immediately respond to requests for comment.

F5’s BIG-IP products are an integral part of many large organisations’ IT systems. They sit in front of applications and perform many functions, including “load balancing,” which refers to directing incoming traffic to the appropriate back-end systems so that applications run smoothly, and enforcing security controls such as access policies and web application firewall rules before traffic reaches the applications behind them.

Cybersecurity experts said the main concern about the theft of the BIG-IP source code is that the hackers could study it to find exploitable flaws. Because a BIG-IP device sits inline in front of applications, an attacker who compromises it could surveil and potentially manipulate the traffic passing through it and reach sensitive data, in a way that would be difficult for the victim to detect.

F5 sent customers on Wednesday a threat hunting guide for a type of malware called Brickstorm used by a Chinese state-backed hacking group, according to people familiar with the matter.

The hackers behind Brickstorm are known for stealing source code from popular technology providers to hunt for software bugs, according to Mandiant, Google’s threat intelligence arm. They then use those bugs to break into the customers of the technology provider, according to a Mandiant report published earlier this year about the cyber campaign.

Mandiant tracks the group behind Brickstorm as “UNC5221” and describes it as a “China-nexus espionage actor” that it has observed targeting organisations since 2023.

The breach of the cybersecurity company prompted warnings from authorities in the US and UK.

The US Cybersecurity and Infrastructure Security Agency issued an emergency directive on Wednesday (Emergency Directive 26-01), describing the situation as a “significant cyber threat targeting federal networks utilising certain F5 devices and software.” It ordered all federal agencies to update their F5 technology by October 22.

The agency warned that nation-state hackers could exploit vulnerabilities in F5 products to gain access to credentials and tools that could allow them to move through a company’s network, steal sensitive data and compromise entire information systems.

“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” CISA Acting Director Madhu Gottumukkala said in a statement.

“These same risks extend to any organisation using this technology, potentially leading to a catastrophic compromise of critical information systems.”

The UK’s National Cyber Security Centre also issued an alert about the breach on Wednesday, warning that the attackers’ access to F5’s systems could let them exploit the company’s products and identify further vulnerabilities in them.

The UK government urged customers to identify all F5 products in their estate, assess whether those devices have been compromised, inform the NCSC about potential breaches, and install the latest security updates.
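The first and last of those steps, finding every F5 device and checking whether it is on a fixed release, are routinely scripted. The block below is an added example written for this page, not tooling from F5, CISA or the NCSC. The inventory rows, hostnames and the minimum fixed versions in MIN_FIXED are constructed placeholders; substitute the versions F5 lists as fixed for the branches you run. The iControl REST sample follows the shape of the real `/mgmt/tm/sys/version` response, but its values are constructed.

```python
"""Inventory-and-patch triage for F5 devices (added example, not vendor code)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    host: str
    product: str   # e.g. "BIG-IP", "BIG-IQ"; other vendors are skipped
    version: str   # version string as reported by the device

# Constructed sample inventory; hostnames and versions are placeholders.
INVENTORY = [
    Device("lb-edge-01.example.internal", "BIG-IP", "17.1.1.3"),
    Device("lb-edge-02.example.internal", "BIG-IP", "16.1.4"),
    Device("lb-core-01.example.internal", "BIG-IP", "17.1.2"),
    Device("mgmt-01.example.internal", "BIG-IQ", "8.3.0"),
    Device("fw-01.example.internal", "OtherVendor-OS", "11.1.2"),
]

# ASSUMPTION: placeholder minimum fixed version per product and major branch.
# Replace with the fixed versions named in F5's advisory before relying on it.
MIN_FIXED = {
    "BIG-IP": {17: "17.1.2", 16: "16.1.5"},
    "BIG-IQ": {8: "8.4.0"},
}

def parse_version(v: str) -> tuple[int, int, int, int]:
    """Turn '17.1.1.3' into (17, 1, 1, 3); shorter strings are zero-padded
    so that tuple comparison orders releases correctly."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:4]
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]

def triage(inventory, min_fixed=MIN_FIXED):
    """Return (host, product, version, status) for each F5 device.
    status is 'patched', 'needs-update (below X)' or 'unknown-branch'."""
    rows = []
    for d in inventory:
        if d.product not in min_fixed:
            continue                       # not an F5 product this check covers
        ver = parse_version(d.version)
        floor = min_fixed[d.product].get(ver[0])
        if floor is None:
            status = "unknown-branch"      # branch not in the table: check advisory
        elif ver >= parse_version(floor):
            status = "patched"
        else:
            status = f"needs-update (below {floor})"
        rows.append((d.host, d.product, d.version, status))
    return rows

# Constructed sample of an iControl REST GET /mgmt/tm/sys/version response.
# The nesting (entries -> nestedStats -> entries -> Product/Version) follows
# the documented response shape; the values here are made up.
SAMPLE_ICONTROL = {
    "kind": "tm:sys:version:versionstats",
    "entries": {
        "https://localhost/mgmt/tm/sys/version/0": {
            "nestedStats": {
                "entries": {
                    "Build": {"description": "0.0.4"},
                    "Product": {"description": "BIG-IP"},
                    "Version": {"description": "17.1.1.3"},
                }
            }
        }
    },
}

def version_from_icontrol(payload: dict) -> tuple[str, str]:
    """Extract (product, version) from a /mgmt/tm/sys/version response, so a
    device's live answer can be fed into triage() instead of a stale CMDB row."""
    for entry in payload["entries"].values():
        fields = entry["nestedStats"]["entries"]
        return fields["Product"]["description"], fields["Version"]["description"]
    raise ValueError("no version entry in payload")

if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{host:32} {product:7} {version:10} {status}")
    print(version_from_icontrol(SAMPLE_ICONTROL))
```

The version check only answers the "install the latest updates" step; a device on a fixed release can still have been compromised earlier, so the "assess whether compromised" step should be done separately, with the vendor's threat hunting guide, for every device the script lists, patched or not.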



