Cybersecurity and application development giant F5 has disclosed that an August breach exposed source code and customer data to what it calls “nation-state hackers.” The company has not made an official attribution, but third-party security researcher sources are linking the attack to China’s UNC5221. The group is famous for its exploitation of zero-day vulnerabilities in Ivanti products and deployment of the BRICKSTORM backdoor.
The UK’s NCSC and the US CISA are recommending that users of any F5 product verify that management interfaces are not exposed to the public internet. CrowdStrike and Mandiant have reviewed BIG-IP releases and validated their integrity, but the theft of the source code has raised concerns about future attacks.
F5 security breach may have exposed downstream customers, but “no evidence” of private data being leaked yet
Though the security breach was announced in August and reportedly discovered on the 9th of that month, F5 reports that its investigation has revealed the attackers had “long-term” access to the company’s BIG-IP development environment and engineering knowledge management platform, including theft of source code. BIG-IP is one of the company’s central product lines, encompassing security as well as load balancing and application and data delivery services.
F5 is not exactly a household name, unless your household happens to be in the Fortune 500 (or unusually well-versed in cloud management). The company is itself in the prestigious club, and 48 of the Fortune 50 use its services. It has some 23,000 customers in total across about 170 countries, and its product line is generally well-regarded and widely used by large enterprise businesses.
In addition to BIG-IP product source code, the attackers are confirmed to have lifted vulnerability data as well as configuration and implementation details for what F5 describes as a “limited amount” of customers. It remains unclear exactly who those customers are or how many are impacted, but all users of BIG-IP services are being advised to verify that management interfaces have not been left open to the public web.
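One way to run the exposure check that NCSC and CISA recommend across a whole fleet, as an added example that is not F5’s or the agencies’ own tooling: it assumes a constructed inventory export listing each device’s management address and its allowed management source ranges, and flags any publicly routable management address that has no allowlist or a catch-all entry.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory (not F5 data): device name, management address,
# allowed management source CIDRs (semicolon-separated, may be empty).
# 203.0.113.0/24 is a documentation range standing in for real public space.
INVENTORY = """\
bigip-dc1-a,10.20.30.5,10.0.0.0/8
bigip-dc1-b,10.20.30.6,
bigip-edge-1,203.0.113.10,0.0.0.0/0
bigip-edge-2,203.0.113.11,198.51.100.0/24;10.0.0.0/8
bigip-edge-3,203.0.113.12,
bigip-lab,192.168.50.2,192.168.0.0/16
"""

# Address space that is not reachable from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def classify(mgmt_ip: str, allow: List[str]) -> str:
    """Classify one management interface: internal, restricted, exposed or invalid."""
    try:
        addr = ipaddress.ip_address(mgmt_ip)
        nets = [ipaddress.ip_network(c, strict=False) for c in allow]
    except ValueError:
        return "invalid"
    if any(addr in n for n in INTERNAL_NETS):
        return "internal"
    # Publicly routable address: only a non-empty allowlist without a
    # catch-all entry (0.0.0.0/0 or ::/0) counts as restricted.
    if not nets or any(n.prefixlen == 0 for n in nets):
        return "exposed"
    return "restricted"


def audit(text: str) -> Dict[str, str]:
    """Map each device in the inventory export to its classification."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ip, allow_field = line.split(",")
        results[name] = classify(ip, [c for c in allow_field.split(";") if c])
    return results


def exposed_devices(text: str) -> List[str]:
    return sorted(n for n, state in audit(text).items() if state == "exposed")
```

Feed the script the real export from your inventory system in the same three-column form; anything it reports as exposed should be moved behind an allowlist or off the public address entirely.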
Though there are not yet reports of customer data leaks, alarm is high as F5 has confirmed that the attackers had access to undisclosed BIG-IP vulnerabilities that the company was working on patches for internally. F5 also says that it has no evidence of supply chain exposure due to the security breach, nor are other platforms managed by the company impacted. And though source code was exfiltrated, there is no indication of any product code being modified.
Source code theft typical of UNC5221 operations
Still, concern is obviously high with any theft of source code; this is compounded by the seemingly long dwell time and the fact that it looks to be an advanced persistent threat actor. There is potential for long-term fallout similar to that seen in the SolarWinds security breach, where new vulnerabilities were discovered and exploited on the basis of the initial theft of internal data.
Given that the best available attribution is to a Chinese state-backed team and that leaked data and ransom demands have not started appearing, the purpose of the attack was very likely espionage and mapping out means of future attacks and disruptions. This is in keeping with the general direction of China’s state-sponsored threat actors in recent years, but UNC5221 has a particular focus on this type of operation.
The group has been seen in the wild since at least 2023 and has exploited multiple zero-day vulnerabilities, many of them in Ivanti Connect Secure and VPN appliances. The group averages a little over a year of dwell time per security breach, and much of its success has been chalked up to targeting commonly neglected Linux- and BSD-based appliances before pivoting to VMware systems. Mandiant has called the group the current “most prevalent” of China’s APT teams and quite possibly its most advanced; it appears to spend all of its time targeting US or European organizations of espionage interest to the Chinese government. The Chinese Embassy in the US, as it always does, has denied the country’s involvement.
F5 says that it has taken additional hardening measures in the wake of the security breach such as adding monitoring and improving access controls. The company has also contracted with NCC Group and IOActive to perform source code reviews and CrowdStrike to provide additional security coverage to the BIG-IP platform, and impacted customers will reportedly be offered a free Falcon EDR subscription. F5 has also updated BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and its APM clients to cut off the attackers’ known methods of access.
Directly impacted customers are being contacted about the security breach, but F5 has said that it is still reviewing accounts to determine which had configuration or implementation details exposed, so some victims may not have been contacted yet. All F5 customers are advised to ensure they have the latest updates installed for the aforementioned products and to refer to the company’s recently issued threat hunting guide for more detailed information.
Tom Kellermann, VP of Cyber Risk at HITRUST, provides some additional advice: “This is the first stage of a supply chain campaign designed to compromise trust in digital infrastructure. Rogue nation-state actors consistently show us how successful and well-resourced they are. Once adversaries gain access at the application layer, they’re not just stealing data but embedding themselves for command and control. F5 customers must immediately enhance detection and response at the application layer through ADR. Supply chain attacks have become the preferred tactic of modern cyber warfare. We need to start treating third-party risk as a national security issue.”
Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, adds: “Generally, if an attacker steals source code it takes time to find exploitable issues. In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch. This provides the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation. The disclosure of 45 vulnerabilities in this quarter vs. just 6 last quarter suggests F5 is moving as fast as they can to actively patch these stolen flaws before the threat actors can exploit them. F5’s prompt disclosure and mitigation guidance are crucial first steps. The top priority for any organization using F5 BIG-IP is to implement mitigation and hardening guidance without delay and begin threat hunting activities immediately. This underscores the need for a defense-in-depth strategy in the face of unknown, emerging and previously-identified vulnerabilities.”