CISA orders government to patch F5 products after ‘nation-state’ cyber intrusion


“This cyber threat actor presents an imminent threat to federal networks using F5 devices and software,” CISA’s directive says. China-linked hackers previously exploited F5 vulnerabilities.

The Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies on Wednesday to catalog and patch a suite of products offered by application security and cloud management company F5.

According to the directive, CISA said a “nation-state affiliated cyber threat actor” compromised F5 systems, including source code for the company’s BIG-IP traffic management product, which organizations use to filter out malicious web traffic entering their networks.

Seattle-based F5 provides application delivery and security technologies used by hundreds of private companies and government agencies worldwide. An SEC filing released Wednesday said F5 detected the intrusion on Aug. 9 and engaged external cybersecurity experts to contain the breach. The Justice Department approved F5’s request to delay disclosure under a national security exemption. 

Much of the U.S. federal enterprise uses F5 products, including the departments of Agriculture, Justice, Homeland Security and Veterans Affairs, according to GovTribe, a federal market intelligence platform owned by Nextgov/FCW parent company GovExec. Defense elements, including the Marine Corps and Naval Surface Warfare Center, also have contracts for its products, which a company webpage notes are used in all 15 U.S. presidential cabinet executive agencies.

“This cyber threat actor presents an imminent threat to federal networks using F5 devices and software,” CISA’s directive says. “Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.”

F5 confirmed in a Wednesday blog post that hackers extracted files from the BIG-IP development environment and other platforms. 

“These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the company said.

No federal agencies are known to have been compromised at this time, Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters. He also declined to name the affiliation of the hackers that breached the company. 

That said, thousands of instances of the vulnerable F5 products exist on federal networks, he added. CISA, in its directive, ordered agencies to secure and update all exposed F5 systems and apply vendor patches by Oct. 22. All remaining updates must be completed by the end of the month, and agencies must also disconnect unsupported devices and submit a full inventory report by Dec. 3.
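The directive's three actions (patch exposed devices first, update the rest, disconnect anything unsupported, then report the inventory) are the kind of triage an agency would run over its own device list. The script below is an added example, not code from the article, CISA or F5: the inventory rows, version numbers and support table are constructed placeholders, not F5's actual release or lifecycle data, and an agency would substitute the vendor's published values.

```python
"""Triage an F5 device inventory against the directive's reported actions.

Added example, not from the article or from CISA/F5. Every version string and
support entry below is a constructed placeholder; replace them with the
vendor's real lifecycle and fixed-build tables before use.
"""
import csv
import io

# Constructed placeholder support matrix: "major.minor" branch -> still supported?
SUPPORTED_BRANCHES = {"2.3": True, "2.2": True, "1.9": False}

# Constructed placeholder: lowest build on each supported branch that carries the fix.
PATCHED_BUILD = {"2.3": "2.3.4", "2.2": "2.2.7"}

# Constructed sample inventory (hostname, installed version, reachable from the internet).
SAMPLE_INVENTORY = """hostname,version,public_exposed
lb-edge-01,2.3.2,yes
lb-int-02,2.2.5,no
lb-old-03,1.9.8,yes
lb-edge-04,2.3.10,yes
"""


def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10) so that comparisons are numeric.

    A plain string comparison would rank '2.3.10' below '2.3.4'; tuples of
    integers get the ordering right.
    """
    return tuple(int(part) for part in text.strip().split("."))


def branch(version):
    """'2.3.10' -> '2.3', the key used by the support and patched-build tables."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def triage(row):
    """Return (action, note) for one inventory row.

    Order of checks follows the directive as reported: unsupported devices are
    disconnected regardless of exposure; exposed devices get the earlier deadline.
    """
    b = branch(row["version"])
    if not SUPPORTED_BRANCHES.get(b, False):
        return ("disconnect", "unsupported: remove from network")

    target = PATCHED_BUILD.get(b)
    if target is None:
        return ("review", "supported branch with no known fixed build")

    if parse_version(row["version"]) >= parse_version(target):
        return ("compliant", "include in inventory report by Dec. 3")

    if row["public_exposed"].strip().lower() == "yes":
        return ("patch", "exposed: secure and patch by Oct. 22")
    return ("patch", "internal: update by end of month")


def triage_inventory(csv_text):
    """Map each hostname in a CSV inventory to its (action, note) pair."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage(row) for row in reader}


def summarize(results):
    """Count devices per action, the figure a directive report would carry."""
    counts = {}
    for action, _ in results.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for host, (action, note) in results.items():
        print(f"{host:12} {action:10} {note}")
    print(summarize(results))
```

Running it on the constructed inventory flags `lb-old-03` for disconnection, puts `lb-edge-01` on the Oct. 22 track and `lb-int-02` on the end-of-month track, and treats `lb-edge-04` as compliant because `2.3.10` is numerically above the placeholder fixed build `2.3.4`.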

Michael Sikorski, the chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks, said “the top priority for any organization using F5 BIG-IP is to implement mitigation and hardening guidance without delay and begin threat hunting activities immediately.”

“Generally, if an attacker steals source code it takes time to find exploitable issues,” he added. “In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch. This provides the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation.”

F5 software flaws were previously the subject of a 2023 CISA alert. At the time, China-linked hackers exploited one of those vulnerabilities, a Mandiant analysis concluded.

CISA has been operating with a significantly reduced workforce, following rounds of terminations and incentive programs designed to refocus the agency on its “core” mission set in Trump 2.0.

As recently as last week, some CISA staffers were handed additional termination notices or transferred to roles in DHS that are more aligned with Trump-era immigration and mass deportation policies. Asked about whether CISA now faces capacity constraints from those changes, Andersen acknowledged the shifts but said the cyber agency can still operate optimally.

CISA is able to perform its “core operational mission” and “we’re able to continue to perform that mission and collaboration with our [federal civilian executive branch] partners right now,” he said.

Amid the ongoing government shutdown, the section of CISA’s workforce that has been furloughed “does not include people who would be working on this directive,” Andersen added. The recent lapse of a bedrock cybersecurity information-sharing law has also not affected the agency’s ability to coordinate with F5, he said. 

Editor's note: This article has been updated to include comment from Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks.