Cyber giant F5 Networks says government hackers had ‘long-term’ access to its systems, stole code and customer data

F5 Networks, a prominent cybersecurity firm, has revealed that hackers linked to a government entity maintained extensive access to its systems, resulting in the theft of sensitive source code and customer data. In a recent filing with the U.S. Securities and Exchange Commission, the Seattle-based company disclosed that it discovered the breach on August 9 and believes it has since successfully contained the threat. The company, which provides application security services to major corporations and government entities, reported that the intruders infiltrated its BIG-IP product development environment and knowledge management systems. This breach granted them access to not only source code but also undisclosed security vulnerabilities. F5 has stated that it found no evidence of alterations to its software during the hackers' access, nor any exploitation of the vulnerabilities at that time. To address the security risks, the company released several updates for its BIG-IP platform and urged customers to implement these patches immediately. Additionally, the hackers were able to download configurations and implementation details related to some customers' systems. This information could enable them to identify and exploit weaknesses, posing a significant risk to those customers. In its notice, F5 indicated that the U.S. Department of Justice permitted a delay in public disclosure of the breach, although the specific reasoning behind this decision was not clarified. The DOJ can allow such delays when there are concerns about national security or public safety. F5 Networks serves over 1,000 corporate clients, including more than 85% of the Fortune 500, which encompasses leading banks, technology firms, and companies providing critical infrastructure. In the wake of F5’s announcement, the U.K.’s National Cyber Security Centre cautioned that the breach could empower malicious actors to exploit F5's devices and software. The Cybersecurity and Infrastructure Security Agency (CISA) has since mandated that civilian federal agencies patch their systems by October 22, reflecting the urgent nature of the security threats posed. F5 has not publicly attributed the attack to any specific nation-state or hacking group, and questions regarding the number of affected customers and the method of initial breach entry remain unanswered.