Cybersecurity firm F5 Networks has reported that government-backed hackers gained long-term, persistent access to its internal network. This breach allowed the attackers to steal company source code and customer information.
In a filing with the U.S. Securities and Exchange Commission, F5 stated it now believes its containment actions have been successful. The company first discovered the hackers in its network on August 9.
The Seattle, Washington-based company specializes in application security and cybersecurity defenses for large companies and governments. The hackers accessed its BIG-IP product development environment and its knowledge management systems. These systems contained source code and information about undisclosed security vulnerabilities.
F5 said it is not aware of any modifications made to its software while it was under development. The company also stated it has no evidence that the undisclosed vulnerabilities were exploited. On Wednesday, the company published several updates for its BIG-IP platform to fix the security flaws and is urging all customers to apply the patches.
The hackers also downloaded configuration and implementation information related to some customer systems. These files could help attackers find and exploit potential design weaknesses, potentially leading to the compromise of those customers’ networks.
F5 noted in its disclosure that the U.S. Department of Justice allowed the company to delay its public announcement. An F5 spokesperson did not specify the reason for the delay. The Department of Justice can permit such delays if there is a substantial risk to national security or public safety.
F5 has over one thousand corporate customers and serves more than 85 percent of the Fortune 500. Its client base includes major banks, technology companies, and critical infrastructure operators.
Following F5’s disclosure, the U.K. National Cyber Security Centre warned that the stolen information could enable threat actors to exploit F5 devices and software. In the United States, the Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering civilian federal agencies to patch their systems by October 22.
The company did not attribute the attack to a specific government or nation-state hacking group. F5 spokesperson Dan Sorensen declined to answer questions beyond the company’s published statement, including how many customers were affected or how the initial breach occurred.
F5 is the latest technology company to be hacked by government-backed actors in recent years. Other victims include Microsoft, which was breached by hackers from China and Russia on multiple occasions. Cloud and enterprise technology firm Hewlett Packard Enterprise was also compromised, along with several other companies caught up in the broader Russian cyberattack targeting software maker SolarWinds.