F5 hack highlights persistent supply chain security concerns

Credit: Justin Doubleday, Federal News Network

Cybersecurity experts and government officials are still determining the scope and impact of the breach of U.S. technology company F5.

But the hack, which was made public last week, highlights ongoing concerns around managing the security of technology that underpins both government networks and critical infrastructure systems.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive on F5 devices last week. Agencies have until Oct. 22 to patch potentially vulnerable F5 products.

The directive came on the same day F5 revealed it had been the victim of a nation-state hack targeting both product source code and customer configuration data. Bloomberg reported that hackers had been inside F5’s systems since late 2023.

Cybersecurity firm Censys, which scans for internet-facing IT assets, reports that nearly 680,000 F5 product hosts are visible on the public internet, with most located in the United States. Those systems are not necessarily vulnerable, but should be inventoried and patched, per CISA’s guidance.

“The attack against F5 reminds us that threat actors continue to target widely used products and services in our digital world, particularly those used for security or performance that operate without traditional endpoint security detection and protection capabilities,” Erin Joe, special counsel at law firm Wiley, told Federal News Network.

Bob Huber, chief security officer at cyber firm Tenable, said the breach is a major concern given that source code and undisclosed vulnerability data were stolen by the hackers.

“While details are still emerging, it’s important to understand that this isn’t just another piece of software, but a foundational technology used to secure everything from government agencies to critical infrastructure,” Huber said in a statement. “In the hands of a hostile actor, this stolen data is a master key that could be used to launch devastating attacks, similar to the campaigns waged by Salt Typhoon and Volt Typhoon.”

So far, F5 said there’s no evidence that hackers have exploited any of the vulnerabilities or compromised its source code. But cyber experts are waiting for more information as agencies and other organizations track down potentially vulnerable devices and address them.

John Fokker, vice president of threat intelligence strategy at Trellix, said edge infrastructure and security vendors continue to be “prime targets” for nation-state-connected actors.

“Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks,” Fokker said in a statement. “Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community.”

Cyber experts have largely applauded F5 for its transparency in handling the incident. The company said it discovered the breach in August. The Justice Department authorized F5 to delay disclosure of the incident due to national security concerns. DoJ guidelines, finalized in 2023, allow for delays if DoJ determines “the disclosure poses a substantial risk to national security or public safety.”

Joe, who previously worked on cyber and national security issues as a senior executive at the FBI, said she has seen “numerous examples where delaying notification provided time for companies to evaluate the potential impact and ensure mitigations, such as patches, would be in place or available at or near the time of a public disclosure to reduce the impact of the compromise.”

“This is an important part of the process to ensure safety along with transparency,” she added.

The post F5 hack highlights persistent supply chain security concerns first appeared on Federal News Network.