WASHINGTON :A more than year-long digital intrusion into cybersecurity company F5, publicized last week and blamed on Chinese spies, has defenders across the industry hunting for signs of compromise among the many corporate networks that use its products.
Several worry that more disclosures are coming.
So far, little is known about the scope of the hack beyond statements from F5 that its source code and sensitive information about software vulnerabilities were stolen.
The company’s website says it serves more than four in five Fortune 500 companies in some capacity, and U.S. officials have said that federal networks were among those targeted in the hack’s aftermath and have urged immediate action.
That extensive presence alone has triggered widespread unease.
F5’s stock tumbled 12 per cent last Thursday, the day it published a host of fixes for previously vulnerable products, although it rebounded slightly by the end of the week.
Several cybersecurity executives and analysts compared the hack at F5 to the extraordinary intrusion at the software company SolarWinds discovered in December 2020.
That company, whose Orion software was used for network monitoring, became the unwitting springboard into a number of highly sensitive networks after its source code was tampered with.
Around a dozen government departments were eventually breached in the wide-ranging spy operation.
Just like SolarWinds, which was little known in the consumer market before the hack, F5 has a host of tech equipment and services – load balancers, content delivery networks and firewalls – that typically play low-profile but critical roles in directing, managing and filtering organizations’ internet traffic.
“I’m not equating this to the SolarWinds attack, but I’m equating it to the fact that people never hear of it, but it’s in everybody’s network,” said Michael Sikorski, the chief technology officer at Palo Alto Networks’ threat intelligence-focused Unit 42.
“When we’re talking about 80 per cent of the Fortune 500, we’re talking about banks, law firms, tech companies, you name it.”
Sikorski said the F5 hackers stole source code and undisclosed vulnerability information, potentially giving them the ability to develop tools for cyberespionage in a tight time frame.
Bob Huber, chief security officer of cybersecurity firm Tenable, said he too had SolarWinds in mind as he tried to make sense of what was going on at F5.
“As of right now, this is not SolarWinds,” he told Reuters, noting that F5 has said it had “no evidence of modification to our software supply chain.”
Still, Huber said there were signs that more unwelcome disclosures lie ahead, given the paucity of information about the breach and the urgency with which the government was moving to remediate it, via an October 15 emergency directive and a public warning that unnamed federal networks were being targeted by a “nation-state cyber threat actor.”
“We’re waiting for the other shoe to drop,” he said.
While no other victims of the F5 breach have been publicly identified, cybersecurity firm Greynoise Intelligence, which monitors internet scanning and attack activity, has found hints that an unknown actor was searching out F5 devices on the internet starting about a month ago.
Greynoise detected a major spike in scanning activity focused on F5 beginning in mid-September, according to Glenn Thorpe, the company’s senior director of security research and detection engineering.
“That implies someone somewhere knew something,” Thorpe said.
