On August 9, F5 discovered that multiple systems were compromised by what it is calling a "highly sophisticated nation-state threat actor" who maintained "long-term, persistent access to certain F5 systems". These included the BIG-IP product development environment and engineering knowledge management platform. That access allowed for the exfiltration of portions of F5's BIG-IP source code as well as information about undisclosed BIG-IP vulnerabilities F5 was working on.
Based on current information, we confirm there has been no exposure or impact to us or our clients. As a trusted security partner, we’re on heightened alert for our clients and partners and are monitoring for any suspicious activity. Should new information arise that alters this assessment, we will provide an update directly.
F5 did not discuss the length of the dwell time the threat actors maintained, or how long containment took. However, F5 notes several important facts:
While this compromise was discovered in early August, it wasn't publicly disclosed until October 15. F5 said the delay was requested by the US DOJ. Also, US CISA issued an emergency directive requiring agencies to inventory all F5 products as well as their current network access.
F5 users are recommended to apply any and all current updates. It's also important to note that this incident only represents potential risk. Exploitation would require the threat actors to discover a vulnerability in the source code, weaponize it, and then exploit it. Until or if that occurs, no indicators of compromise (IoCs) will be available.
To properly prepare to that potential circumstance, we recommend that organizations:
Trustwave SpiderLabs will continue to monitor this situation for any new developments.