Cyber giant F5 Networks says government hackers had ‘long-term’ access to its systems, stole code and customer data



Cybersecurity firm F5 Networks says government-backed hackers had “long-term, persistent access” to its network, which allowed them to steal the company’s source code and customer information.

In a filing with the U.S. Securities and Exchange Commission on Wednesday, F5 said it now “believes its containment actions have been successful,” after first discovering the hackers in its network on August 9.

The Seattle, Washington-based company, which specializes in providing application security and cybersecurity defenses for large companies and governments, said the hackers had access to its BIG-IP product development environment and its knowledge management systems, which included source code and undisclosed security vulnerabilities.

F5 said it wasn’t aware of any modifications to its software while in development, nor was it aware of any exploitation of the vulnerabilities. The company published several updates on Wednesday for its BIG-IP platform to fix the undisclosed security flaws and urged customers to patch them.

The company also said the hackers downloaded configurations and implementation information about some of its customers’ systems, files that could help hackers find and exploit potential design weaknesses, and potentially hack into those customers’ systems.

F5 said in the notice that the U.S. Department of Justice allowed the company to delay its public disclosure. An F5 spokesperson would not say for what reason the delay was allowed, but the DOJ can allow companies to hold off on notifying the public if there is a “substantial risk to national security or public safety.”

F5 has over 1,000 corporate customers and serves more than 85% of the Fortune 500, the largest public companies by revenue, including banks, tech companies, and critical infrastructure companies.

The U.K.’s National Cyber Security Centre warned on Wednesday, following F5’s disclosure, that the breach could “enable a threat actor to exploit F5 devices and software.”

CISA said in an email on Wednesday that it has ordered civilian federal agencies under an emergency directive to patch their systems by October 22, citing the security risks.

The company did not attribute the attacks to a particular government or nation-state-affiliated hacking group, and F5 spokesperson Dan Sorensen declined to answer TechCrunch’s questions beyond the company’s published statement, including how many customers are affected and if it was known how the hackers broke in to begin with. 

F5 is the latest tech company in recent years to have been hacked by government hackers, following Microsoft (by China, and Russia, at least twice); cloud and enterprise technology firm Hewlett Packard Enterprise; and several other companies as part of the broader Russian cyberattack on the software maker SolarWinds.



