WASHINGTON :U.S. government officials said on Wednesday that federal networks are being targeted by an unidentified “nation-state cyber threat actor” that’s trying to exploit vulnerabilities in products made by the cybersecurity company F5.
In a statement and an accompanying emergency directive, the Cybersecurity and Infrastructure Security Agency said hackers had compromised F5’s systems and extracted files, including a portion of its source code and information about vulnerabilities, and could use the knowledge as a roadmap to break into F5 devices and software, something that could eventually lead to a full compromise of the targeted networks.
“The cyber threat actor presents an imminent threat to federal networks” using F5 products, CISA said.
CISA’s Executive Assistant Director for Cybersecurity Nick Andersen told reporters that government officials were being ordered to identify F5’s devices on their network and apply urgent updates. Andersen encouraged others to do the same, noting that “the risk of this vulnerability extends to every organization and sector that’s using this product.”
Andersen refused to say who the hackers were and said there had so far been no evidence of any compromise at a U.S. civilian agency.
Earlier, F5 said it had detected unauthorized access to certain company systems by a threat actor, but the breach had no impact on its operations.
The company discovered the intrusion on August 9 and took “extensive actions” to contain the threat, engaging external experts, including CrowdStrike, Mandiant, NCC Group and IOActive, to assist with the investigation, it said in a filing with the U.S. Securities and Exchange Commission. The company said it found no signs that its software development process had been tampered with. F5, which has clients across the private and public sector, said information from a few customers was involved in the breach, and it was reaching out to those affected directly.
The company continues to strengthen its security controls and infrastructure following the incident, it said, adding that the U.S. Department of Justice had approved a delay in publicly disclosing the breach until September 12, citing national security considerations.
British authorities also issued an alert urging F5 users to update their software.
