F5 Security Breach, Source Code Theft Linked to Chinese Hackers
October 21, 2025
The conditions are ripe for the F5 theft to spiral into further security breaches, with not just source code but inside information on undisclosed vulnerabilities that had yet to be patched exposed to the hackers. The Chinese team suspected of being behind it is an espionage-focused outfit that specializes in quietly penetrating organizations in the US and Europe.
The security breach at F5 that impacted BIG-IP and other products is likely the work of a prolific and high-level Chinese hacking team, according to an assortment of independent security researchers. The theft of source code for these products naturally brings the SolarWinds incident to mind, but thus far there is not any word of follow-on breaches on the company’s clients.
That does not mean that F5 customers can drop their guard, however. The conditions are ripe for this theft to spiral into further security breaches, with not just source code but inside information on undisclosed vulnerabilities that had yet to be patched exposed to the hackers. The Chinese team suspected of being behind it is an espionage-focused outfit that specializes in quietly penetrating organizations in the US and Europe and lurking for well over a year in some cases.
UNC5221 tagged as being behind F5 source code theft
UNC5221 is a “cluster” believed to possibly share members with Silk Typhoon among other state-backed groups. While it doesn’t have its own dramatic moniker as of yet, security researchers widely regard it as possibly the most advanced and prolific of the Chinese hacking groups over the last two to three years.
F5 has yet to make an official attribution (and may never do so), but the facts of the case available thus far line up with UNC5221’s established patterns of behavior. Exactly how the security breach occurred is also not yet known, but the group is known for deploying zero-day vulnerabilities (particularly in Ivanti products) against high-value targets and for an average dwell time of about a year and a month. It also favors Linux- and BSD-based appliances, which often go overlooked by cybersecurity teams.
Though CrowdStrike and Mandiant have reviewed the latest BIG-IP releases and validated their safety, product source code and unpublished vulnerabilities in the hands of such a group are a very troubling prospect. This was seen with the SolarWinds security breach, in which attackers came back months later exploiting new vulnerabilities. NCC Group and IOActive have additionally been contracted to perform source code reviews, and CrowdStrike has been engaged to provide additional security coverage for the BIG-IP platform, but only time will tell if the incident is truly over.
Security breach exposed private config data for “limited amount” of customers
The security breach was discovered by F5 on August 9, but the actual breach window remains unknown; the company has only said the hackers were in the system “long-term.” For a group that averages a little over 390 days of dwell time, that’s not good news.
While F5 is not the biggest or most recognizable company in the world, it is very commonly used by large-scale enterprise companies for load balancing and security. It has about 23,000 customers in 170 countries, including providing services to 48 of the Fortune 50 companies (and being in the Fortune 500 itself).
But at least for the moment, there is no word of supply chain breaches or of any clients being hit or having private data exposed in its wake. The exposure was limited to configuration or implementation details for what F5 says is a small number of clients, who are reportedly being contacted privately. However, the company has also said its investigation is ongoing and it has not yet reviewed its full client list for potential damage.