Chinese hackers in the F5 code? IT industry reacts to another supply chain hit

cyber security, Zero trust, cyber attacks on companies
Photo: Benjamin Lehman / Unsplash

In recent days the cyber-security industry has been absorbing a report that clearly signals alarm: more than a year of unauthorised access to the network of F5, Inc., a manufacturer of network and application-security products. The attack, which the company officially confirmed in mid-October, may have much deeper implications than have been revealed so far.

F5 is largely invisible to end users, yet it sits in front of a huge amount of infrastructure, securing applications and network traffic for many key players. According to the company, it works in some capacity with more than 80 per cent of Fortune 500 companies.

Such a widespread presence means that a compromise can transcend the boundaries of a single company and affect an entire class of devices deployed in thousands of production environments.

The company's communications state that the attackers, described as linked to a nation-state actor, maintained persistent access to F5's product development environment and took files from it, including portions of the BIG-IP source code and information on previously undisclosed vulnerabilities.

While F5 says it has found no evidence that its software supply chain was modified or that the stolen material has been actively used, the mere possession of source code and unpublished vulnerability details by an attacker significantly raises the risk: it shortens the path from a known weakness to a working exploit, and it does so before customers have a patch.

The response from state institutions left no doubt: the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering US federal agencies to immediately review and inventory their F5 devices and to patch or disable them. External data indicates that more than 266,000 Internet-connected BIG-IP instances may be exposed, although few of them have been independently verified for patch status or configuration changes, so exposure counts should not be read as confirmed vulnerability counts.

It is worth noting the analogy that experts cite: the F5 attack is being compared to the SolarWinds compromise of late 2020, both in scale and in potential supply-chain impact. In both cases the victim was not a household name but a vendor whose technology sits 'on everyone's network'.

On the other hand, there is no reason to panic: in its filing with the US Securities and Exchange Commission (SEC), F5 stated that there are "no known critical or remotely exploitable vulnerabilities" resulting from the incident.

However, the limited disclosure about the extent of the breach, combined with the speed of the government's response, leads analysts to expect further revelations, including identified victims of compromise or new intrusions that draw on the knowledge contained in the stolen material.

For corporate network operators this implies a specific task: establishing whether F5 hardware or software is present in the infrastructure, with particular attention to devices that are reachable from the internet or running older versions. Best practice applies: review who has access to the devices and their management interfaces, segregate critical network segments, and prioritise the patches recommended by the manufacturer.
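As an added example (not code from the article, from F5 or from CISA), here is one way to turn that task into a repeatable check: a Python script that reads a BIG-IP inventory, parses the version string each device reports (the output of `tmsh show sys version` on the box is one source), compares it against a per-branch minimum fixed version, and ranks devices so that unpatched internet-facing boxes and boxes with an exposed management interface come first. The inventory, hostnames and the version table are constructed placeholders; the real fixed versions must be taken from F5's own security notification for the incident.

```python
"""Triage a BIG-IP inventory after a vendor incident.

Added example, not code from the original article, F5 or CISA.
The inventory rows and the MIN_FIXED_PLACEHOLDER table are constructed:
replace the version numbers with the fixed versions listed in F5's own
security notification before running this against a real estate.
"""
import re
from dataclasses import dataclass


@dataclass
class Device:
    host: str
    version: str           # e.g. taken from 'tmsh show sys version' on the box
    internet_facing: bool  # data-plane virtual servers reachable from the internet
    mgmt_exposed: bool     # management interface reachable outside the admin network


# Placeholder: minimum fixed version per major.minor branch. Assumed values,
# NOT F5's published fixed versions for this incident.
MIN_FIXED_PLACEHOLDER = {
    "17.1": "17.1.2",
    "16.1": "16.1.5",
}

# Constructed inventory; hostnames, versions and exposure flags are invented.
SAMPLE_INVENTORY = [
    Device("lb-edge-1", "17.1.1.3 Build 0.0.5", internet_facing=True, mgmt_exposed=False),
    Device("lb-int-2", "16.1.4", internet_facing=False, mgmt_exposed=False),
    Device("lb-edge-3", "17.1.2", internet_facing=True, mgmt_exposed=False),
    Device("lb-old-4", "14.1.5", internet_facing=False, mgmt_exposed=True),
]


def parse_version(text):
    """Turn '17.1.1.3 Build 0.0.5' into (17, 1, 1, 3); the build suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version, min_fixed):
    """True if version >= the branch minimum, False if it is older, and
    None if the branch has no fixed release in the table (e.g. end-of-life)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in min_fixed:
        return None
    # Tuple comparison handles differing lengths: (17,1,2,1) >= (17,1,2) is True.
    return v >= parse_version(min_fixed[branch])


def triage(devices, min_fixed):
    """Return (host, priority, action) rows sorted so priority 1 comes first."""
    rows = []
    for d in devices:
        fixed = is_fixed(d.version, min_fixed)
        if fixed is None:
            prio, action = 1, "no fixed release for this branch: isolate, then migrate or replace"
        elif not fixed:
            prio = 1 if d.internet_facing else 2
            action = "upgrade to the vendor's fixed version"
        else:
            prio, action = 3, "at fixed version: confirm configuration is unchanged and review access"
        if d.mgmt_exposed:
            # An exposed management plane overrides everything else.
            prio = 1
            action += "; management interface exposed, restrict it to the admin network now"
        rows.append((d.host, prio, action))
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for host, prio, action in triage(SAMPLE_INVENTORY, MIN_FIXED_PLACEHOLDER):
        print(f"P{prio} {host:<10} {action}")
```

The branch-aware comparison matters because BIG-IP fixes ship per release branch: a 16.1.x box is not "older" than a 17.1.x box in any useful sense, it simply needs the fix from its own branch, and a branch absent from the vendor's table has no fix at all and must be handled as a replacement, not a patch.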

While the subject matter may seem technical, the consequences amount to a strategic threat, not just to IT departments but to entire organisations. Against the growing pressure of cyber warfare, the F5 incident is a reminder that chains of trust cannot be ignored.


By Natalia Zębacka