It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.
I can't help thinking that a part of it is that the supreme court has proactively & progressively been watering down the threat of class actions (in general, not specific to tech) since the early 2010s.
Sony & many others have proved pretty comprehensively that brand reputation isn't really impacted by breaches, even in high profile consumer facing businesses. That trickles down to B2B: if your clients don't care, why should you.
That leaves legal risk as the only other motivating factor. If that's been effectively neutered, it doesn't make economic sense for companies to do due diligence with breaches.
As far as I'm aware, Yahoo were the last company to suffer any significant impact from the US legal system due to a breach.
Their customer base are enterprise, so the issue can be addressed in private channels. There's little to be gained from making this particular breach public, from their point view. If anything, it's F5 customers who should advise their own customers downstream about the risks, when risks apply. Disclosure: I'm affected by this breach downstream at several sites and we have not been informed of risks by anyone but have been fighting fires where F5 was involved, but not necessarily blamed for anything.
But you are right, at F5's size and moneys, incentives for public disclosure are not aligned in the public's favor. Damage control, in all its meanings, has taken priority lately over transparency.
Just to be clear, the attackers had access to the systems well before this date.
Sometimes when a company engages law enforcement, law enforcement can request that they not divulge that the company knows about the problem so that forensics can begin tracking the problem.
I won't speak how often or how competent law enforcement are though, but it can happen.
In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.
As a result:
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later are signed with new certificates and keys
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later contain new public keys used to verify certain F5-produced objects released in October 2025 and later
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later may not be able to verify certain F5-produced objects released prior to October 2025
BIG-IP and BIG-IQ TMOS product versions released prior to October 2025 may not be able to verify certain F5-produced objects released in October 2025 and later
I wonder if there's a bet to be made on future 8K disclosures following quietly updated signing keys. A bet against F5 placed this morning would've only made 3.6%.
Not so much irony as it's a great vector to get inside an org. Security / monitoring agents that you deploy everywhere and don't suspect when you see they exfiltrate data, since you're expecting the telemetry anyway.
Every time some security compliance goon comes by telling me to install an agent on all of our servers to meet some security compliance requirement, I remind them that they are asking me to install a backdoor on our servers and handing the keys to a 3rd party.
Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties. I keep seeing it pop up again and again and it only makes sense in that context.
Its the boogyman like terrorism. We need infinite money to fight the bad guys.
> I keep seeing it pop up again and again and it only makes sense in that context.
Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.
If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.
If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.
I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.
I agree. I think what we are split on is purpose/intent.
>could not reasonably be expected to protect against.
Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who? Number one is probably compliance/regulation.
> “get out of jail free”
This is one of my red flags I also keep seeing. Whoops we can't do the thing we say we do. The entire sec industry seems shady AF. Which is why I think they are a huge future rent seek lobby. Once the insurance industry catches on.
> these reports get used to fund the security program
> I agree. I think what we are split on is purpose/intent.
I… don’t think so? Your original comment was that companies claim nation state attack as a way to get government funding. That has nothing to do with assessing blame for an attack.
> Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who?
If you think you as a private entity can defend against a tier 1 nation state group like the NSA or Unit 8200, you are gravely mistaken. For one thing, these groups have zero day procurement budgets bigger than most company market caps.
That’s why companies reflexively blame nation state actors. It isn’t to get government funding. It is to avoid blame for an attack by framing it as something they could not have prevented.
Maybe not feasible now, but maybe it could be feasible at some point in the future if things are built on top of seL4 , with similar techniques used to demonstrate that the programs in question also have some desired security properties, building on the security properties the kernel has been proven to have?
Of course, one might still be concerned that the hardware that the software is running on, could be compromised. (A mathematical proof that a program behaves in a particular way, only works under the assumption that the thing that executes the program works as specified.)
Maybe one could have some sort of cryptographic verification of correct execution in a way where the verifier could be a lot less computationally powerful while still providing high assurance that the computations were done correctly. And then, if the verifier can be a lot less powerful while still checking with high assurance that the computation was done correctly, then perhaps the verifier machine could be a lot simpler and easier to inspect, to confirm that it is honest?
When I went through a tech school cyber security program (10+ years ago now) we were told that the situation was "If Canada wants to hack you, it is improbable you can stop them. If the US wants to hack you, they will. Therefore we will not be focussing on strategies to counter nation state actors." It was a forgone conclusion that you would lose against them. I imagine the situation hasn't improved much in the last ten years.
> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.
From the published CISA mitigation[0]:
A nation-state affiliated cyber threat actor has
compromised F5’s systems and exfiltrated files, which
included a portion of its BIG-IP source code and
vulnerability information. The threat actor’s access to
F5’s proprietary source code could provide that threat
actor with a technical advantage to exploit F5 devices and
software.
> Its the boogyman [sic] like terrorism.
Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:
This cyber threat actor presents an imminent threat to
federal networks using F5 devices and software. Successful
exploitation of the impacted F5 products could enable a
threat actor to access embedded credentials and Application
Programming Interface (API) keys, move laterally within an
organization’s network, exfiltrate data, and establish
persistent system access. This could potentially lead to a
full compromise of target information systems.
This is a mean-spirited interpretation of what happens when you claim nation state.
Generally the government (as of now) is not paying private (but maybe some Critical Infrastructure companies) companies to secure things. We are in the very early stages of figuring out how to hold companies accountable for security breaches, and part of that is figuring out if they should have stopped it.
A lot of that comes down to a few principles:
* How resourced is the defender versus the attacker?
* Who was the attacker (attribution matters - (shoutout @ImposeCost on Twitter/X)
* Was the victim of the attack performing all reasonable steps to show the cause wasn't some form of gross negligence.
Nation state attacker jobs aren't particularly different from many software shops.
* You have teams of engineers/analysts whose job it is to analyze nearly every piece of software under the sun and find vulnerabilities.
* You have teams whose job it is to build the infrastructure and tooling necessary to run operations
* You have teams whose job it is to turn vulnerabilities into exploits and payloads to be deployed along that infrastructure
* You have teams of people whose job it is to be hands on keyboard running the operation(s)
Depending on the victim organization, if a top-tier country wants what you have, they are going to get it and you'll probably never know.
F5 is, at least by q2 revenue[0], we very profitable, well resourced company that has seen some things and been victims of some high profile attacks and vulns over the years. It's likely that they were still outmatched because there's been a team of people who found a weakness and exploited it.
When they use verbage like nation-state, it's to give a signal that they were doing most/all the right things and they got popped. The relevant government officials already know what happened, this is a signal to the market that they did what they were supposed to and aren't negligent.
HN can be unnecessarily vicious when it comes to these situations. They have a very narrow slit in which they see companies because they extrapolate their understanding into the large corporation.
The attacker needs to find 1 fault in a system to start attacking a system, the company needs to plug ALL of them to be successful, continually for all updates, for all staff, for all time.
Having been on both sides of that fence, I dont envy the defenders, it is a losing battle.
> Having been on both sides of that fence, I dont envy the defenders, it is a losing battle.
Being on the defenders side, I would say it is not a losing battle.
It is a matter if convenience versus security: not using up to date libraries because it requires some code rewrites and “aint nobody got time for that”, adding too much logic to functions and scooe creep instead of segregating services, not microsegmenting workloads, using service accounts with full privileges because figuring out what you actually need takes too much time; and the list could go on.
I am not blaming all developers and engineering managers for this because they might not know about all the intricacies of building secure services - part of the blame is on the ops and security people who don’t understand them either and think they’re secure when they are not. Amd those folks should know better.
And third, hubris: we have all the security solutions that are trendy now, we’re safe. Do they actually work? No one knows.
If there was some government program I was previously unaware of that pays organizations that were compromised by nation state hackers then I’m going to be upgrading all my networking infrastructure to F5 products and start reading up on BIG-IP migrations.
That is to say, sometimes nation state hackers _were_ behind the compromise. F5 is a very believable and logical target for such groups.
I don't believe Equifax received money, just a long list of demands to be allowed to continue as a viable business.
That it was a nation-state actor may have allowed them some grace, as it didn't result in individuals' details being wholesale sold on the dark web, and the fallout was most-likely a national security issue.
It would definitely have helped the CCP target individuals who were vulnerable to recruitment due to their financial status. Especially when combined with the Office of Personnel Management data hack.
Nation-states sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills, these are real threats that hit American and American-aligned companies daily.
There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.
If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate even any corporate network, let alone military network, is basically infinite free IP.
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
Not sure why I'm downvoted. Literally quoted from their incident page.
> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.
> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".
That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.
PR statements drafted by legal are a monkey's paw. Treat them like it.
The fact that they didn't know for such a long time makes their statement completely unbelievable. Also pushing new updates? Sure, they'll say it's just a precaution but I'm willing to bet attacker did more damage than they are willing to publicly disclose
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
Because "We got hacked by the concerted efforts of China/Russia" sounds much better than "We literally never update php or linux, and John Script Kiddy Jones pwnd us".
It's a bit like copspeak's fondness for mentioning "individuals" (otherwise known as "people.") It's just a kind of shibboleth. "State actors" is just as clear and means the same thing.
Lowers the percieved incompetence on hacked side, and its hard to argue against (how do you prove it wasnt?). Stock price fall distaster mitigation via simple PR.
But I agree experts should know better when of any solid proof is lacking. Or any proof at all.
What I'm saying is they often actually mean "country", but that is less fancy sounding. A nation-state is just one specific type of polity, certainly not the only type which organize attacks.
You’re overthinking it. “Country” is simply more ambiguous when used as an adjective. “F5 announces attack from country hackers” sounds silly and confusing.
No, it's a real thing with a real meaning. Nation-state actors are, in general, very well-funded and sophisticated, and therefore much more difficult (and expensive) to defend against and clean up after. They tend to have different motivations than the normal crime groups, and therefore go after different things.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian states best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
They also provide things that are a juicy target for regular run of the mill hackers. Like centralized services to turn credit card info into tokens, while holding the actual data.
Perhaps more importantly to a non-U.S. nations is that there are a lot of military networks that touch the public Internet whose security from outside attack is more or less premised on F5's implementation of mutual TLS to CACs.
Finding a way to subvert that authentication or, better yet, bypass it entirely, could put U.S. military networks that can be reached over the public Internet at risk of remote exploitation. Those networks can often also reach other military networks not directly exposed to the public Internet.
This is why I don't understand this strong desire for security auditors to have centralized TLS decryption be important to having some high security stance. You're just creating a massive single point of failure and potentially massively weakening encryption.
> You're just creating a massive single point of failure and potentially massively weakening encryption.
It need not be a single point of failure. You can set these things up with redundancy. There's certainly an element of adding risk, your interception box is a big target to do unauthorized interception or tampering; but there's also an element of reducing risk --- you'd be potentially able to see and respond to traffic that would be opaque otherwise.
Yes, so instead of one box with the keys to decrypt all the traffic flowing through the network I'll have multiple boxes that have the ability to decrypt all the traffic. Multiple machines to update and secure and guard against those getting attacked or else everything gets broken.
It seems like its a place were there are some serious tradeoffs. You can choose to have visibility into your network traffic or can choose not to. If you choose yes, you create a single point of failure but have the ability to detect breaches elsewhere; if you choose no, you avoid the single point of failure but make it easier for an attacker to exfiltrate data undetected.
I'm down for endpoints having to report whatever metrics to whatever servers and have their transactions highly audited. I'm down for their connectivity to be highly locked down. It's important to know what's happening on your systems and where data is flowing, I agree!
But in the end of I want Alice to talk to Bob and know they and only them are talking I'd like to guarantee that. Instead companies are spending tons of money and work hours doing Eve's work for her, installing her tools and getting it all nicely configured for when she logs in.
How many times do we have to backdoor our crypto systems to realize we're not building doors for just us but for everyone else as well?
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.
Yes, i raise my eyebrow too. "F5 is a Fortune 500 tech giant specializing in cybersecurity" and "the attackers had gained long-term access to its system" doesn't seem to agree with each other.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I mean, because it depends where the attack happened. Working with large companies like this in CI/CD there are a number of tools that the source code gets checked on, but not fed back into the system that could have been the source of the attack.
F5, Inc. (“F5”) engaged NCC Group to perform (i) a security assessment of critical F5 software source code, including critical software components of the BIG-IP product, as provided by F5, and (ii) a review of portions of the software development build pipeline related to the same, and designated as critical by F5 (collectively, the “In-Scope Items”). NCC Group’s assessment included a source code security review by 76 consultants over a total of 551 person-days of effort.
Sure thing. It's so hard not to hate this PR stuff when they can't even be a tiny bit humble. "The hackers were so sophisticated and organized, we didn't even have a change! They could've hacked everyone!"
> In response to this incident, we are taking proactive measures to protect our customers
Such as, fixing the bugs or the structural problems that led to you being hacked and leaking information about even more bugs that you left undisclosed and just postponed to fix it? This wording sounds like they're now going the extra mile to protect their customers and makes it sound like a good thing, when keeping your systems secure and fixing known bugs should've been the first meters they should've gone.
Just be honest, you fucked up twice. It's shit, but it happens. I just hate PR.
Especially considering who they are, Agreed. There's not an ounce of empathy I have for them. They are a backbone of the internet and should know better.
Yeah, I was trying to make sense of what was described here.
Is it that (through some mechanism) an actor gained access to F5's sytems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?
A simple search across a codebase for "TODO" will find all sorts of things left undone, but having access to source control and commit messages, who knows what you might find.
"Here be dragons" is also a good search if you're responsible for security hardening legacy code.
Yeah that’s what I’m understanding is the case. That’s why they’re harping on no known (unreleased) vulns. But it’s kinda funny, a lot of times bugs that fall under this category are constantly shuffled around/not fixed because there is no public pressure to address them.
It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.
I can't help thinking that a part of it is that the supreme court has proactively & progressively been watering down the threat of class actions (in general, not specific to tech) since the early 2010s.
Sony & many others have proved pretty comprehensively that brand reputation isn't really impacted by breaches, even in high profile consumer facing businesses. That trickles down to B2B: if your clients don't care, why should you.
That leaves legal risk as the only other motivating factor. If that's been effectively neutered, it doesn't make economic sense for companies to do due diligence with breaches.
As far as I'm aware, Yahoo were the last company to suffer any significant impact from the US legal system due to a breach.
Their customer base are enterprise, so the issue can be addressed in private channels. There's little to be gained from making this particular breach public, from their point view. If anything, it's F5 customers who should advise their own customers downstream about the risks, when risks apply. Disclosure: I'm affected by this breach downstream at several sites and we have not been informed of risks by anyone but have been fighting fires where F5 was involved, but not necessarily blamed for anything.
But you are right, at F5's size and moneys, incentives for public disclosure are not aligned in the public's favor. Damage control, in all its meanings, has taken priority lately over transparency.
Just to be clear, the attackers had access to the systems well before this date.
Sometimes when a company engages law enforcement, law enforcement can request that they not divulge that the company knows about the problem so that forensics can begin tracking the problem.
I won't speak how often or how competent law enforcement are though, but it can happen.
Looks like they rotated all signings keys a day earlier:
https://my.f5.com/manage/s/article/K000157005
In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.
As a result:
I wonder if there's a bet to be made on future 8K disclosures following quietly updated signing keys. A bet against F5 placed this morning would've only made 3.6%.
A cybersecurity company was hacked — what an irony
Not so much irony as it's a great vector to get inside an org. Security / monitoring agents that you deploy everywhere and don't suspect when you see they exfiltrate data, since you're expecting the telemetry anyway.
Every time some security compliance goon comes by telling me to install an agent on all of our servers to meet some security compliance requirement, I remind them that they are asking me to install a backdoor on our servers and handing the keys to a 3rd party.
The Crowdstrike Falcon Sensor agent (with a kernel module) establishes TLS connections to several random AWS endpoints.
I really have no idea how security people think this is a good thing aside from checkbox compliance but man-o-man do they love it.
cisa just released: ED 26-01: Mitigate Vulnerabilities in F5 Devices.
https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
This report seems empty of useful information. It’s just “contact us under these circumstances”.
Is it just me?
It reads more like, "find, update, and prepare to decommission all of these products" to me.
>F5 disclosed that nation-state hackers
Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties. I keep seeing it pop up again and again and it only makes sense in that context.
Its the boogyman like terrorism. We need infinite money to fight the bad guys.
> I keep seeing it pop up again and again and it only makes sense in that context.
Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.
If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.
If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.
I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.
>it shifts accountability away
I agree. I think what we are split on is purpose/intent.
>could not reasonably be expected to protect against.
Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who? Number one is probably compliance/regulation.
> “get out of jail free”
This is one of my red flags I also keep seeing. Whoops we can't do the thing we say we do. The entire sec industry seems shady AF. Which is why I think they are a huge future rent seek lobby. Once the insurance industry catches on.
> these reports get used to fund the security program
So we agree?
> I agree. I think what we are split on is purpose/intent.
I… don’t think so? Your original comment was that companies claim nation state attack as a way to get government funding. That has nothing to do with assessing blame for an attack.
> Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who?
If you think you as a private entity can defend against a tier 1 nation state group like the NSA or Unit 8200, you are gravely mistaken. For one thing, these groups have zero day procurement budgets bigger than most company market caps.
That’s why companies reflexively blame nation state actors. It isn’t to get government funding. It is to avoid blame for an attack by framing it as something they could not have prevented.
> So we agree?
No, I don’t believe we do.
Maybe not feasible now, but maybe it could be feasible at some point in the future if things are built on top of seL4 , with similar techniques used to demonstrate that the programs in question also have some desired security properties, building on the security properties the kernel has been proven to have?
Of course, one might still be concerned that the hardware that the software is running on, could be compromised. (A mathematical proof that a program behaves in a particular way, only works under the assumption that the thing that executes the program works as specified.) Maybe one could have some sort of cryptographic verification of correct execution in a way where the verifier could be a lot less computationally powerful while still providing high assurance that the computations were done correctly. And then, if the verifier can be a lot less powerful while still checking with high assurance that the computation was done correctly, then perhaps the verifier machine could be a lot simpler and easier to inspect, to confirm that it is honest?
When I went through a tech school cyber security program (10+ years ago now) we were told that the situation was "If Canada wants to hack you, it is improbable you can stop them. If the US wants to hack you, they will. Therefore we will not be focussing on strategies to counter nation state actors." It was a forgone conclusion that you would lose against them. I imagine the situation hasn't improved much in the last ten years.
> zero day procurement budgets bigger than most company market caps
do you mean they pay companies to put backdoors into products? or you mean they just go hunting for vulnerabilities. maybe both?
> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.
From the published CISA mitigation[0]:
> Its the boogyman [sic] like terrorism.Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:
0 - https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...If it was a “nation-state” actor, f5 should have named it and provided irrefutable evidence to this effect.
Until this happens, its just CYA at its best to hide flaws in their systems and procedures.
This is a mean-spirited interpretation of what happens when you claim nation state.
Generally the government (as of now) is not paying private (but maybe some Critical Infrastructure companies) companies to secure things. We are in the very early stages of figuring out how to hold companies accountable for security breaches, and part of that is figuring out if they should have stopped it.
A lot of that comes down to a few principles:
* How resourced is the defender versus the attacker? * Who was the attacker (attribution matters - (shoutout @ImposeCost on Twitter/X) * Was the victim of the attack performing all reasonable steps to show the cause wasn't some form of gross negligence.
Nation state attacker jobs aren't particularly different from many software shops.
* You have teams of engineers/analysts whose job it is to analyze nearly every piece of software under the sun and find vulnerabilities.
* You have teams whose job it is to build the infrastructure and tooling necessary to run operations
* You have teams whose job it is to turn vulnerabilities into exploits and payloads to be deployed along that infrastructure
* You have teams of people whose job it is to be hands on keyboard running the operation(s)
Depending on the victim organization, if a top-tier country wants what you have, they are going to get it and you'll probably never know.
F5 is, at least by q2 revenue[0], we very profitable, well resourced company that has seen some things and been victims of some high profile attacks and vulns over the years. It's likely that they were still outmatched because there's been a team of people who found a weakness and exploited it.
When they use verbage like nation-state, it's to give a signal that they were doing most/all the right things and they got popped. The relevant government officials already know what happened, this is a signal to the market that they did what they were supposed to and aren't negligent.
[0] -https://www.f5.com/company/news/press-releases/earnings-q2-f...
HN can be unnecessarily vicious when it comes to these situations. They have a very narrow slit in which they see companies because they extrapolate their understanding into the large corporation.
The attacker needs to find 1 fault in a system to start attacking a system, the company needs to plug ALL of them to be successful, continually for all updates, for all staff, for all time.
Having been on both sides of that fence, I dont envy the defenders, it is a losing battle.
> Having been on both sides of that fence, I dont envy the defenders, it is a losing battle.
Being on the defenders side, I would say it is not a losing battle.
It is a matter if convenience versus security: not using up to date libraries because it requires some code rewrites and “aint nobody got time for that”, adding too much logic to functions and scooe creep instead of segregating services, not microsegmenting workloads, using service accounts with full privileges because figuring out what you actually need takes too much time; and the list could go on.
I am not blaming all developers and engineering managers for this because they might not know about all the intricacies of building secure services - part of the blame is on the ops and security people who don’t understand them either and think they’re secure when they are not. Amd those folks should know better.
And third, hubris: we have all the security solutions that are trendy now, we’re safe. Do they actually work? No one knows.
So, why I say it is a loosing battle is because when I look for a weakness its not a known CVE and its not known to be exploited.
Many of these companies can keep up to date assuming their vendors report correctly, The exploits that are not publicly documented are rarely fixed.
It’s also just a fact. We don’t need a bogeyman when other nations are actually executing these attacks every day.
If there was some government program I was previously unaware of that pays organizations that were compromised by nation state hackers then I’m going to be upgrading all my networking infrastructure to F5 products and start reading up on BIG-IP migrations.
That is to say, sometimes nation state hackers _were_ behind the compromise. F5 is a very believable and logical target for such groups.
Is there an example of a company getting money from the government in response to a statement like this?
I don't believe Equifax received money, just a long list of demands to be allowed to continue as a viable business.
That it was a nation-state actor may have allowed them some grace, as it didn't result in individuals' details being wholesale sold on the dark web, and the fallout was most-likely a national security issue.
It would definitely have helped the CCP target individuals who were vulnerable to recruitment due to their financial status. Especially when combined with the Office of Personnel Management data hack.
Nation-states sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills, these are real threats that hit American and American-aligned companies daily.
There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.
If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate even any corporate network, let alone military network, is basically infinite free IP.
It doesn't matter who hacks me. If my job is on the line I'm going to claim it's someone impossible to defend against like a state actor.
There's a thousand things to point at that would make it plausible. I might even convince myself of it out of sheer embarrassment.
I don't lie generally but most of all about things that could precipitate FBI involvement in what you're doing.
This is a fantasy.
> I have no idea why you're incredulous about this.
I understand human nature.
You can get a lot of fat kids on a computer in a bedroom for the cost of building and maintaining a 6th Gen fighter.
[dead]
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
I am having a hard time believing that an attacker maintained long term access to their system and never used it.
It seems more likely that we do not KNOW how the access was used.
They say the attacker exfiltrated data, including source code.
They claim the vulnerabilities discovered through the exfiltration were not used though.
Not sure why I'm downvoted. Literally quoted from their incident page.
> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.
> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
https://my.f5.com/manage/s/article/K000154696
No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".
That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.
PR statements drafted by legal are a monkey's paw. Treat them like it.
Fair point, I certainly missed a word in my summary.
The fact that they didn't know for such a long time makes their statement completely unbelievable. Also pushing new updates? Sure, they'll say it's just a precaution but I'm willing to bet attacker did more damage than they are willing to publicly disclose
> Not sure why I'm downvoted.
I downvoted you for complaining about downvotes, so at least you know the reason for one of them now.
> undisclosed F5 vulnerabilities
I don’t know why, but this sounds a bit like backdoors.
[dead]
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
Because "We got hacked by the concerted efforts of China/Russia" sounds much better than "We literally never update php or linux, and John Script Kiddy Jones pwnd us".
It's a bit like copspeak's fondness for mentioning "individuals" (otherwise known as "people.") It's just a kind of shibboleth. "State actors" is just as clear and means the same thing.
Lowers the percieved incompetence on hacked side, and its hard to argue against (how do you prove it wasnt?). Stock price fall distaster mitigation via simple PR.
But I agree experts should know better when of any solid proof is lacking. Or any proof at all.
What I'm saying is they often actually mean "country", but that is less fancy sounding. A nation-state is just one specific type of polity, certainly not the only type which organize attacks.
You’re overthinking it. “Country” is simply more ambiguous when used as an adjective. “F5 announces attack from country hackers” sounds silly and confusing.
yeehaw brother
Personally, I think its worse. The whole point of employing a company like F5 is precisely to protect against those kind of "nation-state" actors.
If F5 can't do that, what is their actual value proposition?
No, it's a real thing with a real meaning. Nation-state actors are, in general, very well-funded and sophisticated, and therefore much more difficult (and expensive) to defend against and clean up after. They tend to have different motivations than the normal crime groups, and therefore go after different things.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian states best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
They also provide things that are a juicy target for regular run of the mill hackers. Like centralized services to turn credit card info into tokens, while holding the actual data.
Perhaps more importantly to a non-U.S. nations is that there are a lot of military networks that touch the public Internet whose security from outside attack is more or less premised on F5's implementation of mutual TLS to CACs.
Finding a way to subvert that authentication or, better yet, bypass it entirely, could put U.S. military networks that can be reached over the public Internet at risk of remote exploitation. Those networks can often also reach other military networks not directly exposed to the public Internet.
The same F5 responsible for the existence of the padding extension in TLS? And that still has predictable TCP sequence numbers by default.
This is why I don't understand this strong desire for security auditors to have centralized TLS decryption be important to having some high security stance. You're just creating a massive single point of failure and potentially massively weakening encryption.
> You're just creating a massive single point of failure and potentially massively weakening encryption.
It need not be a single point of failure. You can set these things up with redundancy. There's certainly an element of adding risk, your interception box is a big target to do unauthorized interception or tampering; but there's also an element of reducing risk --- you'd be potentially able to see and respond to traffic that would be opaque otherwise.
> You can set these things up with redundancy
Yes, so instead of one box with the keys to decrypt all the traffic flowing through the network I'll have multiple boxes that have the ability to decrypt all the traffic. Multiple machines to update and secure and guard against those getting attacked or else everything gets broken.
It seems like its a place were there are some serious tradeoffs. You can choose to have visibility into your network traffic or can choose not to. If you choose yes, you create a single point of failure but have the ability to detect breaches elsewhere; if you choose no, you avoid the single point of failure but make it easier for an attacker to exfiltrate data undetected.
I'm down for endpoints having to report whatever metrics to whatever servers and have their transactions highly audited. I'm down for their connectivity to be highly locked down. It's important to know what's happening on your systems and where data is flowing, I agree!
But in the end of I want Alice to talk to Bob and know they and only them are talking I'd like to guarantee that. Instead companies are spending tons of money and work hours doing Eve's work for her, installing her tools and getting it all nicely configured for when she logs in.
How many times do we have to backdoor our crypto systems to realize we're not building doors for just us but for everyone else as well?
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
BRB, changing handle to 'nation-state'. Need the resume fodder.
This def seems like corpo disaster PR copy. Not the kind of content I expected and love HN for
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.
I mean the traffic came from a nation soo it must be
I'm slightly questioning the security of a cybersecurity company that has systems that allow people long term access.
Yes, i raise my eyebrow too. "F5 is a Fortune 500 tech giant specializing in cybersecurity" and "the attackers had gained long-term access to its system" doesn't seem to agree with each other.
"We have no knowledge the vulnerabilities discovered through exfiltration were not used"
Translated =>
We don't know whether they have used or are going to use our NSA-mandated backdoors.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I mean, because it depends where the attack happened. Working with large companies like this in CI/CD there are a number of tools that the source code gets checked on, but not fed back into the system that could have been the source of the attack.
oh that's handy, they can add them to the big pile of disclosed BIG-IP flaws
Source: https://my.f5.com/manage/s/article/K000154696
The NCC attestation letter is wild:
F5, Inc. (“F5”) engaged NCC Group to perform (i) a security assessment of critical F5 software source code, including critical software components of the BIG-IP product, as provided by F5, and (ii) a review of portions of the software development build pipeline related to the same, and designated as critical by F5 (collectively, the “In-Scope Items”). NCC Group’s assessment included a source code security review by 76 consultants over a total of 551 person-days of effort.
Wonder what the bill was?
> highly sophisticated nation-state threat actor
Sure thing. It's so hard not to hate this PR stuff when they can't even be a tiny bit humble. "The hackers were so sophisticated and organized, we didn't even have a change! They could've hacked everyone!"
> In response to this incident, we are taking proactive measures to protect our customers
Such as, fixing the bugs or the structural problems that led to you being hacked and leaking information about even more bugs that you left undisclosed and just postponed to fix it? This wording sounds like they're now going the extra mile to protect their customers and makes it sound like a good thing, when keeping your systems secure and fixing known bugs should've been the first meters they should've gone.
Just be honest, you fucked up twice. It's shit, but it happens. I just hate PR.
Especially considering who they are, Agreed. There's not an ounce of empathy I have for them. They are a backbone of the internet and should know better.
“No one will ever find these vulns without source access! Fix deferred” oh wait…
Yeah, I was trying to make sense of what was described here.
Is it that (through some mechanism) an actor gained access to F5's sytems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?
If so, lol.
A simple search across a codebase for "TODO" will find all sorts of things left undone, but having access to source control and commit messages, who knows what you might find.
"Here be dragons" is also a good search if you're responsible for security hardening legacy code.
Yeah that’s what I’m understanding is the case. That’s why they’re harping on no known (unreleased) vulns. But it’s kinda funny, a lot of times bugs that fall under this category are constantly shuffled around/not fixed because there is no public pressure to address them.
Aka outsourcing work to third world countries has come back to bite us ;-)