Cybersecurity firm F5 Networks said government-backed hackers gained “long-term, persistent access” to its network and were able to steal its source code and customer information.
F5 said in a filing with the U.S. Securities and Exchange Commission on Wednesday that it now “believes its containment measures have been successful” since first discovering the hacker within its network on Aug. 9.
The Seattle, Washington-based company, which specializes in providing application security and cybersecurity defenses for large enterprises and governments, said the hackers gained access to its BIG-IP product development environment and knowledge management system, which included source code and undisclosed security vulnerabilities.
F5 said it was not aware of any changes to the software during development or that any vulnerabilities were exploited. The company on Wednesday rolled out several updates to its BIG-IP platform to fix undisclosed security flaws and urged customers to apply the patches.
The company also said the hackers downloaded configuration and implementation information about some of its customers' systems, files that could help hackers find and exploit potential design weaknesses and hack into those customers' systems.
F5 said in its notice that the U.S. Department of Justice has granted the company a delay in releasing information. An F5 spokesperson did not say why the delay was granted, but the Justice Department can allow companies to withhold notifications to the public if there is a “substantial risk to national security or public safety.”
F5 has more than 1,000 corporate customers and serves more than 85% of the largest publicly traded Fortune 500 companies by revenue, including banks, technology companies, and critical infrastructure companies.
Britain's National Cyber Security Center warned on Wednesday that the F5 revelations could allow hackers to “enable threat actors to exploit F5 devices and software.”
Citing security risks, CISA announced in an email Wednesday that an emergency directive has ordered civilian federal agencies to patch their systems by Oct. 22, citing security risks.
The company said the attack was not the work of any particular government or state-affiliated hacker group, and F5 spokesperson Dan Sorensen declined to answer TechCrunch's questions beyond the company's published statement, including how many customers were affected and whether it knew how the hackers got in in the first place.
F5 is the latest technology company to be hacked by government hackers, including Microsoft, at least twice in recent years, once by China and by Russia. Cloud and enterprise technology company Hewlett Packard Enterprise and several other companies participated as part of a broader Russian cyberattack against software maker SolarWinds.