Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties. I keep seeing it pop up again and again and it only makes sense in that context.
Its the boogyman like terrorism. We need infinite money to fight the bad guys.
> I keep seeing it pop up again and again and it only makes sense in that context.
Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.
If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.
If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.
I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.
Nation-states sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills, these are real threats that hit American and American-aligned companies daily.
There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.
If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate even any corporate network, let alone military network, is basically infinite free IP.
Not sure why I'm downvoted. Literally quoted from their incident page.
> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.
> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".
That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.
PR statements drafted by legal are a monkey's paw. Treat them like it.
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
Because "We got hacked by the concerted efforts of China/Russia" sounds much better than "We literally never update php or linux, and John Script Kiddy Jones pwnd us".
No, it's a real thing with a real meaning. Nation-state actors are, in general, very well-funded and sophisticated, and therefore much more difficult (and expensive) to defend against and clean up after. They tend to have different motivations than the normal crime groups, and therefore go after different things.
Lowers the percieved incompetence on hacked side, and its hard to argue against (how do you prove it wasnt?). Stock price fall distaster mitigation via simple PR.
But I agree experts should know better when of any solid proof is lacking. Or any proof at all.
What I'm saying is they often actually mean "country", but that is less fancy sounding. A nation-state is just one specific type of polity, certainly not the only type which organize attacks.
You’re overthinking it. “Country” is simply more ambiguous when used as an adjective. “F5 announces attack from country hackers” sounds silly and confusing.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian states best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
This is why I don't understand this strong desire for security auditors to have centralized TLS decryption be important to having some high security stance. You're just creating a massive single point of failure and potentially massively weakening encryption.
It seems like its a place were there are some serious tradeoffs. You can choose to have visibility into your network traffic or can choose not to. If you choose yes, you create a single point of failure but have the ability to detect breaches elsewhere; if you choose no, you avoid the single point of failure but make it easier for an attacker to exfiltrate data undetected.
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.
F5, Inc. (“F5”) engaged NCC Group to perform (i) a security assessment of critical F5 software source code, including critical software components of the BIG-IP product, as provided by F5, and (ii) a review of portions of the software development build pipeline related to the same, and designated as critical by F5 (collectively, the “In-Scope Items”). NCC Group’s assessment included a source code security review by 76 consultants over a total of 551 person-days of effort.
Sure thing. It's so hard not to hate this PR stuff when they can't even be a tiny bit humble. "The hackers were so sophisticated and organized, we didn't even have a change! They could've hacked everyone!"
> In response to this incident, we are taking proactive measures to protect our customers
Such as, fixing the bugs or the structural problems that led to you being hacked and leaking information about even more bugs that you left undisclosed and just postponed to fix it? This wording sounds like they're now going the extra mile to protect their customers and makes it sound like a good thing, when keeping your systems secure and fixing known bugs should've been the first meters they should've gone.
Just be honest, you fucked up twice. It's shit, but it happens. I just hate PR.
Especially considering who they are, Agreed. There's not an ounce of empathy I have for them. They are a backbone of the internet and should know better.
Yeah, I was trying to make sense of what was described here.
Is it that (through some mechanism) an actor gained access to F5's sytems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?
Yeah that’s what I’m understanding is the case. That’s why they’re harping on no known (unreleased) vulns. But it’s kinda funny, a lot of times bugs that fall under this category are constantly shuffled around/not fixed because there is no public pressure to address them.
>F5 disclosed that nation-state hackers
Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties. I keep seeing it pop up again and again and it only makes sense in that context.
Its the boogyman like terrorism. We need infinite money to fight the bad guys.
> I keep seeing it pop up again and again and it only makes sense in that context.
Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.
If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.
If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.
I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.
Nation-states sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills, these are real threats that hit American and American-aligned companies daily.
There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.
If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate even any corporate network, let alone military network, is basically infinite free IP.
You can get a lot of fat kids on a computer in a bedroom for the cost of building and maintaining a 6th Gen fighter.
I am having a hard time believing that an attacker maintained long term access to their system and never used it.
It seems more likely that we do not KNOW how the access was used.
They say the attacker exfiltrated data, including source code.
They claim the vulnerabilities discovered through the exfiltration were not used though.
Not sure why I'm downvoted. Literally quoted from their incident page.
> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.
> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
https://my.f5.com/manage/s/article/K000154696
No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".
That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.
PR statements drafted by legal are a monkey's paw. Treat them like it.
> Not sure why I'm downvoted.
I downvoted you for complaining about downvotes, so at least you know the reason for one of them now.
cisa just released: ED 26-01: Mitigate Vulnerabilities in F5 Devices.
https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
This report seems empty of useful information. It’s just “contact us under these circumstances”.
Is it just me?
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
> undisclosed F5 vulnerabilities
I don’t know why, but this sounds a bit like backdoors.
[dead]
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
Because "We got hacked by the concerted efforts of China/Russia" sounds much better than "We literally never update php or linux, and John Script Kiddy Jones pwnd us".
No, it's a real thing with a real meaning. Nation-state actors are, in general, very well-funded and sophisticated, and therefore much more difficult (and expensive) to defend against and clean up after. They tend to have different motivations than the normal crime groups, and therefore go after different things.
Lowers the percieved incompetence on hacked side, and its hard to argue against (how do you prove it wasnt?). Stock price fall distaster mitigation via simple PR.
But I agree experts should know better when of any solid proof is lacking. Or any proof at all.
What I'm saying is they often actually mean "country", but that is less fancy sounding. A nation-state is just one specific type of polity, certainly not the only type which organize attacks.
You’re overthinking it. “Country” is simply more ambiguous when used as an adjective. “F5 announces attack from country hackers” sounds silly and confusing.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian states best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
This is why I don't understand this strong desire for security auditors to have centralized TLS decryption be important to having some high security stance. You're just creating a massive single point of failure and potentially massively weakening encryption.
It seems like its a place were there are some serious tradeoffs. You can choose to have visibility into your network traffic or can choose not to. If you choose yes, you create a single point of failure but have the ability to detect breaches elsewhere; if you choose no, you avoid the single point of failure but make it easier for an attacker to exfiltrate data undetected.
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
BRB, changing handle to 'nation-state'. Need the resume fodder.
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.
This def seems like corpo disaster PR copy. Not the kind of content I expected and love HN for
Source: https://my.f5.com/manage/s/article/K000154696
The NCC attestation letter is wild:
F5, Inc. (“F5”) engaged NCC Group to perform (i) a security assessment of critical F5 software source code, including critical software components of the BIG-IP product, as provided by F5, and (ii) a review of portions of the software development build pipeline related to the same, and designated as critical by F5 (collectively, the “In-Scope Items”). NCC Group’s assessment included a source code security review by 76 consultants over a total of 551 person-days of effort.
Wonder what the bill was?
> highly sophisticated nation-state threat actor
Sure thing. It's so hard not to hate this PR stuff when they can't even be a tiny bit humble. "The hackers were so sophisticated and organized, we didn't even have a change! They could've hacked everyone!"
> In response to this incident, we are taking proactive measures to protect our customers
Such as, fixing the bugs or the structural problems that led to you being hacked and leaking information about even more bugs that you left undisclosed and just postponed to fix it? This wording sounds like they're now going the extra mile to protect their customers and makes it sound like a good thing, when keeping your systems secure and fixing known bugs should've been the first meters they should've gone.
Just be honest, you fucked up twice. It's shit, but it happens. I just hate PR.
Especially considering who they are, Agreed. There's not an ounce of empathy I have for them. They are a backbone of the internet and should know better.
I'm slightly questioning the security of a cybersecurity company that has systems that allow people long term access.
oh that's handy, they can add them to the big pile of disclosed BIG-IP flaws
“No one will ever find these vulns without source access! Fix deferred” oh wait…
Yeah, I was trying to make sense of what was described here.
Is it that (through some mechanism) an actor gained access to F5's sytems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?
If so, lol.
Yeah that’s what I’m understanding is the case. That’s why they’re harping on no known (unreleased) vulns. But it’s kinda funny, a lot of times bugs that fall under this category are constantly shuffled around/not fixed because there is no public pressure to address them.