Cybersecurity firm F5 Networks says government-backed hackers had “long-term, persistent access” to its network, which allowed them to steal the company’s source code and customer information.
In a deposit With the US Securities and Exchange Commission on Wednesday, F5 said it now “believes that its containment actions were successful” after first discovering the hackers on its network on August 9.
The Seattle, Washington-based company, which specializes in providing application security and cyber defense for large companies and governments, said the hackers had access to its BIG-IP product development environment and knowledge management systems, which included source code and publicly unknown security vulnerabilities.
F5 said it was not aware of any modifications to its software during development, nor was it aware of any exploitation of the vulnerabilities. The company posted several updates on Wednesday for its BIG-IP platform to fix the unknown security flaws and urged customers to patch them.
The company also said the hackers downloaded configuration and implementation information for some of its customers’ systems, files that could help hackers find and exploit potential design weaknesses and potentially compromise those customers’ systems.
F5 said in the release that the US Department of Justice has allowed the company to delay its public disclosure. An F5 spokesman would not say why the delay was allowed, but the Justice Department can allow companies to delay notifying the public if there is a “substantial risk to national security or public safety.”
The F5 has over 1,000 corporate customers and serves more than 85% of the Fortune 500, the largest public companies by revenue, including banks, technology companies and critical infrastructure companies.
UK National Cyber Security Centre he warned on Wednesdayafter F5 disclosed that hackers could “allow a threat actor to exploit F5 devices and software.”
CISA said in an email Wednesday that it instructed civilian federal agencies under an emergency directive to patch their systems by Oct. 22, citing security risks.
The company did not attribute the attacks to a specific government or nation-state-linked hacking group, and F5 spokesman Dan Sorensen declined to respond to TechCrunch’s questions beyond published company statementincluding the number of customers affected and whether it was known how the hackers broke in in the first place.
F5 is the latest tech company in recent years to be hacked by government hackers, including Microsoft — from China and Russia, at least twice. Cloud and enterprise technology company Hewlett Packard Enterprise and several other companies in the broader Russian cyberattack on software maker SolarWinds.
