Nation-state hackers breached cybersecurity firm F5, stole source code

Photo: Piotr Swat/SOPA Images/LightRocket via Getty Images
Cybersecurity and network security company F5 said Wednesday that nation-state hackers broke into its systems this summer, successfully exfiltrated files and stole some of its source code.
Why it matters: The intrusions could allow hackers to break into the systems of the major companies and agencies that rely on F5's products, officials warned.
- More than 80% of the Fortune Global 500 are F5 customers, including several universities, credit unions, retailers and technology providers.
- A top U.S. cyber official said that this hacking spree appears to be part of a "broader strategic campaign that's affecting our [technology] supply chain."
- Stealing source code can give hackers an advantage as they try to infiltrate F5's customers.
Driving the news: F5 said in an SEC filing that the company first learned of the intrusions on Aug. 9 and that the unidentified hackers maintained "long-term, persistent access" to the systems behind its Big-IP product suite.
- The threat actors successfully stole source code from the Big-IP product development environment and stole files that had information about undisclosed vulnerabilities in the product line. Some of the stolen files also included information about how some customers implemented F5 on their networks, the company added.
- However, F5 said it has no evidence that hackers tampered with its source code or product pipelines — or that they stole any data related to finances, support case management and its web-based diagnostic tool.
- F5 said it's working with CrowdStrike, Mandiant and other leading cybersecurity experts as it continues to investigate the scope of the breach.
The big picture: F5's Big-IP products are widely used to manage traffic for enterprise applications, including data centers, cloud environments and servers.
Threat level: The U.S. Cybersecurity and Infrastructure Security Agency warned in an emergency directive that the hackers behind the intrusions present "an imminent threat to federal networks using F5 devices and software."
- Nick Andersen, the agency's top cybersecurity official, told reporters there is no evidence so far of this campaign successfully breaching any federal agency, but cautioned that the vulnerability in F5 products could allow a threat actor to move laterally within a network and steal login credentials and API keys.
- "The risk of this vulnerability extends to every organization and sector that's using this product," Andersen said.
Between the lines: F5 is a publicly traded company that is typically required to disclose cyberattacks to the public within four business days of determining they had a material impact on the business.
- But the Justice Department allowed the company to delay notification, which the department can only do for attacks that pose serious national security risks.
The intrigue: The latest cybersecurity incident hitting the federal government is coming amid shutdown-related workforce cuts at CISA.
- "Despite the challenges of the government shutdown and the lapse of the (Cybersecurity Information Sharing Act of 2015), CISA is committed to safeguarding federal networks from cyber threats," Andersen said.
- News reports suggest that the most recent batch of layoffs has been in the stakeholder engagement office and other areas in the agency.
What to watch: Both F5 and the federal government declined to say which nation-state is behind the attack. F5 just called the actor "highly sophisticated" in the SEC filing.
- CISA is holding a call with state and local government organizations later today on the threat and is coordinating with sector-risk management agencies to get the message out to the private sector, Andersen told reporters.
- Civilian federal agencies have one week to apply patches to F5 products fixing the bugs hackers used to break in.
