Chinese state hackers infiltrated the systems of cybersecurity company F5 at the end of 2023 and remained undetected until August this year. The attackers used a remarkable tactic: lying low for months to allow forensic logs to expire.
Bloomberg reported this, citing sources. Waiting for forensic data to expire demonstrates the group’s professionalism. The hack at F5 began in late 2023, when attackers exploited a vulnerability in BIG-IP software. According to sources familiar with the incident, F5 staff failed to follow the cybersecurity guidelines that the company provides to its own customers.
This allowed the attackers to gain access to critical systems and then install Brickstorm malware. This malware is known for maintaining “long-term, stealthy access” to technology providers.
Patiently waiting to cover their tracks
After gaining access to F5’s VMware environment, the hackers opted for a remarkable strategy. They went virtually silent for over a year. This tactic allows attackers to let the forensic data that organizations use to reconstruct cyberattacks expire.
Cybersecurity logs provide forensic data on how hackers infiltrate organizations. However, many companies only keep these expensive logs for about a year. By waiting, attackers can effectively cover their tracks.
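The retention problem described above can be checked directly: for each log source, compare its retention window with the attacker's dwell time and see which sources still hold records from the initial-access period. The following is an added example, not code from the article or from F5; the log sources, retention periods and exact dates are constructed for illustration and only loosely follow the article's timeline (late 2023 to August of the discovery year).

```python
from datetime import date

# Constructed example: retention window (in days) per log source.
# These are assumed values, not any real organization's configuration.
RETENTION_DAYS = {
    "vpn_auth": 90,
    "vmware_vcenter_events": 180,
    "edr_telemetry": 365,
    "siem_archive_cold": 730,
}


def retention_gaps(retention_days, intrusion_start, discovery):
    """Report, per log source, whether records from the initial intrusion
    window still existed at discovery time and, if not, how many days of
    the earliest attacker activity can no longer be reconstructed.

    intrusion_start / discovery are ISO date strings (YYYY-MM-DD)."""
    start = date.fromisoformat(intrusion_start)
    found = date.fromisoformat(discovery)
    dwell = (found - start).days
    report = {}
    for source, days in retention_days.items():
        # Anything older than (discovery - retention) has been purged, so the
        # unrecoverable span is the part of the dwell time beyond retention.
        lost_days = max(0, dwell - days)
        report[source] = {
            "dwell_days": dwell,
            "retention_days": days,
            "covers_initial_access": lost_days == 0,
            "lost_days": lost_days,
        }
    return report


def sources_covering_initial_access(report):
    """Names of sources that still hold the initial-access window."""
    return sorted(s for s, r in report.items() if r["covers_initial_access"])


if __name__ == "__main__":
    # Assumed dates: access gained 1 Dec 2023, breach found 1 Aug 2025.
    rep = retention_gaps(RETENTION_DAYS, "2023-12-01", "2025-08-01")
    for source, r in rep.items():
        status = "covered" if r["covers_initial_access"] else f"{r['lost_days']} days lost"
        print(f"{source:24s} retention={r['retention_days']:4d}d  {status}")
    print("usable for initial access:", sources_covering_initial_access(rep))
```

Only the source whose retention exceeds the dwell time can answer how the attackers got in; every other source has already discarded that window by the time the breach is found.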
Broad attack on development systems
During their presence in the systems, the attackers managed to gain access to sensitive information from a “small percentage” of customers. F5 finally discovered the breach in August of this year and immediately called in CrowdStrike and Google’s Mandiant to investigate.
CEO Francois Locoh-Donou has informed customers about the incident. Law enforcement and government agencies are also assisting with the investigation.
According to F5, there is no evidence that the source code has been altered or that unknown vulnerabilities have been actively exploited. However, the company released security updates for 44 vulnerabilities after the incident.