CISA exec blames nation-state hackers and Democrats for putting America's critical systems at risk

Federal agencies have seven days to patch F5 products

An unidentified nation-state hacking crew targeting vulnerable F5 products to break into US government networks poses an "imminent risk" to federal agencies, American cyber officials warned on Wednesday – while also blaming Democrats for the ongoing government shutdown and insisting that the staffing cuts haven't hurt cyber defenses at all.

The US Cybersecurity and Infrastructure Agency (CISA) warning and related emergency directive followed a breach disclosure, during which security vendor F5 said government-backed spies broke into its network and stole BIG-IP source code, undisclosed vulnerability details, and customer configuration data belonging to a "small percentage" of its users. It also issued security patches for a whopping 45 bugs.

Neither F5 nor CISA has attributed the attack to a particular group or country, but Google's Mandiant threat hunters last year accused Chinese spies of exploiting a couple of critical-severity bugs in F5 BIG-IP products to sell access to compromised US defense organizations and UK government agencies.

The emergency directive requires all US federal agencies to take inventory and update instances of F5's BIG-IP hardware and software appliances by October 22. Both CISA and the UK's National Cyber Security Centre on Wednesday urged all F5 customers – not just government organizations – to apply patches immediately.

"A nation state cyber threat actor poses an imminent risk with the potential to exploit vulnerabilities in certain F5 products and to gain unauthorized access to embedded credentials and API keys," CISA's Nick Andersen, executive assistant director for cybersecurity, said on a call with reporters.

"The exploitation of the information that F5 has disclosed in partnership with us could allow the threat actor to move laterally within organizations' networks, exfiltrate sensitive data and establish some persistent system access, potentially leading to a full compromise of those targeted information systems," he said, noting that "thousands of instances" of F5 products are in use across federal agencies. 

While Andersen declined to comment on the specific goals of this particular intrusion, "the broader goals" with these types of nation-state digital break-ins are "to maintain persistent access within entities' technological infrastructure for the purposes of being able to hold that infrastructure hostage, to launch an attack at a future time and place of their choosing, or for the purpose of gathering information."

The F5 breach and subsequent targeting of agencies' vulnerable products come as the US government enters day 15 of the shutdown, during which even more CISA employees have been cut or reassigned, and a key cyber-threat intel sharing law lapsed.

None of these factors was lost on reporters on Wednesday's CISA call; however, the cyber agency's spokespeople continue to toe the Administration's line about putting CISA back on mission.

Under the Biden administration, "CISA was focused on things that were not core mission," including "censorship and branding activities and such," Andersen said. "This is really part of getting CISA back on mission."

The lapse of CISA 2015 – CISA, in this case, means the Cybersecurity Information Sharing Act – "did not impact our ability to work with F5 in this regard and be able to turn around the emergency directive," he added.

As The Register has previously reported, CISA, the cyber agency, has slashed nearly 1,000 jobs this year, employing just 2,540 people as of the end of May. Of the remaining CISA staffers, only 889 – 35 percent – were cleared to continue working during the shutdown.

When asked if government agencies have sufficient staff to manage the F5 security holes during the shutdown, Andersen blamed Congressional Democrats.

"I cannot speak for other departments and agencies. I'm unaware of their staffing levels as we continue to see the Democrats' refusal on the Hill to act," he told reporters. "The shutdown is forcing a lot of these folks to work without pay as nation states continue to intensify efforts to exploit Americans and our critical systems, and certainly think that that's an unacceptable and unnecessary strain on our nation's defenses." ®
