Impacted CISA Navigates Major Cyber Crisis
When the Cybersecurity and Infrastructure Security Agency (CISA) issued on October 15 its third emergency directive since January 20, it did so while facing workforce reductions and a government shutdown that has left critical cybersecurity personnel working without pay.
The significant breach of network devices from vendor F5 Networks Inc. by a nation-state actor has left government and industry networks at great risk. In Emergency Directive 26-01, CISA officials urged network administrators to take swift action to protect digital assets.
And in an unusual move, CISA officials chose not to reveal the suspected nation-state actor they believe is responsible.
In a rare press conference with the media on October 15, CISA’s Executive Assistant Director for Cybersecurity Nick Anderson classified the threat to federal networks as imminent, given that an unnamed nation-state actor gained “long-term persistent access to and exfiltrated files from” F5’s Internet Protocol BIG-IP development environment and management platforms.
Federal agencies have until next Wednesday, October 22, to apply vendor security patches, a tight seven-day deadline applied during the government shutdown and federal budget impasse.
Bringing politics into the mix, Anderson told reporters that Democrats were to blame for the latest strain on CISA.
“The Democrat refusal on the Hill to act in the shutdown is forcing a lot of these folks to work without pay, as nation states continue to intensify efforts to exploit Americans and our critical systems,” Anderson told reporters. “And certainly, I think that that's unacceptable and unnecessary strain on our nation's defenses.”
However, CISA has seen major cuts to its staff since President Donald Trump took office again in January.
The president has long criticized the agency, especially under former CISA Director Chris Krebs, who had certified, along with U.S. Cyber Command, the National Security Administration (NSA), state election officials and other cyber leaders, that the 2020 presidential election had not been tampered with digitally. The Trump administration had also criticized the agency’s efforts with social media outlets to identify misinformation and disinformation about the election and the pandemic. In April, Trump issued an executive order specifically targeting Krebs.
The administration made 176 additional personnel cuts to the agency following the September 30 government shutdown. CISA has not publicly confirmed the exact reduction-in-force numbers seen under Trump—and didn’t respond to media inquiries at press time—but estimates cite 1,000 positions eliminated this year, which could impact the agency’s Stakeholder Enforcement Division and the key Integrated Operations Division.
In March, Rob Joyce, the former director of cybersecurity at the NSA, in testimony before the House Select Committee on the Chinese Communist Party, warned that he had “grave concerns” about the “aggressive” cuts by the Trump Administration to eliminate cyber government employees at CISA and NSA—especially as the United States faces what Joyce considers “the most significant cybersecurity issue facing the United States: the multifaceted cyber threats emanating from the People’s Republic of China (PRC).”
In addition, Joyce had stressed that cutting probationary employees would “destroy a pipeline of top talent, essential for hunting and eradicating PRC threats.”
Anderson stated that the shutdown and staff cuts had not impacted the CISA division that is responsible for issuing emergency directives. He also characterized the cuts as a move to return CISA to its core mission.
Meanwhile, cyber experts venture that the F5 attacks could indeed have been carried out by the PRC.
"Nation-state threat actors from China are believed to be responsible for F5’s compromise," according to Flashpoint analysts, in an Oct. 17 release. "Google Threat Intelligence has identified these adversaries as UNC5221."
Flashpoint analysts noted that the perpetrator shares tactics, techniques and procedures with the groups tracked as Salt Typhoon and Silk Typhoon.
"After gaining access to F5’s networks, UNC5221 maintained persistence for at least a year, stealing parts of the source code for the company's BIG-IP suite of services, which many large corporations and government agencies use," they said.
“Mandiant has previously seen evidence of attackers that are known to be connected to China's Ministry of State Security targeting and exploiting F5 devices,” Noelle Murata, senior security engineer at Xcape Inc., told SIGNAL Media via email correspondence.
Lydia Zhang, president and co-founder of Ridge Security Technology Inc., categorized the F5 attacks as similar to a known exploited vulnerability from 2022.
“Based on its description, it appears quite similar to CVE-2022-1388, which was exploited in 2022,” she told SIGNAL. “That vulnerability was discovered in F5 Networks’ BIG-IP and allows unauthenticated actors to gain control of the system through the management port or self-IP addresses.”
The prior vulnerability leveraged two techniques: “an ‘admin:’ empty token authentication bypass, and the abuse of the HTTP hop-by-hop request header, which manipulates the header to enable a remote code execution attack.”
Just as Zhang had recommended network testing and application of the necessary patches for the 2022 vulnerability, Murata also emphasized immediate action.
“Patching must be done right away, but companies should also keep a closer eye on any network activity involving F5 devices and look for indications of compromise,” Murata noted. “This is not only a federal problem; businesses in the private sector who use these items also run the same risks and need to take immediate action.”
The Pentagon, which employs F5 Networks devices across the department, did not specify the scale of risks to its defense systems.
“We are aware of the reports regarding the F5 Networks breach,” a Pentagon official told SIGNAL Media. “While we do not comment on the status of our networks and systems as a matter of practice, ensuring security and availability of the department’s most critical warfighting assets is our highest priority.”
And while Anderson declined to explain to the media why CISA chose not to attribute the breach to the nation-state it believes is involved, experts pointed to other considerations.
“I don't know for certain why CISA would avoid naming the threat actor, but I suspect that accusing a nation-state openly would cause unforeseen geopolitical conflicts to arise, akin to declaring war,” Murata told SIGNAL.