* F5's extensive presence in Fortune 500 companies raises concerns following breach
* Some cybersecurity executives compare incident to 2020 SolarWinds disclosures
* F5 share price fell on concerns over hack's fallout
By Raphael Satter and AJ Vicens
WASHINGTON, Oct 20 (Reuters) - A more than year-long
digital intrusion into cybersecurity company F5,
publicized last week and blamed on Chinese spies, has defenders
across the industry hunting for signs of compromise among the
many corporate networks that use its products.
Several worry that more disclosures are coming.
So far, little is known about the scope of the hack beyond
statements from F5 that its source code and sensitive
information about software vulnerabilities were stolen.
The company's website says it serves more than four in five
Fortune 500 companies in some capacity, and U.S. officials have
said that federal networks were among those targeted in the
hack's aftermath and have urged immediate action.
That extensive presence alone has triggered widespread
unease.
F5's stock tumbled 12 percent last Thursday, the day it
published a host of fixes for previously vulnerable products,
although it rebounded slightly by the end of the week.
Several cybersecurity executives and analysts compared
the hack at F5 to the extraordinary intrusion at the software
company SolarWinds discovered in December 2020.
That company, whose Orion software was used for network
monitoring, became the unwitting springboard into a number of
highly sensitive networks after its source code was tampered
with.
Around a dozen government departments were eventually
breached in the wide-ranging spy operation.
Just like SolarWinds, which was little known in the consumer
market before the hack, F5 has a host of tech equipment and
services - load balancers, content delivery networks and
firewalls - that typically play low-profile but critical roles
in directing, managing and filtering organizations' internet
traffic.
"I'm not equating this to the SolarWinds attack, but I'm
equating it to the fact that people never hear of it, but it's
in everybody's network," said Michael Sikorski, the chief
technology officer at Palo Alto Networks' threat
intelligence-focused Unit 42.
"When we're talking about 80 percent of the Fortune 500,
we're talking about banks, law firms, tech companies, you name
it."
Sikorski said the F5 hackers stole source code and
undisclosed vulnerability information, potentially giving them
the ability to develop tools for cyberespionage in a tight time
frame.
Bob Huber, chief security officer of cybersecurity firm
Tenable, said he too had SolarWinds in mind as he tried to make
sense of what was going on at F5.
"As of right now, this is not SolarWinds," he told Reuters,
noting that F5 has said it had "no evidence of modification to
our software supply chain."
Still, Huber said there were signs that more unwelcome
disclosures lie ahead, given the paucity of information about
the breach and the urgency with which the government was moving
to remediate it, via an October 15 emergency directive and a
public warning that unnamed federal networks were being targeted
by a "nation-state cyber threat actor."
"We're waiting for the other shoe to drop," he said.
While no other victims of the F5 breach have been publicly
identified, cybersecurity firm GreyNoise Intelligence, which
monitors internet scanning and attack activity, has found hints
that an unknown actor was searching out F5 devices on the
internet starting about a month ago.
GreyNoise detected a major spike in scanning activity
focused on F5 beginning in mid-September, according to Glenn
Thorpe, the company's senior director of security research and
detection engineering.
"That implies someone somewhere knew something," Thorpe
said.