I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
Because "We got hacked by the concerted efforts of China/Russia" sounds much better than "We literally never update php or linux, and John Script Kiddy Jones pwnd us".
It's a bit like copspeak's fondness for mentioning "individuals" (otherwise known as "people.") It's just a kind of shibboleth. "State actors" is just as clear and means the same thing.
Lowers the perceived incompetence on the hacked side, and it's hard to argue against (how do you prove it wasn't?). Stock price fall disaster mitigation via simple PR.
But I agree experts should know better when any solid proof is lacking. Or any proof at all.
What I'm saying is they often actually mean "country", but that is less fancy sounding. A nation-state is just one specific type of polity, certainly not the only type that organizes attacks.
You’re overthinking it. “Country” is simply more ambiguous when used as an adjective. “F5 announces attack from country hackers” sounds silly and confusing.
"F5 announces hack by foreign country" (or the infinite variations of) is less silly than "F5 announces attack from nation-state hackers", you're just used to hearing the latter repeated every incident. Anyone can intentionally use a phrase poorly, pointing out a silly sounding phrasing exists adds nothing.
Not that "F5 announces attack by state sponsored hackers", "F5 announces attack by nation-state backed hackers", or "F5 announces attack from nationally backed hackers" have to be invalid, particularly since the latter is often what is actually most specifically correct anyways.
No, it's a real thing with a real meaning. Nation-state actors are, in general, very well-funded and sophisticated, and therefore much more difficult (and expensive) to defend against and clean up after. They tend to have different motivations than the normal crime groups, and therefore go after different things.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian state's best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
Perhaps more importantly to non-U.S. nations is that there are a lot of military networks that touch the public Internet whose security from outside attack is more or less premised on F5's implementation of mutual TLS to CACs.
Finding a way to subvert that authentication or, better yet, bypass it entirely, could put U.S. military networks that can be reached over the public Internet at risk of remote exploitation. Those networks can often also reach other military networks not directly exposed to the public Internet.
This is why I don't understand this strong desire for security auditors to have centralized TLS decryption be important to having some high security stance. You're just creating a massive single point of failure and potentially massively weakening encryption.
> You're just creating a massive single point of failure and potentially massively weakening encryption.
It need not be a single point of failure. You can set these things up with redundancy. There's certainly an element of adding risk, your interception box is a big target to do unauthorized interception or tampering; but there's also an element of reducing risk --- you'd be potentially able to see and respond to traffic that would be opaque otherwise.
Yes, so instead of one box with the keys to decrypt all the traffic flowing through the network I'll have multiple boxes that have the ability to decrypt all the traffic. Multiple machines to update and secure and guard against those getting attacked or else everything gets broken.
It seems like it's a place where there are some serious tradeoffs. You can choose to have visibility into your network traffic or can choose not to. If you choose yes, you create a single point of failure but have the ability to detect breaches elsewhere; if you choose no, you avoid the single point of failure but make it easier for an attacker to exfiltrate data undetected.
I'm down for endpoints having to report whatever metrics to whatever servers and have their transactions highly audited. I'm down for their connectivity to be highly locked down. It's important to know what's happening on your systems and where data is flowing, I agree!
But in the end, if I want Alice to talk to Bob and know that they and only they are talking, I'd like to guarantee that. Instead companies are spending tons of money and work hours doing Eve's work for her, installing her tools and getting it all nicely configured for when she logs in.
How many times do we have to backdoor our crypto systems to realize we're not building doors for just us but for everyone else as well?
They also provide things that are a juicy target for regular run of the mill hackers. Like centralized services to turn credit card info into tokens, while holding the actual data.
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.