F5 Breach: Nation-State Hackers Steal Source Code and Data
TL;DR
F5 Breach: Nation-State Hackers Expose BIG-IP Source Code
U.S. cybersecurity company F5 disclosed a breach where unidentified threat actors stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities. The company attributed the activity to a "highly sophisticated nation-state threat actor" who maintained long-term, persistent access to its network. F5 learned of the breach on August 9, 2025, according to a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). The public disclosure was delayed at the request of the U.S. Department of Justice (DoJ).
F5 stated that it has taken "extensive actions to contain the threat actor" and believes these efforts have been successful, reporting no new unauthorized activity since containment began. The company acknowledged that some exfiltrated files contained customer configuration or implementation information. Impacted customers will be notified directly after a review of the files. F5 has engaged Google Mandiant and CrowdStrike, rotated credentials and signing certificates, strengthened access controls, deployed tooling to monitor threats, and bolstered its product development environment.
CISA Emergency Directive
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, ED 26-01, requiring Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, check if networked management interfaces are publicly accessible, and apply newly released updates by October 22, 2025. CISA stated that a nation-state affiliated cyber threat actor compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information. This poses an imminent threat to federal networks using F5 devices and software.
CISA urged organizations to harden public-facing devices, disconnect end-of-life devices, and mitigate a BIG-IP cookie leakage vulnerability. Agencies must submit a complete inventory of F5 products and the actions taken to CISA by October 29, 2025, 11:59 p.m. EDT. CISA is coordinating the response to the F5 breach while dealing with layoffs and furloughs. Nick Andersen of CISA stated that the shutdown and the recent expiration of a key information-sharing law have not impeded CISA's ability to address the F5 situation. The Record reported that the emergency directive orders all agencies to apply the latest updates for all at-risk F5 virtual and physical devices and downloaded software by October 22.
Malware and Intrusion Details
Bloomberg reported that the attackers were in F5's network for at least 12 months, using a malware family dubbed BRICKSTORM, attributed to a China-nexus cyber espionage group tracked as UNC5221. Mandiant and Google Threat Intelligence Group (GTIG) reported that companies in the legal services, SaaS, BPO, and technology sectors in the U.S. have been targeted by the suspected Chinese hacking group to deliver the BRICKSTORM backdoor.
Michael Sikorski from Palo Alto Networks said, "Generally, if an attacker steals source code, it takes time to find exploitable issues. In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch." F5 released updates for its BIG-IP, F5OS, BIG-IQ, and APM products and has published the CVE designations and other details. F5 also rotated its BIG-IP signing certificates.
Risks and Mitigations
Compromised customer configurations and documentation of unpatched vulnerabilities could give attackers unprecedented knowledge and the ability to exploit those vulnerabilities in supply-chain attacks. The theft of customer configurations also raises the risk that sensitive credentials contained in them could be abused. F5 said that investigations have yet to find any evidence of supply-chain attacks and attached letters from IOActive and NCC Group attesting that analyses of the source code and build pipeline uncovered no signs that a "threat actor modified or introduced any vulnerabilities into the in-scope items."
F5 is providing all supported customers with a free subscription to CrowdStrike's Falcon EDR endpoint protection service. IT and security leaders should ensure that F5 servers, software, and clients have the latest patches. F5 has added automated hardening checks to the F5 iHealth Diagnostics Tool, and it advises administrators to consult its threat hunting guide to strengthen monitoring and its best practices guides for hardening F5 systems.