F5 discloses breach tied to nation-state threat actor | CyberScoop

By Greg Otto

October 15, 2025

F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it's calling a "highly sophisticated" cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be a substantial risk to national security or public safety.

Investigators discovered that the threat actor maintained prolonged access to parts of F5's infrastructure. Systems affected included the BIG-IP product development environment and the company's engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken included configuration or implementation information for a small percentage of customers.

F5 reported that independent reviews by incident response firms found no evidence the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company's customer relationship management, financial, support case management or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

Investigative findings further indicated that the NGINX product development environment, as well as F5 Distributed Cloud Services and Silverline systems, remained unaffected.

The United Kingdom's National Cyber Security Centre said in a notice there is currently no indication customer networks have been impacted as a result of F5's compromised network.

F5 has continued to work alongside federal law enforcement throughout its response and is implementing additional measures to strengthen its network defenses. Company officials reported that the breach has not had a material effect on its daily operations as of the disclosure date. Ongoing assessments are being conducted to determine if there may be any impact on the company's financial position or results.

F5, based in Seattle, is a major player in the application security and delivery market, serving thousands of enterprise customers worldwide, including much of the Fortune 500. The company's primary offerings include its BIG-IP line of hardware and software products, which provide network traffic management, application security and access control, as well as its NGINX and F5 Distributed Cloud Services platforms. F5's technologies are used extensively by businesses, government agencies and service providers around the world.

F5 released a series of updates to its BIG-IP software suite and advised customers to update their clients for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM as soon as possible.

The company also shared steps customers can take to harden their F5 systems and added some checks to its diagnostic tool, which can help identify gaps in security and prioritize a proper course of action.

F5 encouraged customers to monitor for potentially unauthorized login attempts and configuration changes by integrating their security information and event management tools.

The vendor said it bolstered its internal security in the wake of the breach by rotating credentials and improving its network security architecture and access controls across its systems. F5 also added tools to better monitor, detect and respond to threats, and said it strengthened security controls in its product development environment.

The company brought in multiple firms to assist in its response and recovery efforts, including NCC Group, IOActive and CrowdStrike. F5 said it's working with CrowdStrike to make endpoint detection and response sensors and threat hunting available to its customers.

NCC Group and IOActive both attested that they have not identified any critical-severity vulnerabilities in F5's source code, nor did they find evidence of exploited defects in the company's critical software products or development environment. NCC Group added that it has not found any suspicious threat activity, such as malicious code injection, malware or backdoors, in F5 source code during its review thus far.

"Your trust matters. We know it is earned every day, especially when things go wrong," the company said in a blog post. "We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community."

Matt Kapko contributed to this story.
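The advice above to feed appliance logs into a SIEM and watch for unauthorized login attempts and configuration changes is easy to state and easy to get wrong. The following is an added example, written for this page and not code from F5 or CyberScoop, of the kind of detection logic a SIEM rule would encode: a failed-login burst per source address, configuration changes by an unapproved account or outside an approved change window, and a successful login from a source that just produced a failure burst. The log line format, the field names (`user=`, `src=`, `object=`), the thresholds and the allowlist are all assumptions constructed for the example; they are not F5's documented audit log format and should be mapped onto whatever your appliances actually emit.

```python
"""Constructed example: flag suspicious login and configuration-change events
from appliance audit logs before, or alongside, forwarding them to a SIEM.

The log format is an assumption for this example, not a vendor's documented
format. Each line is: <ISO-8601 timestamp> <host> <event> key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real data). One source produces a burst of
# failures, then a successful login and an off-hours configuration change.
SAMPLE_LOGS = """\
2025-08-09T02:14:01Z bigip1 login_failed user=admin src=203.0.113.7
2025-08-09T02:14:03Z bigip1 login_failed user=admin src=203.0.113.7
2025-08-09T02:14:05Z bigip1 login_failed user=root src=203.0.113.7
2025-08-09T02:14:09Z bigip1 login_failed user=admin src=203.0.113.7
2025-08-09T02:14:12Z bigip1 login_failed user=admin src=203.0.113.7
2025-08-09T02:15:30Z bigip1 login_ok user=svc_deploy src=203.0.113.7
2025-08-09T02:16:02Z bigip1 config_change user=svc_deploy src=203.0.113.7 object=/Common/auth_partition
2025-08-09T09:00:00Z bigip1 login_ok user=netops src=192.0.2.10
2025-08-09T09:01:10Z bigip1 config_change user=netops src=192.0.2.10 object=/Common/vs_web
2025-08-09T09:02:00Z bigip1 login_failed user=netops src=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed policy values for the example; tune these to your environment.
FAILED_LOGIN_THRESHOLD = 5                 # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
CHANGE_WINDOW_HOURS = range(8, 18)          # approved change hours (UTC)
APPROVED_CHANGE_USERS = {"netops"}          # accounts allowed to change config


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "host": m["host"], "event": m["event"]}
    rec.update(dict(KV_RE.findall(m["kv"])))
    return rec


def detect(log_text):
    """Return a list of (rule, detail) alerts for the given log text."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    alerts = []

    # Rule 1: at least THRESHOLD failed logins from one source inside WINDOW.
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login_failed":
            failures[(r["host"], r.get("src", "?"))].append(r["ts"])
    for (host, src), times in failures.items():
        times.sort()
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute_force",
                               f"{host}: {len(window)} failed logins from {src} "
                               f"within {FAILED_LOGIN_WINDOW}"))
                break  # one alert per source is enough for this example

    # Rule 2: configuration change by an unapproved user or outside the window.
    for r in records:
        if r["event"] != "config_change":
            continue
        reasons = []
        if r.get("user") not in APPROVED_CHANGE_USERS:
            reasons.append("unapproved user")
        if r["ts"].hour not in CHANGE_WINDOW_HOURS:
            reasons.append("outside change window")
        if reasons:
            alerts.append(("suspicious_config_change",
                           f"{r['host']}: {r.get('user')} modified {r.get('object')} "
                           f"from {r.get('src')} ({', '.join(reasons)})"))

    # Rule 3: a successful login from a source that already hit the failure
    # threshold (counted over the whole input, not just the window).
    burst_sources = {key for key, times in failures.items()
                     if len(times) >= FAILED_LOGIN_THRESHOLD}
    for r in records:
        if r["event"] == "login_ok" and (r["host"], r.get("src", "?")) in burst_sources:
            alerts.append(("success_after_failures",
                           f"{r['host']}: {r.get('user')} logged in from "
                           f"{r.get('src')} after repeated failures"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

On the constructed sample the third rule is the one that matters: a failure burst alone is noise on any internet-facing management interface, but a burst followed by a successful login and an off-hours change to an authentication object from the same address is the sequence worth paging on. Keep the management plane off the internet in the first place, and treat the thresholds and allowlist as starting points to be tuned against your own baseline rather than fixed values.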