F5, a Seattle-based technology vendor, suffered a sophisticated cyber intrusion by a nation-state actor who maintained long-term, persistent access to its internal systems, including the BIG-IP product development environment and engineering knowledge management platform. The attackers stole source code, embedded credentials, and API keys, along with details of unpatched vulnerabilities F5 was actively addressing. While no federal agency breaches have been confirmed yet, CISA issued an emergency directive (26-01) mandating immediate patching of F5 devices across all federal networks due to the imminent risk of credential theft, lateral network movement, and full system takeover. The breach was discovered on August 9, but public disclosure was delayed until October at the Justice Department’s request, citing national security concerns. The attack is part of a broader supply-chain campaign targeting U.S. tech infrastructure, with potential motives including intelligence gathering, future sabotage, or ransomware preparation. Experts warn the stolen source code could enable zero-day exploits before patches are available, posing risks to thousands of F5 devices in government and private-sector networks. The incident underscores vulnerabilities in critical infrastructure and the escalating threat of state-sponsored cyber espionage.
TPRM report: https://www.rankiteo.com/company/f5
{
  "id": "f54602046101625",
  "linkid": "f5",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "customers_affected": [
        "Federal Civilian Executive Branch agencies (e.g., DOJ, DOS, Treasury, FTC)",
        "Potential state/local governments and private sector organizations using F5 BIG-IP"
      ],
      "industry": "Networking/Application Delivery",
      "location": "Seattle, Washington, USA",
      "name": "F5, Inc.",
      "type": "Publicly Traded Technology Company"
    },
    {
      "industry": "Public Sector",
      "location": "United States",
      "name": "Federal Civilian Executive Branch (FCEB) Agencies",
      "type": "Government"
    }
  ],
  "attack_vector": [
    "Long-term persistent access via internal development/engineering environments",
    "Exploitation of undisclosed vulnerabilities in F5 BIG-IP products",
    "Potential credential theft and lateral movement"
  ],
  "customer_advisories": [
    "F5 security advisory (expected to detail vulnerabilities and patches)",
    "CISA guidance for non-federal F5 BIG-IP users"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": [
      "Source code files",
      "Engineering documentation"
    ],
    "sensitivity_of_data": "High (source code, undisclosed vulnerabilities, credentials)",
    "type_of_data_compromised": [
      "Source code (F5 BIG-IP)",
      "Engineering knowledge management data",
      "Embedded credentials/API keys"
    ]
  },
  "date_detected": "2024-08-09",
  "date_publicly_disclosed": "2024-10-09",
  "description": "The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01 after confirming that a nation-state cyber actor gained unauthorized, long-term access to F5's internal development and engineering environments, including the BIG-IP product source code. The attack, discovered in August 2024, poses risks of credential theft, lateral network movement, and full system control. CISA ordered federal agencies to inventory F5 BIG-IP products, evaluate internet-facing exposure, and apply patches by October 22, 2024. The incident highlights broader supply chain targeting by nation-state actors, though no federal agency breaches have been confirmed yet. The U.S. government delayed public disclosure at the Justice Department's request, marking one of the first uses of the SEC's 2023 cybersecurity disclosure rules.",
  "impact": {
    "brand_reputation_impact": [
      "Potential erosion of trust in F5's supply chain security",
      "First public acknowledgment of DOJ-delayed disclosure under SEC rules"
    ],
    "data_compromised": [
      "F5 BIG-IP source code",
      "Engineering knowledge management platform data",
      "Embedded credentials/API keys"
    ],
    "operational_impact": [
      "Federal agencies required to inventory and patch systems by 2024-10-22",
      "Scoping reports due by 2024-10-29",
      "CISA sustaining operations despite government shutdown"
    ],
    "systems_affected": [
      "F5 BIG-IP product development environment",
      "F5 engineering knowledge management platform",
      "Potential federal agency systems using F5 BIG-IP (thousands of devices)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": true,
    "entry_point": "F5 internal development and engineering environments",
    "high_value_targets": [
      "BIG-IP product development environment",
      "Engineering knowledge management platform"
    ],
    "reconnaissance_period": "Long-term (exact duration undisclosed; discovered 2024-08-09)"
  },
  "investigation_status": "Ongoing (CISA, F5, CrowdStrike, Mandiant, and federal law enforcement)",
  "lessons_learned": [
    "Nation-state actors are increasingly targeting technology supply chains for persistent access.",
    "Delayed disclosure under SEC rules can occur at DOJ's request, as demonstrated in this case.",
    "Source code theft accelerates vulnerability exploitation, especially when combined with stolen patch development data.",
    "Federal agencies must prioritize patching even during government shutdowns or lapses in cybersecurity legislation."
  ],
  "motivation": [
    "Intelligence gathering",
    "Supply chain compromise for future attacks",
    "Potential infrastructure hostage scenarios"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "CISA's patching directive for federal agencies",
      "F5's ongoing investigation with third-party firms",
      "Expected hardening of F5's development environments"
    ],
    "root_causes": [
      "Persistent, undetected access to high-value development environments",
      "Potential insufficient segmentation or monitoring of engineering systems",
      "Nation-state actor's focus on supply chain compromise"
    ]
  },
  "ransomware": {
    "data_exfiltration": true
  },
  "recommendations": [
    "All organizations using F5 BIG-IP should immediately inventory devices, evaluate internet exposure, and apply patches.",
    "Enhance monitoring for signs of credential abuse or lateral movement, given the theft of embedded credentials.",
    "Review supply chain security practices, particularly for vendors with access to high-value development environments.",
    "Prepare for potential zero-day exploits derived from stolen source code and undisclosed vulnerabilities.",
    "State/local governments and private sector should follow CISA's mitigation steps despite the directive's federal focus."
  ],
  "references": [
    {"date_accessed": "2024-10-09", "source": "CISA Emergency Directive 26-01"},
    {"date_accessed": "2024-10-09", "source": "F5 SEC 8-K Filing"},
    {"date_accessed": "2024-10-09", "source": "CBS News - 'CISA orders federal agencies to patch F5 flaws after nation-state hack'"},
    {"date_accessed": "2024-10-09", "source": "Palo Alto Networks Unit 42 Threat Intelligence Statement"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": [
      "SEC 8-K filing (delayed per DOJ request)",
      "CISA Emergency Directive 26-01"
    ]
  },
  "response": {
    "communication_strategy": [
      "SEC 8-K filing (delayed per DOJ request until 2024-10-09)",
      "CISA public briefing and emergency directive",
      "Urgent advisories to state/local/private sector organizations"
    ],
    "containment_measures": [
      "CISA Emergency Directive 26-01 (2024-10-09)",
      "Inventory of F5 BIG-IP products in federal networks",
      "Evaluation of internet-facing exposure"
    ],
    "incident_response_plan_activated": "2024-08-09 (F5 launched investigation with CrowdStrike, Mandiant, and federal law enforcement)",
    "law_enforcement_notified": true,
    "remediation_measures": [
      "Patch application deadline: 2024-10-22",
      "Scoping reports due: 2024-10-29"
    ],
    "third_party_assistance": [
      "CrowdStrike",
      "Mandiant (Google Cloud)",
      "Unnamed government partners"
    ]
  },
  "stakeholder_advisories": [
    "CISA urging state/local/private sector to follow federal patching guidance",
    "F5 customers advised to monitor for unusual activity"
  ],
  "threat_actor": "Unnamed nation-state actor",
  "title": "Nation-State Cyber Actor Gains Persistent Access to F5's Source Code, Prompting CISA Emergency Directive",
  "type": [
    "Supply Chain Compromise",
    "Unauthorized Access",
    "Source Code Theft",
    "Persistent Threat"
  ],
  "vulnerability_exploited": [
    "Undisclosed vulnerabilities in F5 BIG-IP (actively patched but stolen pre-disclosure)",
    "Embedded credentials/API keys in source code"
  ]
}