US-based cybersecurity vendor F5 has disclosed a breach by what it called a “highly sophisticated nation-state threat actor,” confirming unauthorised access to parts of its BIG-IP development environment and engineering knowledge platforms, as well as limited customer configuration data.
F5 said stolen files included “some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on,” adding it had “no knowledge of undisclosed critical or remote code vulnerabilities” and was not aware of active exploitation of undisclosed flaws. The company said two independent audits found “no evidence of modification to our software supply chain, including our source code and our build and release pipelines.”
The US Cybersecurity and Infrastructure Security Agency issued an emergency directive instructing federal civilian agencies to inventory affected F5 products, remove public internet exposure for management interfaces, and apply security updates by deadlines later in October. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems,” said CISA acting director Madhu Gottumukkala. CISA also warned the actor’s access to source code and vulnerability information presents “an imminent threat to federal networks.”
Multiple reports linked the intrusion to suspected China-nexus hackers. Reuters said “a breach at U.S.-based cybersecurity company F5 has been blamed on state-backed hackers from China,” citing people briefed on the investigation. Bloomberg reported that representatives told customers hackers were in the network for at least 12 months, and that F5’s chief executive officer François Locoh-Donou is personally briefing customers. Google’s Threat Intelligence Group attributed the Brickstorm malware to a suspected China-nexus group dubbed UNC5221, while Mandiant said such implants can remain undetected for an average of 393 days. F5 declined to confirm those details.
The Chinese government rejected accusations. “China always opposes and fights hacking activities in accordance with the law. And China firmly opposes spreading disinformation out of political agenda,” foreign ministry spokesman Lin Jian said, according to Bloomberg. Liu Pengyu, spokesperson for the Chinese Embassy in Washington, said “China consistently opposes and combats hacking activities,” Reuters reported.
Authorities in the UK issued parallel guidance urging customers to install security updates and continue monitoring. Cybersecurity Dive reported F5 was notifying affected customers whose configuration data was exposed. CNBC said shares fell about 10 per cent following the disclosure.
“Successful exploitation… could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access,” CISA said in its directive.
