FindArticles © 2025. All Rights Reserved.

F5 Networks Confirms Long-Term Breach and Data Theft

Bill Thompson
Last updated: October 27, 2025 4:29 pm

F5 Networks says a nation-state hacking group had long-term, persistent access to its corporate network and used it for reconnaissance of the company’s most sensitive information, including intellectual property. The application security giant announced the breach in a filing with the U.S. Securities and Exchange Commission, adding that the incident had been contained but also highlighting the systemic risk introduced when a fundamental infrastructure provider is breached.

The attackers were able to access the company’s BIG-IP product development environment and internal know-how systems, F5 said. The systems contained source code and information about security vulnerabilities that had not yet been disclosed publicly. F5 said it has no evidence its software builds were compromised or that the undisclosed vulnerabilities were used in the wild, but updates are available to fix the bugs and customers should apply them soon.

Table of Contents
  • What was compromised in F5’s network intrusion
  • How the intrusion unfolded inside F5’s corporate network
  • Regulatory and government responses to the breach at F5
  • The consequences for the software supply chain
  • What F5 customers can do next to reduce their risk
  • The bigger picture and what this breach means for F5
Diagram showing a data center with a BIG-IP platform, Puppet Master, and Puppet Proxy, illustrating data flow and management components.

What was compromised in F5’s network intrusion

In addition to stealing code, the infiltrators took configuration and implementation information for a few customer environments. This documentation can expose network topologies, control plane configurations, and integration points that provide attackers a “how-to” blueprint for privilege escalation or lateral movement.

F5, which counts more than 1,000 corporate customers and says it serves over 85% of the Fortune 500, provides technology to banks as well as tech platforms and operators of critical infrastructure. That ubiquity is what makes F5 devices, commonly deployed at the edge, inside data centers, and as traffic managers, such sought-after targets. The latest flaws join high-severity BIG-IP vulnerabilities from past years, like CVE-2020-5902 and CVE-2021-22986, problems that multiple national cyber authorities said could be traced back to state-linked actors.

How the intrusion unfolded inside F5’s corporate network

F5 said the incident stemmed from a long-term compromise by a government-backed group. The company has not disclosed the initial access vector, but intrusions in this class most often combine credential theft, misuse of legitimate admin tools, and stealthy lateral movement within development and IT networks. Access to source code and build systems raises the stakes from a garden-variety breach to a potential supply chain event, even if the attackers forgo any tampering with code, since they could comb through the code for logic flaws and secrets or assess the strength of build pipelines.

Security architects point to practices such as hermetic builds, rigorous management of code-signing keys, and build integrity controls aligned with SLSA, which make post-compromise tampering provable.

F5 said it had not discovered any alterations to its software during development, which would have been a significant red flag, but the theft of internal knowledge could shorten the time needed to develop an attack.

Regulatory and government responses to the breach at F5

F5 said the Department of Justice had allowed it to delay telling the public, an exception that can be granted when immediate notification would create a significant risk to national security or public safety. Deferrals of that sort are rare and indicate nervousness about follow-on targeting as mitigations deploy.

F5 BIG-IP LTM lab topology diagram with three web servers, internal and external networks, and a management interface.

After the company announced its findings, the U.K. National Cyber Security Centre said in a warning that information compromised in the breach could be used to exploit F5 devices and software.

The Cybersecurity and Infrastructure Security Agency in the United States issued an emergency directive telling civilian agencies to install vendor updates with all due haste and to make sure management interfaces and authentication settings are locked down.

The consequences for the software supply chain

Stealing source code does not equal a weaponized exploit, but it greatly decreases research costs for well-resourced adversaries. Recent campaigns against enterprise vendors and cloud providers, publicly attributed by Microsoft and Hewlett Packard Enterprise to state-backed groups, illustrate how long-dwell, identity-focused operations can move from a single compromise to wide access across customers. The SolarWinds event is still the poster child for why development environments are critical infrastructure.

The stakes are higher for customer configuration data. With blueprints of how organizations roll out BIG-IP and the related tooling, attackers can tailor phishing to bypass weak security measures or chain vulnerabilities that are exploitable only in those configurations. That combination, a look into vendor source code and into at least one real-world deployment, is why this breach is strategically important.

What F5 customers can do next to reduce their risk

  • Apply the most current F5 updates immediately and verify software integrity using an available signature from a trusted source.
  • Examine access logs for management planes, restrict admin interfaces from the public internet, and mandate multifactor authentication as well as role-based least privilege on devices and orchestration tools.
  • Rotate credentials, API keys, and certificates that device configurations or F5 integrations access—just assume that if the secret was documented in internal documentation, then it may have been disclosed.
  • Augment monitoring around F5 infrastructure with endpoint detection on jump hosts, network segmentation for control traffic, and explicit allowlists for automation accounts.
  • Review F5, CISA, and NCSC advisories and indicators of compromise on the attack campaign, and verify that security teams can identify abnormal changes made to virtual servers, iRules, or authentication profiles.
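
The last item above asks teams to spot abnormal changes to virtual servers, iRules, or authentication profiles. As an added example (not from the article or from F5), this Python script diffs two configuration snapshots by hashing each top-level stanza; the tmsh-style stanza layout and every object name in the samples are constructed assumptions.

```python
import hashlib

# Stanza prefixes to watch (assumed tmsh-style layout, as in the samples below).
WATCHED = ("ltm virtual ", "ltm rule ", "auth ")

def parse_stanzas(text):
    """Map each top-level stanza header to a SHA-256 of its body.
    Braces are counted naively, so braces inside quoted strings are not handled."""
    stanzas, depth, header, body = {}, 0, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if "{" not in stripped:
                continue
            header, rest = stripped.split("{", 1)
            header, body = header.strip(), [rest.strip()]
        else:
            body.append(stripped)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            stanzas[header] = hashlib.sha256("\n".join(body).encode()).hexdigest()
    return stanzas

def diff_configs(baseline, current):
    """Return (change, stanza) pairs for watched objects only, sorted by name."""
    old, new = parse_stanzas(baseline), parse_stanzas(current)
    findings = []
    for name in sorted(set(old) | set(new)):
        if not name.startswith(WATCHED):
            continue
        if name not in old:
            findings.append(("added", name))
        elif name not in new:
            findings.append(("removed", name))
        elif old[name] != new[name]:
            findings.append(("modified", name))
    return findings

# Constructed snapshots: a known-good baseline and a later export.
BASELINE = """\
ltm virtual /Common/vs_portal {
    destination /Common/203.0.113.10:443
    rules {
        /Common/rule_headers
    }
}
ltm rule /Common/rule_headers {
    when HTTP_RESPONSE { HTTP::header insert "X-Frame-Options" "DENY" }
}
auth source { type local }
"""
CURRENT = BASELINE.replace("type local", "type ldap").replace(
    "rule_headers\n    }", "rule_headers\n        /Common/rule_debug\n    }"
) + "ltm rule /Common/rule_debug {\n    when HTTP_REQUEST { log local0. [HTTP::uri] }\n}\n"
```

Calling `diff_configs(BASELINE, CURRENT)` reports the changed authentication source, the new iRule, and the virtual server that now references it; each finding can then be matched against an approved change ticket.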

For vendors and large enterprises, harden the software factory by compartmentalizing and attesting build steps, protecting code-signing keys with hardware-based access controls, tracking the pedigree of artifacts through a detailed software bill of materials (SBOM), and auditing third-party plugins and CI/CD integrations. Recovery playbooks should contain rebuild steps for tampered build agents and revocation plans for signing artifacts.

The bigger picture and what this breach means for F5

State-backed actors prefer continued access to foundational tech providers, as even a single foothold can have ripple effects through industries. As a central figure in application delivery, F5 is an obvious target, and its announcement makes the math plain: what matters is how quickly vendors and customers can coordinate patches (if necessary), rotate secrets, segment traffic according to threat level, and share telemetry before the window for cascading compromise closes.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.