
F5 Networks, a provider of application delivery and security products, announced in October 2025 that it had been the victim of a major breach carried out by a sophisticated state-sponsored hacking group. The intrusion had been under way for over a year before it was discovered. Some news outlets attribute it to a hacking group operating out of China.
The attackers established a long-term presence on F5’s internal infrastructure, including its software development, collaboration, and knowledge-sharing platforms. They exfiltrated confidential information, including portions of the source code for F5’s BIG-IP product as well as information about software vulnerabilities that had not yet been made public.
Inside the Breach: A Stealthy, Sophisticated Attack
F5 became aware of the breach in early August 2025 and believed it had been contained by mid-October. Once discovered, it was clear that the attackers had enjoyed persistent, unnoticed access to F5’s systems for a long period, likely since late 2024. Analysis showed that the attackers used custom malware, tracked as ‘BRICKSTORM,’ to remain undetected inside F5’s environment for a remarkably long time, stealing credentials as they moved through F5’s systems.

This access allowed the attackers to steal high-value intellectual property. F5 reported that the attackers took portions of the source code for its BIG-IP product along with information about undisclosed vulnerabilities held in its bug-tracking systems. With such information as a starting point, it is obviously easier for a determined attacker to find security flaws or develop exploits. Security professionals predict that the attackers now hold a “head start” in building new cyber-espionage tools aimed at F5 products.
On a slightly positive note, F5 said there was no indication that the attackers had altered any of its source code or inserted backdoors, as happened in the SolarWinds supply-chain attack. Independent security firms that audited F5’s software did not find any malware in it either. F5 further said there was no sign that its most sensitive customer data had been accessed, noting that only a small percentage of its customers had support-case notes or configuration files involved.
Why F5 Is a Cause for Alarm Across Sectors
What makes the F5 breach most alarming is how widely its products are deployed at corporations and government institutions. F5 is not a consumer brand that most people recognize, but its load balancers, application firewalls, and traffic management products quietly operate in countless data centers across the globe.
F5, for instance, states on its own website that it serves more than four out of every five Fortune 500 firms. Its products work in the background of data centers serving banks, tech firms, governments, and other organizations; as one security expert put it, “[F5]’s products are in everybody’s environment, but nobody ever hears of F5.”

Heightening this concern, US government officials reported that following news of F5’s compromise, malicious actors began scanning F5 devices on other networks. Government agencies were reportedly among those scanned during this period, prompting warnings from US government cyber security officials.
Internet scanning for F5 products reportedly increased sharply in mid-September 2025, before the breach was public, suggesting that some party was already aware of an F5 product vulnerability. The effect on F5 itself underscores how serious this breach is: F5’s stock price fell a staggering 12% shortly after the breach was announced, as the market reacted to its likely consequences.
Analysts spent long days working out whether affected businesses were at risk as a result of the breach. Some self-described experts go as far as to say that this breach, serious as it is, poses a threat on the scale of the 2020 SolarWinds breach. In that incident, malicious actors implanted exploit code into trusted IT management tools, gaining access to several government and business IT infrastructures across North America.
The F5 incident is a variant of the same supply-chain attack: rather than tampering with the product, the attackers stole F5’s secrets, which could later be used against F5 device users. The two cases are not identical, but this breach touches a comparably large user base, since a core yet largely invisible piece of our IT underpinning has been compromised.
Parallels With SolarWinds Reflect Supply Chain Risks
It is useful to consider the similarities with the SolarWinds attack, as the security community has widely done. In the SolarWinds attack of 2020, a group of Russian-speaking hacking actors implanted malware in updates to SolarWinds’ Orion software, which was then distributed to thousands of clients, giving the attackers access to about a dozen U.S. federal agencies and several firms.
What makes the F5 case feel like déjà vu is that F5, like SolarWinds, supplies pervasive networking tools that run in the background, so a successful attack can carry strong ramifications despite the company’s under-the-radar presence in public consciousness. Like the SolarWinds attack, the F5 attack was carried out by a nation-state actor using sophisticated means to covertly exploit the software supply chain, in this instance by stealing insight into the code rather than modifying it.
Nevertheless, one crucial point differentiates this attack: F5 has yet to find any signs of malicious changes to its shipped product or its updates. Unlike a typical supply-level backdoor installation, the attackers did not manage to tamper with what customers receive. This means that customers will not need to remove F5 products the way SolarWinds’ Orion, which carried secretly embedded malware, had to be removed.
F5 also engaged outside experts to check its source code for changes, and they confirmed that no modifications had been made. However, the supply chain risk has not dissipated; it has taken a different form. Now that the attackers possess F5’s source code as well as details of its vulnerabilities, they effectively hold a blueprint for pinpointing weaknesses in F5’s products that they could exploit.
Response of F5 and the Authorities to this Threat
Given the scale of the incident, F5 and the relevant security organizations acted swiftly. On October 15, 2025, F5 disclosed the breach and released security patches together as a Quarterly Security Notification. This bundle contained patches for a variety of high-risk vulnerabilities affecting F5 products, including, but not limited to, the vulnerabilities whose details had been accessed by the attackers.
To further strengthen its defenses, F5 has mobilized its own resources and collaborated with others. It has improved its asset inventory and patch management practices so that its various systems are kept up to date, and it has improved the monitoring and detection tooling deployed across its environment as a whole. F5 has also announced that it will more rigorously implement a zero-trust security framework across its enterprise. Notably, F5 announced a partnership with CrowdStrike to roll out CrowdStrike’s endpoint detection and response capabilities across its BIG-IP products.

F5 said it has already started running CrowdStrike’s monitoring agent on its own corporate BIG-IP environment, and it is offering business customers access to the same threat protection for their own BIG-IP environments as a precautionary security service. This followed a briefing by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued Emergency Directive ED 26-01, requiring all federal civilian agencies to address their F5 products immediately.
CISA noted that with F5’s source code stolen, the attackers now hold a profound technical advantage, constituting an imminent threat to government agencies and, likely, commercial entities as well. Other authorities and experts, including those in Canada, the UK, and Australia, issued notices emphasizing the urgency of updating F5 devices.