News

Suspected Chinese Hackers Spent a Year-Plus Inside F5 Systems: Report

  • Jeffrey Burt--securityboulevard.com
  • published date: 2025-10-20 00:00:00 UTC


<p>The Chinese state-sponsored threat actors believed to be behind the high-profile hack of F5’s corporate networks reportedly infiltrated the security company’s systems in late 2023 and remained undetected for more than a year.</p><p>Citing unnamed people briefed about the investigation, Bloomberg <a href="https://www.bloomberg.com/news/articles/2025-10-18/hackers-had-been-lurking-in-cyber-firm-f5-systems-since-2023" target="_blank" rel="noopener">wrote</a> that the hackers exploited a vulnerability in F5’s software, gained long-term access to the vendor’s network and stole files from its BIG-IP suite of application delivery and security services products, including some of the source code and information on unpatched security flaws.</p><p>F5 <a href="https://my.f5.com/manage/s/article/K000154696" target="_blank" rel="noopener">disclosed the intrusion</a> on October 15 on its website and in a <a href="https://www.sec.gov/Archives/edgar/data/1048695/000104869525000149/ffiv-20251015.htm" target="_blank" rel="noopener">filing</a> with the U.S. 
Securities and Exchange Commission, writing that it learned in August that “a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems.”</p><p>“These systems included our BIG-IP product development environment and engineering knowledge management platforms,” the company wrote. “We have taken extensive actions to contain the threat actor. 
Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”</p><p>Users are being urged to <a href="https://my.f5.com/manage/s/article/K000156572" target="_blank" rel="noopener">apply updates</a> to a range of products, including BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM.</p><h3>600,000 BIG-IP Instances Exposed</h3><p>Security researchers with Palo Alto Networks <a href="https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-source-code/" target="_blank" rel="noopener">noted</a> that the BIG-IP suite is used by large organizations for access control, availability, and security, mostly in the United States but also around the world. Customers include government agencies and Fortune 500 companies.</p><p>The Palo Alto researchers reported that their Cortex Xpanse attack surface management tool identified more than 600,000 BIG-IP instances exposed to the internet. They noted that F5 officials have said there is no evidence that bad actors have exploited any of F5’s undisclosed vulnerabilities, or that they accessed or exfiltrated data from F5’s customer relationship management (CRM), financial, iHealth, or support case management systems.</p><p>There is also nothing that shows the threat actors modified F5’s software supply chain, including source code or build and release pipelines, or modified F5’s NGINX source code, product development environment, or distributed cloud services or Silverline web app firewall systems.</p><h3>‘Unique’ Potential Impact</h3><p>That said, the Palo Alto researchers wrote that “the potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching. 
This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.”</p><p>According to Bloomberg, the hackers were suspected of using malware called BRICKSTORM, which is linked to the China-nexus threat group UNC5221. Researchers with Google Threat Intelligence Group and Google’s Mandiant business <a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign" target="_blank" rel="noopener">wrote late last month</a> that the <a href="https://securityboulevard.com/2025/09/chinese-hackers-steal-data-from-u-s-legal-tech-firms-for-more-than-a-year/" target="_blank" rel="noopener">hackers were using the BRICKSTORM backdoor</a> to gain long-term access into the networks and systems of U.S. companies, including law firms, software-as-a-service (SaaS) companies, business process outsourcers (BPOs), and technology organizations.</p><h3>Tech Companies are a Growing Target</h3><p>Palo Alto researchers noted that “attacks in recent years have illustrated the allure of technology companies as not just a viable target, but a force multiplier in increasing the efficiency and timeline of espionage activity.”</p><p>Neil Carpenter, principal solutions architect at Minimus, echoed the sentiment, saying that “there are also many examples of an attacker using intelligence from a compromise of a technology or consulting firm as a stepping stone to compromising other, high-value targets. F5 states that exfiltrated data included ‘information about undisclosed vulnerabilities’ and, while they go on to state there’s no evidence of public exploitation of those vulnerabilities, this may have been the attacker’s target.”</p><h2>Governments React</h2><p>F5’s disclosure of the compromise prompted the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to <a href="https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices" target="_blank" rel="noopener">instruct government agencies</a> to inventory the F5 products they use, determine if the networked management interfaces are accessible to the internet, and apply the updates from F5.</p><p>“This cyber threat actor presents an imminent threat to federal networks using F5 devices and software,” CISA wrote. “Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.”</p><p>The UK’s National Cyber Security Centre <a href="https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network" target="_blank" rel="noopener">issued a similar alert</a>.</p><p>Misha Kuperman, chief reliability officer for Zscaler, said he expects there to be large-scale exploitation attempts against internet-exposed F5 devices in the wake of the intrusion.</p><p>“The recent F5 breach underscores what we continue to see: determined threat actors exploiting the inherent weaknesses of perimeter-based security,” Kuperman said. “Traditional firewalls, VPN concentrators, and other network appliances with publicly exposed IP addresses remain prime targets. These legacy technologies were designed to protect networks, not to contain modern attacks once an adversary is inside. 
When these devices are compromised, malware can persist undetected, move laterally, and exfiltrate sensitive data.”</p>
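<p>The CISA directive described above boils down to three steps an operator can script: inventory the F5 estate, flag any management interface reachable from the internet, and flag any device still below the patched baseline. The Python below is an added illustration of that triage and is not code from F5, CISA, or this article. The inventory rows, the internal address ranges, and the minimum-version table are constructed placeholders; the real fixed versions come from F5’s update article (K000156572), not from this table.</p>

```python
"""
Triage an F5 inventory along the lines of CISA ED 26-01:
(1) inventory, (2) flag management interfaces reachable from the internet,
(3) flag devices below the patched baseline.

Everything below (inventory rows, internal ranges, version thresholds) is a
constructed placeholder for this example, not data from F5, CISA or the article.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address space this hypothetical organisation treats as internal.
# A management address outside these ranges is assumed to be internet-reachable
# and is flagged for review (an assumption, not a live reachability test).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]

# Placeholder thresholds only. Take the real minimum fixed versions from
# F5's K000156572 update article for each product family.
MIN_PATCHED = {
    "BIG-IP": (17, 1, 3),
    "F5OS": (1, 8, 2),
    "BIG-IQ": (8, 4, 1),
}


@dataclass
class Device:
    hostname: str
    product: str
    version: str
    mgmt_ip: str


def parse_version(v):
    """'17.1.2' -> (17, 1, 2). Non-numeric parts become 0 and short
    strings are padded so tuple comparison never raises."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def mgmt_is_internet_exposed(ip_str):
    """True when the management address is outside every internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def needs_update(product, version):
    """True when the device is below the baseline for its product family.
    Unknown product families are treated as needing review."""
    minimum = MIN_PATCHED.get(product)
    if minimum is None:
        return True
    return parse_version(version) < minimum


def triage(devices):
    """Return [(hostname, [findings]), ...] with the devices that are both
    exposed and unpatched first, then exposed, then unpatched, then clean."""
    rows = []
    for d in devices:
        exposed = mgmt_is_internet_exposed(d.mgmt_ip)
        stale = needs_update(d.product, d.version)
        findings = []
        if exposed:
            findings.append("mgmt interface reachable from internet")
        if stale:
            findings.append(f"version {d.version} below patched baseline")
        rows.append((d.hostname, findings, (exposed, stale)))
    # Python's sort is stable, so equal priorities keep inventory order.
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(h, f) for h, f, _ in rows]


# Constructed sample inventory (TEST-NET addresses stand in for public ones).
INVENTORY = [
    Device("lb-dmz-01", "BIG-IP", "17.1.1", "203.0.113.7"),
    Device("lb-core-02", "BIG-IP", "17.1.3", "10.20.0.5"),
    Device("os-edge-01", "F5OS", "1.8.0", "198.51.100.22"),
    Device("iq-mgmt-01", "BIG-IQ", "8.4.1", "192.168.50.9"),
]

if __name__ == "__main__":
    for hostname, findings in triage(INVENTORY):
        print(hostname, "->", "; ".join(findings) or "ok")
```

<p>The ordering is the point: a device whose management interface is both internet-reachable and unpatched is exactly the case the directive and the Zscaler comment are worried about, so it surfaces first. Swapping the placeholder ranges and thresholds for an organisation’s real ones is the only change needed to run this over a genuine export.</p>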