A nation-state-affiliated threat actor that gained unauthorized access to F5 systems exfiltrated source code for its BIG-IP application delivery and security products plus files with customer configuration or implementation information.
The Seattle-based security vendor disclosed Wednesday in a regulatory filing and a post on its website that the configuration or implementation information was “for a small percentage of customers” and came from its knowledge management platform. The threat actor had “long-term, persistent access to” the BIG-IP development environment and engineering knowledge management platform.
“The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate,” F5 said in a filing with the U.S. Securities and Exchange Commission (SEC). “As of the date of this disclosure, this incident has not had a material impact on the Company’s operations, and the Company is evaluating the impact this incident may reasonably have on its financial condition or results of operations.”
F5 BIG-IP Breach
CRN has reached out to F5 for comment.
The vendor’s top channel goals for 2025 include increasing partners’ customer satisfaction ratings, according to CRN’s 2025 Channel Chiefs.
The disclosure comes in the days leading to F5’s fourth fiscal quarter earnings report, which is set for Oct. 27.
The SEC filing notes that on Sept. 12, the U.S. Department of Justice allowed F5 to delay public disclosure of the breach.
Although none of the public posts about the breach name the country with which the threat actor is affiliated, cybersecurity consulting company Sygnia notably published a report in June 2024 pointing to a group, Velvet Ant, that appeared to be affiliated with China and had targeted a legacy F5 BIG-IP appliance in a cyberattack on an unnamed large organization in late 2023.
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency published a bulletin online directing Federal Civilian Executive Branch (FCEB) agencies to inventory BIG-IP products, evaluate whether the networked management interfaces are accessible from the public internet, and update the products to avoid exploitation by “a nation-state affiliated cyber threat actor” that compromised F5’s systems.
“The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software,” according to the CISA bulletin. “The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits.”
CISA directed immediate emergency action for BIG-IP iSeries, rSeries and any other F5 hardware that has reached end of support. It also directed action for all devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, BIG-IP Next for Kubernetes (BNK) and Cloud-Native Network Functions (CNF) software.
Agencies are to disconnect and decommission any F5 devices at end of support as part of the emergency actions.
Threat Actor Access Discovered In August
In F5’s SEC filing, the company said that it learned about the unauthorized access on Aug. 9 and that it believes it has successfully contained the activity.
F5 has been working with CrowdStrike, Google subsidiary Mandiant, law enforcement and government partners since the discovery, according to a company statement Wednesday.
The vendor has not found evidence of exfiltrated data from its customer relationship management (CRM), financial, support case management or iHealth systems, according to F5.
The threat actor appears not to have accessed or modified NGINX source code or its product development environment, F5 Distributed Cloud Services systems or Silverline systems. NCC Group and IOActive have validated that no evidence exists of the threat actor modifying F5’s software supply chain.
F5’s recommendations to users include enabling BIG-IP event streaming to their security information and event management (SIEM) tool and updating BIG-IP software as soon as possible.
The vendor has rotated credentials and strengthened access controls across its systems, deployed improved inventory and patch management automation and enhanced its network security architecture, among other improvements, since discovering the unauthorized access, according to F5.
It continues to review code and test products with NCC Group and IOActive. It has extended the CrowdStrike Falcon endpoint detection and response (EDR) and OverWatch Threat Hunting products to BIG-IP for additional visibility and defense strengthening. F5 will give BIG-IP customers an early access version of the products and give supported customers a free CrowdStrike Falcon EDR subscription, according to the company’s online post about the security incident.
F5 notably discovered the unauthorized access days before revealing plans to cut more than 100 employees amid changes in its product organization.
F5 partners and customers are also at the start of a device refresh period that should go into next year for its Viprion and iSeries products, according to a Morgan Stanley report earlier this month.
The vendor has also been on an acquisition spree, closing on Sept. 29 on its $180 million purchase of CalypsoAI. This year has also seen F5 acquisitions of Fletch and MantisNet.
Other vendor battles with threat actors spilling into the public eye in recent days include Avnet, Oracle, Salesforce and Cisco.