Nation-state hackers have been blamed for stealing the source code of BIG-IP, and the Australian Cyber Security Centre has released a critical alert over the breach.
Cloud security firm F5 has revealed that an unidentified nation-state hacker was able to gain and maintain access to its development environment, stealing source code related to its application delivery and security services platform.
“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems,” F5 said in a 15 October security advisory.
“These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorised activity, and we believe our containment efforts have been successful.”
The company believes that no data was stolen from its CRM platform or iHealth systems and has engaged CrowdStrike and Mandiant to support its investigation. F5 has also reported the incident to government partners and law enforcement.
“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” F5 said.
“This assessment has been validated through independent reviews by leading cyber security research firms NCC Group and IOActive.”
Following F5’s disclosure, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) released a critical alert warning Australian network defenders of the incident and of several other vulnerabilities revealed by the company.
“F5 have released an advisory regarding a cyber security incident that has affected certain F5 systems with recommendations on what customers can do to help protect themselves,” the ACSC said in a 16 October alert.
“In addition to this advisory, F5 has issued its October 2025 quarterly security notification summarising multiple critical vulnerabilities identified across its product portfolio. The notification details newly discovered and previously unresolved issues affecting multiple F5 platforms. The advisory provides a coordinated patch release to help customers maintain secure and supported versions across all F5 environments.”
The vulnerabilities range from high to low severity, and they impact F5 BIG-IP, BIG-IP Next, F5OS-A/C, and Silverline devices.
“Affected builds include major releases 15.x through 17.x, as well as Next SPK, CNF, and Kubernetes versions,” the ACSC said.
Bob Huber, Tenable’s chief security officer and ex-US Navy cyber leader, said the incident is “as bad as you think”.
“Make no mistake, the breach at F5 is a five-alarm fire for national security. The company reported that a nation-state adversary has stolen the digital blueprints – source code and undisclosed vulnerability data – for F5’s BIG-IP technology,” Huber said.
“While details are still emerging, it’s important to understand that this isn’t just another piece of software, but a foundational technology used to secure everything from government agencies to critical infrastructure. In the hands of a hostile actor, this stolen data is a master key that could be used to launch devastating attacks, similar to the campaigns waged by Salt Typhoon and Volt Typhoon.”
Huber noted that even on a good day, this incident would be a “shocking revelation”. However, with the US government in a state of shutdown due to a political deadlock between the Democrats and Republicans, F5’s disclosure is doubly concerning.
“While CISA has issued an emergency directive, the reality is that our national defenders are operating with one hand tied behind their back, right when a major threat has emerged. The task ahead is massive, and it’s anyone’s guess where the attackers may choose to strike next,” Huber said.
“This is a time for the entire cyber security industry to pull together, get proactive, and pay close attention to remediation guidance and updates from CISA and from F5 – who should get credit for their transparency and how they’ve handled this incident so far.
“Preventive security and continuous monitoring is now essential to identify and limit exposures. The attackers have a map to our most sensitive environments. Our only defence is to eliminate every possible path before they choose to strike.”
You can find more information on the incident and how to respond here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.