Analysis: Why the F5 breach is something to worry about

Dragos warns that stolen F5 BIG-IP data could expose operational technology systems to state-linked attacks.


Cyber security firm Dragos has issued a stark warning following F5 Networks’ disclosure of a breach of its engineering systems.

According to Dragos, the incident poses a significant threat to industrial operators and could undermine the boundary defences that separate IT and operational technology (OT) environments.

Dragos released an intelligence brief on the last day of October, explaining that F5’s BIG-IP appliances are often positioned between corporate and industrial networks, managing secure remote access, load balancing, and authentication for critical infrastructure operators. Compromise of these devices could enable highly targeted attacks against energy, manufacturing, oil and gas, and transportation networks.


F5 confirmed on 15 October that a state-sponsored group had maintained long-term, unauthorised access to its internal product development environment, exfiltrating portions of BIG-IP source code, information about undisclosed vulnerabilities F5 was still working on, and configuration or implementation information for a small percentage of customers. The company said there was no evidence that its source code, build pipeline or software supply chain had been tampered with, and that patches for affected products – including BIG-IP, F5OS, and the APM clients – were made available at the same time as the disclosure.

“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems,” F5 said in its 15 October security advisory.

“These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorised activity, and we believe our containment efforts have been successful.”

Nonetheless, as far as Dragos is concerned, the incident represents a major intelligence coup for attackers. Access to design documents and unpatched vulnerability details could provide a roadmap for exploiting deployed F5 products, allowing an attacker to manipulate traffic policies or even bypass authentication. In many industrial environments, BIG-IP appliances sit at the network perimeter or on the boundary between enterprise and control systems, making them security choke points: whoever controls the appliance controls what crosses that boundary.

Security researchers have attributed the breach to the group UNC5221, which Dragos tracks as cluster TAT25-43. Believed to have links to China, the group is known for exploiting zero-day vulnerabilities in internet-facing products such as Ivanti Connect Secure VPN appliances and SAP NetWeaver, and for deploying the BRICKSTORM backdoor for long-term espionage.

Telemetry gathered through Dragos’ Neighborhood Keeper network confirmed the presence of F5 devices in multiple industrial sectors, highlighting the risk of lateral movement from compromised perimeter devices into control networks. Because BIG-IP systems frequently hold credentials, API keys, and TLS certificates and private keys, an attacker who compromises one could impersonate users or systems, intercept sensitive traffic, or cut off legitimate access while suppressing logs to evade detection.

Dragos urged operators to treat BIG-IP systems as high-value security assets rather than simple network tools. Administrative access should be tightly controlled, credentials and keys rotated, and patches applied promptly. The company also recommended enforcing multifactor authentication, increasing monitoring of VPN and API endpoints, and isolating management interfaces from public access.
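As an added example (not code from the article, Dragos, or F5), the script below applies two of the recommendations above to text an operator can pull off a BIG-IP: it flags management services and self IPs that are reachable from any address in a saved configuration, and scans tmsh audit records for the kind of changes an attacker holding stolen credentials would make, such as widening the management allow-list or silencing remote logging. The configuration fragment and log lines are constructed to resemble bigip_base.conf and /var/log/audit output rather than copied from a real device; the allow-listed user and the rule set are assumptions to adapt locally.

```python
"""Audit a BIG-IP config fragment and tmsh audit-log lines for management
exposure and suspicious configuration changes.

Constructed example, not Dragos or F5 code. Input samples imitate
bigip_base.conf and /var/log/audit formats; the rules are assumptions.
"""
import re

# Constructed fragment in the style of bigip_base.conf (not from a real device).
SAMPLE_CONFIG = """\
sys httpd {
    allow { all }
    auth-pam-idle-timeout 1200
}
sys sshd {
    allow { 10.20.0.0/24 }
}
net self 192.0.2.10 {
    address 192.0.2.10/24
    allow-service all
    vlan external
}
net self 10.20.0.5 {
    address 10.20.0.5/24
    allow-service {
        default
    }
    vlan internal
}
"""

# Constructed lines in the style of BIG-IP's /var/log/audit tmsh AUDIT records.
SAMPLE_AUDIT = """\
Oct 31 09:12:01 bigip1 notice tmsh[4021]: 01420002:5: AUDIT - pid=4021 user=ops-admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys httpd allow replace-all-with { 10.20.0.0/24 }
Oct 31 09:40:17 bigip1 notice tmsh[4190]: 01420002:5: AUDIT - pid=4190 user=svc_backup folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys sshd allow replace-all-with { all }
Oct 31 09:41:05 bigip1 notice tmsh[4190]: 01420002:5: AUDIT - pid=4190 user=svc_backup folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys syslog remote-servers none
Oct 31 10:02:44 bigip1 notice tmsh[4302]: 01420002:5: AUDIT - pid=4302 user=ops-admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
"""


def parse_blocks(text):
    """Split a tmsh-style config into (header, body_lines) top-level blocks.

    Nested braces are tracked by counting, so 'allow-service { default }' spread
    over several lines stays inside its parent block.
    """
    blocks, header, body, depth = [], None, [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if stripped.endswith("{"):          # start of "<type> <name> {"
                header, body, depth = stripped[:-1].strip(), [], 1
            continue
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            blocks.append((header, body))
        else:
            body.append(stripped)
    return blocks


def audit_config(text):
    """Return findings for management services or self IPs open to any address."""
    findings = []
    for header, body in parse_blocks(text):
        if header in ("sys httpd", "sys sshd"):
            if any(re.fullmatch(r"allow\s*\{\s*all\s*\}", l) for l in body):
                findings.append(f"{header}: allow-list is 'all' (reachable from any address)")
        elif header.startswith("net self "):
            name = header.split()[2]
            if any(l == "allow-service all" for l in body):   # port lockdown disabled
                findings.append(f"net self {name}: allow-service all exposes management/iControl on this self IP")
    return findings


AUDIT_RE = re.compile(
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+)\s.*?"
    r"status=\[(?P<status>[^\]]*)\]\s+cmd_data=(?P<cmd>.*)$"
)

# (regex over cmd_data, reason). Assumed rule set; extend for your environment.
SENSITIVE_CMDS = [
    (r"^modify sys (httpd|sshd) allow\b.*\{\s*all\s*\}", "management allow-list widened to all"),
    (r"^modify sys syslog\b", "remote logging configuration changed"),
    (r"^(modify|delete) auth\b", "authentication configuration changed"),
    (r"^(modify|create|delete) sys file ssl-(key|cert)\b", "TLS key or certificate material changed"),
]
ALLOWED_CHANGE_USERS = {"ops-admin"}   # assumed change-approved accounts


def detect_audit(text, allowed_users=ALLOWED_CHANGE_USERS):
    """Return (severity, user, reason, command) for successful sensitive changes.

    A sensitive change by an account outside the change-approved set is HIGH;
    the same change by an approved account is MEDIUM (still worth a ticket match).
    """
    alerts = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m["status"] != "Command OK":
            continue
        cmd, user = m["cmd"].strip(), m["user"]
        for pattern, reason in SENSITIVE_CMDS:
            if re.search(pattern, cmd):
                severity = "HIGH" if user not in allowed_users else "MEDIUM"
                alerts.append((severity, user, reason, cmd))
                break
    return alerts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("CONFIG:", f)
    for sev, user, reason, cmd in detect_audit(SAMPLE_AUDIT):
        print(f"AUDIT [{sev}] {user}: {reason} ({cmd})")
```

Run against a real device by feeding it the output of `tmsh list sys httpd allow`, `tmsh list sys sshd allow` and `tmsh list net self` and a copy of /var/log/audit; the point of the second half is that audit records should be shipped off-box, since an attacker who can run `modify sys syslog` can also stop them leaving the appliance.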

While F5 continues remediation and investigation efforts, Dragos said defenders should assume that sophisticated adversaries now possess insights into how BIG-IP devices authenticate and route traffic – knowledge that could be used to evade detection and compromise critical systems.

“Boundary systems that broker access to operational networks decide who and what reaches the systems that run your operations,” Dragos said in its 31 October brief.

“The F5 breach raises the likelihood of targeted misuse of remote access, policy changes, and stored secrets.”

You can read the full intelligence brief here.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
