Features 06.11.2025
AI Autopsy: Why the F5 Breach Has Put the Internet on High Alert
Could this be the most significant security vendor incident since SolarWinds?
The world no longer sees many spectacular heists. However, when they do happen, they make headlines. In October, two smash-and-grab incidents took place in two very different worlds. While managers at the Louvre are still counting the cost of an audacious jewellery theft, halfway around the world, F5 revealed that intruders had stolen its own crown jewels.
The ramifications for the American cybersecurity company and its customers could be significant.
Reports recently emerged that attackers had gained access to the network equipment company’s development environment for 12 months. The attack, which Bloomberg attributed to the Chinese group UNC5221, pilfered BIG-IP source code and vulnerability intelligence, providing the attackers with a means to exploit internet-facing devices.
In its breach notification, F5 states that it doesn’t have any evidence of access to administrative systems, such as CRM or support case management apps. But the attackers did get some files from its knowledge management system, with “configuration or implementation information for a small percentage of customers”.
NCC Group and IOActive have both verified that there is no evidence suggesting F5’s source code or build and release pipelines have been modified, F5 adds. Neither does it think that the threat actor accessed the NGINX source code or product development environment, or its F5 Distributed Cloud Services or Silverline systems. NGINX powers a massive number of web servers, and F5 owns both the open-source project and the commercial version. Silverline is F5’s managed security services platform, which it runs from its own security operations centre.
F5 actually knew about the breach on August 9, but a month later, the DoJ instructed it not to reveal the issue immediately, citing national security concerns, according to F5’s SEC filing. That’s an illustration of how seriously the authorities are treating the incident.
Google’s Mandiant has associated the UNC5221 group with malware known as Brickstorm. The group, which network firm Zscaler believes has been operating since 2023, specialises in lurking inside a range of companies’ networks, spanning industries including legal services, SaaS, business process outsourcing, and technology.
Rather than targeting traditional endpoints that are protected by endpoint detection and response (EDR) technology, this malware focuses on network appliances that often lack these protections. “Appliances are often poorly inventoried, not monitored by security teams, and excluded from centralised security logging solutions,” notes Google’s analysis.
Nor does the group make it easy for defenders to identify it. It apparently never uses the same indicators of compromise, such as command-and-control vectors or malware samples, across any two attacks.
This under-the-radar approach enables UNC5221 to spend a long time lurking on its target networks. Mandiant believes that it dwells for 393 days on average. That’s plenty of time to nose around looking for source code and details of as-yet-unreleased vulnerabilities. It’s a potential treasure trove of zero-day vulnerabilities.
If this is the group behind the attack, F5 wouldn’t be its first victim; it has reportedly targeted Ivanti as well.
This is what Rich Greene, senior solutions engineer at SANS Institute, categorises as a “big deal”, on a par with the SolarWinds exploit in 2020. “Someone stole the blueprints and the list of known weak spots for core internet technology,” he tells Assured Intelligence. “F5 products sit in front of tens of thousands of networks across the globe. So this breach doesn’t just affect F5. I really do think it reshapes how defenders think about edge infrastructure risk as a whole.”
There are indeed many F5 boxes out there on the internet. Palo Alto Networks states that its Cortex Xpanse attack surface management system has identified over 600,000 unique hosts behind internet-facing BIG-IP instances.
The US Cybersecurity and Infrastructure Security Agency (CISA) was sufficiently moved to release Emergency Directive 26-01. This requires federal agencies to implement F5’s patches for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF by October 22 2025.
Federal agencies must also disconnect devices that have reached the end of support, and inventory all F5 devices by October 29. CISA Acting Director Madhu Gottumukkala decries “the alarming ease with which these vulnerabilities can be exploited by malicious actors,” warning of “a catastrophic compromise of critical information systems.”
Inventory is one of the first steps organisations using the F5 kit should take in light of these events, says Greene.
“Inventory, isolate, patch, harden, and watch would be my five-step program,” he says, adding that you can’t protect what you can’t see. This doesn’t just mean cataloguing your F5 gear, though; it also means adding accounts to your list of things to review. “Start with account audits,” Greene continues. “Make sure every single admin API or service account is legitimate and active. If it’s not, if it’s orphaned, get rid of it.”
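Greene’s account audit, as an added example that is not code from the article, SANS or F5: it checks an account export against a staff roster and a change-control register and flags anything orphaned, unapproved, stale or disabled-but-lingering. The account list, roster, register, review window and the `kind`/`owner`/`last_used` field names are all constructed assumptions, not the format of any real appliance export.

```python
"""Audit admin, API and service accounts against a roster and an approval register.

Constructed example: the account list, the staff roster and the approved-account
register below are invented sample data, standing in for an export from an
appliance's local user database and the organisation's own records.
"""
from datetime import date, timedelta

# Constructed: normalised account export (name, kind, owner, last use, enabled).
ACCOUNTS = [
    {"name": "admin",       "kind": "admin",   "owner": "platform-team", "last_used": "2025-10-28", "enabled": True},
    {"name": "svc-monitor", "kind": "service", "owner": "noc",           "last_used": "2025-10-29", "enabled": True},
    {"name": "api-deploy",  "kind": "api",     "owner": "j.doe",         "last_used": "2025-03-02", "enabled": True},
    {"name": "svc-backup",  "kind": "service", "owner": "a.smith",       "last_used": "2025-10-20", "enabled": True},
    {"name": "tmp-vendor",  "kind": "admin",   "owner": "",              "last_used": "2025-09-15", "enabled": True},
    {"name": "svc-legacy",  "kind": "service", "owner": "noc",           "last_used": "2024-11-01", "enabled": False},
]

# Constructed: identities (people and teams) that are currently active.
ROSTER = {"platform-team", "noc", "j.doe"}

# Constructed: account names that went through change control.
APPROVED = {"admin", "svc-monitor", "api-deploy", "svc-backup"}


def audit_accounts(accounts, roster, approved, today_iso, stale_days=90):
    """Return sorted (account, reason) findings; an account may appear more than once."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        reasons = []
        if acct["name"] not in approved:
            reasons.append("not in approved register")
        if not acct["owner"] or acct["owner"] not in roster:
            reasons.append("orphaned: owner missing or departed")
        if date.fromisoformat(acct["last_used"]) < cutoff:
            reasons.append(f"stale: unused since {acct['last_used']}")
        if not acct["enabled"]:
            reasons.append("disabled but still present")
        findings.extend((acct["name"], reason) for reason in reasons)
    return sorted(findings)


def accounts_to_review(findings):
    """Distinct account names with at least one finding: remove or re-approve each."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, ROSTER, APPROVED, "2025-10-30")
    for name, reason in results:
        print(f"{name:12} {reason}")
    print("review:", ", ".join(accounts_to_review(results)))
```

The review window (90 days) is deliberately a parameter: service accounts used only at quarter-end will look stale at 30 days, so the threshold belongs in policy, not in the script.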
Scott Walsh, principal security researcher at cyber-insurer Coalition, recommends assuming compromise until you have confirmation to the contrary. “A more prudent approach would be to assume that all F5 assets are at risk, given the nature of the breach,” he tells Assured Intelligence. “Re-image the appliances with the most up-to-date patches and apply your saved configuration.”
Walsh also advises F5 users to monitor their systems for “novel requests” that could indicate attackers rattling their digital door handles. It’s a sign that attackers may have discovered a vulnerability in the source code and are attempting to exploit it for reconnaissance purposes.
Not all attacks will be so obvious, warns Christiaan Beek, senior director of threat intelligence and analytics at Rapid7. “Attackers will focus on establishing persistence via a beachhead that blends into normal operations, such as covert implants, scheduled maintenance tasks, abused automation tokens, and management-plane back doors,” he tells Assured Intelligence. This is a known UNC5221 tactic, so it makes sense that these adversaries – or whoever they hand the vulnerability vectors off to – would do their best to fly under the radar.
The problem for many organisations will be the sheer range of devices and accounts that they’ll have to check. It pays to be selective, he adds.
“Don’t get lost chasing every IP address that pings an F5 banner,” Beek warns. “Instead, merge external visibility with internal state awareness. The devices that matter are the ones which are both exposed and misaligned.” He also advises network defenders to look at management interfaces open to the internet, units with default certificates, those with outdated firmware, and rogue boxes generating strange outbound traffic.
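Beek’s triage rule, that the devices which matter are the ones both exposed and misaligned, as an added example that is not code from the article, Rapid7 or F5. It joins a constructed external scan (what the internet can reach) with a constructed internal inventory and ranks devices so that exposed-and-misaligned boxes come first. The management port, the patched-firmware baseline, the self-signed-means-default certificate heuristic, the allowed outbound destinations and every address and version are assumptions for illustration only.

```python
"""Prioritise edge devices by joining external exposure with internal state.

Constructed example: an external attack-surface scan is merged with the
internal inventory (firmware, certificate, outbound traffic) so that only
devices that are BOTH exposed AND misaligned rise to the top. All hosts,
versions and addresses are invented sample data.
"""

# Constructed: hits from an external scan, keyed by public IP; the value is
# the set of TCP ports reachable from the internet.
EXTERNAL_SCAN = {
    "203.0.113.10": {443},
    "203.0.113.11": {443, 8443},   # 8443 is this fleet's management port (assumption)
    "203.0.113.12": {443, 22},
    "203.0.113.20": {443},
}

# Constructed: internal inventory of the same fleet. "firmware" is a version
# tuple; "cert" is (subject, issuer) of the management TLS certificate;
# "outbound" is the set of destinations the box has been seen talking to.
INVENTORY = [
    {"name": "lb-edge-01", "public_ip": "203.0.113.10", "mgmt_ports": {8443, 22},
     "firmware": (17, 1, 2), "cert": ("lb-edge-01.example.net", "Example Corp CA"),
     "outbound": {"ntp.example.net"}},
    {"name": "lb-edge-02", "public_ip": "203.0.113.11", "mgmt_ports": {8443, 22},
     "firmware": (17, 1, 2), "cert": ("localhost.localdomain", "localhost.localdomain"),
     "outbound": {"ntp.example.net"}},
    {"name": "lb-edge-03", "public_ip": "203.0.113.12", "mgmt_ports": {8443, 22},
     "firmware": (16, 1, 0), "cert": ("lb-edge-03.example.net", "Example Corp CA"),
     "outbound": {"ntp.example.net", "198.51.100.77"}},
    {"name": "lb-lab-01", "public_ip": None, "mgmt_ports": {8443, 22},
     "firmware": (15, 1, 0), "cert": ("localhost.localdomain", "localhost.localdomain"),
     "outbound": {"ntp.example.net"}},
]

# Constructed placeholders: the minimum firmware this fleet treats as patched
# and the destinations an appliance is allowed to reach. Not F5's real numbers.
PATCHED_MINIMUM = (17, 1, 2)
ALLOWED_OUTBOUND = {"ntp.example.net", "updates.example.net"}


def misalignments(device, scan):
    """Return the list of internal-state problems found on one device."""
    reasons = []
    exposed_ports = scan.get(device["public_ip"], set())
    if exposed_ports & device["mgmt_ports"]:
        reasons.append("management interface reachable from the internet")
    subject, issuer = device["cert"]
    if subject == issuer:  # self-signed: treated as the factory default (assumption)
        reasons.append("default/self-signed certificate")
    if device["firmware"] < PATCHED_MINIMUM:
        reasons.append("firmware below patched baseline")
    unexpected = device["outbound"] - ALLOWED_OUTBOUND
    if unexpected:
        reasons.append("unexpected outbound traffic to " + ", ".join(sorted(unexpected)))
    return reasons


def prioritise(inventory, scan):
    """Rank devices as (tier, name, reasons).

    tier 1 = exposed and misaligned, tier 2 = misaligned but internal only,
    tier 3 = exposed but aligned, tier 4 = nothing to do. Within a tier,
    devices with more problems come first.
    """
    ranked = []
    for device in inventory:
        exposed = bool(scan.get(device["public_ip"]))
        reasons = misalignments(device, scan)
        if exposed and reasons:
            tier = 1
        elif reasons:
            tier = 2
        elif exposed:
            tier = 3
        else:
            tier = 4
        ranked.append((tier, device["name"], reasons))
    return sorted(ranked, key=lambda r: (r[0], -len(r[2]), r[1]))


if __name__ == "__main__":
    for tier, name, reasons in prioritise(INVENTORY, EXTERNAL_SCAN):
        print(f"tier {tier}  {name:12} {'; '.join(reasons) or 'ok'}")
```

Note that the scan hit on 203.0.113.20 matches nothing in the inventory: that is the “rogue box” case, and in a real run the unmatched scan entries deserve their own list rather than being silently dropped.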
One thing that comes through clearly in the advice following this breach is to assume compromise. When a vendor of this scale gets hacked this badly, that’s a sensible move.
“The smarter move is to treat every edge device as untrusted infrastructure, continuously validate its behaviour, and limit what it can reach,” says Beek. Meanwhile, Greene points to segmentation as a key measure to avoid lateral movement, focusing those efforts on anything internet-reachable.
Measures like these, along with comparing device configurations with known-good configurations to ensure that there has been no tampering, are the customer’s responsibility. But what about the vendor?
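Comparing a device’s live configuration with a known-good copy, and Beek’s earlier point that persistence tends to hide in ordinary-looking accounts, scheduled tasks and management-plane settings, as one added example that is not code from the article or from any vendor tool. The `key = value` configuration format, the two sample configurations and the choice of which keys count as sensitive are all constructed assumptions; a real appliance export would need its own parser in place of `parse_config`.

```python
"""Detect tampering by diffing a live configuration against a known-good baseline.

Constructed example: both configurations use an invented "key = value" format,
and the baseline is the copy saved when the device was last known to be clean.
"""
import hashlib

# Constructed known-good configuration, saved at the last clean state.
BASELINE_CONFIG = """\
sys.hostname = lb-edge-02.example.net
sys.ntp.servers = ntp.example.net
sys.mgmt.allow = 10.0.5.0/24
auth.user.admin.role = administrator
auth.user.svc-monitor.role = auditor
sys.cron.backup = 02:00 /usr/local/bin/backup-config
"""

# Constructed live configuration with three changes a defender would want to see:
# a widened management ACL, an extra administrator and an extra scheduled task.
CURRENT_CONFIG = """\
sys.hostname = lb-edge-02.example.net
sys.ntp.servers = ntp.example.net
sys.mgmt.allow = 0.0.0.0/0
auth.user.admin.role = administrator
auth.user.svc-monitor.role = auditor
auth.user.support2.role = administrator
sys.cron.backup = 02:00 /usr/local/bin/backup-config
sys.cron.health = */5 * * * * /var/tmp/.h
"""

# Assumption: which parts of this constructed schema are high-risk when they change.
SENSITIVE_PREFIXES = {"auth.user.": "new account", "sys.cron.": "new scheduled task"}
WATCHED_KEYS = {"sys.mgmt.allow": "management ACL changed"}


def parse_config(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def config_digest(text):
    """SHA-256 over the sorted, normalised pairs, so whitespace or comment edits do not alarm."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(parse_config(text).items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_configs(baseline_text, current_text):
    """Return added, removed and changed keys between baseline and current."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    return {
        "added": {k: cur[k] for k in cur.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - cur.keys()},
        "changed": {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]},
    }


def high_risk(diff):
    """Pick out the changes that match the sensitive prefixes and watched keys."""
    findings = []
    for key, value in diff["added"].items():
        for prefix, label in SENSITIVE_PREFIXES.items():
            if key.startswith(prefix):
                findings.append(f"{label}: {key} = {value}")
    for key, (old, new) in diff["changed"].items():
        if key in WATCHED_KEYS:
            findings.append(f"{WATCHED_KEYS[key]}: {key} {old} -> {new}")
    return sorted(findings)


if __name__ == "__main__":
    if config_digest(BASELINE_CONFIG) != config_digest(CURRENT_CONFIG):
        for finding in high_risk(diff_configs(BASELINE_CONFIG, CURRENT_CONFIG)):
            print(finding)
```

The digest gives a cheap “has anything changed at all” check suitable for a scheduled job; the structured diff is what an analyst reads when it fires. Keep the baseline copy off the device itself, since a configuration an intruder can edit is no baseline.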
A company attempting to rebuild trust among its user base has certain responsibilities, say experts, and software transparency is among them. Beek says vendors should provide reproducible builds that demonstrate public binaries match the source code, along with cryptographically signed build attestations that prove no tampering has occurred. F5 didn’t respond to our interview request.
Unlike the Louvre thieves, those suspected of the F5 attack haven’t been brought to justice, and if reports are right about the group’s identity, they likely never will. On the upside, most of the activity that Rapid7 is detecting around the F5 kit right now is simple scanning, with one attack attempting to exploit known vulnerabilities. For the time being, then, it seems that the threat group has kept its powder dry. But it might not stay that way for long, and this is one time when it pays to be prepared.