F5 Discloses Nation-State Attack on Cybersecurity Firm, Prompting CISA Emergency Order to Patch BIG-IP


October 20, 2025


Following F5's disclosure of a breach attributed to a nation-state actor, in which source code and undisclosed vulnerability data were stolen in August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01 (ED 26-01).

The theft of source code and internal vulnerability information represents a supply chain threat of the same magnitude as the SolarWinds attack in 2020; one that will not be easily mitigated and will have long-term and far-ranging security ramifications for F5's flagship BIG-IP product line.

The Federal Response: CISA Emergency Directive 26-01

F5 technology acts as the digital gatekeeper for critical infrastructure, government agencies, and major corporations worldwide, with 85% of Fortune 500 companies using its products.

The CISA ED 26-01: Mitigate Vulnerabilities in F5 Devices imposes aggressive deadlines on federal agencies, mandating that they inventory their F5 products, identify public-facing management interfaces, and update their devices.

According to the directive, the access to source code, internal API call documentation, and vulnerability data could provide adversaries with a technical advantage to discover zero-day vulnerabilities, develop precision exploits, bypass current security controls, and access embedded credentials and API keys on compromised devices.

Additionally, it shortens the time between vulnerability discovery and zero-day exploitation, compounding second- and third-order effects.

CISA ED 26-01 Requirements for Federal Agencies

The Attack: A Possible Nation-State Breach

In October, Bloomberg reported that F5 sent out a separate hunting guide for BRICKSTORM malware activity, which Google tracks under UNC5221, potentially highlighting a connection between the China-based threat actor and the incident.

The true danger of the F5 attack lies in the theft of BIG-IP proprietary source code and the undisclosed vulnerability data.

Given the type of information gathered regarding F5 product vulnerabilities, nation-state actors could easily weaponize those vulnerabilities, representing a significant technical advantage.

F5’s BIG-IP platform is foundational technology, acting as the digital air traffic controller for key infrastructure. These devices sit at the edge of the network and perform mission-critical functions, including SSL/TLS inspection for managing and decrypting secure connections, load balancing for directing all major web application traffic, and access control by serving as the primary gateway for enterprise access.

Compromising these kinds of capabilities is extremely powerful for a nation-state actor, enabling them to gain control over network traffic, decrypt sensitive communications, bypass authentication, or use the device as an entry point to a network.

The Adversary’s Playbook: Known TTPs and IOCs

While very few Indicators of Compromise (IOCs) exist from the F5 breach itself, future campaigns that weaponize the stolen source code and undisclosed vulnerability data into a custom set of tools and exploits are unlikely to resemble the initial F5 compromise.

Defenders need to proactively monitor their F5 appliances and adopt anomaly detection strategies to counter the unknown, yet likely, attacks that will be developed from the stolen source code and undisclosed vulnerability data, and must assume the adversary is developing, or has already developed, zero-day exploits.

To increase the probability of detecting an attack in its early stages, organizations should hunt for the network activity corresponding to critical MITRE ATT&CK TTPs. By prioritizing these TTPs, organizations with proactive network defense strategies can significantly minimize the threat actor's advantage.

MITRE Tactic | MITRE Technique ID | Network Activity to Hunt | ExtraHop Detections
Initial Access | T1190 | Exploit Public-Facing Applications: watch for abnormal connections to BIG-IP management interfaces (unusual HTTPS POST requests). | Detects unusual HTTPS POST requests to BIG-IP management interfaces, identifying anomalies in connection patterns and request sizes.
Credential Access | T1539 / T1003 | Session Hijacking / Credential Theft: look for activity related to cookie leakage or unauthorized access attempts against embedded API keys and configuration secrets. | Identifies suspicious activity related to cookie leakage, unauthorized access attempts to API keys, and configuration secrets by analyzing network traffic for abnormal authentication events and data exfiltration patterns.
Lateral Movement | T1021 | Remote Services: monitor traffic originating from the BIG-IP device to internal systems, indicating the device is being used as a network pivot point. | Monitors traffic originating from BIG-IP devices to internal systems, flagging unusual internal connections and protocol usage indicative of pivot points.
Persistence | T1547 | Boot or Logon Autostart Execution: search for evidence of new user accounts, unusual commands run via the command line (TMSH or bash), or unauthorized administrative access used to establish a foothold. | Detects unusual command-line activity (TMSH or bash) and unauthorized administrative access by monitoring network-level control plane interactions.
Exfiltration | T1041 | Exfiltration Over C2 Channel: watch for unscheduled, high-volume data transfers from the network core to external, non-allowlisted destinations. | Identifies anomalous data transfer volumes and destinations over command and control (C2) channels, even when encrypted, by analyzing flow metadata and behavioral patterns.
Discovery | T1595.002 | Active Scanning: look for reconnaissance activity (e.g., attempts to identify internal network structure or user roles) immediately following any suspected compromise. | Pinpoints active scanning activities from compromised BIG-IP devices by observing unusual port scans and reconnaissance traffic.
Impact | T1499.004 | Application Denial of Service: monitor for sudden device overload or management interface failure, a potential immediate result of a newly weaponized exploit. | Recognizes patterns indicative of application denial of service by monitoring traffic anomalies, connection rates, and server response times.
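The hunting rows above can be turned into simple, testable logic over flow records. The script below is an added example, not ExtraHop or F5 code: it parses a constructed CSV-style flow log and flags four of the behaviors in the table (T1190 external POSTs to the management plane, T1021 admin-protocol connections initiated by the BIG-IP, T1041 large outbound transfers to non-allowlisted destinations, and T1595.002 fan-out from the BIG-IP to many internal hosts). The BIG-IP address, internal ranges, allowlist, thresholds and sample log lines are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed for this example, not from any real deployment):
# 10.0.0.5 is the BIG-IP management address, 10.0.0.0/8 is the internal range,
# and 198.51.100.50 is the only approved external peer for the BIG-IP.
BIGIP_HOSTS = {"10.0.0.5"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_EXTERNAL = {"198.51.100.50"}
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}   # SSH, SMB, RDP, WinRM
EXFIL_BYTES = 100_000_000                   # flag outbound transfers above ~100 MB
SCAN_DISTINCT_HOSTS = 3                     # distinct internal hosts contacted by the BIG-IP

FIELDS = ["ts", "src", "dst", "dport", "proto", "method", "uri", "bytes_out"]

# Constructed sample flow/HTTP records, one per line, fields as in FIELDS.
SAMPLE_LOG = """\
2025-10-20T10:00:01Z,203.0.113.7,10.0.0.5,443,https,POST,/mgmt/tm/ltm/virtual,1800
2025-10-20T10:00:02Z,10.0.0.5,10.0.1.20,22,ssh,,,400
2025-10-20T10:00:03Z,10.0.0.5,10.0.1.21,445,smb,,,350
2025-10-20T10:00:04Z,10.0.0.5,10.0.1.22,3389,rdp,,,300
2025-10-20T10:00:05Z,10.0.0.5,198.51.100.9,443,https,,,950000000
2025-10-20T10:00:06Z,10.0.0.5,10.0.1.30,443,https,,,12000
2025-10-20T10:00:07Z,192.0.2.4,10.0.0.5,443,https,GET,/tmui/login.jsp,300
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse CSV-style flow lines into dicts; skips blanks, comments and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def hunt(records):
    """Return (technique_id, detail) findings for the hunting rows in the table."""
    findings = []
    internal_targets = defaultdict(set)   # BIG-IP -> internal hosts it initiated to
    for r in records:
        src, dst = r["src"], r["dst"]
        # T1190: a POST to the management REST plane (/mgmt/ is the iControl REST
        # prefix) from a source outside the internal range is abnormal.
        if (dst in BIGIP_HOSTS and r["method"] == "POST"
                and r["uri"].startswith("/mgmt/") and not is_internal(src)):
            findings.append(("T1190", f"external POST {src} -> {r['uri']}"))
        if src in BIGIP_HOSTS:
            if is_internal(dst):
                internal_targets[src].add(dst)
                # T1021: a BIG-IP should not initiate admin-protocol sessions inward.
                if r["dport"] in ADMIN_PORTS:
                    findings.append(("T1021", f"{src} -> {dst}:{r['dport']} ({r['proto']})"))
            elif dst not in APPROVED_EXTERNAL and r["bytes_out"] > EXFIL_BYTES:
                # T1041: large transfer from the core to a non-allowlisted external host.
                findings.append(("T1041", f"{src} -> {dst} {r['bytes_out']} bytes"))
    # T1595.002: fan-out from the BIG-IP to many distinct internal hosts.
    for bigip, hosts in internal_targets.items():
        if len(hosts) >= SCAN_DISTINCT_HOSTS:
            findings.append(("T1595.002", f"{bigip} contacted {len(hosts)} internal hosts"))
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    counts = defaultdict(int)
    for tech, _ in findings:
        counts[tech] += 1
    return dict(counts)


if __name__ == "__main__":
    for tech, detail in hunt(parse_log(SAMPLE_LOG)):
        print(tech, detail)
```

The thresholds are deliberately crude; in practice they would be replaced by per-device baselines, and the T1190 rule would also consider request size and rate as the table suggests. The point of the structure is that each finding carries the ATT&CK ID from the table, so hunts can be prioritized and reported against the same mapping.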

The Response: Detect Known and Unknown Threats in Real Time with NDR

The threat intelligence gap created by the stolen F5 source code cannot be filled by simply patching and waiting. Since the threat actor taking advantage of these vulnerabilities will likely be developing custom zero-days, which are invisible to traditional signatures, defense must rely on monitoring for their actions. This is a core mandate of network detection and response (NDR).

Decrypt Traffic

For many organizations, the traffic traversing the BIG-IP device remains encrypted, hiding the adversary’s activities.

By securely receiving session keys out-of-band from the BIG-IP, ExtraHop decrypts the high-value HTTPS/TLS traffic in real time. This capability allows security teams to see the contents of Command-and-Control (C2) communications, monitor API keys and credentials for unauthorized access, and inspect the true volume of data during Exfiltration (T1041) attempts.

Detect Lateral Movement

The F5 platform sits at a key junction point, making east-west visibility essential. ExtraHop detects lateral movement by monitoring traffic between internal servers, triggering real-time alerts on behavioral anomalies like unauthorized remote service calls or unusual file access originating from the BIG-IP device.

Hunt for Threats

Network-based threat hunting shifts the defensive focus from searching for known files to analyzing the historical record of all L2-L7 communications. This visibility empowers security teams to rapidly validate TTPs against established baselines and identify data patterns that match the anticipated MITRE ATT&CK tactics. By targeting adversarial behavior rather than signatures, ExtraHop counters the threat actor's primary advantage of stealth, enabling defenders to detect the attack at the earliest possible stage.

Henry Peltokangas

Director, Engineering
