Inside the F5 Breach: When the Defenders Become the Attack Surface
- Cyber Jill
- Oct 16
- 4 min read
By the time F5 Networks discovered that foreign hackers had been inside its systems for more than a year, the damage was already done. The attackers had stolen portions of the source code for BIG-IP, one of the world’s most widely deployed application delivery and security platforms—software that sits at the heart of countless enterprise and government networks.
Now, investigators believe a Chinese espionage group, tracked as UNC5221, is responsible. The malware used—Brickstorm—matches tools recently documented by Google’s Threat Intelligence team and Mandiant in long-running intrusion campaigns against SaaS and technology firms.
Twelve Months of Silence
F5 confirmed that the threat actor gained access to internal engineering systems, exfiltrating select files and vulnerability data before being detected on August 9. According to reporting from Bloomberg and SecurityWeek, the company has privately attributed the operation to China and distributed a threat-hunting guide focused on the Brickstorm malware. Google’s analysis shows that these same operators often linger in victim networks for an average of 400 days—almost exactly the dwell time F5 customers were warned about.
In response, F5 has rotated its cryptographic signing keys, released a sweeping batch of patches—more than two dozen rated high severity—and enlisted Mandiant and CrowdStrike to help contain the incident. The company says it has found no evidence of supply-chain tampering or of intrusions into NGINX or its Distributed Cloud and Silverline services.
A Familiar Exploit Pattern
While speculation has centered on the possibility of a new zero-day vulnerability, Lydia Zhang, President and Co-Founder of Ridge Security Technology, says the activity bears an uncomfortable resemblance to a known exploit.
“The article suggests that this may be a zero-day CVE, but based on its description, it appears quite similar to CVE-2022-1388, which was exploited in 2022,” Zhang said. “That vulnerability was discovered in F5 Networks’ BIG-IP and allows unauthenticated actors to gain control of the system through the management port or self-IP addresses.
“CVE-2022-1388 leverages two techniques: the ‘admin:’ empty token authentication bypass, and the abuse of the HTTP hop-by-hop request header, which manipulates the header to enable a remote code execution (RCE) attack.
“In 2022, we encouraged all organizations to test and apply the necessary patches.”
If Zhang’s assessment holds true, the new breach could be a case of old wounds reopened—exploited not because a new flaw was found, but because patching and segmentation lagged in environments where BIG-IP appliances are mission-critical.
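The two techniques Zhang describes leave a recognizable shape in request logs, so a defender can hunt for them at a reverse proxy or capture point in front of the management interface. The Python below is an added illustration, not code from the article, from Zhang, or from F5: it parses raw HTTP request heads and flags (a) a Connection header that names a non-standard header, which instructs an intermediary to drop that header before forwarding, and (b) HTTP Basic credentials with a user but an empty password. The three requests are constructed samples, the /mgmt/ prefix is where BIG-IP serves its iControl REST API, and the verdict labels and the header-token list are this example's own choices.

```python
import base64

# Hop-by-hop header names from the HTTP/1.1 specification plus the close and
# keep-alive connection options. Any other name listed in a Connection header
# asks an intermediary to strip that header, which is the hop-by-hop abuse
# described in the article. (Token list chosen for this example.)
STANDARD_CONNECTION_TOKENS = {
    "close", "keep-alive", "upgrade", "te", "trailer", "transfer-encoding",
    "proxy-authenticate", "proxy-authorization", "proxy-connection",
}

# BIG-IP's iControl REST management API is served under this prefix.
MGMT_PREFIX = "/mgmt/"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, lowercased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def headers_dropped_via_connection(headers):
    """Names in the Connection header that are not standard hop-by-hop tokens."""
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return [t for t in tokens if t and t not in STANDARD_CONNECTION_TOKENS]


def basic_auth_has_empty_password(headers):
    """True for 'Authorization: Basic base64(user:)' with a user but no password."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, sep, password = decoded.partition(":")
    return bool(user) and sep == ":" and password == ""


def assess_request(raw: str):
    """Score one request against both indicators and return a verdict dict."""
    method, path, headers = parse_request(raw)
    indicators = []
    dropped = headers_dropped_via_connection(headers)
    if dropped:
        indicators.append("connection-drops:" + ",".join(dropped))
    if basic_auth_has_empty_password(headers):
        indicators.append("basic-auth-empty-password")
    if not indicators:
        verdict = "benign"
    elif len(indicators) == 2 and path.startswith(MGMT_PREFIX):
        # Both tricks aimed at the management API: treat as an exploit attempt.
        verdict = "likely-exploit-attempt"
    else:
        verdict = "suspicious"
    return {"method": method, "path": path, "indicators": indicators, "verdict": verdict}


def triage(requests):
    """Return only the non-benign verdicts, in input order."""
    return [r for r in map(assess_request, requests) if r["verdict"] != "benign"]


# Constructed sample requests (not captured traffic), reduced to the headers
# the checks look at.
BENIGN = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
    "Connection: keep-alive\r\nAuthorization: Basic "
    + base64.b64encode(b"admin:S3cret").decode() + "\r\n\r\n"
)
ONLY_EMPTY_PASSWORD = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
    "Authorization: Basic YWRtaW46\r\n\r\n"  # YWRtaW46 is base64 of 'admin:'
)
BOTH_INDICATORS = (
    "POST /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\nX-F5-Auth-Token: placeholder\r\n"
    "Authorization: Basic YWRtaW46\r\n\r\n"
)

if __name__ == "__main__":
    for r in triage([BENIGN, ONLY_EMPTY_PASSWORD, BOTH_INDICATORS]):
        print(r["verdict"], r["method"], r["path"], r["indicators"])
```

The Connection check is deliberately generic: it flags any custom header named in Connection, not only the F5 token header, so it also catches variants that strip a different authentication header. Feed it request heads logged at the proxy or reconstructed from a packet capture, and treat a "likely-exploit-attempt" against an unpatched appliance as an incident rather than a log line.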
National Security by Supply Chain
For Noelle Murata, Senior Security Engineer at Xcape Inc., the significance extends well beyond F5’s perimeter.
“This incident demonstrates how vulnerabilities at the infrastructure and supply chain levels can have a domino effect on national security,” Murata explained. “The possibility of highly customized zero-day exploits is increased by the fact that a nation-state actor has sustained access to F5’s source code.
“When Mandiant publicly disclosed this vulnerability to the SEC earlier this year, F5 noted that the Justice Department had placed a one-month hold on its general dissemination. The information that is currently accessible points to a potential relationship between the actor and China’s Ministry of State Security, which has previously taken advantage of certain intriguing insights that surfaced because of this disclosure, albeit this has not been verified.
“Patching must be done right away, but companies should also keep a closer eye on any network activity involving F5 devices and look for indications of compromise. This is not only a federal problem; businesses in the private sector who use these items also run the same risks and need to take immediate action.”
A Government-Level Emergency
Those warnings are resonating in Washington and London. CISA has issued an emergency directive ordering federal agencies to patch all F5 devices by October 31, disconnect unsupported hardware, and hunt for indicators of compromise tied to Brickstorm. The agency warned that stolen source code could give adversaries a “technical advantage to exploit F5 devices and software.”
Across the Atlantic, the UK’s National Cyber Security Centre (NCSC) echoed those concerns, cautioning that successful exploitation could expose embedded credentials and API keys, allowing attackers to move laterally and exfiltrate sensitive data.
Why F5 Was an Irresistible Target
As Gene Moody, Field CTO at Action1, noted, the strategic value of breaching a company like F5 is enormous:
“APT groups such as UNC5221 focus on high-value infrastructure targets like F5 for several reasons. These products are deeply embedded within enterprise environments … Compromising such a platform effectively turns the attacker’s access into a ‘shopping mall’ of potential follow-on targets.”
Moody added that organizations must treat even trusted infrastructure as potentially hostile: continuous monitoring, aggressive patching, and rapid incident response are now essential.
The Bigger Picture
The F5 breach is a sobering reminder that the security industry itself is part of the attack surface. When nation-state hackers compromise the guardians of the network, they gain the keys to countless downstream systems—erasing the boundary between infrastructure and espionage.
And while F5’s patches and reassurances may stabilize the present, the source-code theft ensures the threat will linger. Attackers can now study the inner workings of one of the internet’s most pervasive network appliances, turning defensive design into offensive intelligence.
In the cat-and-mouse game of cybersecurity, F5’s breach is a lesson written in source code: even the watchdogs can bleed.