Potentially 'catastrophic' cyber firm breach blamed on China
A potentially “catastrophic” breach of a major U.S. cybersecurity provider has been blamed on state-backed hackers from China, according to people familiar with the matter. Seattle-based F5 Inc. disclosed in a regulatory filing Wednesday morning that nation-state hackers breached its networks and gained “long-term, persistent access” to certain systems. The intruders stole files, including portions of source code from the company’s BIG-IP suite of application services, which is widely used by Fortune 500 companies and government agencies, along with details of some undisclosed bugs that could be used to target the company’s customers.

Representatives for F5 told customers the hackers had been in the company’s network for at least 12 months, according to the people, who asked not to be named because they were not authorized to speak publicly about the incident. One of the people said F5 CEO François Locoh-Donou was personally informing clients about the timeline and the China-linked hackers. F5 did not respond to messages seeking comment.

“Regarding such baseless accusations made without evidence, we have made China’s position clear more than once,” Chinese Foreign Ministry spokesman Lin Jian said at a regular press briefing in Beijing on Thursday. “China always opposes and fights hacking activities in accordance with the law. And China strongly opposes the spread of disinformation outside of political agenda.”

F5’s BIG-IP products are an integral part of many large organizations’ IT systems. They sit in the traffic path in front of applications and perform many functions, including “load balancing,” which distributes incoming requests across the servers that host an application so that it stays responsive, and fronting those applications with security features such as access control mechanisms and firewalls so that attackers cannot reach them directly.
Cybersecurity experts said the main concern about the theft of the BIG-IP source code is that the hackers could use it, together with the stolen bug details, to find and exploit flaws in those devices before they are patched. Because BIG-IP sits between users and applications, a compromised device would let them monitor and potentially manipulate traffic and reach sensitive data in ways that would be difficult to trace.

On Wednesday, F5 sent customers a threat hunting guide for a backdoor called Brickstorm used by a Chinese state-backed hacking group, according to people familiar with the matter. According to Mandiant, Google’s threat intelligence arm, the hackers behind Brickstorm are known to steal source code from popular technology vendors in order to look for software bugs. They then use those flaws to hack into the technology provider’s customers, according to a Mandiant report published earlier this year about the campaign. Mandiant tracks the group behind Brickstorm as UNC5221 and describes it as a “China-nexus espionage actor” it has observed targeting organizations since 2023.

The cybersecurity company’s breach prompted warnings from authorities in the US and the UK. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Wednesday, describing the situation as a “significant cyber threat targeting federal networks using certain F5 devices and software.” It ordered all federal agencies to apply F5’s updates by October 22. The agency warned that nation-state hackers could exploit vulnerabilities in F5 products to obtain credentials and tools that would let them move through an organization’s network, steal sensitive data and compromise entire information systems. “The alarming ease with which these vulnerabilities can be exploited by malicious actors requires immediate and decisive action from all federal agencies,” CISA Acting Director Madhu Gottumukkala said in a statement.
“These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems.”

The UK’s National Cyber Security Centre (NCSC) also issued an alert about the breach on Wednesday, warning that the hackers could use what they took from F5 to exploit the company’s technology and identify additional vulnerabilities. It urged customers to identify all F5 products in their estate, determine whether those devices have been compromised, inform the NCSC of possible breaches and install the latest security updates.

With help from Philip Glamann. ©2025 Bloomberg LP
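The NCSC and CISA guidance above boils down to a fleet-wide procedure: inventory every BIG-IP device, compare its version with the fixed release for its branch, and patch the stragglers before the deadline. The script below is an added example written for this article, not F5, CISA or NCSC tooling. It assumes an inventory of version strings as a device reports them through `tmsh show sys version` or the iControl REST endpoint `/mgmt/tm/sys/version`; the inventory itself is constructed, and the per-branch minimum versions are placeholders that must be replaced with the releases named in F5’s advisory. The point it demonstrates is that BIG-IP fixes ship per branch (15.1.x, 16.1.x, 17.1.x), so comparing every device against one “latest” version, or comparing version strings lexically, misclassifies devices.

```python
"""Triage a BIG-IP fleet against per-branch minimum fixed versions.

Added example for this article; it is not F5, CISA or NCSC tooling. The
inventory is constructed to look like the version strings a device reports
via `tmsh show sys version` or iControl REST (`/mgmt/tm/sys/version`), and
the per-branch minimums are placeholders, not the fixed releases from F5's
advisory.
"""

# ASSUMPTION: placeholder minimum fixed release per supported branch. Replace
# these with the versions listed in the current F5 security advisory.
MIN_FIXED_BY_BRANCH = {
    "17.1": (17, 1, 2, 2),
    "16.1": (16, 1, 6, 1),
    "15.1": (15, 1, 10, 8),
}

# Constructed inventory: (hostname, version string as reported by the device).
INVENTORY = [
    ("lb-edge-01", "17.1.2.1"),
    ("lb-edge-02", "17.1.2.2"),
    ("lb-core-01", "16.1.5"),
    ("lb-legacy-01", "14.1.5.6"),
    ("lb-dmz-01", "15.1.10.8"),
]


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '16.1.5' into (16, 1, 5, 0).

    BIG-IP versions have two to four numeric fields. Padding with zeros makes
    tuple comparison correct: point release 16.1.5 sorts below hotfix
    16.1.5.1, whereas a naive string compare ('16.1.5' > '16.1.10') gets the
    order wrong.
    """
    fields = [int(f) for f in text.strip().split(".")]
    if not 2 <= len(fields) <= 4:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    fields += [0] * (4 - len(fields))
    return fields[0], fields[1], fields[2], fields[3]


def triage(version: str) -> str:
    """Classify one device: 'fixed', 'needs-update' or 'unsupported-branch'.

    Fixes ship per branch, so a device is compared with the minimum for its
    own major.minor branch, not with the newest version overall. A branch
    absent from the table has no fixed release to move to and needs a branch
    upgrade rather than a point update.
    """
    parsed = parse_version(version)
    minimum = MIN_FIXED_BY_BRANCH.get(f"{parsed[0]}.{parsed[1]}")
    if minimum is None:
        return "unsupported-branch"
    return "fixed" if parsed >= minimum else "needs-update"


def triage_inventory(inventory):
    """Group hostnames by triage status, preserving inventory order."""
    groups = {"needs-update": [], "unsupported-branch": [], "fixed": []}
    for hostname, version in inventory:
        groups[triage(version)].append(hostname)
    return groups


if __name__ == "__main__":
    for status, hosts in triage_inventory(INVENTORY).items():
        print(f"{status:<19} {', '.join(hosts) or '-'}")
```

This covers only the “identify” and “update” steps. Deciding whether a device has already been compromised needs the indicators in F5’s threat hunting guide, which the article mentions but does not reproduce, so the script makes no attempt to detect Brickstorm.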