Federal authorities warned on Wednesday of an imminent threat to thousands of networks following a breach at F5, the Seattle-based maker of BIG-IP software. The breach, disclosed by F5, appears to involve a sophisticated nation-state threat actor that had persisted in the company’s network for an extended period.
According to F5, the intruders gained control of the network segment used to build and distribute updates for BIG-IP appliances, which are deployed by many Fortune 500 firms and government networks. The attackers reportedly downloaded proprietary BIG-IP source code and unpatched vulnerability information, along with customer configuration data.
The access could enable supply-chain-style attacks or credential abuse, because it gives the attackers knowledge of weaknesses across thousands of networks.
F5 noted that external incident responders had not found evidence of a broader supply-chain compromise, and that some findings by IOActive and NCC Group showed no signs of tampering in the in-scope items. CERT and the U.K. NCSC issued directives calling for emergency action. BIG-IP signing certificates were rotated as part of the response.
CISA ordered federal agencies to inventory BIG-IP devices, install the updates, and follow a threat-hunting guide issued by F5. Private-sector BIG-IP users were urged to do the same, given the product’s role in load balancing, encryption, and traffic inspection across many networks.