Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023
The state-backed hackers who breached cybersecurity company F5 Inc. broke in beginning in late 2023 and lurked in the company’s systems until being discovered in August of this year, according to people who were briefed by F5 about the incident.
The attackers penetrated F5’s computer systems by exploiting software from the company that had been left vulnerable and exposed to the internet, according to the people. F5 told customers that the hackers were able to break in after the firm’s staff failed to follow the cybersecurity guidelines it provides customers, said the people, who spoke on the condition that they not be identified because they were not authorized to discuss the matter.
A spokesperson for F5 declined to comment.
Seattle-based F5 disclosed earlier this week in a regulatory filing that it had learned on Aug. 9 that nation-state hackers had compromised its systems and gained “long-term, persistent access.” The intruders downloaded some files from F5’s BIG-IP suite of application services, including some source code and information about undisclosed vulnerabilities the company was working to fix.
Chinese state-backed hackers were behind the attack, according to people familiar with the matter. A Chinese official called the claim “groundless accusations made without evidence.”
The disclosure sent F5 shares plunging by more than 10% on Oct. 16.
F5’s BIG-IP platform is an integral part of many large organizations’ IT systems. It performs many functions, including “load balancing,” which refers to directing traffic to the appropriate systems so that applications run smoothly, and placing those applications behind security features that keep attackers from reaching them.
Cybersecurity experts say the primary concern with the breach is that the hackers may have used the stolen source code to look for or develop ways to silently surveil and manipulate the traffic flowing through those devices or to shut them down entirely.
The attack prompted alerts from governments in the US and UK, with one American official warning of potentially “catastrophic” consequences. F5’s customers include government agencies and 85% of the Fortune 500.
In the days since the announcement, F5 officials, including Chief Executive Officer Francois Locoh-Donou, have briefed customers about the incident, Bloomberg has reported. The company has hired cybersecurity firms CrowdStrike Holdings Inc. and Google’s Mandiant, in addition to working with law enforcement and government officials.
The attackers used a type of malware called Brickstorm, according to people familiar with the matter. Brickstorm is known to be used by a suspected “Chinese-nexus threat actor,” who has used it to maintain “long-term stealthy access” to technology providers, legal service and business process outsourcers, according to Mandiant.
After gaining initial access through F5 BIG-IP software in 2023, the hackers moved to the company’s VMware virtual machines and infrastructure in order to achieve persistent access, according to one of the people. The hackers then went virtually quiet for more than a year, a tactic typically used to thwart companies that stop retaining expensive logs after about a year, according to the person.
Cybersecurity logs provide forensic data about how hackers breach organizations and help victim organizations reconstruct attackers’ behaviors. Hackers can cover their tracks by waiting for such logs to expire.
A representative of Broadcom Inc., which owns VMware, declined to comment.
F5 has said that the hackers stole information for a small percentage of customers, and that it was not aware of active exploitation of any undisclosed vulnerabilities.
There is also no evidence that the company’s source code has been modified, according to an F5 statement.
The incident was called a “significant cyber threat targeting federal networks” in an emergency directive issued on Wednesday by the US Cybersecurity and Infrastructure Security Agency, which directed all federal agencies to identify and update their F5 products by Oct. 22. The UK’s National Cyber Security Centre also issued an alert about the breach on Wednesday, warning that hackers could use their access to F5 systems to exploit the company’s technology and to identify additional vulnerabilities.
Photo: Sean Gallup/Getty Images
Copyright 2025 Bloomberg.