It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.
I can't help thinking that a part of it is that the supreme court has proactively & progressively been watering down the threat of class actions (in general, not specific to tech) since the early 2010s.
Sony & many others have proved pretty comprehensively that brand reputation isn't really impacted by breaches, even in high profile consumer facing businesses. That trickles down to B2B: if your clients don't care, why should you.
That leaves legal risk as the only other motivating factor. If that's been effectively neutered, it doesn't make economic sense for companies to do due diligence with breaches.
As far as I'm aware, Yahoo were the last company to suffer any significant impact from the US legal system due to a breach.
Their customer base is enterprise, so the issue can be addressed in private channels. There's little to be gained from making this particular breach public, from their point of view. If anything, it's F5 customers who should advise their own customers downstream about the risks, when risks apply. Disclosure: I'm affected by this breach downstream at several sites and we have not been informed of risks by anyone but have been fighting fires where F5 was involved, but not necessarily blamed for anything.
But you are right, at F5's size and moneys, incentives for public disclosure are not aligned in the public's favor. Damage control, in all its meanings, has taken priority lately over transparency.
Just to be clear, the attackers had access to the systems well before this date.
Sometimes when a company engages law enforcement, law enforcement can request that they not divulge that the company knows about the problem so that forensics can begin tracking the problem.
I won't speak how often or how competent law enforcement are though, but it can happen.
My understanding is that the hackers had a copy of the source code for their app so they had to patch all their outstanding CVEs that they were sitting on so the DOJ let them hold back until that was ready. It's not ideal but I suppose there is at least something people can do right now. Feels like they could have been a bit quicker with some of the information though.
In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.
As a result:
* BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later are signed with new certificates and keys
* BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later contain new public keys used to verify certain F5-produced objects released in October 2025 and later
* BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later may not be able to verify certain F5-produced objects released prior to October 2025
* BIG-IP and BIG-IQ TMOS product versions released prior to October 2025 may not be able to verify certain F5-produced objects released in October 2025 and later
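The compatibility matrix in that advisory (a build only trusts the verification keys it ships with, so pre-rotation builds cannot check post-rotation signatures and vice versa) is easier to reason about with a small verifier in hand. The Go program below is an added example, not F5's code and not taken from the K000157005 article: it assumes Ed25519 detached signatures, a truncated SHA-256 fingerprint as the key identifier, and a SignedObject envelope, all constructed here. It signs one object with a pre-rotation key and one with a post-rotation key, verifies each against a trust store holding only the old key, only the new key, or both, and separately shows that an altered payload under a known key fails with a different error than an unknown key does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID is a truncated SHA-256 fingerprint of a raw Ed25519 public key (an assumed scheme).
type KeyID string

func keyID(pub ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pub)
	return KeyID(hex.EncodeToString(sum[:8]))
}

// SignedObject is a hypothetical envelope: payload, detached signature, and the
// ID of the signing key so a verifier can pick the exact key from its store.
type SignedObject struct {
	Payload, Signature []byte
	KeyID              KeyID
}

// Signer is one key generation; rotation creates a new Signer, and objects
// already signed keep carrying the old key's ID.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	return &Signer{priv: priv, pub: pub}
}

func (s *Signer) Sign(payload []byte) SignedObject {
	return SignedObject{Payload: payload, Signature: ed25519.Sign(s.priv, payload), KeyID: keyID(s.pub)}
}

// TrustStore models the public keys a particular product build ships with.
type TrustStore map[KeyID]ed25519.PublicKey

func NewTrustStore(keys ...ed25519.PublicKey) TrustStore {
	ts := TrustStore{}
	for _, k := range keys {
		ts[keyID(k)] = k
	}
	return ts
}

var ErrUnknownKey = errors.New("signing key not present in trust store")
var ErrBadSignature = errors.New("signature does not verify against trusted key")

// Verify separates "this build does not know the key" (the cross-version case
// in the advisory) from "the key is known but the object was altered".
func (ts TrustStore) Verify(obj SignedObject) error {
	pub, ok := ts[obj.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, obj.Payload, obj.Signature) {
		return ErrBadSignature
	}
	return nil
}

type RotationResult struct {
	OldBuildOldObject, OldBuildNewObject   error // build trusting only the old key
	NewBuildOldObject, NewBuildNewObject   error // build trusting only the new key
	BothBuildOldObject, BothBuildNewObject error // transitional build trusting both keys
	BothBuildTampered                      error // known key, but payload modified after signing
}

// RotationMatrix generates a pre- and a post-rotation key, signs one constructed
// object with each, and verifies every combination.
func RotationMatrix() RotationResult {
	oldKey, newKey := NewSigner(), NewSigner()
	oldObj := oldKey.Sign([]byte("constructed: object released before rotation"))
	newObj := newKey.Sign([]byte("constructed: object released after rotation"))
	tampered := newObj // copy the envelope, then flip a bit in a private copy of the payload
	tampered.Payload = append([]byte{}, newObj.Payload...)
	tampered.Payload[0] ^= 0x01
	oldBuild, newBuild := NewTrustStore(oldKey.pub), NewTrustStore(newKey.pub)
	bothBuild := NewTrustStore(oldKey.pub, newKey.pub)
	return RotationResult{
		OldBuildOldObject: oldBuild.Verify(oldObj), OldBuildNewObject: oldBuild.Verify(newObj),
		NewBuildOldObject: newBuild.Verify(oldObj), NewBuildNewObject: newBuild.Verify(newObj),
		BothBuildOldObject: bothBuild.Verify(oldObj), BothBuildNewObject: bothBuild.Verify(newObj),
		BothBuildTampered: bothBuild.Verify(tampered),
	}
}

func main() {
	fmt.Printf("%+v\n", RotationMatrix()) // nil means verified; otherwise the sentinel error
}
```

The two sentinel errors are the operational point: after a rotation, ErrUnknownKey on an old build is expected and means the trust store needs updating, whereas ErrBadSignature under a key the build already trusts is never expected and is the signal to stop and investigate the object rather than to add keys.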
I wonder if there's a bet to be made on future 8K disclosures following quietly updated signing keys. A bet against F5 placed this morning would've only made 3.6%.
Not so much irony as it's a great vector to get inside an org. Security / monitoring agents that you deploy everywhere and don't suspect when you see they exfiltrate data, since you're expecting the telemetry anyway.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I think it is more valuable for the attackers to have exfiltrated their code and analyze it for vulnerabilities.
Adding some malicious code to the BIG-IP software would require a long time for the attackers to persist in f5's systems undetected until they understood the current code. Not a zero percent chance, but pretty unlikely.
I mean, because it depends where the attack happened. Working with large companies like this in CI/CD there are a number of tools that the source code gets checked on, but not fed back into the system that could have been the source of the attack.
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
Yes, I raise my eyebrow too. "F5 is a Fortune 500 tech giant specializing in cybersecurity" and "the attackers had gained long-term access to its system" don't seem to agree with each other.
This is an excellent argument against the British style request for a state level back door to encrypted data. It will be exploited and it will likely be quite some time until they learn of the exploit and even longer if ever until we do.
F5, Inc. (“F5”) engaged NCC Group to perform (i) a security assessment of critical F5 software source code, including critical software components of the BIG-IP product, as provided by F5, and (ii) a review of portions of the software development build pipeline related to the same, and designated as critical by F5 (collectively, the “In-Scope Items”). NCC Group’s assessment included a source code security review by 76 consultants over a total of 551 person-days of effort.
Sure thing. It's so hard not to hate this PR stuff when they can't even be a tiny bit humble. "The hackers were so sophisticated and organized, we didn't even have a chance! They could've hacked everyone!"
> In response to this incident, we are taking proactive measures to protect our customers
Such as, fixing the bugs or the structural problems that led to you being hacked and leaking information about even more bugs that you left undisclosed and just postponed to fix it? This wording sounds like they're now going the extra mile to protect their customers and makes it sound like a good thing, when keeping your systems secure and fixing known bugs should've been the first meters they should've gone.
Just be honest, you fucked up twice. It's shit, but it happens. I just hate PR.
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
Even if it was actually an honest to god nation-state I can't see why security circles get hyperfixated on the term. Does it really matter at all if it's a nation, state, or nation-state? Of course not, but "nation-state" sounds really cool so that's the go to, even when it's not actually a nation-state.
BIG-IP runs DPI (not as good as Sandvine Active Logic), but it's an authoritarian state's best friend. Want to compromise another nation state that runs all their traffic through it? These vulns aren't a bad place to start...
Often it can be like that. This a case where the kind of attacker seems highly relevant, though. Imagine a group like Shiny Hunters were the ones to steal these vulns from F5, you'd know if they hit your F5s because they'd have already dumped all your databases and bragged about it. The attacker being a "nation-state" warrants a more careful investigation of historical activity if you're the kind of organization that gets targeted by espionage motivated attacks.
Nation-state actors do this kind of stuff all the time, and they're difficult to defend against because they tend to be well-funded and therefore able to hire talent, have resources, and spend money on intelligence and 0days. And they're immune from prosecution unless they're stupid enough to travel to a hostile state.
North Korea really does spend a lot of money on this, and so does Russia and China. And US and Israel, for that matter.
Yeah, I was trying to make sense of what was described here.
Is it that (through some mechanism) an actor gained access to F5's systems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?
> I keep seeing it pop up again and again and it only makes sense in that context.
Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.
If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.
If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.
I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.
> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.
From the published CISA mitigation[0]:
A nation-state affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information. The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software.
> Its the boogyman [sic] like terrorism.
Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:
This cyber threat actor presents an imminent threat to federal networks using F5 devices and software. Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.
[0] https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
This is a mean-spirited interpretation of what happens when you claim nation state.
Generally the government (as of now) is not paying private (but maybe some Critical Infrastructure companies) companies to secure things. We are in the very early stages of figuring out how to hold companies accountable for security breaches, and part of that is figuring out if they should have stopped it.
A lot of that comes down to a few principles:
* How resourced is the defender versus the attacker?
* Who was the attacker? (Attribution matters; shoutout @ImposeCost on Twitter/X.)
* Was the victim of the attack performing all reasonable steps to show the cause wasn't some form of gross negligence?
Nation state attacker jobs aren't particularly different from many software shops.
* You have teams of engineers/analysts whose job it is to analyze nearly every piece of software under the sun and find vulnerabilities.
* You have teams whose job it is to build the infrastructure and tooling necessary to run operations.
* You have teams whose job it is to turn vulnerabilities into exploits and payloads to be deployed along that infrastructure.
* You have teams of people whose job it is to be hands on keyboard running the operation(s).
Depending on the victim organization, if a top-tier country wants what you have, they are going to get it and you'll probably never know.
F5 is, at least by Q2 revenue[0], a very profitable, well-resourced company that has seen some things and been the victim of some high profile attacks and vulns over the years. It's likely that they were still outmatched because there's been a team of people who found a weakness and exploited it.
When they use verbiage like nation-state, it's to give a signal that they were doing most/all the right things and they got popped. The relevant government officials already know what happened, this is a signal to the market that they did what they were supposed to and aren't negligent.
[0] https://www.f5.com/company/news/press-releases/earnings-q2-f...
There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.
If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate any corporate network, let alone military network, is basically infinite free IP.
If there was some government program I was previously unaware of that pays organizations that were compromised by nation state hackers then I’m going to be upgrading all my networking infrastructure to F5 products and start reading up on BIG-IP migrations.
That is to say, sometimes nation state hackers _were_ behind the compromise. F5 is a very believable and logical target for such groups.
Nation-state sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills, these are real threats that hit American and American-aligned companies daily.
weeha|4 months ago
https://my.f5.com/manage/s/article/K000157005
navidr1|4 months ago
https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
fn-mote|4 months ago
Is it just me?
fn-mote|4 months ago
It seems more likely that we do not KNOW how the access was used.
bangaladore|4 months ago
They claim the vulnerabilities discovered through the exfiltration were not used though.
wallaBBB|4 months ago
I don’t know why, but this sounds a bit like backdoors.
zingababba|4 months ago
Wonder what the bill was?
elzbardico|4 months ago
Translated =>
We don't know whether they have used or are going to use our NSA-mandated backdoors.
bangaladore|4 months ago
If so, lol.