Networking software and hardware developer F5 has suffered a major security breach by a nation-state threat actor that gained “long-term, persistent access” to information on the widely used BIG-IP product, the company said in an Oct. 15 statement.
BIG-IP is a family of hardware and software products that provide a range of services to enterprise customers, including cybersecurity, network load balancing and automation. F5 claims its products are used by 85% of the Fortune 500.
In its statement, F5 said the attackers gained access to company systems including the BIG-IP development environment and engineering knowledge management platform. The company admitted in a regulatory filing the same day that the intruders stole files containing portions of the BIG-IP source code and information about undisclosed vulnerabilities that F5 was working to address.
Also in the stolen files was “configuration or implementation information for a small percentage of customers.” F5 said it is still reviewing the files and will communicate with affected customers as needed. According to the regulatory filing, F5 learned of the unauthorized access on Aug. 9 but was allowed to delay disclosure for 30 days by the U.S. Department of Justice on Sept. 12 on the grounds that the revelation would present a national security risk.
The infiltration of a product development environment by nation-state actors is reminiscent of the SolarWinds hack of 2020, in which attackers — now identified by the U.S. as belonging to Russian intelligence agencies — accessed the update channel for SolarWinds’ Orion network management software and pushed code that could be used to gain access to customers’ systems. After that event, FERC ordered the development of new standards requiring internal network security monitoring at electric utilities. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.)
That similarity might be why F5 emphasized that it had seen “no evidence of modification to our software supply chain, including our source code and our build and release pipeline.” It brought in independent cybersecurity research firms NCC Group and IOActive to validate this claim.
Those firms are also helping F5 with code review and penetration testing to identify and remediate vulnerabilities, the company wrote. Additional mitigation efforts underway include rotating credentials and strengthening access controls across all systems, hardening the development environment, and deploying improved inventory and patch management automation.
F5’s recommendations for its customers include immediately updating their BIG-IP software. The company issued downloadable updates in its quarterly security notification, but warned that only software versions that have not yet reached their end-of-technical-support phase will be patched. Other resources made available by F5 are threat hunting guides, hardening guidance with a verification tool, and threat monitoring tools.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), responding to the disclosure of the breach, issued an emergency directive ordering federal agencies to inventory their F5 products and apply updates to the affected software by Oct. 22. CISA also directed agencies to harden all public-facing BIG-IP physical or virtual devices and disconnect those that are no longer supported.
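The directive above boils down to four steps per device: inventory it, update it if a fix exists, harden it if it is public-facing, and disconnect it if it is past end of support. The following Python script, added here as an illustration and not code from F5, CISA or the article, turns those steps into a repeatable triage over an inventory. The minimum fixed versions, the device records and the sample `tmsh` output are all constructed placeholders; the real thresholds come from F5's quarterly security notification, not from this script.

```python
"""Triage a BIG-IP inventory into update / harden / disconnect actions.

Added example. Version thresholds are PLACEHOLDERS (assumption), not F5's
published fixed versions; substitute the values from the vendor notification.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder minimum fixed version per major branch.
MIN_FIXED = {
    "17": (17, 1, 2),
    "16": (16, 1, 5),
    "15": (15, 1, 10),
}


@dataclass
class Device:
    hostname: str
    version: str
    internet_facing: bool
    supported: bool  # False once the release has reached end of technical support


def parse_version(text: str) -> tuple:
    """Turn '17.1.1.3' or '17.1.2' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def version_from_tmsh(output: str) -> str:
    """Pull the product version out of text shaped like `tmsh show sys version`.

    Only the 'Version <x.y.z[.w]>' line is relied on; the sample in
    CONSTRUCTED_TMSH below is constructed for this example.
    """
    m = re.search(r"^\s*Version\s+(\d+\.\d+\.\d+(?:\.\d+)?)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found")
    return m.group(1)


def triage(dev: Device) -> list[str]:
    """Return the ordered list of actions the directive implies for one device."""
    if not dev.supported:
        # No patch will be issued for an end-of-support release: remove it.
        return ["disconnect"]
    ver = parse_version(dev.version)
    minimum = MIN_FIXED.get(str(ver[0]))
    actions = []
    if minimum is None:
        actions.append("review")  # branch not in the threshold table: check manually
    elif ver < minimum:
        actions.append("update")
    if dev.internet_facing:
        actions.append("harden")  # public-facing devices get the hardening guidance
    return actions or ["ok"]


def plan(devices: list[Device]) -> dict[str, list[str]]:
    """Map hostname -> actions for a whole inventory."""
    return {d.hostname: triage(d) for d in devices}


# Constructed sample inventory (not real hosts or versions).
INVENTORY = [
    Device("bigip-edge-01", "17.1.1.3", internet_facing=True, supported=True),
    Device("bigip-int-02", "17.1.2", internet_facing=False, supported=True),
    Device("bigip-legacy-03", "13.1.5", internet_facing=True, supported=False),
    Device("bigip-lab-04", "16.1.4.1", internet_facing=False, supported=True),
]

# Constructed text in the shape of `tmsh show sys version` output.
CONSTRUCTED_TMSH = """Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1.3
  Build       0.0.5
"""

if __name__ == "__main__":
    for host, actions in plan(INVENTORY).items():
        print(f"{host:16s} {', '.join(actions)}")
    print("parsed from tmsh sample:", version_from_tmsh(CONSTRUCTED_TMSH))
```

Unsupported devices short-circuit to `disconnect` because, as the article notes, no patch will be issued for them; everything else is compared against the branch threshold, and public-facing devices additionally get `harden` so the list of actions lines up one-to-one with the directive.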
In CISA’s first press release since the federal government shutdown began Oct. 1, acting Director Madhu Gottumukkala said that “the alarming ease with which these vulnerabilities can be exploited … demands immediate and decisive action from all federal agencies.”
NERC and the Electricity Information Sharing and Analysis Center (E-ISAC) wrote in an email to ERO Insider that they were “not aware of any industry impact arising from the F5 vulnerability at this time,” but in the interest of caution, the E-ISAC sent an all-points bulletin to its members Oct. 15.
“The threat of cyber and physical attacks targeting critical infrastructure is not new, and ensuring a secure and reliable bulk power system is a top priority for NERC,” ERO staff wrote.