
The Background of Cyber Attacks by Chinese Hackers on F5 Networks: Risks Hidden in US and UK Warnings

October 21, 2025, 00:51

1) What Happened

On October 15, F5, headquartered in Seattle, USA, disclosed a breach by a nation-state-level threat actor. The leaked material includes part of the BIG-IP source code, information on unreleased vulnerabilities, and some customers' configuration and deployment information. Although no tampering with the supply chain has been detected, the greatest concern is that attackers holding these "blueprints" could accelerate zero-day development. The Hacker News


The U.S. CISA issued Emergency Directive ED-26-01, ordering federal agencies to immediately inventory, update, and isolate their F5 devices. The firm wording and hard deadlines underscore how serious a direct hit on the "frontline devices" of government networks is. CISA


2) Timeline (Key Dates in UTC)

  • August 9, 2025: F5 first recognized the suspicious access; external forensic firms were subsequently brought in. Rapid7

  • September 12, 2025: The U.S. Department of Justice (DoJ) granted a disclosure deferral under the new SEC rules, citing national security reasons. CBS News

  • October 15, 2025: F5 submitted and disclosed Form 8-K and disclosure documents. On the same day, CISA issued ED-26-01. SEC

  • Compliance Deadlines: Many F5 products must be updated by October 22, with the remainder by October 31. Reports must be submitted by October 29, and a complete inventory must be submitted by December 3 (for federal agencies). nuharborsecurity.com


3) How Much Was Compromised

F5 acknowledged long-term attacker access to its development and knowledge-management systems and the leak of some customer configuration data. It emphasizes that no tampering with build systems or distributed software has been confirmed. However, the leak of source code and vulnerability information hands attackers the ability to find further vulnerabilities through static and dynamic analysis, raising concerns about a wave of follow-up zero-days. BleepingComputer


Reports suggest an intrusion lasting 12 months or longer, with speculation about Chinese involvement. However, F5 and CISA have not officially attributed the attack. Reuters


4) Impact on Industry—Is It "SolarWinds Level"?

F5 products are used by most of the Fortune 500 and by U.S. government networks, serving as "traffic intersections" in the form of load balancers, WAFs, and gateways. If the blueprints of these intersections leak, targeted intrusions tailored to how they are actually deployed become easier. Experts are raising concerns about risks comparable to SolarWinds in 2020. Reuters


5) Actions by U.S. and UK Authorities

CISA's ED-26-01 mandated asset inventories, isolation of management interfaces (no exposure to external networks), updates, and disconnection of EoL devices. The UK's NCSC also confirmed the breach of F5's networks and urged customers to apply the latest updates. CISA


6) Reactions on Social Media (Summary)

  • Tenable CSO Bob Huber described it as a "five-alarm fire," urging emergency response as a matter of national security. Tenable®

  • Zscaler cited CISA's emergency directive, emphasizing the seriousness of the leak of source code and sensitive data. X (formerly Twitter)

  • Censys described it as a "high risk of weaponization," recommending the immediate disconnection of management interfaces and updates. X (formerly Twitter)

  • Security media (The Hacker News, SC Media) also covered the news, reiterating the federal directive and the BIG-IP source leak. X (formerly Twitter)

  • In the investment and market circles (posts from Seeking Alpha), there was speculation about $FFIV and security stocks. X (formerly Twitter)

※ Quotes are kept short, summarizing the context of each post.


7) "Immediate Response" Checklist for Practitioners

(A) Exposure Blocking (Today)

  1. Reduce external exposure of management interfaces (mgmt/GUI/SSH/TMUI) to zero, restricting access to jump boxes/VPN.

  2. Disconnect EoL/EoS devices from the network, planning for replacement with successors. CISA


(B) Updates and Hardening (by 10/22 & 10/31)

  3. Update BIG-IP / F5OS / BIG-IQ / APM clients by the 10/22 and 10/31 deadlines. Apply kernel, signature, and attack mitigation settings. nuharborsecurity.com

  4. Apply mitigation settings for known cookie/session issues, and recheck for legacy TMUI exposure. The Hacker News


(C) Detection and Containment (This Week)

  5. Hunt through logs from the past 12-18 months for anomalies on development and management interfaces, long-term presence of unknown IPs, and abuse of authentication tokens.

  6. Rotate credentials and API keys (including those linked to BIG-IP).

  7. Redesign segmentation: review the boundaries for each role (LTM/ASM/AFM/Access).

  8. Organizations with reporting obligations should prepare for the CISA submissions on 10/29 and 12/3, maintaining a complete inventory and records of corrective actions (for applicable agencies). nuharborsecurity.com


(D) Medium to Long Term (Next 1-3 Months)

  9. Prepare for anticipated zero-days by building the operational capability to apply **virtual patches (WAF signatures/ASM policies)** immediately.

  10. Although no build tampering has been detected, implement routine **verification of supply-chain integrity (SBOM/signature verification)**. The Hacker News
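One way to carry out the log hunt in item 5 above, as an added example that is not part of the original article or of any F5 tooling: a short Python script that reads management-interface login records in a constructed, simplified format (not F5's actual log format), drops sources inside the assumed jump-box/VPN ranges from item 1, and reports every unknown source with its dwell time and the accounts and interfaces it used.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: only these jump-box/VPN ranges may reach management interfaces (checklist item 1).
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("10.10.0.0/24"),
                        ipaddress.ip_network("10.20.5.0/24")]

# Constructed sample records in a simplified, hypothetical format (not F5's own log format):
# "<ISO-8601 UTC timestamp> <interface> <user> <source IP> <result>"
SAMPLE_LOG = """\
2025-06-02T08:14:01Z tmui admin 10.10.0.15 success
2025-06-02T09:30:44Z ssh root 10.10.0.15 success
2025-06-03T02:11:09Z tmui admin 203.0.113.77 success
2025-07-19T03:05:12Z ssh root 203.0.113.77 success
2025-08-01T01:47:55Z tmui svc-deploy 203.0.113.77 success
2025-08-02T11:00:00Z tmui admin 10.20.5.9 failure
"""

def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, iface, user, src, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "iface": iface,
            "user": user, "src": ipaddress.ip_address(src), "result": result}

def is_allowed(src):
    """True when the source address falls inside an approved jump-box/VPN range."""
    return any(src in net for net in ALLOWED_MGMT_SOURCES)

def hunt(log_text, dwell_days=30):
    """Report successful management logins from non-allowlisted sources: days active
    (first to last login), whether that exceeds dwell_days, and accounts/interfaces touched."""
    seen = defaultdict(lambda: {"first": None, "last": None, "users": set(), "ifaces": set()})
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev["result"] != "success" or is_allowed(ev["src"]):
            continue  # failed attempts and approved sources are not hunted here
        rec = seen[str(ev["src"])]
        rec["first"] = ev["ts"] if rec["first"] is None else min(rec["first"], ev["ts"])
        rec["last"] = ev["ts"] if rec["last"] is None else max(rec["last"], ev["ts"])
        rec["users"].add(ev["user"])
        rec["ifaces"].add(ev["iface"])
    return {src: {"dwell_days": (rec["last"] - rec["first"]).days,
                  "long_term": (rec["last"] - rec["first"]).days >= dwell_days,
                  "users": sorted(rec["users"]), "ifaces": sorted(rec["ifaces"])}
            for src, rec in seen.items()}

if __name__ == "__main__":
    for src, finding in hunt(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed sample the only finding is 203.0.113.77, active across three interfaces and accounts for 58 days, which is exactly the "long-term presence of unknown IPs" pattern item 5 asks you to look for.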


8) Why the "Edge" is Targeted

Edge devices handle both credentials and traffic. Attackers who know the design and the defaults can single out weak operational practices (exposure, old versions, EoL). This time, the government enforced mandatory corrective measures with deadlines, signaling a move
