
Summary

The recent F5 supply-chain breach has exposed one of the most trusted names in application delivery and network traffic management to a sophisticated, long-term cyberespionage campaign. With attackers stealing source code, tailoring zero-day exploits, and targeting critical infrastructure through secondary campaigns like BRICKSTORM, this incident underscores how deeply supply-chain compromises can infiltrate trusted vendor ecosystems. In this report, InfraShield examines the scope of the F5 breach, its implications for federal and industrial operators, and the urgent mitigation steps organizations should take to safeguard mission-critical systems.


The October revelation of the long-running, supply-chain attack that impacted application security and network traffic management provider F5 has rocked the cybersecurity industry. For critical infrastructure operators, this breach represents a serious threat—one that may rival the 2020 SolarWinds attack in scope and potential impact.

On October 15, F5 issued a statement, saying they learned in August that a “highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems.” Additionally, this cyber espionage campaign progressed undetected for at least 12 months, according to Bloomberg reporting.

F5 systems breached by the attackers include the vendor’s BIG-IP product development environment and engineering knowledge management platforms, according to the statement. In a statement provided to Federal News Network, Tenable chief security officer Bob Huber noted that these F5 systems are “foundational” technologies used to “secure everything from government agencies to critical infrastructure.”

Files stolen from F5 include some of the company’s BIG-IP source code and information about undisclosed BIG-IP vulnerabilities. BIG-IP is a comprehensive application delivery and security platform that acts as both a load balancer and a full proxy for managing, securing, and optimizing network traffic across applications and data centers.

According to F5’s glossary, a “load balancer is a solution that acts as a traffic proxy and distributes network or application traffic across endpoints on a number of servers. Load balancers are used to distribute capacity during peak traffic times, and to increase reliability of applications. They improve the overall performance of applications by decreasing the burden on individual services or clouds, and distribute the demand across different compute surfaces to help maintain application and network sessions.”

Essentially, BIG-IP acts as the nucleus of F5’s product ecosystem and operates on the Traffic Management Operating System (TMOS). TMOS is a real-time, purpose-built OS designed by F5 specifically for efficient packet processing, traffic inspection, and application acceleration.

The core function of BIG-IP is to enable organizations to control, monitor, and secure traffic between clients and servers by terminating and re-establishing connections independently on both sides.

In their breach statement, F5 noted that “some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers.” These configuration settings could provide threat actors with the precise schematics they need to penetrate and gain persistent access to F5 customer networks.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the F5 breach puts federal agencies at particularly high risk of deeper and potentially catastrophic compromise.

CISA Issues Emergency Directive

On the same day F5 disclosed the breach, CISA issued an emergency directive, having determined that the malicious campaign that compromised the vendor’s systems posed an “unacceptable risk to Federal Civilian Executive Branch (FCEB) Agencies.”

CISA’s directive urged all federal agencies to “apply the latest vendor-provided update for at-risk F5 virtual and physical devices and downloaded software, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF, by October 22, 2025.”

The directive also included the following statement from CISA Acting Director Madhu Gottumukkala: “The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies. These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems.”

Specifically, an emergency directive companion document detailing mitigation measures for the breach said the “threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software.”

Additionally, the “threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits,” according to CISA’s F5 mitigation advisory.

CISA also warned that “successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access.”

For F5 products and devices not immediately classified as “at-risk,” CISA directed all FCEBs to update them with the “latest software release patch by October 31, 2025, and apply the latest F5-provided asset hardening guidance,” according to the mitigation advisory.

Secondary BRICKSTORM Attack Campaign

Exactly a week after F5 disclosed the breach, cyber-threat intelligence firm Resecurity published a report stating that China-nexus threat cluster UNC5221 was actively targeting organizations that deploy F5 BIG-IP, using the BRICKSTORM backdoor malware.

First discovered by Google’s Threat Intelligence Group (GTIG) in April 2024, BRICKSTORM is a Go backdoor “targeting VMware vCenter servers,” and which “supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying,” according to GTIG.

In a more recent report published in September 2025, GTIG noted that “while BRICKSTORM has been found on many appliance types, UNC5221 consistently targets VMware vCenter and ESXi hosts.” Some examples of network appliances include firewalls and routers.

More broadly, BRICKSTORM’s Go-based coding supports UNC5221’s “preference to deploy backdoors on appliance platforms that do not support traditional” endpoint detection and response (EDR) tools. Unlike servers, desktops, laptops, and cloud workloads, appliances such as routers and firewalls are not managed endpoints: an EDR agent cannot be installed on them, so their activity is far less visible to defenders.

Resecurity’s investigation collected three primary forensic artifacts associated with UNC5221’s malicious, F5-related campaign, according to their report:

  • A statically linked Go ELF backdoor consistent with the BRICKSTORM family.
  • Small deployment scripts used to stage and persist the backdoor on edge devices.
  • A servlet filter web component used by the same actor set to harvest credentials post-foothold.

In this context, an ELF refers to an Executable and Linkable Format file, which is a common standard file format used on Unix and Linux systems for executable files, object code, shared libraries, and core dumps. This standard format defines how programs are stored on disk and how the operating system loads them into memory for execution.

Resecurity said the “backdoor is a self-contained, dependency-free executable (Go, linux/amd64) packaged for appliances with limited userland; it embeds full web transport (TLS client, HTTP/1.1/HTTP/2 paths, WebSocket upgrade/session handling), Yamux for multiplexing many logical streams over one socket, a SOCKS mechanism for TCP pivoting, and a complete multipart/form-data stack for web-looking file staging/exfil.”

For this secondary F5 campaign, UNC5221 threat actors use an exploit and deploy an “ELF file on the BIG-IP device after gaining code execution.” Then, attackers configure the BIG-IP device to “establish outbound TLS that negotiates HTTP/2 and upgrades the connection to WebSocket for a persistent C2 tunnel,” according to Resecurity. Finally, the attacker launches the ELF file with “operator-supplied C2 parameters to multiplex concurrent streams over a single socket via Yamux,” Resecurity said.

Resecurity researchers noticed that there were no “hardcoded domains or credentials in the ELF file, which suggests the attackers likely used a zero-day to gain access and can connect back to the target without issue,” according to the report.

“If an attacker gets code execution (via 0-day or weakly secured services), BRICKSTORM can turn a BIG-IP into a stealth egress point and internal proxy, with minimal logs and long dwell,” Resecurity said.

In other words, this threat model can turn an infected appliance from a security control into an attacker's covert operations hub, enabling persistent, difficult-to-detect intrusions and data theft with a high probability of evading even skilled defenders for prolonged periods.

Patch Immediately

The Resecurity report noted that “F5 has disclosed over twenty vulnerabilities spanning BIG-IP (all modules), F5OS (A/C), and BIG-IP Next (SPK/CNF), with several issues that could enable remote exploitation of internet-exposed management services.”

InfraShield concurs with Resecurity’s guidance on this topic: Organizations that operate any of the affected versions listed in that report should treat this security incident as a critical “emergency.”

Affected organizations should move swiftly to remove public exposure of management planes, restrict egress, and upgrade to F5’s latest fixed releases immediately. “After patching, organizations should verify that devices no longer match the affected version ranges, re-enable only necessary services, and monitor for anomalous HTTP/2/WebSocket egress from appliance subnets,” advises the Resecurity report.
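The monitoring step above, and the C2 tunnel shape Resecurity describes (outbound TLS negotiating HTTP/2, then a WebSocket upgrade held open for a long dwell), can be turned into a simple detection rule. The following is an added example, not code from the original post, F5, or Resecurity; the appliance subnet, the internal address range, the dwell threshold, and the key=value flow records are all constructed for illustration.

```python
# Added example (not F5's or Resecurity's code): flag outbound HTTP/2 or
# WebSocket sessions that originate from appliance subnets. Subnets, the
# dwell threshold and the log records are constructed for illustration.
import ipaddress

APPLIANCE_SUBNETS = [ipaddress.ip_network("10.20.5.0/24")]  # constructed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # constructed
LONG_DWELL_SECONDS = 3600  # sessions held open this long get an extra tag

# Constructed key=value flow records, one TLS session per line (not real data).
SAMPLE_LOG = """\
ts=2025-10-20T10:15:02Z src=10.20.5.11 dst=203.0.113.40 dport=443 alpn=h2 upgrade=websocket dur=86400
ts=2025-10-20T10:15:09Z src=10.20.5.11 dst=10.20.1.7 dport=443 alpn=h2 upgrade=- dur=3
ts=2025-10-20T10:16:30Z src=10.50.9.2 dst=203.0.113.9 dport=443 alpn=h2 upgrade=websocket dur=120
ts=2025-10-20T10:17:44Z src=10.20.5.12 dst=198.51.100.5 dport=443 alpn=http/1.1 upgrade=- dur=2
ts=2025-10-20T10:18:01Z src=10.20.5.12 dst=198.51.100.77 dport=8443 alpn=h2 upgrade=- dur=45
"""

def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; 'dur' is parsed as seconds."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dur"] = int(rec.get("dur", 0))
    return rec

def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in net for net in nets)

def classify(rec):
    """Return a comma-joined finding for a suspicious record, else None."""
    # Only appliance-originated sessions that leave the internal address space.
    if not in_any(rec["src"], APPLIANCE_SUBNETS) or in_any(rec["dst"], INTERNAL_NETS):
        return None
    reasons = []
    if rec.get("alpn") == "h2":
        reasons.append("h2-egress")
    if rec.get("upgrade", "-").lower() == "websocket":
        reasons.append("websocket-upgrade")
    if reasons and rec["dur"] >= LONG_DWELL_SECONDS:
        reasons.append("long-lived")
    return ",".join(reasons) or None

def scan(log_text):
    """Return [(src, dst, finding), ...] for every record that matches."""
    out = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        finding = classify(rec)
        if finding:
            out.append((rec["src"], rec["dst"], finding))
    return out
```

Calling `scan(SAMPLE_LOG)` flags only the two appliance-originated external sessions; east-west traffic and workstation traffic are ignored so the rule stays focused on the appliance subnets the report singles out.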

Following the discovery of the incident, The Hacker News reported that F5 has “engaged the services of Google Mandiant and CrowdStrike, as well as rotated credentials and signing certificates and keys, strengthened access controls, deployed tooling to better monitor threats, bolstered its product development environment with extra security controls, and implemented enhancements to its network security architecture.”

Nevertheless, concerns persist that the threat actors behind the campaign may use F5’s stolen source code and other sensitive intellectual property to develop tailor-made zero-day exploits and other cyberespionage tools.

Additionally, Reuters reported that GreyNoise Intelligence, a cybersecurity firm “which monitors internet scanning and attack activity, has found hints that an unknown actor was searching out F5 devices on the internet starting about a month ago.”

GreyNoise “detected a major spike in scanning activity focused on F5 beginning in mid-September, according to Glenn Thorpe, the company's senior director of security research and detection engineering,” Reuters said.

The implications of this device scanning are unsettling to say the least, given that this activity occurred a month after F5 quietly discovered the breach, and in light of Resecurity’s recent BRICKSTORM research.

How InfraShield Can Help

For critical infrastructure organizations, the F5 supply-chain breach underscores the fragility of trusted vendor ecosystems and the real-world consequences of latent exposure within essential network technologies.

The possibility that threat actors now possess proprietary F5 source code and exploit-ready intelligence should prompt immediate reassessment of security controls, especially for entities managing industrial control systems (ICS), utilities, transportation networks, or defense-related infrastructure.

InfraShield specializes in defending critical infrastructure from precisely these kinds of cascading, supply-chain-driven threats. Our cybersecurity experts conduct comprehensive, tailored security audits to identify latent exposure paths, assess the impact of vendor compromise, and harden customers’ operational technology (OT) and IT environments against emerging exploits.

If your organization relies on F5 products—or is concerned about possible secondary exposure—contact InfraShield today for a customized security audit and risk assessment. Don’t wait for the next wave of attacks to expose hidden vulnerabilities—act now to protect your infrastructure, your operations, and your mission.
