Recently, American cybersecurity company F5 (F5 Inc.) revealed that state-level hackers had infiltrated its systems since the end of 2023 and were only detected in August 2025. The attack is reportedly believed to be connected to hackers supported by the Chinese Communist Party, and it led the governments of the United States and the United Kingdom to issue emergency alerts.
F5 issued a statement on Wednesday, October 15th, confirming that its systems were targeted by “technically sophisticated state-level hackers” in August this year, resulting in some internal data leakage. The company emphasized that the attack has been successfully thwarted and that it is now intensifying defense measures and assisting customers in mitigating potential risks.
According to F5’s statement, hackers had been lurking in the company’s systems since 2023 and were discovered in August this year. The targets of the breach included the BIG-IP product development environment and the engineering knowledge management platform. Attackers downloaded some files, including BIG-IP source code and undisclosed vulnerability information.
The Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security subsequently issued an emergency directive, requiring all federal agencies to identify and update F5 products by October 22, stating that the event constitutes a “significant cybersecurity threat to federal networks.”
The UK National Cyber Security Centre (NCSC) also issued a warning, indicating that hackers may use control over F5 systems to exploit further vulnerabilities.
According to Bloomberg reports, hackers used a vulnerability in F5’s own software at the end of 2023 to penetrate internal systems. The vulnerable software was supposed to be isolated but was exposed to the internet because employees failed to adhere to company network security guidelines. The infiltrators remained hidden in the system for nearly 20 months until they were discovered on August 9th this year.
Multiple sources suggest that the intrusion is linked to hackers supported by the Chinese government.
F5 CEO Francois Locoh-Donou personally informed major clients of the incident and hired cybersecurity firms like CrowdStrike and Mandiant, a subsidiary of Google, to assist in the investigation while cooperating with law enforcement agencies.
Following the news, F5’s stock price plummeted over 10% on October 16th. The company is headquartered in Seattle, and its BIG-IP platform is used extensively in large enterprises and government institutions globally for traffic distribution, application protection, and data encryption. As F5’s clients include U.S. government departments and around 85% of Fortune 500 companies, there are concerns that this event may impact critical infrastructure security.
According to Mandiant’s analysis, the attackers employed malicious software named “Brickstorm.” This software is suspected to be associated with Chinese hacker groups specializing in long-term infiltration of technology and legal service providers’ systems. After initially infiltrating F5’s BIG-IP software in 2023, hackers also penetrated its VMware virtual machine environment to ensure continuous control.
An insider involved in the investigation revealed that the hackers remained quiet for over a year after infiltration, seemingly waiting for F5’s internal security logs to expire to erase traces of the breach. This tactic is commonly used by state-level actors to evade detection.
F5 is currently working to repair the affected systems and collaborating with authorities on the investigation. Officials from the U.S. Department of Homeland Security warned that unless defense measures are promptly strengthened, such penetrations targeting core supply chains could pose even greater national security risks.