Federal Response to F5 Breach Hampered by Government Shutdown
A likely Chinese nation-state actor breached F5's internal systems, stealing sensitive files including portions of BIG-IP source code and details of undisclosed vulnerabilities, according to U.S. cybersecurity officials. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning that these stolen details could be used to craft custom exploits, and research identified over 680,000 F5 BIG-IP devices exposed online, many of which are linked to U.S. government agencies. The federal response to this incident has been severely hindered by the ongoing government shutdown, which has resulted in major staffing cuts, furloughs, and delays in patching and emergency remediation work. CISA, operating with a reduced staff and without a Senate-confirmed director, has struggled to provide adequate support to agencies and private sector operators during this critical period.
Senior federal cyber leaders have highlighted that the shutdown has exacerbated existing challenges in defending against urgent cyber threats, as routine patching, threat hunting, and vendor support have all been disrupted. The situation underscores the broader impact of government shutdowns on cybersecurity readiness, with delayed remediation times and limited ability to respond to emerging vulnerabilities, leaving federal networks at increased risk of compromise. The F5 breach and the hampered response illustrate the compounding risks posed by both sophisticated cyberattacks and operational disruptions within government cybersecurity teams.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers warn of longer-term enterprise risk from the F5 breach
Eclypsium published follow-on analysis highlighting future enterprise risk stemming from the F5 breach, indicating that the incident had implications beyond the immediate federal response. The piece appears to add technical and strategic concern about ongoing exposure rather than report a new victim or law-enforcement action.
CISA job cuts, shutdown, and F5 breach cited as weakening U.S. cyber readiness
An analysis published the next day framed the F5 breach alongside CISA staffing cuts and the shutdown as a broader deterioration in U.S. cyber readiness. This represented an escalation in how the incident was being interpreted at the national level rather than a separate technical breach event.
Government shutdown slows the federal F5 hack response
Reporting said a U.S. government shutdown was impeding the federal response to the F5-related hack, complicating coordination and remediation efforts across agencies. Multiple outlets described the response as disorganized and slowed by the shutdown.
Federal agencies begin responding to an F5-related breach
U.S. federal defenders began incident response to a breach involving F5 technology affecting government networks. The exact start date is not provided in the references, but it predates later reporting that the response was underway and being hindered by broader government disruptions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
The Future of F5 Risk In The Enterprise
eclypsium.com
Open sourceHow the F5 breach, CISA job cuts, and a government shutdown are eroding U.S. cyber readiness
cyberscoop.com
Open source'It's Been a Mess': Shutdown Slows Federal F5 Hack Response
govinfosecurity.com
Open source'It's Been a Mess': Shutdown Slows Federal F5 Hack Response
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Emergency Directive on F5 Device Vulnerabilities Exploited by Nation-State Actors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to immediately patch critical vulnerabilities in F5 devices and software following the discovery of a nation-state cyber intrusion. CISA identified that a sophisticated threat actor, linked to China, has been actively exploiting vulnerabilities in F5 products, posing an imminent threat to federal networks. The vulnerabilities allow attackers to gain unauthorized access to embedded credentials and API keys, which can be leveraged to move laterally within affected networks. This access enables the exfiltration of sensitive data and the establishment of persistent access, potentially resulting in a full compromise of targeted information systems. F5 disclosed that the threat actor had maintained long-term, persistent access to its BIG-IP development environment and engineering knowledge management platforms, leading to the exfiltration of files. CISA’s Emergency Directive 26-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the latest vendor-provided updates to at-risk F5 devices and software, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF, by October 22, 2025. Agencies are also instructed to follow F5’s Quarterly Security Notification for further mitigation steps. The directive was issued despite ongoing challenges such as a government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, underscoring the urgency and severity of the threat. CISA’s acting director emphasized the alarming ease with which these vulnerabilities can be exploited and warned that the risks extend beyond federal agencies to any organization using F5 technology. The agency highlighted the potential for catastrophic compromise of critical information systems if the vulnerabilities are not addressed promptly. The directive is part of a broader effort to protect federal networks from nation-state adversaries and to ensure the security of sensitive government data. CISA’s response follows a pattern of nation-state actors targeting widely used enterprise technologies to gain access to high-value networks. The agency’s public statements and technical guidance stress the importance of immediate action and cross-sector vigilance. F5’s own disclosures and cooperation with CISA have been critical in identifying the scope of the intrusion and the necessary remediation steps. The incident has raised concerns about the security of supply chains and the potential for similar attacks on other technology vendors. Federal agencies are being closely monitored for compliance with the directive, and CISA is providing ongoing support and threat intelligence updates. The event highlights the persistent and evolving nature of nation-state cyber threats targeting critical infrastructure and government systems.
Mar 21, 2026
F5 Breach Exposes BIG-IP Source Code and Undisclosed Vulnerabilities
F5, a leading provider of application security and delivery technology, confirmed that it suffered a significant cybersecurity breach attributed to a highly sophisticated nation-state threat actor. The company first detected unauthorized access to its systems on August 9, 2025, and immediately initiated incident response protocols, including engaging external cybersecurity experts such as CrowdStrike and Mandiant. Investigations revealed that the attackers maintained long-term, persistent access to critical F5 environments, specifically the BIG-IP product development environment and the engineering knowledge management platform. During this period, the threat actors exfiltrated files containing portions of the BIG-IP source code and information about vulnerabilities that had not yet been publicly disclosed or patched. Additionally, some configuration and implementation information for a limited number of customers was also stolen, though F5 stated that affected customers would be notified directly. The breach did not impact F5’s software supply chain, as independent reviews found no evidence of malicious modifications to source code, build, or release pipelines. There was also no indication that the attackers accessed or tampered with the NGINX product line, Distributed Cloud Services, Silverline systems, or customer data in CRM, financial, or support case management systems. F5 emphasized that, as of the latest investigation, there is no evidence that the stolen vulnerability information has been used in active exploitation or that the private information has been publicly disclosed. The company’s containment measures, implemented promptly after discovery, have been effective, with no signs of further unauthorized activity since their deployment. The U.S. Department of Justice authorized F5 to delay public disclosure of the breach due to national security concerns, as permitted under SEC rules. The UK National Cyber Security Centre highlighted the risk that attackers could use the stolen source code to identify additional vulnerabilities and develop targeted exploits. F5’s flagship BIG-IP product is widely used by major enterprises, including 48 of the Fortune 50, raising concerns about the potential impact of the breach. The company continues to monitor for any signs of exploitation and is working closely with law enforcement and cybersecurity partners. F5 has reassured customers that the breach did not compromise the integrity of its software updates or supply chain. The incident underscores the ongoing threat posed by nation-state actors to critical technology providers and the importance of rapid detection and response to sophisticated intrusions.
Apr 14, 2026
F5 Breach Involving Advanced Brickstorm Malware and Supply Chain Risks
F5, a major application delivery and security provider, disclosed a significant breach in which malicious actors maintained persistent access to critical systems, including the BIG-IP product development environment and engineering knowledge management platform. The breach, which began in August and was deemed material by September, prompted F5 to delay public notification due to national security concerns. Upon disclosure, F5 released security patches for affected products, and CISA issued an emergency directive requiring federal agencies to patch vulnerable F5 devices immediately. The advanced 'Brickstorm' malware, attributed to Chinese threat actors, was detected as part of this breach, raising concerns about the potential for long-term exploitation of stolen technical specifications and code. While there is currently no evidence that the stolen information has been used to exploit F5 devices or alter the codebase, the incident highlights the ongoing risks associated with software supply chain attacks. The breach underscores the challenges organizations face in securing complex supply chains, as even widely adopted security frameworks may not fully mitigate such threats. The F5 incident draws parallels to previous high-profile supply chain compromises, emphasizing the need for more robust and comprehensive security measures to protect critical infrastructure and sensitive data from sophisticated nation-state actors.
Mar 21, 2026