Unknown Attackers Breach Cybersecurity Company F5’s Networks, Steal Customer Data

Zack Whittaker of TechCrunch reports that F5 Networks, a Seattle-based cybersecurity company serving major global enterprises and governments, says government-backed hackers maintained “long-term, persistent access” to its internal systems, including customer data.

F5 first detected the intrusion on August 9, 2025, and has since worked to secure its systems and assess the scope of the damage. The company confirmed that source code and customer data were stolen, but stated that containment measures have since been successful in preventing further dissemination.

The breach, which affected F5’s BIG-IP product development and knowledge management systems, raises serious concerns given the company’s role in protecting critical digital infrastructure across multiple industries.

The attackers accessed source code repositories and internal files that contain configurations and implementation details of customers’ systems. Such information could be used to identify and exploit security weaknesses.

F5 reported no evidence of software tampering or exploitation of vulnerabilities, but released several updates for its BIG-IP platform to address previously undisclosed flaws. The US Department of Justice allowed F5 to delay public disclosure, citing potential risks to national security.

Following the announcement, the UK National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency (CISA) issued warnings and directives for immediate system patching.

F5 did not name a specific government or nation-state group behind the attack. The incident adds F5 to a growing list of technology companies targeted in state-sponsored cyber operations, which also includes Microsoft, Hewlett Packard Enterprise, and SolarWinds.

The breach illustrates the vulnerability of even advanced cybersecurity firms to sophisticated government-sponsored attacks. Lawyers advising affected organizations should anticipate potential regulatory inquiries, contractual disclosure obligations, and incident response coordination requirements.