F5 hacked: Risks to global networks and IT infrastructure

The attack on F5, one of the key providers of cybersecurity solutions, shows that even the guardians of digital gateways are not untouchable today. According to reports, hackers—probably linked to China—had access to the company's internal systems for many months, raising questions about the security of the entire IT supply chain.

There is an ironclad rule in the cyber security industry: even gatekeepers can become targets. The latest incident at US-based F5, a manufacturer of network and application security solutions, shows just how valid this rule is. According to reports from Bloomberg, hackers – possibly linked to China – are said to have been on F5’s network for up to a year, gaining access to files including pieces of source code and documentation on security vulnerabilities.

F5 confirmed ‘unauthorised access’ to parts of its systems, while assuring that the company’s operations had not been disrupted. However, this is only part of the picture. The US Cybersecurity and Infrastructure Security Agency (CISA) has assessed the risk as a direct threat to federal government networks, as knowledge stolen from F5 could become a map for large-scale intrusions – not just in the US, but across all organisations using its devices.

The situation has a geopolitical dimension. Although CISA has not named the perpetrators, Bloomberg’s sources speak directly of a sophisticated group linked to China. This is part of a wider trend: the growing number of cyber espionage operations targeting critical infrastructure providers. Similar incidents have previously involved SolarWinds and Microsoft Exchange, among others.

Significantly, F5 chose to involve several third-party companies – CrowdStrike, Mandiant, NCC Group – suggesting a high level of complexity in the attack. According to disclosures to the SEC, the US Department of Justice allowed F5 to delay public disclosure of the incident until 12 September, citing national security.

For F5’s customers – from the financial sector to government to telecommunications – this incident is a wake-up call. It is not only about the need for immediate updates. If attackers have gained knowledge of as-yet-unidentified vulnerabilities, the consequences may play out over an extended period. The UK NCSC has already urged organisations to update their F5 systems, warning of potential secondary attacks.

This story demonstrates a key change in attack vectors: the target is no longer the individual organisation but the technology provider whose products are the ‘gateway’ to thousands of networks. The ‘zero trust’ narrative is no longer a marketing buzzword – it is becoming a necessity when dealing with any supplier, even those in the cyber security industry.
