The stolen code: what the F5 breach teaches us about cyber sovereignty and the Chinese threat

Key Takeaways

The F5 case shows how dependence on critical suppliers can undermine a country’s cyber sovereignty. If the code of globally distributed platforms (such as BIG-IP, used by banks, companies, and governments) is compromised, the repercussions cascade across many strategic infrastructures. It is therefore necessary to strengthen resilience and technological autonomy by diversifying the supply chain and investing in common security standards among allies.
The intrusion into F5’s systems was discovered on August 9, 2025, but public disclosure was delayed until October 15, 2025, after the US Department of Justice authorized a delay for national security reasons. The interval allowed the investigation to proceed before attackers could act on the news, which itself highlights the strategic sensitivity of the case.
The attack is attributed to state-sponsored Chinese hackers, in line with a series of cyber espionage operations attributed to Beijing in recent years. Chinese authorities deny involvement, but Western analysts point to a specific group (UNC5221) behind the incursion. The episode therefore confirms the need for the West to remain vigilant against cyber campaigns originating in China and to consider cybersecurity a central element of geopolitical competition.

US cybersecurity company F5, Inc. has revealed that it suffered a serious cyber breach, which was discovered internally on August 9, 2025. A state-sponsored actor managed to infiltrate F5’s systems and remain hidden for an extended period, with F5 describing the access as long-term and persistent. On September 12, the US Department of Justice determined that a delay in public disclosure was justified for national security reasons, so the breach was only made public on October 15, 2025, when F5 filed its disclosure with the SEC. This unusual timing, with more than two months between discovery and announcement, reflects the geopolitical sensitivity of the incident and has put the spotlight on issues of cyber sovereignty and the risk posed by Chinese cyber threats.

Source code theft and vulnerabilities

Investigations revealed that the state-sponsored actor maintained persistent, long-term access to specific internal F5 environments, namely the BIG-IP product development environment and an engineering knowledge management platform. Through this access, the actor exfiltrated sensitive data, including portions of BIG-IP source code and information about software vulnerabilities that F5 had found but not yet publicly disclosed. In other words, the group obtained a detailed blueprint of flaws in F5 software before the company could fix them. Experts warn that this combination of source code and details of unpatched flaws is potentially severe, because it lets an attacker develop working exploits and target exposed devices before patches are distributed; the source code also makes it easier to find additional, still-unknown bugs. F5 has stated that, so far, it has found no evidence of active exploitation of the undisclosed vulnerabilities and no evidence that its source code or its build and release pipeline was modified (a finding it says was reviewed by external firms). The company also reports no unauthorized access to its CRM, financial, support case management, or iHealth systems, and says the knowledge management platform contained configuration or implementation details for only a small percentage of customers, who are being notified directly. A practical caveat: the absence of detected supply chain tampering is reassuring, but customers should still treat any device running unpatched code as exposed, since the attacker already knows which bugs to aim at.

Immediate response from F5 and government alert

As soon as the intrusion was discovered, F5 activated its cyber incident response procedures: it brought in leading cybersecurity companies (including CrowdStrike, Mandiant, NCC Group, and IOActive) and took extensive containment measures to expel the intruders. The company worked closely with federal law enforcement during the investigation and obtained permission to temporarily delay public disclosure so as not to compromise investigative operations. At the same time, F5 released emergency updates for its products (BIG-IP, F5OS, BIG-IQ, and others) and urged all customers to apply them promptly, also offering additional security tooling such as a free CrowdStrike Falcon EDR sensor for BIG-IP and hardening guidance for management interfaces.

Government agencies, for their part, treated the situation as a significant threat. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01, ordering all federal civilian agencies to inventory their F5 devices, check whether any management interfaces are reachable from the public internet, and apply the updates by tight deadlines (October 22 for BIG-IP, F5OS, and BIG-IQ systems, with a later deadline for other F5 products). CISA warned that the stolen vulnerability details could allow attackers to steal credentials and API keys, move laterally across networks, and gain persistent access, with potentially catastrophic risks to critical systems. A similar alert came from the UK’s National Cyber Security Centre (NCSC), which urged all organizations to update their F5 installations immediately and to verify the integrity of their systems. This coordinated response reflects the perceived severity: the F5 breach is not an isolated incident but a textbook case of systemic risk, capable of undermining confidence in transatlantic digital infrastructure.
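The directive above boils down to two checks that every operator of F5 equipment has to run: which devices are still below the fixed version, and which management interfaces sit outside the networks where management should live. The script below is an added illustration of that triage, not code from F5, CISA, or the original article. The inventory, the approved management networks, and the minimum fixed versions are constructed placeholders; the real fixed versions must be taken from F5’s October 2025 security notification before the table is trusted.

```python
"""Triage an F5 device inventory for the two checks CISA's directive asks for:
devices still running a version below the fix, and management interfaces that
are not inside the organisation's approved management networks.

Added example. The version table and sample inventory are placeholders,
not F5's actual fix list or any real network.
"""
import ipaddress
from dataclasses import dataclass

# PLACEHOLDER minimum fixed versions per product family (assumed values).
# Replace with the versions listed in F5's October 2025 quarterly notification.
MIN_FIXED_VERSION = {
    "BIG-IP": "17.1.3",
    "F5OS": "1.8.1",
    "BIG-IQ": "8.4.0",
}

# Networks from which management traffic is allowed (assumed for the example).
APPROVED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.5.0/24"),
]


@dataclass
class Device:
    hostname: str
    product: str   # one of the MIN_FIXED_VERSION keys
    version: str   # dotted version string as shown by the device, e.g. "17.1.1.4"
    mgmt_ip: str   # address bound to the management interface


def parse_version(version: str) -> tuple:
    """Turn '17.1.1.4' into (17, 1, 1, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def version_below(installed: str, fixed: str) -> bool:
    """True if the installed version is older than the fixed one.
    Shorter tuples are right-padded with zeros so '17.1.3' == '17.1.3.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def mgmt_in_approved_network(mgmt_ip: str) -> bool:
    """True if the management address falls inside an approved management network."""
    ip = ipaddress.ip_address(mgmt_ip)
    return any(ip in net for net in APPROVED_MGMT_NETWORKS)


def triage(devices) -> dict:
    """Return {hostname: [issue, ...]} for every device with at least one issue."""
    findings = {}
    for dev in devices:
        issues = []
        fixed = MIN_FIXED_VERSION.get(dev.product)
        if fixed is None:
            issues.append(f"unknown product family {dev.product!r}; review manually")
        elif version_below(dev.version, fixed):
            issues.append(f"version {dev.version} is below fixed version {fixed}; patch by the deadline")
        try:
            exposed = not mgmt_in_approved_network(dev.mgmt_ip)
        except ValueError:
            issues.append(f"unparseable management address {dev.mgmt_ip!r}")
        else:
            if exposed:
                issues.append(f"management interface {dev.mgmt_ip} is outside approved management networks; isolate it")
        if issues:
            findings[dev.hostname] = issues
    return findings


# Constructed sample inventory; 203.0.113.0/24 is a documentation range used
# here to stand in for an address reachable from outside the management networks.
SAMPLE_INVENTORY = [
    Device("lb-edge-01", "BIG-IP", "17.1.1.4", "203.0.113.10"),
    Device("lb-core-02", "BIG-IP", "17.1.3", "10.20.0.5"),
    Device("f5os-chassis-01", "F5OS", "1.7.0", "10.20.0.9"),
    Device("bigiq-01", "BIG-IQ", "8.4.0", "192.168.5.2"),
]

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the script flags lb-edge-01 twice (old version and a management interface outside the approved networks) and f5os-chassis-01 once (old version); the two devices already at the placeholder fixed versions and inside the management networks produce no findings. The zero-padding in version_below matters in practice because F5 versions mix three- and four-component strings.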

Cyber sovereignty and technological dependence

The F5 episode reignites the debate on cyber sovereignty, understood as a state’s ability to preserve control and security of its digital space. F5, with its BIG-IP suite, is a key provider of application delivery and security solutions for large banks, multinationals, and even government agencies around the world. Its devices often act as gatekeepers of network traffic, terminating TLS and sitting between users and digital services, which also makes them a natural place for an intruder to harvest credentials and pivot. Compromising F5’s code therefore weakens a fundamental part of the Western cyber ecosystem: an adversary holding the source and a list of unpatched flaws does not need a backdoor, because it can craft exploits for devices that many infrastructures already trust.

The incident highlights the risks of heavy technological dependence on a few global vendors. If a single supplier (however reliable) is infiltrated by a hostile actor, the consequences spread like wildfire to all those who trust that technology. For allied countries, including Italy, the lesson is twofold: on the one hand, investing in the diversification and security of the digital supply chain, and on the other, developing autonomous (or at least European) capabilities in the cyber sphere. In an era of geostrategic rivalry increasingly played out on the technological front, ensuring greater cyber sovereignty means reducing exposure to blackmail or vulnerabilities imposed from outside. This does not imply unrealistic digital autarky, but requires resilience strategies and international cooperation (e.g., shared security standards, certifications, allied threat intelligence) to ensure that the “software heart” of our infrastructure remains under control even when a giant like F5 falters.

The China factor: espionage and strategic risk

According to multiple sources, the F5 cyber breach bears the signature of state-sponsored hackers linked to China. Two people familiar with the investigation told US media that the attack is attributable to a group of cyber spies supported by the Chinese state. Beijing has firmly rejected all charges, calling the allegations “baseless” and reiterating its official position against hacking activities. Behind the scenes, however, investigators believe it is likely that a group identified as UNC5221, already known to Mandiant (Google) analysts for long-term espionage operations, was involved. This group, active since at least 2023, is said to specialize in infiltrating Western technology suppliers and stealing source code and industrial secrets, which is exactly the modus operandi seen in F5. The campaigns attributed to UNC5221 even employ advanced malware nicknamed Brickstorm, designed to ensure long-term stealth access and facilitate the theft of intellectual property and hidden vulnerabilities.

If confirmed, the attack on F5 is part of a broader Chinese cyber espionage strategy aimed at gaining competitive and strategic advantages through incursions into other countries’ technologies. In recent years, hackers linked to Beijing have been accused of a series of intrusions targeting sources of Western innovation (from universities to laboratories to widely used software providers), fueling fears of a “permanent cyber campaign” to bridge technological gaps and prepare potential cyber weapons. In this scenario, the Chinese threat is no longer just theoretical: it manifests itself concretely in sophisticated operations such as the one suffered by F5, capable of undermining confidence in the global digital fabric. For Western democracies, this means raising the level of vigilance: investing in cyber-intelligence countermeasures, strengthening the defenses of critical suppliers, and perhaps rethinking technological cooperation with Beijing in light of these risks. In short, the incursion into F5’s systems teaches us that Sino-American competition is also fought behind the scenes of code and that cyber security is now an essential pillar of national and economic security.

Note: The opinions expressed in the articles are those of the respective authors and may not reflect the views of the Machiavelli Foundation.
