F5 Is Misleading the Market – The Breach Is Nowhere Near Contained


F5’s Recommendations Expose the Cover-Up, Not the Cure

Among the various recommendations published by the company, most read like they were copied straight from ChatGPT — generic, recycled language with no real insight or actionable direction for customers.

Out of all the recommendations, we found only one that could be considered relevant.

Updates to BIG-IP software. Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now. Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible. More information about these updates can be found in the Quarterly Security Notification.

Source: K000154696 Notification

As far as we know, CISA (Cybersecurity and Infrastructure Security Agency) has never before issued an Emergency Directive for a breach. It did now. According to the information provided, stolen F5 source code, configurations, and vulnerability data have exposed 600,000+ devices globally, which CISA considers an immediate federal security threat, particularly because the stolen material enables the actor to penetrate the core networks of F5 customers and decrypt a significant portion of global Internet traffic.

We found a clear and disproportionate gap between the shallow report published by F5 and the extraordinary alert issued by CISA. This asymmetry speaks volumes — it highlights the true severity of the breach that F5 is downplaying.

The Recommendation Focuses on a Minor Issue Instead of the Core Problem

  • F5’s only relevant recommendation: update software versions on several products.
  • This update addresses specific vulnerabilities listed in F5 notification K000156572.
  • The recommendation fixes 44 vulnerabilities which were disclosed to the threat actor by accessing internal documentation.
  • F5’s claim that some vulnerabilities are not critical is inaccurate.
  • Review of documentation shows multiple vulnerabilities should be classified as “critical” due to their business impact.

F5’s communication downplays the actual risk and, we believe, misleads on the following criteria:

(Follows NIST SP 800‑86, NIST SP 800‑61)

  1. Data Theft & Exfiltration — Theft of proprietary data, code, and design assets indicates possible long-term espionage intent.
  2. Credential Harvesting — Stolen credentials and hidden accounts suggest sustained access capability post‑incident.
  3. Privilege Escalation / Lateral Movement — Actor’s internal dwell time and situational awareness support re-escalation and lateral pivoting.
  4. Persistence — Backdoors or implants embedded in product lines ensure silent control and delayed detection.
  5. Software & Supply Chain Tampering — High‑trust access could enable product‑level compromise. Comprehensive forensic validation required.
  6. Destruction / Sabotage — Backup corruption or substitution may mask intrusion and delay recovery.
  7. Financial Exposure — ERP breach risk extends to transactional manipulation and business operations.
  8. Reputation & Extortion — Attacker may weaponize stolen data for financial blackmail or customer‑facing leaks.
  9. Infrastructure Abuse (Pivoting) — Compromised appliances could be leveraged to attack customers or persist via update channels.
  10. Data / Analytics Poisoning — Stolen certificates may facilitate continuous infiltration of customer environments.

Since F5’s breach response didn’t provide a proper answer to the criteria above, we find this to be pure negligence — no control, no transparency, and no technical proof.

The company’s narrow focus on reviewing written code is based on the unrealistic assumption that a year-long nation-state intrusion would “just” modify source code (e.g., SolarWinds, NotPetya and Stuxnet).

We cannot accept that narrative — such an attack inevitably extends far beyond code changes, into compromised build systems, stolen credentials, embedded persistence, and manipulated supply-chain components.

With this information, we took an additional step and reviewed the company’s historical security posture.

Based on our research, we are confident that F5’s IT infrastructure has consistently demonstrated noncompliance with even minimal security standards, revealing systemic negligence in IT governance, product development oversight, and regulatory compliance.

After a full year of undetected sophisticated hacker activity inside its network, F5 still has no proof that the threat is gone.

Professionals in that domain expect to see confirmation that firmware backdoors were removed, verification regarding stolen credentials, evidence that the supply chain wasn’t tampered with, and more.

NCC and IOActive didn’t perform the actions required by NIST — no proper forensics, no threat hunting, no verification. Their involvement is detailed in the two engagement letters published by F5, which describe actions irrelevant to the core risk.
As far as we understand, F5 chose to outsource containment without granting full access or internal context, which reflects arrogant and unacceptable conduct towards its customers and investors.

Our research leads us to believe F5 lost control of its environment years ago, and this incident will continue to unfold in unpredictable ways, likely revealing more undisclosed or undetected compromises.
It shows a level of audacity that we feel borders on misrepresentation — leaving us no doubt that F5’s products cannot be considered safe or free from sophisticated threats.

Irrelevant Service Providers for the Mission

The Detection Challenge Reality

Detecting nation-state adversaries requires months, sometimes even years of intensive forensic and reverse engineering work by elite threat hunters specifically trained in APT detection methodologies — expertise that IOActive and NCC Group demonstrably lack.

Firms Without the Required Capabilities

Both firms were relegated to post-breach supply chain validation — confirming files weren’t modified after discovery — not the manual threat hunting needed to detect a year-long intrusion. Their automated testing tools and penetration testing methodologies are fundamentally incapable of detecting sophisticated adversaries who employ custom malware with delayed activation, unique command-and-control infrastructure, active obfuscation, and systematic artifact removal techniques specifically designed to evade their standard toolsets.

IOActive and NCC Group’s validation that “no supply chain modification exists” addresses one narrow technical question while leaving critical issues unresolved: initial access methods, additional exfiltrated data, dormant persistence mechanisms, and intelligence gathered during 12 months of privileged access. Without dedicated APT hunters trained in nation-state tradecraft (rather than product testers running automated scans), the true extent of what the adversaries accomplished remains deliberately obscured.

The selection of IOActive and NCC Group reveals F5’s actual priorities: buying time with regulators and checking compliance boxes, not conducting genuine forensic investigation. Their narrow validation provides regulatory cover while avoiding the intensive months-long analysis that would expose the breach’s true scope and F5’s security failures.
