F5 discloses long-term breach tied to nation-state actors.

Summary

By the CyberWire staff

F5 discloses long-term breach tied to nation-state actors.

Seattle-based cybersecurity firm F5 disclosed yesterday that state-sponsored hackers had "long-term, persistent access" to its networks, leading to the theft of source code and customer information, TechCrunch reports. The company says the hackers had access to the development environment for its BIG-IP product suite and its engineering knowledge management platform.

The company said in an SEC filing, "Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities. We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines."

Bloomberg cites people familiar with the matter as saying the hack is believed to be linked to China, and that the hackers were inside F5's networks for at least twelve months. Ars Technica notes that F5's BIG-IP line is used across the US government and by most of the largest companies in the world.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering Federal civilian agencies to immediately inventory F5 devices and apply the latest updates by October 22nd. The agency stated, "The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software. The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits."

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Phishing campaign impersonates LastPass and Bitwarden.

BleepingComputer reports that a phishing campaign is impersonating LastPass and Bitwarden with phony breach notifications. The emails claim the companies have been hacked, and instruct users to install a more secure version of the password managers. This file will download the Syncro remote monitoring and management tool, which the attackers use to install ScreenConnect software. ScreenConnect is a legitimate remote management tool, but is frequently abused by attackers to take control of victims' computers.

LastPass issued a statement on the phishing campaign, noting, "To be clear, LastPass has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails."

SecAI+: CompTIA’s first AI certification.

CompTIA is developing their first-ever certification focused on artificial intelligence in cybersecurity. The SecAI+certification aims to help mid-career cybersecurity professionals demonstrate competencies with AI tools. Learn how N2K can help you get a jumpstart on preparing for this new certification today.

PowerSchool hacker receives a four-year prison sentence.

19-year-old Matthew Lane of Massachusetts has been sentenced to four years in prison after pleading guilty to hacking education software provider PowerSchool, the Record reports. Lane stole information belonging to more than 70 million individuals and demanded a ransom of $2.9 million in exchange for not publishing the data. In addition to his prison sentence, Lane has been ordered to pay $14 million in restitution and a $25,000 fine.

Notes.

Today's issue includes events affecting , and China the United States.

Attacks, Threats, and Vulnerabilities

Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate (Resecurity) The following Resecurity report will explore the Qilin ransomware-as-a-service (RaaS) operation’s reliance on bullet-proof-hosting (BPH) infrastructures, with an emphasis on a network of rogue providers based in different parts of the world.

Google Careers impersonation credential phishing scam with endless variation (Sublime Security) Credentials phishing with fake Google Careers messages showing a wide range of variations

Elasticsearch Leak Exposes 6 Billion Records from Scraping, Old and New Breaches (Hackread) Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

Legislation, Policy, and Regulation

Cisco faces Senate scrutiny over firewall flaws (The Register) : Bill Cassidy letter asks if Switchzilla sat on critical flaws before feds were forced into emergency patching

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

AFRL Space Cyber Summit (Albuquerque, New Mexico, USA, Oct 15 - 16, 2025) The AFRL Space Cyber Summit is an annual event hosted by the Air Force Research Laboratory (AFRL) to bring together experts from government, academia, and industry to advance space cyber expertise and technologies, foster community-wide collaboration, and anticipate future technology growth in a cyber-contested space domain. The summit aims to develop cyber-secure systems for space, protect against evolving threats, and identify opportunities for collaboration and innovation.

ISC2 Security Congress 2025 (Nashville + Virtual, Tennessee, USA, Oct 29 - 31, 2025) Join thousands of cybersecurity experts at ISC2 Security Congress 2025 and help lead the future of our connected world. Gain the insights you need to stay ahead of the evolving digital landscape. From innovative software to new security strategies, ISC2 Security Congress 2025 is designed to ensure you can navigate tomorrow’s threats.

Cyber Innovation Day 2025 | Datatribe (Washington, DC, USA, Nov 4, 2025) If you’re raising a seed or pre-seed round and are building the next category-defining company, we want to hear from you! The DataTribe Challenge is the headline event of the afternoon at Cyber Innovation Day 2025, where five finalists take the stage after weeks of hands-on coaching from seasoned startup operators and investors. These five finalists—along with additional promising startups—will exhibit in the Cyber Innovation Expo Hall, gaining high-impact exposure to top investors, cybersecurity leaders, and strategic partners.

CYBERWARCON (Virtual and Arlington, Virginia, USA, Nov 19, 2025) CYBERWARCON is a one-day conference in Arlington, VA focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. CYBERWARCON is not a hacker conference, or an ICS conference, or an international policy conference. The central purpose of this conference is to identify and explore threats. Participants and attendees come from a spectrum of backgrounds, including the military and government, academia, the media, and the private sector.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 10.16.25

Top stories.

F5 discloses long-term breach tied to nation-state actors.

Phishing campaign impersonates LastPass and Bitwarden.

PowerSchool hacker receives a four-year prison sentence.

Notes.

Attacks, Threats, and Vulnerabilities

Legislation, Policy, and Regulation

Events