F5 asserts limited impact from prolonged nation-state attack on its systems
F5 CEO François Locoh-Donou said on a company earnings call that a nation-state attacker’s long-term, persistent access to its systems affected customers in two ways: widespread emergency updates to BIG-IP software and hardware, and the theft of some customers’ configuration data during the attack.
“We were very impressed frankly, with the speed with which our customers have mobilized resources to be able to make these upgrades and put them in production fairly rapidly,” Locoh-Donou said Monday. F5 helped thousands of customers install critical updates upon disclosure, he added.
The vendor’s latest assessment of the prolonged attack, which it became aware of Aug. 9 and disclosed Oct. 15, indicates F5 remains optimistic it has contained and limited exposure from the breach, which prompted a rare emergency directive from federal cyber authorities when it was disclosed in a regulatory filing.
“A significant number of our largest customers have completed their updates with minimal disruption,” Locoh-Donou said, adding “a North American technology provider completed updates to 814 devices in a six-hour window in the first weekend.”
Data exfiltration “impacted a small percentage of our customers,” and an investigation into the full scope of data and customers exposed by the attack on F5’s internal systems is ongoing, Locoh-Donou said. Initial response and recovery efforts identified some customers that were impacted, and F5 has notified those organizations and shared details about the data that might have been exfiltrated, he added.
The intrusion allowed an unidentified nation-state attacker to steal segments of BIG-IP source code, customers’ configuration data and details of 44 undisclosed vulnerabilities F5 was addressing internally at the time.
Locoh-Donou said most customers that are known to be impacted are at relative ease about the type of data stolen from F5’s systems. “The most common feedback from customers so far has been that that data is not sensitive and they’re not concerned about it,” he said. “There was no impact to our customer relationship management or our support system.”
F5 hasn’t described what information was contained in the customer configuration data stolen by the attacker.
The vendor is also confident it can limit the fallout from potential vulnerabilities discovered in its stolen BIG-IP source code. NCC Group and IOActive, firms F5 brought in to assist with response and recovery efforts, previously attested they found no critical-severity vulnerabilities in the source code nor did they find evidence of exploited defects in the company’s critical software, products or development environment.
F5 is continuing to scan its code with the aid of third-party experts “to ensure that if there are any vulnerabilities that we remediate them immediately,” Locoh-Donou said. The company is also bolstering its bug-bounty program and setting up a center where customers and artificial intelligence tools can do penetration testing with F5’s code.
Locoh-Donou noted that F5 also partnered with CrowdStrike to bring endpoint detection and response capabilities to BIG-IP environments. This provides an extra layer of monitoring and observability to customer deployments that “hasn’t been done in the industry,” he said. “You haven’t seen perimeter devices really enabled with EDR.”
F5 expects costs related to the CrowdStrike Falcon EDR offer to be covered by its cyber insurance or absorbed as one-time remediation costs.
The company expects its financial performance to take a short-term hit from the attack, including a disruption to sales cycles as customers focus on threat hunting and remediating security gaps in their environments, Chief Financial Officer Cooper Werner said during the earnings call.
F5 told investors its fiscal year 2026 revenue will grow 0% to 4%, and diminished demand from customers should be more acute in the first half of the year.
“We are disappointed that this happened and very aware as a team and as a company of the burden that this has placed on our customers who have had to work long hours to upgrade their BIG-IPs and secure their environment,” Locoh-Donou said.
“It is evident that advanced nation-state threat actors are targeting technology companies and most recently perimeter-security companies,” he said. “We are committed to learning from this incident, sharing our insights with customers and peers, and driving collaborative innovation to collectively strengthen the protection of critical infrastructure across the industry.”