IT Brief Australia - Technology news for CIOs & IT decision-makers

F5 BIG-IP hack exposes critical infrastructure to major risk

Wed, 5th Nov 2025

A recently disclosed security breach of F5's BIG-IP product line has highlighted growing risks for industrial control systems globally.

F5 confirmed that a state-sponsored threat actor gained unauthorised, prolonged access to the company's internal engineering and product development environments. Attackers reportedly exploited sensitive source code, vulnerability details, and select customer implementation data, raising concerns for organisations worldwide relying on F5 BIG-IP appliances as a security gateway between their corporate IT and operational technology (OT) environments.

Critical infrastructure sectors including energy, manufacturing, transportation, and oil and gas deploy F5 BIG-IP devices to segment and protect industrial control systems (ICS) from wider IT networks. This breach exposes these environments to significant risks, including unauthorised access, data theft, and operational disruption.

Nature of the threat

The attack has been attributed to a group identified as UNC5221, also referenced in Dragos's tracking as TAT25-43. This group has a pattern of exploiting zero-day vulnerabilities in network appliances, which can allow adversaries to target administrative interfaces, manipulate access policies, bypass authentication, and persist in networks using stolen credentials or certificates.

Dragos, a firm specialising in ICS/OT cybersecurity, has issued a summary of the threat landscape following the F5 incident. The company highlights immediate concerns such as targeted abuse of virtual private network (VPN) and Application Policy Manager (APM) settings, unauthorised API interactions, and interference with configuration objects. Such activity could result in the interception of network traffic, manipulation of security policies, denial of legitimate service access, and even log suppression to cover attacker footprints.

F5 has reported no evidence of software tampering or supply-chain compromise. However, the worry is that the sensitive information obtained in the breach could be used for future attacks targeting customers and partners further downstream.

Security response and recommendations

In direct response to the breach, Dragos has enabled new detections, indicators of compromise (IOCs), and digital playbooks to help customers identify and defend against adversarial behaviours exploiting these vulnerabilities. Users of affected products are urged to implement a series of recommended actions.

Dragos's recommendations include deploying updated software patches as soon as possible, verifying visibility across all assets, monitoring network activity for compromise indicators, and reviewing critical controls across network and access management.

Specifically, the guidance aligns with the SANS Five Critical Controls, which emphasise strategic and practical measures:

  • Incident Response: Prepare response playbooks, monitor for suspicious activity, and act swiftly when detections occur.
  • Defensible Architecture: Implement restrictions on administrative access, enforce a least-privilege approach, and secure all system backups.
  • Network Visibility & Monitoring: Maintain up-to-date inventories of assets, actively monitor all access points, and retain network logs for ongoing review.
  • Secure Remote Access: Enforce multi-factor authentication, log all remote access, and audit user privileges regularly.
  • Risk-Based Vulnerability Management: Continually assess and patch vulnerabilities and apply compensating controls where patches are not feasible.

Alongside these controls, immediate patching of F5 BIG-IP appliances and related products is emphasised. These updates address the documented vulnerabilities and are available from F5 for deployment.

Expert perspective

"Given their critical role in network segmentation, authentication, and access control, asset owners and operators must treat these devices as high-value targets and implement strong defences to include timely patching, credential rotation, hardened access controls, and enhanced monitoring. A compromised asset at this position within an industrial organization's network poses a critical threat to their respective operational resilience."

This statement from Tim Vernick, Senior ICS/OT Cyber Threat Intelligence Analyst at Dragos, reflects ongoing industry concerns about the vital role F5 BIG-IP devices play in safeguarding industrial ecosystems and the severe impact if they are compromised.

Organisations are advised to strengthen visibility across their environments, scrutinise network activity for signs of potential compromise, and adjust their controls and response plans in light of evolving state-sponsored threats targeting operational infrastructure.
