The F5 hack, exposing over 269,000 devices in 85% of the companies in the Fortune 500, is just one part of the growing tensions between the US and China.
On October 25, 2025, F5, a technology and cybersecurity company focused on application security, disclosed a year-long intrusion. The news quickly made headlines, which can be at least partially attributed to F5’s widespread use: according to the company website, its services are used by 85% of the companies in the Fortune 500. With 23,000 companies on its customer list, F5 also covers 96% of the Fortune 50.
In the statement, F5 explained that it had known of the infiltration for at least two months prior to the public notice: “In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms.” BIG-IP refers to a family of application security, access, and availability hardware and software developed by F5.
The stolen files included information on the BIG-IP source code and on undisclosed vulnerabilities that F5 was still addressing. F5 has “no knowledge of undisclosed critical or remote code execution vulnerabilities” having been accessed, but it is still urging its user base to update their BIG-IP software because of the risk that those vulnerabilities will be exploited.
While the attack did not reach all of F5’s software operations (its CRM, financial, support case management, and iHealth systems show no signs of access or data loss, and other key pieces such as the software supply chain and the NGINX source also appear unaffected), the potential impact is still profound. The Shadowserver Foundation, a nonprofit organization that tracks “vulnerabilities, malicious activity and emerging threats”, found that more than 269,000 devices were exposed as a result of the breach. Even federal networks were targeted in the hack. In light of the news, F5’s stock fell by 12%.
The infiltration has been compared to other cyber campaigns with far-reaching, critical consequences. Michael Sikorski, chief technology officer of Palo Alto Networks’ threat intelligence unit, Unit 42, recalled the 2020 SolarWinds breach, which also thrust a company into the public eye after several federal agencies were exposed to a spy operation because of the software’s widespread use: “I'm not equating this to the SolarWinds attack, but I'm equating it to the fact that people never hear of it, but it's in everybody's network…When we're talking about 80 percent of the Fortune 500, we're talking about banks, law firms, tech companies, you name it.”
Even the threat actors accused of orchestrating the attack resemble those behind other recent intrusions. Two days after F5 released its statement, the nation sponsoring the “nation-state threat actors” was reported to be China. If true, this would be one more addition to the long list of incidents in China’s ongoing cyber espionage campaign. A recurring trait of the breaches attributed to China is quiet but sophisticated, sustained intrusion into critical infrastructure, where the attackers maintain access to important systems for extended periods. For example, the monumental Salt Typhoon hack collected the cellular metadata of nearly all Americans before it was discovered.
Just as with other cyber incidents, China continues to deny any responsibility for the hack. A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, maintained that “China consistently opposes and combats hacking activities in accordance with the law, and we are even more opposed to the dissemination of false information for political purposes.”
On the other side of the coin, China has also accused the US of a significant cyber attack. Its Ministry of State Security (MSS) said it “had uncovered a major cyber attack case in the United States and obtained irrefutable evidence that the National Security Agency launched a cyber attack and invaded China's National Time Service Center.”
According to the MSS’s WeChat post, the National Time Service Center is critical for managing and generating “Beijing Time”, while providing “high-precision timing services to the nation's communications, finance, power, transportation, surveying and mapping, defense, and other sectors, and provides critical data support for the calculation of international standard time.”
Notably, China also describes the intrusion it discovered as a covert, persistent effort: “...the NSA’s cyberattacks against the National Time Service Center (NTSC) were long-planned and systematic.” The post recounts a series of infiltrations from 2022 to 2024, beginning with the NSA allegedly exploiting a vulnerability in a mobile phone brand to steal private data, then stealing login credentials to spy on the NTSC system, and finally activating “42 specialized cyberattack weapons to launch a high-intensity cyberattack against multiple internal network NSC systems.”
The US has not given a specific response to these allegations. An NSA spokesperson told The Register that the agency “does not confirm nor deny allegations in the media regarding its operations,” but that its “core focus is countering foreign malign activities persistently targeting American interests, and we will continue to defend against adversaries wishing to threaten us.”
Adding to these tensions, the US is reportedly considering barring the export of “critical software” to China. The US also temporarily imposed restrictions on chip design software from late May to early July. More recently, the Trump administration has moved to stop US companies from exporting technology to companies that are majority owned by sanctioned Chinese firms. Tariffs on Chinese imports are already set at 55%, although they are currently inactive under a truce between the US and China, and Trump has possibly signalled some openness to negotiations.
Even as the conflict between the US and China appears to be at a stalemate, there are still protective steps that Americans can take, particularly in response to the F5 hack. The Cybersecurity and Infrastructure Security Agency (CISA) stressed the importance of updating affected devices in the emergency directive it issued immediately after the disclosure. F5’s own advisory goes further, pointing users to threat intelligence from F5 support, to hardening of F5 systems according to the company’s best practices, and to its SIEM integration and monitoring guidance so that suspicious activity on these devices can be detected.
It’s worth noting that the F5 intrusion is seen as a developing story. Tenable’s chief security officer said the news leaves him “...waiting for the other shoe to drop”. For now, F5 does not see any more trouble on the horizon, saying it has “taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”