F5 BIG-IP Vulnerabilities Exploited: 85% Surge in US Government Cyberattacks Amid 2025 Shutdown
- Rescana
- Oct 26, 2025
- 6 min read

Executive Summary
Between September and October 2025, the United States government experienced a significant surge in cyberattacks, with multiple sources referencing an 85% increase in incidents targeting federal agencies and critical infrastructure during the government shutdown. This escalation coincided with the expiration of the Cybersecurity Information Sharing Act of 2015 on September 30, 2025, and the onset of a government shutdown on October 1, 2025, which resulted in substantial layoffs and resource reductions at the Cybersecurity and Infrastructure Security Agency (CISA) and other federal entities. The shutdown severely limited federal cybersecurity support, diminished the speed and scope of threat intelligence sharing, and forced private sector organizations to increase their own vigilance. A notable catalyst was a breach at F5 Inc., a major provider of network products, which prompted CISA to issue an emergency directive on October 15, 2025. While the 85% increase figure is widely cited (Techrights, referencing Dark Reading), no official CISA advisory directly confirms this statistic. However, the convergence of reduced federal capacity, the expiration of key information-sharing legislation, and opportunistic targeting by nation-state actors created a heightened risk environment for both government and critical infrastructure sectors. All claims in this summary are directly supported by the referenced primary sources.
Technical Information
The technical landscape of the incident is defined by a convergence of opportunistic threat actor activity, exploitation of network infrastructure vulnerabilities, and a systemic reduction in federal cybersecurity capacity. The primary technical incident was the breach of F5 Inc. in October 2025, which served as a catalyst for increased threat activity and prompted CISA’s emergency directive (ED 26-01). The breach involved a nation-state affiliated threat actor compromising F5 systems, exfiltrating files including portions of the BIG-IP source code, and leveraging this access to identify logical flaws and zero-day vulnerabilities. The exploitation of these vulnerabilities enabled the attacker to access embedded credentials, API keys, and potentially move laterally within affected networks.
The attack vector was the exploitation of vulnerabilities in F5 BIG-IP products, particularly those with public-facing management interfaces or unpatched software. The technical risk was not associated with a specific malware family but rather with the exploitation of these vulnerabilities, which could facilitate custom exploit development and zero-day attacks. CISA’s emergency directive required immediate inventory, patching, and hardening of F5 devices, as well as the disconnection of unsupported devices. The technical indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) observed in this incident align with the MITRE ATT&CK framework, specifically:
Initial access was achieved through exploitation of public-facing applications (T1190). Credential access was facilitated by credential dumping (T1003) and the theft or forging of Kerberos tickets (T1558). Lateral movement was accomplished using valid accounts (T1078) and lateral tool transfer (T1570). Persistence was maintained through valid accounts (T1078) and the creation or modification of system processes (T1543). Exfiltration occurred over web services (T1567) and command-and-control channels (T1041). Defense evasion was achieved by exploiting public-facing applications (T1190) and impairing defenses (T1562).
No specific malware or tool names were disclosed in CISA’s directive or public advisories regarding the F5 breach. The technical risk remains high for exploitation-based attacks, particularly those leveraging newly discovered vulnerabilities in widely deployed network appliances.
The threat actor is described as "nation-state affiliated" in CISA’s language, but no specific group attribution is provided. The TTPs observed are consistent with historical advanced persistent threat (APT) operations, such as those conducted by APT29 (Cozy Bear, Russia) and APT41 (China), which have previously targeted network infrastructure and exploited zero-day vulnerabilities in products like SolarWinds and Microsoft Exchange. The timing of the attack—during a period of reduced federal cyber defense and after the expiration of the Cybersecurity Information Sharing Act—suggests opportunistic targeting by sophisticated actors.
Sector-specific targeting patterns indicate that government agencies and critical infrastructure sectors, including water, healthcare, and utilities, were at heightened risk due to the loss of federal support and diminished information sharing. The expiration of the Cybersecurity Information Sharing Act further reduced the speed and scope of threat intelligence dissemination, increasing vulnerability across sectors. Private sector organizations were compelled to increase internal vigilance, update incident response playbooks, and rely more heavily on industry sources for threat intelligence.
CISA continued to issue advisories and emergency directives throughout the shutdown, but with reduced staff and resources, the depth and speed of guidance were diminished. While no direct CISA advisory references the 85% increase in attacks, the agency acknowledged the strain on national defenses and the increased risk environment. The technical evidence for the surge in attacks is supported by multiple corroborating sources, including Techrights and Bloomberg Law, though the precise 85% figure is not independently verified by CISA.
In summary, the technical details of the incident are characterized by exploitation of F5 BIG-IP vulnerabilities, opportunistic targeting by nation-state actors, and a systemic reduction in federal cybersecurity capacity, resulting in increased risk for government and critical infrastructure sectors.
Affected Versions & Timeline
The affected products in this incident are F5 BIG-IP devices, particularly those with public-facing management interfaces or unpatched software versions. The specific versions impacted were not disclosed in CISA’s emergency directive, but the directive required immediate action for all supported and unsupported F5 devices deployed within federal networks.
The timeline of the incident is as follows: On September 30, 2025, the Cybersecurity Information Sharing Act of 2015 expired, removing liability protections for companies sharing threat intelligence. On October 1, 2025, the US government shutdown began, resulting in significant layoffs and resource reductions at CISA and other federal agencies. On October 15, 2025, CISA issued an emergency directive following a breach at F5 Inc. Between October 22 and October 25, 2025, multiple sources reported a dramatic increase in cyberattacks targeting US government and critical infrastructure, with some citing an 85% increase.
The incident window is therefore defined as September 30, 2025, through at least October 25, 2025, with ongoing risk due to the continued exploitation of F5 vulnerabilities and reduced federal cybersecurity capacity.
Threat Activity
Threat activity during this period was characterized by a surge in exploitation attempts against US government agencies and critical infrastructure, with a particular focus on network appliances such as F5 BIG-IP devices. The primary threat actor is described as "nation-state affiliated," with TTPs consistent with advanced persistent threat (APT) operations. The exploitation of F5 vulnerabilities enabled initial access, credential theft, lateral movement, persistence, and data exfiltration.
The expiration of the Cybersecurity Information Sharing Act and the government shutdown created a permissive environment for threat actors, who exploited the reduction in federal cybersecurity capacity and the chilling effect on information sharing. The private sector, including critical infrastructure providers, was forced to compensate for the loss of federal support by increasing vigilance and cybersecurity hygiene.
CISA’s emergency directive and subsequent advisories provided technical guidance on mitigating the exploitation of F5 vulnerabilities, but the reduced workforce and resource constraints limited the depth and speed of response. No specific malware or tool names were disclosed, and attribution to a specific APT group was not possible with the available evidence.
The threat landscape during this period was defined by increased risk, opportunistic targeting, and the exploitation of systemic vulnerabilities in both technology and policy.
Mitigation & Workarounds
Mitigation efforts should be prioritized as follows:
Critical: Immediate inventory, patching, and hardening of all F5 BIG-IP devices, with particular attention to public-facing management interfaces and unsupported software versions. Organizations should disconnect unsupported devices from networks and apply all available security updates as recommended by F5 Inc. and CISA.
High: Review and update incident response playbooks to account for reduced federal support and diminished information sharing. Increase internal monitoring for indicators of compromise associated with exploitation of network appliances, including credential theft, lateral movement, and data exfiltration.
Medium: Enhance internal threat intelligence capabilities by leveraging industry sources, information sharing and analysis centers (ISACs), and commercial threat intelligence providers. Conduct tabletop exercises to simulate exploitation scenarios and validate response procedures.
Low: Review legal and compliance frameworks in light of the expiration of the Cybersecurity Information Sharing Act, and consult with legal counsel regarding information sharing practices.
All organizations, especially those in government and critical infrastructure sectors, should maintain heightened vigilance, ensure timely application of security patches, and monitor for anomalous activity associated with exploitation of network appliances.
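As an added example (not Rescana's, F5's or CISA's code), the following Python triage maps a constructed BIG-IP inventory onto the three actions the directive calls for: disconnect unsupported devices, patch the rest, and take management interfaces off the internet. The fixed-version thresholds, hostnames and addresses are placeholders; fill the thresholds from F5's own advisory.

```python
import ipaddress
from dataclasses import dataclass

# PLACEHOLDER thresholds: replace with the fixed versions from F5's own
# advisory for ED 26-01. A version branch missing from this map is treated
# as unsupported, which the directive says to disconnect rather than patch.
MIN_FIXED_BY_BRANCH = {
    "16.1": (16, 1, 99, 0),   # placeholder value
    "17.1": (17, 1, 99, 0),   # placeholder value
}

@dataclass
class Device:
    hostname: str
    version: str   # BIG-IP software version as reported by the device
    mgmt_ip: str   # address the management interface is reachable on

def parse_version(version: str) -> tuple:
    # "17.1.1.3" -> (17, 1, 1, 3); tuple comparison orders releases correctly
    return tuple(int(p) for p in version.split("."))

def branch(version: str) -> str:
    return ".".join(version.split(".")[:2])

def mgmt_is_exposed(mgmt_ip: str) -> bool:
    # A globally routable management address is reachable from the internet
    return ipaddress.ip_address(mgmt_ip).is_global

def triage(dev: Device) -> list:
    """Map one device to the directive's required actions, most urgent first."""
    b = branch(dev.version)
    if b not in MIN_FIXED_BY_BRANCH:
        return ["DISCONNECT"]   # unsupported branch: remove from the network
    actions = []
    if parse_version(dev.version) < MIN_FIXED_BY_BRANCH[b]:
        actions.append("PATCH")
    if mgmt_is_exposed(dev.mgmt_ip):
        actions.append("RESTRICT_MGMT")   # harden: no public management plane
    return actions or ["COMPLIANT"]

# Constructed sample inventory (hostnames, versions and addresses are made up)
INVENTORY = [
    Device("ltm-edge-01", "17.1.1.3", "11.22.33.44"),
    Device("ltm-core-02", "17.1.99.0", "10.20.30.40"),
    Device("ltm-legacy-03", "14.1.5", "10.0.0.5"),
]

def triage_inventory(devices=INVENTORY) -> dict:
    return {d.hostname: triage(d) for d in devices}

if __name__ == "__main__":
    for host, actions in triage_inventory().items():
        print(f"{host}: {' -> '.join(actions)}")
```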
References
Techrights, "Links 25/10/2025: Target Layoffs and 'Shutdown Sparks 85% Increase in US Government Cyberattacks'", October 25, 2025: https://techrights.org/n/2025/10/25/Links_25_10_2025_Target_Layoffs_and_Shutdown_Sparks_85_Increase.shtml
CISA, "Official Alerts & Statements - CISA", Accessed June 2025: https://www.cisa.gov/stopransomware/official-alerts-statements-cisa
Bloomberg Law, "Shutdown Exposes Companies to Heightened Cybersecurity Risks", October 22, 2025: https://news.bloomberglaw.com/privacy-and-data-security/shutdown-exposes-companies-to-heightened-cybersecurity-risks
CISA, "ED 26-01: Mitigate Vulnerabilities in F5 Devices", October 15, 2025: https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their extended supply chain. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support incident response and risk mitigation. For questions regarding this advisory or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.