Risky Business Podcast — Wide World of Cyber: A Deep Dive on the F5 Hack
Host: Patrick Gray
Guests: Alex Stamos (Chief Security Officer, Corridor Fantastic), Chris Krebs (Founding Director of CISA, Krebs Stamos Group)
Date: October 21, 2025
Overview
In this episode, Patrick Gray, Alex Stamos, and Chris Krebs provide an in-depth analysis of the recent F5 Networks compromise—a now-public cyber intrusion attributed to a suspected Chinese APT group that went undetected for up to two years. The conversation spans technical details of the attack, its implications for F5’s business and customer base, parallels to previous supply chain breaches (notably SolarWinds), as well as broader issues with legacy software, private equity ownership, and the risks and opportunities tied to AI-augmented codebase modernization.
Key Discussion Points
1. The F5 Compromise: Nature and Impact
[01:04–07:03]
- Summary of the Incident:
  - A suspected Chinese APT group infiltrated F5, maintaining access for one to two years.
  - Attackers reportedly raided the internal bug tracker and searched for vulnerabilities.
  - F5 responded by rotating keys (suggesting some were not stored in HSMs) and announcing patches for 44 bugs—many described as DoS, yet potentially serious.
- Technical Risks:
  - Devices like F5 load balancers are prime targets because deployments are near-identical, they are hard to instrument with security tools, and they often lack robust anti-exploit defenses.
  - Advisories that refer to "undisclosed traffic" suggest the exploitable conditions can be triggered remotely over the network, increasing the potential impact.
- Notable Quote:
  “These are exactly the kind of flaws that I would never bet my career on somebody not being able to turn to be exploitable… you cannot run EDR or other kind of security products on them.”
  – Alex Stamos [02:26]
2. Threat Actor Behavior and Supply Chain Compromises
[05:27–09:40]
- Despite access to F5’s update infrastructure, the attackers did not ship malicious patches, unlike in SolarWinds.
- Possible reasons:
  - Different capabilities, readiness, or deliberate restraint following detection/arrest in similar past incidents (e.g., Russians in SolarWinds).
  - F5's internal logging and security posture might have deterred further action.
- Notable Quote:
  “If the rumors are true that they had the appropriate logging in place... maybe F5 had a better than we would have expected security posture.”
  – Chris Krebs [07:10]
3. F5's Response: Internal Moves and Communications
[09:40–12:46]
- F5 appointed board member and experienced security leader Mike Montoya as Chief Technology and Operations Officer, a signal of intent to control the narrative and execute a strong response.
- F5 asserts there is no evidence of attacker access to its cloud services or customer data, though skepticism remains given the incident's complexity and previous cases where such assurances changed over time.
- Discussion of the challenges of integrating acquisitions like NGINX, and the difficulties this can create for both attackers and defenders.
- Notable Quote:
  “It was a quick move... if these actors did have access to those services, that would be an ingredient, access into many, many... the back end of many companies.”
  – Alex Stamos [11:07]
4. Lessons from SolarWinds: Handling Catastrophic Supply Chain Incidents
[13:20–22:55]
- Stamos and Krebs share learnings from assisting SolarWinds post-breach:
  - Emphasis on transparency, rapid communication, and honest engagement with customers.
  - Created new application security functions, simplified product lines to reduce attack surface, and instigated wide code reviews and security assessments.
  - Media attention on minor vulnerabilities during the aftermath can amplify perception risk, necessitating rigorous, proactive cleanup.
- Notable Quotes:
  “You can’t withhold information. You have to be as transparent as possible... How are they getting to good?”
  – Chris Krebs [15:33]
  “One of the problems SolarWinds had was they shipped too many products... They don’t realize that thing is actually not an asset, it is a liability on their books because it represents a significant amount of security risk.”
  – Alex Stamos [17:58]
  “We had to basically build a whole new application security function for them. We also massively simplified their product line.”
  – Alex Stamos [17:58]
5. US Government and Vendor Response: Directive Amid Dysfunction
[24:44–32:24]
- CISA's Emergency Directive:
  - Prompted a quick reaction from agencies to patch, even during the government shutdown, but actual patching may be hampered because ops/IT teams (not security teams) typically execute these changes.
  - Even with resource constraints and no confirmed leadership at agencies, institutional muscle memory and professional staff keep the response rolling.
- Wider Impact:
  - Emergency directives set expectations and prompt action in the private sector and non-federal organizations, not just government.
- Notable Quotes:
  “As soon as CISA pushes out an emergency directive, every other organization... looks at that and says… we need to do this too.”
  – Chris Krebs [28:01]
  “We can only go for so long when there’s nobody in charge.”
  – Alex Stamos [30:19]
6. Broader Industry Issues: Legacy Software and Private Equity
[32:24–34:07]
- Not all private equity (PE) ownership is bad: some firms strengthen security and operations (e.g., Sophos, Proofpoint), while others neglect them, letting legacy products rot for short-term gains (e.g., Ivanti).
- Aging codebases (over 30 years old) are prevalent and a persistent source of risk.
7. The AI Opportunity: Modernizing Codebases
[34:07–38:48]
- AI Refactoring:
  - Advanced code generation and refactoring tools now make long-shot efforts to modernize and secure old codebases far more feasible.
  - Tasks that once required “hundreds of man years” can now be partly automated, making comprehensive remediation economically possible.
- Limits and Incentives:
  - Not all firms will act; the crucial factor is alignment of incentives and leadership’s willingness to invest.
  - PE owners with a strong security background may adopt this AI-driven remediation, while others may not.
- Notable Quotes:
  “It is possible, instead of fixing security flaws, to just rewrite significant parts of the code base... That is going to become... a totally practical solution… I’m not like going from C to Rust yet, but… I think are actually possible.”
  – Alex Stamos [35:51]
  “The security program is always the afterthought, always the last thing considered in these sorts of deals... It’s who’s owning, who turns the screws, who has the influence over the company and do they effectively have a security mindset?”
  – Chris Krebs [36:26]
Memorable Moments and Quotes
- Alex critiques F5’s assurances:
  “I would trust F5 as far as I can throw them metaphorically at this point.”
  – Alex Stamos [02:26]
- On US cyber agency staffing:
  “Before the shutdown, there’s basically nobody working on cyber in the United States government...”
  – Alex Stamos [29:00]
- On the slow pace of policy evolution:
  “We’re in... October 2025. The policy conversations around cybersecurity are virtually the exact same as they were in October of 2015… The only real appreciable difference... is that AI is finally here.”
  – Chris Krebs [32:24]
Timestamps for Key Segments
- [01:04] – F5 hack summary and technical/patching discussion
- [05:27] – Parallels with SolarWinds; why no supply chain compromise this time?
- [09:40] – F5’s internal response and leadership changes
- [13:20] – SolarWinds lessons: transparency, incident recovery, risk from product sprawl
- [24:44] – CISA directives, US gov’t function during shutdown
- [32:24] – Broader implications of PE/legacy software neglect
- [34:07] – AI as a tool for rapid codebase modernization
- [38:48] – Wrap-up
Conclusion
This episode delivers an insightful, practical perspective on the evolving challenges of securing critical infrastructure and software supply chains. The hosts cover everything from the nuts and bolts of the F5 breach and incident response lessons from SolarWinds, to the hopeful future where AI might break decades-long cycles of technical debt and neglect. The episode is candid, occasionally irreverent, and full of sharp commentary—essential listening for anyone who wants a realistic take on the state of software supply chain security in 2025.
