Some experts and lawmakers warn U.S. cyberdefenses are becoming more vulnerable by the day, as nation-state threats escalate. That one-two punch could have serious implications for national security and both public- and private-sector cyber-risk.
This week’s featured articles cover a major nation-state attack that experts are comparing to the SolarWinds breach, a China-based threat group’s concerning use of a legitimate security tool for malicious purposes and further workforce reductions at CISA.
Nation-state hackers target F5, sending federal government scrambling
An unnamed nation-state threat actor breached F5’s systems, the vendor said this week, gaining long-term, persistent access to the company’s engineering platforms and stealing sensitive data. The attackers obtained BIG-IP source code, information about undisclosed vulnerabilities and customer configuration details that could enable future attacks.
F5 said it discovered the breach in August but didn’t disclose when it began. In response, CISA issued an emergency directive requiring federal agencies to immediately secure their F5 devices, patch most affected products by Oct. 22 and disconnect end-of-life systems.
The incident evokes the SolarWinds attack and raises concerns about supply chain security, though F5 said it has found no evidence of software tampering. Thousands of F5 products are deployed across federal agencies.
In the private sector, nearly every organization in the Fortune 50 reportedly uses F5 technology. Researchers at Palo Alto Networks said that as of Oct. 15 — the day after F5 announced the attack — they had identified more than 600,000 unpatched, internet-facing F5 network security devices.
Read the full story by Eric Geller on Cybersecurity Dive.
Chinese hackers weaponize security tool in ransomware attacks
The China-based threat group Storm-2603 has weaponized Velociraptor, an open source digital forensics and incident response tool, in ransomware attacks.
Cisco Talos researchers observed the group deploying multiple ransomware variants — including Warlock, LockBit and Babuk — on VMware ESXi servers during an August incident. Storm-2603 installed an outdated version of Velociraptor with a privilege escalation vulnerability to maintain persistent network access while concealing malicious activities.
This represents a concerning shift wherein attackers repurpose legitimate security tools for offensive operations to conduct what are called living-off-the-land attacks.
Read the full story by Rob Wright on Dark Reading.
CISA loses more employees to layoffs and reassignments
The Trump administration is further downsizing CISA, this time through both layoffs and forced relocations. Since October 1, the Department of Homeland Security has laid off 176 employees, the majority from CISA. The agency had already lost about a third of its workforce in 2025.
The downsizing has reportedly created a severe morale crisis within CISA, with employees feeling uncertain about their roles. Republicans said the cuts are necessary to get the agency back on track after it became involved in combating election misinformation in 2020. But cybersecurity experts and Democratic lawmakers warned the disruption could weaken America’s cyberdefense capabilities at a time when global threats are rapidly evolving and, in some cases, escalating.
Read the full story by Eric Geller on Cybersecurity Dive.
