| The Record from Recorded Future News
therecord.media
Alexander Martin
November 3rd, 2025
The U.K.'s water suppliers have reported five cyberattacks since January 2024, according to information reviewed by Recorded Future News. The incidents did not affect the safety of water supplies, but they highlight an increasing threat.
None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure.
The data shared by the Drinking Water Inspectorate (DWI) showed the watchdog received 15 reports from suppliers between January 1, 2024, and October 20, 2025. These were sent under the NIS Regulations, which is just one part of the extensive legal framework governing the security of drinking water systems in Britain.
Of these reports, five regarded cybersecurity incidents affecting what the DWI called “out-of-NIS-scope systems” with the others being non-cyber operational issues. Further details of the 15 reports were not shared with Recorded Future News..
Currently, the NIS Regulations limit formally reportable cyber incidents to those that actually result in disruption to an essential service. If British infrastructure suppliers were impacted by hacks such as the pre-positioning campaign tracked as Volt Typhoon, suppliers would not have a legal duty to disclose them.
DWI said the five incidents that were disclosed to the watchdog were shared for information purposes because they were considered to be “related to water supply resilience risks.”
British officials are expected to try to amend this high bar for reporting when the government updates those laws through the much-delayed Cyber Security and Resilience Bill, when it is finally introduced to Parliament later this year.
A government spokesperson said: “The Cyber threats we face are sophisticated, relentless and costly. Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences — protecting the services the public rely on so they can go about their normal lives.”
Five reports better than none
That the reports were made despite not being required by the NIS Regulations was a positive sign, said Don Smith, vice president threat research at Sophos.
“Critical infrastructure providers, like any modern connected enterprise, are subject to attacks from criminal actors daily. It is no surprise that security incidents do occur within these enterprises, despite the compliance regimes that they’re subjected to,” Smith told Recorded Future News when asked about the data.
“I think we should be encouraged that these reports were shared outside of the scope of the NIS Regulations. It is very useful for critical infrastructure operators to understand the nature of these attacks, both in the case of commodity threats and if there’s an advanced adversary operating, and a culture of information sharing helps widen everyone’s aperture.”
Although there have been ransomware attacks against the IT office systems used by water companies — including on South Staffs Water in the U.K. and Aigües de Mataró in Spain — it is extremely rare for cyberattacks on water suppliers to actually disrupt supplies.
In one rare case of a successful attack on an OT (operational technology) component, residents of a remote area on Ireland’s west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.
The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core technology components in a lot of industrial control systems, are one of the main concerns of critical infrastructure defenders.
Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to put a halt to the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.
Last week, Canadian authorities warned of an incident in which hacktivists changed the water pressure at one local utility among a spate of attacks interfering with industrial control systems.
Britain's National Cyber Security Centre encourages critical infrastructure providers to ensure they have properly segmented their business IT systems and their OT systems to reduce the impact of any cyber intrusion. In August, the agency released a new Cyber Assessments Framework to help organizations improve their resilience.
“Commodity rather than targeted attacks remain the most likely threat to impact critical infrastructure providers. The messaging I pass to CISOs and the people managing risk in these organizations is to worry about defending from the everyday as opposed to defending from the exotic,” said Smith.
“They’re expected to do both, but the much bigger risk is that we end up with a major piece of our CNI knocked offline because of a ransomware attack. I worry about people thinking about investing huge amounts in monitoring esoteric systems when they’re actually not protecting themselves from the basics.”
bleepingcomputer.com
By Bill Toulas
October 15, 2025
U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.
F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products.
BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide.
No supply-chain risk
It’s unclear how long the hackers maintained access, but the company confirmed that they stole source code, vulnerability data, and some configuration and implementation details for a limited number of customers.
"Through this access, certain files were exfiltrated, some of which contained certain portions of the Company's BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP," the company states.
Despite this critical exposure of undisclosed flaws, F5 says there's no evidence that the attackers leveraged the information in actual attacks, such as exploiting the undisclosed flaw against systems. The company also states that it has not seen evidence that the private information has been disclosed.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
This includes its platforms that contain customer data, such as its CRM, financial, support case management, or iHealth systems. Furthermore, other products and platforms managed by the company are not compromised, including NGINX, F5 Distributed Cloud Services, or Silverline systems' source code.
Response to the breach
After discovering the intrusion, F5 took remediation action by tightening access to its systems, and improving its overall threat monitoring, detection, and response capabilities:
Rotated credentials and strengthened access controls across our systems.
Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
Implemented enhancements to our network security architecture.
Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.
Additionally, the company also focuses on the security of its products through source code reviews and security assessements with support from NCC Group and IOActive.
NCC Group's assessment covered security reviews of critical software components in BIG-IP and portions of the development pipeline in an effort that involved 76 consultants.
IOActive's expertise was called in after the security breach and the engagement is still in progress. The results so far show no evidence of the threat actor introducing vulnerablities in critical F5 software source code or the software development build pipeline.
Customers should take action
F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance.
To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.
Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.
F5 confirmed that today's updates address the potential impact stemming from the stolen undisclosed vulnerabilities.
Furthermore, F5 support makes available a threat hunting guide for customers to improve detection and monitoring in their environment.
New best practices for hardening F5 systems now include automated checks to the F5 iHealth Diagnostic Tool, which can now flag security risks, vulnerabilities, prioritize actions, and provide remediation guidance.
Another recommendation is to enable BIG-IP event streaming to SIEM and configure the systems to log to a remote syslog server and monitor for login attempts.
"Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have" - F5
The company added that it has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms, including CrowdStrike and Mandiant.
On Monday, F5 announced that it rotated the cryptographic certcertificates and keys used for signing its digital products. The change affects installing BIG-IP and BIG-IQ TMOS software images while ISO image signature verification is enabled, and installing BIG-IP F5OS tenant images on host systems running F5OS.
Additional guidance for F5 customers comes from UK's National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Both agencies recommmend identifying all F5 products (hardware, software, and virtualized) and making sure that no management interface is exposed on the public web. If an exposed interface is discovered, companies should make compromise assessment.
F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems.
"On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner," explains F5.
F5 states that the incident has no material impact on its operations. All services remain available and are considered safe, based on the latest available evidence.
BleepingComputer has contacted F5 to request more details about the incident, and we will update this post when we receive a response.
Picus Blue Report 2025
bleepingcomputer.com -
npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package.
A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry primarily used for JavaScript and Node.js development.
But that isn't quite the case for Stylus: a legitimate "revolutionary" library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS.
Stylus 'accidentally banned by npmjs'
As of a few hours ago, npmjs has removed all versions of the Stylus package and published a "security holding package" page in its place.
"Stylus was accidentally banned by npmjs," earlier stated Stylus developer Lei Chen in a GitHub issue. The project maintainer is "currently waiting for npmjs to restore access to Stylus."
"I am the current maintainer of Stylus. The Stylus library has been flagged as malicious..., which has caused many [libraries] and frameworks that depend on Stylus to fail to install," also posted Chen on X (formerly Twitter). "Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue."
In this blog post, learn about the supply chain attack targeting Chrome browser extensions and the associated targeted phishing campaign.
Yesterday we discovered another client-side JavaScript attack targeting +500 websites, including governments and universities. The injected scripts create hidden links in the Document Object Model (DOM), pointing to external websites, a programming interface for web documents.
The JFrog Security Research team identified and quickly disclosed new npm malicious packages aimed at compromising leading industrial organizations
