Russian state-linked hackers have compromised the email accounts of UK government officials and overseas Foreign Office staff in an ongoing campaign that researchers have nicknamed FortiBleed, according to reporting from The Telegraph and multiple security researchers. The operation abused a vulnerability affecting more than 80,000 Fortinet firewalls, harvesting login credentials that grant unauthorised access to sensitive Whitehall systems. Breached accounts are now trading on dark web forums for as much as $60,000 (£44,000), with particular alarm over exposed credentials tied to the NHS and national critical infrastructure.
What Happened
The attackers exploited a flaw in Fortinet firewall systems to bypass the security perimeters protecting some of the UK's most critical national infrastructure. Rather than relying on the firewall flaw alone, the operators paired it with credential data stolen in earlier breaches, allowing them to walk past defences with valid logins rather than forced entry. The campaign remains active. Security researcher Volodymyr Diachenko, who first identified the intrusion, reported that hackers are converting compromised devices into collection hubs for continued data harvesting, and warned that the breach reaches into "core networks" within the Foreign Office. With more than 80,000 Fortinet firewalls implicated, this is a broad, systemic exposure rather than an isolated incident.
What Was Taken
A list of breached accounts reviewed by The Telegraph shows that credentials for overseas Foreign Office staff and local government officials across the UK have been exposed. The stolen data pairs email addresses with their matching passwords, giving buyers a direct path into sensitive government systems. Confirmed exposures include IT staff at British embassies in Thailand and Mauritius, as well as officials in Derbyshire and Waltham Forest in east London. Beyond central and local government, the credentials up for sale cover institutions delivering critical services and national infrastructure, including the NHS, energy providers, and key suppliers of medicines across the country. The inclusion of IT staff logins is especially serious, as those accounts often carry elevated access to internal networks.
Why It Matters
This breach is not merely an embarrassment for Whitehall; it is a live foothold inside government and critical infrastructure networks. Because the logins are being openly traded, the threat extends beyond the original Russian operators to anyone willing to pay, dramatically widening the pool of potential attackers. The healthcare exposure is the sharpest concern. Dr Saif Abed, a former NHS doctor and cyber security expert, warned the breach could trigger a "catastrophic" incident affecting patient safety, noting that "NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed" and that this is "exactly the type of hack that's the first step for launching catastrophic ransomware attacks." The June 2024 attack on pathology firm Synnovis, believed to be Russian-backed, offers a grim precedent: it caused the cancellation of more than 1,000 operations and 2,000 appointments.
The Attack Technique
FortiBleed combines a Fortinet firewall vulnerability with credential replay. Attackers exploited the firewall flaw to breach the network perimeter, then replayed valid credentials harvested from previous leaks, in what an alert on the activity described as a brute-force pattern of access. That description fits: replaying leaked username and password pairs (often called credential stuffing) produces many attempts across many accounts, most of them failing, with the occasional success wherever a leaked password was still in use. Once inside, compromised Fortinet devices were repurposed as collection hubs, quietly harvesting further data and credentials to enable lateral movement deeper into government networks. This approach is hard to detect because it leans on legitimate logins rather than obvious malware, letting the operators blend in with normal authenticated activity while steadily expanding their reach across Whitehall departments and connected infrastructure. Where there is a tell, it is in the authentication logs: bursts of failures from a single source address against many different accounts, followed by a success from an address the account holder has never used.
What Organizations Should Do
- Patch immediately: Apply all available Fortinet security updates for the affected firewall models and confirm the running firmware version on every device against the vendor advisory, prioritising internet-facing appliances. Where a device cannot be patched promptly, restrict its management and VPN interfaces from the internet in the meantime.
- Force credential resets: Rotate passwords for all potentially affected accounts, especially IT and administrative staff, and invalidate active sessions and tokens. Include the local administrator accounts on the firewalls themselves and any service credentials (directory bind accounts, VPN secrets) configured on them, since a compromised appliance may have exposed whatever it held.
- Enforce phishing-resistant MFA: Deploy multi-factor authentication everywhere, preferring phishing-resistant methods (hardware security keys, FIDO2/WebAuthn, certificate-based authentication) over SMS or one-time codes, so that a stolen username and password pair alone cannot grant access to sensitive systems.
- Hunt for compromise: Review firewall and authentication logs for one source address cycling through many accounts, repeated failures followed by a success, and logins from locations or at hours the account holder never uses; check the appliances for new or modified administrator accounts and unexplained configuration changes; and look for unexpected outbound traffic from the firewalls themselves, which would indicate they are being used as data collection hubs.
- Segment and isolate critical systems: Separate NHS, energy, and supply-chain networks from general corporate access to limit blast radius if credentials are abused.
- Monitor dark web exposure: Track forums and credential markets for organisational accounts and assume any leaked login is already in adversary hands.
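The "Hunt for compromise" and "Force credential resets" steps above can be turned into a first-pass triage script. The following is an added example written for this article; it is not code from The Telegraph's reporting, from Fortinet, or from any of the researchers quoted. The log lines are constructed in a simplified key=value layout (not any vendor's real schema), and the thresholds are assumptions to tune against your own baseline. It flags the credential-replay signature (one source trying many accounts), classic brute force (many failures against one account from one source), and then lists the accounts whose successful logins came from a flagged source, which are the ones to reset first.

```python
"""Triage firewall authentication logs for credential replay and brute force.

Added example for this article; not code from the article, from Fortinet, or
from the researchers it quotes. SAMPLE_LOGS is constructed in a simplified
key=value layout, so adapt parse() to the schema your appliances actually export.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 replays leaked credentials against six accounts
# and gets one of them (bob) right; 198.51.100.9 hammers a single admin account
# until it succeeds; the 192.0.2.x lines are ordinary staff activity, including
# a normal typo-then-success for carol that should NOT be flagged.
SAMPLE_LOGS = """\
time=08:00:01 action=login status=success user=alice srcip=192.0.2.10
time=08:00:14 action=login status=failed user=carol srcip=192.0.2.11
time=08:00:22 action=login status=success user=carol srcip=192.0.2.11
time=08:01:02 action=login status=failed user=alice srcip=203.0.113.7
time=08:01:03 action=login status=success user=bob srcip=203.0.113.7
time=08:01:04 action=login status=failed user=carol srcip=203.0.113.7
time=08:01:05 action=login status=failed user=dave srcip=203.0.113.7
time=08:01:06 action=login status=failed user=erin srcip=203.0.113.7
time=08:01:07 action=login status=failed user=frank srcip=203.0.113.7
time=08:02:00 action=login status=failed user=admin srcip=198.51.100.9
time=08:02:01 action=login status=failed user=admin srcip=198.51.100.9
time=08:02:02 action=login status=failed user=admin srcip=198.51.100.9
time=08:02:03 action=login status=failed user=admin srcip=198.51.100.9
time=08:02:04 action=login status=success user=admin srcip=198.51.100.9
"""


def parse(text):
    """Turn key=value lines into dicts, keeping only login events."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("action") == "login":
            events.append(fields)
    return events


def spray_sources(events, min_accounts=5):
    """Credential replay / password spraying: one source, many distinct accounts.
    Returns {srcip: sorted list of usernames tried} for sources over the threshold."""
    users_by_src = defaultdict(set)
    for e in events:
        users_by_src[e["srcip"]].add(e["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_accounts}


def brute_force_pairs(events, min_failures=3):
    """Classic brute force: repeated failures for one account from one source.
    Returns {(srcip, user): failure count} for pairs over the threshold."""
    fails = defaultdict(int)
    for e in events:
        if e["status"] == "failed":
            fails[(e["srcip"], e["user"])] += 1
    return {pair: n for pair, n in fails.items() if n >= min_failures}


def likely_compromised(events, min_accounts=5, min_failures=3):
    """Accounts to reset first: any successful login from a source flagged as a
    sprayer, or a success for an account that source was brute-forcing."""
    sprayers = spray_sources(events, min_accounts)
    bruted = brute_force_pairs(events, min_failures)
    hits = set()
    for e in events:
        if e["status"] != "success":
            continue
        if e["srcip"] in sprayers or (e["srcip"], e["user"]) in bruted:
            hits.add((e["user"], e["srcip"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("spray sources:", spray_sources(evs))
    print("brute force:", brute_force_pairs(evs))
    print("reset these first:", likely_compromised(evs))
```

Two simplifications are deliberate: the detectors ignore time ordering and windowing, which is fine for a short export but should be bucketed by time window on a day's worth of logs, and nothing here enriches the source address with geolocation or known-VPN data. Both are easy additions once the log schema is real; the point is that a source cycling through many accounts with a lone success is the shape of a credential-replay hit, and carol's single typo is not.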