UK Government Credentials Reportedly Stolen in FortiBleed Campaign Targeting Fortinet Devices

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Incident reported: UK government credentials were reportedly stolen in a campaign targeting Fortinet firewalls and VPN gateways.
  • Official response: The UK's NCSC has issued guidance on the wider FortiBleed campaign and recommended immediate defensive measures.
  • Dark Web Sale: Hackers are allegedly selling access to government accounts on breach forums.

Login credentials belonging to UK government employees, including staff connected to the Foreign, Commonwealth & Development Office (FCDO), may have been stolen as part of a campaign targeting Fortinet firewalls and VPN gateways. While media reports describe government accounts among the exposed credentials, official confirmation of the reported compromise has not been issued.

UK Government, Russian Hackers

According to The Telegraph, stolen credentials from overseas Foreign Office employees and local government staff have allegedly been offered for sale on cybercrime forums for up to $60,000. Yet, the number of affected government accounts has not been publicly disclosed.

SOCRadar's Threat Research Unit (STRU) linked the credential theft operation to Ransomware-as-a-Service (RaaS) groups INC Ransom and Lynx

Credential stuffing is visible on the surface, but the FortiBleed operation, and its confirmed link to INC and Lynx ransomware, runs deeper | Source: SOC Radar
Credential stuffing is visible on the surface, but the FortiBleed operation, and its confirmed link to INC and Lynx ransomware, runs deeper | Source: SOC Radar

The reported incident follows the emergence of FortiBleed, a campaign running since at least February 2026 that has targeted 80,000+ internet-facing Fortinet firewalls.

STRU said analysis pointed to Russian-speaking hackers and focused on NATO member countries, most affecting India, the U.S., Taiwan, and Mexico. Compromised companies allegedly include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.

NCSC Advisory Warns Organizations About FortiBleed Threats

The U.K. National Cyber Security Centre (NCSC) has acknowledged the broader FortiBleed campaign and published guidance warning organizations that Fortinet firewalls and VPN gateways have been targeted through brute-force, dictionary and credential-stuffing attacks. 

The agency said leaked credential databases may affect organizations that rely on vulnerable or improperly secured systems. The NCSC advises organizations to:

Why FortiBleed Matters for Fortinet Users

The reported theft of government credentials highlights the potential impact of attacks against perimeter security devices that protect enterprise and public-sector networks. “NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed,” former NHS doctor and cybersecurity expert Dr Saif Abed told The Telegraph. 

Even where individual reports remain under investigation, the NCSC's advisory confirms that organizations using Fortinet infrastructure should treat the campaign as an active threat and review their security posture.

Recent INC Ransom breach claims include the Wisconsin Denmark School District and the Florida Cocoa City. An April analysis concluded that the 2024 NHS ransomware attack still causes healthcare disruption. 


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: