UK Foreign Office logins stolen in Fortibleed cyberattack, sold on dark web
Compromised Fortinet credentials have now become a national security concern.

- UK Foreign Office credentials compromised, including privileged firewall and VPN logins from British embassies in Thailand and Mauritius.
- Logins actively being sold on dark web markets by "SantaAd" for up to $60,000, raising fears of follow-on ransomware attacks on government and critical infrastructure.
- NHS, energy firms and medicine suppliers also feature in the exposed dataset, broadening the national security concern beyond central government.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Hackers behind a global credential harvesting campaign known as Fortibleed have stolen login credentials belonging to the UK’s Foreign Office (FCDO) as well as several local councils, with the compromised accounts now being sold on dark web marketplaces.
Fortibleed is an ongoing criminal campaign targeting internet-facing Fortinet firewalls and VPN gateways.
The campaign has created an illicit database by harvesting more than 30,000 verified Fortinet user names and passwords from organizations across 194 countries by recycling credentials exposed in previous breaches and continually testing them against internet connected devices to see which ones still work.
Now the Telegraph is reporting that the compromised UK accounts include privileged Fortinet firewall and VPN credentials rather than ordinary email passwords, potentially giving attackers direct access to sensitive government networks.
Researchers identified specific UK government and FCDO credentials within the dataset, alongside accounts belonging to local authorities.
Logins offered on darkweb
Among the compromised organizations are IT staff at British embassies in Thailand and Mauritius, as well as employees at Derbyshire and Waltham Forest councils.
A threat actor using the alias “SantaAd” is reportedly advertising access to the stolen credentials for as much as $60,000, (£44,000) raising fears the logins could be used in follow-on ransomware attacks or other intrusions targeting government departments and UK critical infrastructure.
Credentials belonging to energy companies, NHS organizations, pharmacies, and medicine suppliers were also reported to feature in the exposed dataset.
"Brute force" attacks
According to Fortinet, the campaign does not rely on a newly discovered vulnerability in its products.
Instead, the attackers recycled credentials leaked in previous incidents and used automated password-guessing attacks (sometimes referred to as "brute force") to identify Fortinet devices where those credentials still work, particularly those without multi-factor authentication (MFA).
In advice issued last month, the UK’s National Cyber Security Centre urged organizations using Fortinet firewalls and VPNs to audit their systems, investigate for signs of compromise, and isolate affected devices where necessary.
National security concern
Security researcher Volodymyr “Bob” Diachenko, who first uncovered the campaign, told the Telegraph the stolen logins could provide access to “core networks” within the Foreign Office and warned that other government departments could have been affected.
"Stolen logins could provide access to core networks within the Foreign Office."Security researcher Volodymyr “Bob” Diachenko
Although Russian language code was reportedly found within the attackers tooling, there is no confirmed evidence linking the operation directly with the Russian state.
Other experts advise that these latest claims be treated with caution and suggest that criminals might be exaggerating the amount of damage they've caused.
Commenting on this Dray Agha, senior manager of security operations at Huntress, said: "It's worth us trying to separate fact from fiction. While the 'Fortibleed' credential dump is undeniably real and a notable security event, the cybercriminal's grandiose claims to have compromised UK government entities should be viewed with a healthy dose of skepticism."
"It's highly probable the attackers have secured peripheral access, but they are almost certainly sensationalizing the true depth of their infiltration to inflate their own notoriety and the value of their stolen data."Dray Agha, senior manager of security operationsm Huntress.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
Previously, researcher Kevin Beaumont said in his blog that the operation appears more consistent with financially motivated cybercriminals than a state-backed campaign, despite some reused credentials originating from a known Russian ransomware group.
However, the NCSC has warned that politically motivated "hacktivists" and profit-driven cybercriminals are merging.