The Fortibleed cyberattack has reportedly exposed privileged login credentials belonging to the UK’s Foreign, Commonwealth and Development Office (FCDO). Researchers say the stolen accounts are now being offered for sale on dark web marketplaces. The leaked dataset also includes credentials linked to local councils, NHS organizations, and companies operating in critical sectors.
Security experts warn that the exposed logins could become valuable targets for ransomware groups and other cybercriminals.
Fortibleed Cyberattack Harvests Valid Fortinet Credentials
The Fortibleed cyberattack targets internet-facing Fortinet firewalls and VPN gateways.
Researchers say the attackers do not rely on a newly discovered software flaw. Instead, they recycle usernames and passwords exposed in earlier data breaches. They then use automated password-testing attacks to identify Fortinet systems where those credentials still work.
The campaign has reportedly collected more than 30,000 verified Fortinet usernames and passwords. The accounts belong to organizations across 194 countries.
UK Government Accounts Appear in the Dataset
According to The Telegraph, the leaked dataset contains privileged Fortinet firewall and VPN credentials linked to the UK’s Foreign Office.
These are not ordinary email passwords. If they remain active, they could provide direct access to protected government systems.
Researchers also identified accounts connected to British embassies in Thailand and Mauritius. Credentials belonging to Derbyshire and Waltham Forest councils were also found.
The discovery has raised concerns that additional UK government organizations could also be affected.
Threat Actor Offers Access for Up to $60,000
A threat actor using the alias SantaAd is reportedly advertising access to the stolen credentials on dark web marketplaces.
Some of the access packages are listed for as much as $60,000 (£44,000).
Security researchers warn that ransomware groups frequently buy this type of access. Existing credentials allow attackers to bypass many initial security barriers.
NHS and Critical Infrastructure Also Impacted
The exposed dataset extends beyond government organizations.
Researchers found credentials linked to NHS organizations, energy companies, pharmacies, and medicine suppliers.
That broad range of victims has increased concerns about the potential impact of the Fortibleed cyberattack. Compromised accounts in critical sectors could create opportunities for future attacks.
Fortinet Says No New Vulnerability Was Exploited
Fortinet says the campaign does not exploit a newly discovered vulnerability.
Instead, attackers reuse credentials leaked during previous incidents. Automated password-guessing tools then test those credentials against internet-connected Fortinet devices.
Systems that lack multi-factor authentication remain particularly vulnerable. A previously stolen password may still provide direct access if additional protections are missing.
UK Cyber Authorities Issue Security Advice
Last month, the UK’s National Cyber Security Centre issued guidance for organizations using Fortinet firewalls and VPN appliances.
The agency urged organizations to review authentication logs and investigate any signs of unauthorized access.
It also recommended isolating affected devices where necessary.
Security teams should reset exposed credentials and enable multi-factor authentication wherever possible.
Researchers Urge Caution Over Criminal Claims
Security researcher Volodymyr “Bob” Diachenko, who first uncovered the campaign, warned that the stolen credentials could provide access to core Foreign Office networks.
However, investigators have not linked the operation directly to the Russian government. Reports mention Russian-language code within the attackers’ tooling, but no confirmed attribution has been made.
Other researchers believe some of the criminals’ claims may be exaggerated.
Dray Agha, Senior Manager of Security Operations at Huntress, said the Fortibleed cyberattack is a genuine security concern. However, he believes the attackers may be overstating the depth of their access.
According to Agha, cybercriminals often exaggerate successful intrusions. Doing so increases both their reputation and the market value of the stolen credentials.


0 responses to “Fortibleed Attack Exposes UK Foreign Office Logins for Sale”