FortiBleed - The UK Government Email Breach
by Jon Budzynski - Tue 07 Jul 2026The world of cyber security is never quiet – but a new campaign, nicknamed FortiBleed, has raised the stakes for UK organisations yet again.
Russian‑linked attackers have stolen login credentials from UK government officials, Foreign Office staff and critical public‑sector networks, then put that access up for sale on the dark web – with some accounts reportedly advertised for up to £40,000–£44,000.
This isn’t just a government issue. It’s a wake‑up call for any organisation that relies on firewalls, VPNs and cloud services to protect sensitive data.
What Is FortiBleed?
FortiBleed is the name researchers have given to a large‑scale credential‑harvesting campaign targeting Fortinet FortiGate firewalls and VPN gateways exposed to the internet.
Instead of a single “magic” exploit, the attackers have used a mix of brute‑force attacks, credential stuffing (trying previously leaked passwords on new systems) and older Fortinet authentication‑bypass vulnerabilities to gain administrator access to thousands of devices worldwide.
Security firms tracking the campaign estimate that tens of thousands of Fortinet firewalls have been affected globally – one recent assessment put the number at over 80,000 devices across 194 countries.
Once the attackers control a firewall or VPN gateway, they deploy tools to capture authentication traffic and configuration files, effectively “bleeding” usernames and passwords for a wide range of internal systems.
Fortinet itself has stressed that this is not a fresh breach of its cloud services, but rather a campaign that abuses weak passwords, unmanaged internet‑facing devices and previously exposed credentials.
What Happened to UK Government Email Accounts?
According to multiple reports, FortiBleed has exposed email logins for:
- Overseas Foreign Office staff, including IT teams at British embassies in Thailand and Mauritius.
- Local government officials in councils such as Derbyshire and Waltham Forest.
- Accounts tied to NHS organisations, energy suppliers and key medicines distributors.
Attackers stole email addresses and matching passwords, giving them the ability, at least in theory, to log into sensitive systems and move laterally inside government networks.
Access to some of these accounts is now being offered for sale on dark‑web marketplaces, with prices reported at up to around £40,000–£44,000 per set of credentials.
The National Cyber Security Centre (NCSC) has confirmed that a global campaign is targeting Fortinet firewall and VPN equipment, and has urged organisations to urgently check whether their devices have been affected.
That includes looking for unauthorised administrator accounts, unusual sign‑in activity and signs that devices have been configured to log or forward credentials.
Who Is Behind FortiBleed?
Threat‑intelligence firms and media reports agree on three key points:
- The campaign is financially motivated, not clearly state‑sponsored.
- Technical evidence points to Russian‑speaking operators, including code written in Russian and operational links to Russian‑language ransomware‑as‑a‑service ecosystems.
- FortiBleed is increasingly being used as a pipeline into ransomware attacks, feeding stolen VPN and admin credentials into groups such as INC and Lynx.
In other words, this isn’t simply about spying on government emails – it’s about selling high‑value access to anyone willing to pay, which can then be exploited for data theft, extortion or disruptive ransomware.
For UK public‑sector bodies already stretched on cyber budgets, that combination of broad exposure and highly monetised access is particularly concerning.
Why UK Businesses and Charities Should Care
You might not be running Foreign Office networks from Yeovil or Taunton – but FortiBleed’s lessons apply directly to everyday UK organisations.
Three themes stand out:
Perimeter devices are prime targets. Firewalls, VPN gateways and remote‑access tools sit at the edge of your network and are often directly accessible from the internet. If they aren’t hardened and monitored, they can quietly leak credentials or provide attackers with a foothold.
Password‑only access is no longer enough. Fortinet has bluntly pointed out that reused, weak or unprotected credentials are a core part of this campaign. Even if your firewall itself is patched, an admin account secured only by a simple password is now a serious risk.
Supply‑chain and shared platforms amplify impact. Many UK organisations use similar firewall models, cloud platforms and VPN services. When attackers find a scalable method to harvest credentials from one vendor, the risk to “every organisation” increases quickly – as Arctic Wolf’s CISO put it, FortiBleed has driven risk up “exponentially”.
A call to local government, charities and SMEs: don’t assume that a breach affecting Whitehall is someone else’s problem. The same techniques are being used against councils, NHS bodies, energy firms and smaller organisations with limited in‑house security capacity.
Practical Steps Mark One Recommends
If your organisation uses Fortinet firewall or VPN equipment – or any internet‑facing remote‑access service – there are some immediate actions we’d recommend, in line with NCSC and vendor guidance:
- Audit your perimeter devices. Confirm exactly which firewalls, VPN gateways and remote‑access tools you run, and ensure they are fully patched to the latest firmware and security updates.
- Check for compromise indicators. Review logs for unusual admin sign‑ins, new accounts you don’t recognise, unexpected configuration changes or data being sent to unknown external destinations.
- Reset risky passwords. Change any default, generic or reused passwords for firewall, VPN and remote‑access accounts, and ensure that new credentials are strong, unique and stored in a password manager.
- Enable multi‑factor authentication (MFA). For all remote‑admin and VPN access, MFA should now be considered mandatory, not optional. Even if a password is stolen, MFA can significantly reduce the chance of an attacker logging in successfully.
- Lock down who can log in from where. Use IP allow‑lists, conditional access rules or dedicated admin VPNs to ensure that only authorised locations and users can reach your management interfaces.
- Register with NCSC’s Early Warning service. Public‑sector organisations and many UK businesses can benefit from Early Warning alerts about suspicious activity linked to their networks.
- Review your incident response and backup plans. FortiBleed is closely tied to ransomware, so making sure you can restore from backups and communicate during an email outage is vital.
- Train staff to spot suspicious sign‑ins and phishing. Credential‑harvesting rarely happens in isolation – phishing emails and fake login pages remain part of many campaigns.
At Mark One, we’re already helping organisations across the South West and beyond to review their firewall configurations, harden VPN access and put sensible incident‑response plans in place.
If you’re unsure whether your Fortinet devices – or other perimeter systems – might be exposed, we can run a targeted review and help you decide on the right remediation steps for your environment.
FortiBleed proves that attackers no longer need to “break in” to every network individually... once they find a scalable way to harvest credentials from common platforms, they can sell that access on to whoever wants it.
For UK organisations, especially in government, health, energy and the charity sector, this should be a prompt to revisit basic cyber hygiene: patching, password policies, MFA and clear incident‑response processes.
You don’t need to wait for a headline‑grabbing incident to tighten things up. If you’d like support reviewing your firewall and VPN exposure – or just want a straightforward conversation about where to start – the Mark One team is here to help.