Hackers behind the FortiBleed credential harvesting campaign have stolen login credentials belonging to employees of the UK’s Foreign, Commonwealth and Development Office (FCDO), with the compromised accounts now being advertised on dark web marketplaces alongside credentials from local councils and critical infrastructure organizations.
The campaign targets internet-facing Fortinet firewalls and VPN gateways by using credential stuffing and brute-force attacks against usernames and passwords leaked in previous data breaches. Rather than exploiting a new software vulnerability, the attackers continuously test recycled credentials until they find accounts that still use the same passwords.
According to researchers, the operation has harvested more than 30,000 verified Fortinet credentials from organizations across 194 countries. Security firm SOCRadar said the attackers have built a continuously updated database of working usernames and passwords, which are now being sold to other cybercriminals.
Among the UK victims are reportedly Foreign Office personnel stationed at British diplomatic missions in Thailand and Mauritius, as well as employees from Derbyshire County Council and Waltham Forest Council. Researchers warn that valid VPN credentials could allow attackers to remotely access internal corporate networks, create new administrator accounts, alter firewall configurations, and establish long-term persistence.
The breach extends beyond government agencies. Investigators say credentials linked to NHS organizations, energy providers, pharmaceutical suppliers, and other critical infrastructure operators have also appeared in the stolen dataset, raising concerns that ransomware groups could purchase the access and use it to launch follow-on attacks.
The UK’s National Cyber Security Centre (NCSC) has confirmed that organizations using Fortinet firewalls and VPN appliances are being targeted in an ongoing global campaign. The agency is urging administrators to immediately reset reused or default passwords, audit authentication logs for suspicious activity, enable multi-factor authentication where possible, and review systems for unauthorized accounts or configuration changes.
Although researchers say portions of the malware and infrastructure contain Russian-language elements, there is currently no public evidence directly linking the campaign to the Russian government. Security experts caution that Russian-speaking cybercriminal groups frequently operate independently, making attribution difficult without intelligence beyond the technical indicators.
