Russian hackers have infiltrated the email accounts of UK government officials and overseas Foreign Office staff in a major national security breach.
In the sophisticated and ongoing attack – nicknamed FortiBleed by researchers – hackers stole login credentials belonging to government staff, granting unauthorised access to sensitive systems and threatening further infiltration across Whitehall departments.
The breach compromised more than 80,000 firewalls provided by Fortinet, a cyber security company.
Exploiting a vulnerability in the systems, the attackers used previously stolen data to bypass security perimeters designed to protect some of the UK’s most critical national infrastructure.
A list of breached accounts seen by The Telegraph reveals that credentials for overseas Foreign Office staff and local government officials across the UK have been exposed.
The breach included emails and coinciding passwords, allowing hackers – and anyone willing to pay them – the potential ability to infiltrate sensitive Whitehall systems. Dark web forums are trading access to the logins for as much as $60,000 (£44,000).
Breached accounts include those belonging to IT staff at British embassies in Thailand and Mauritius, as well as staff in Derbyshire and Waltham Forest, east London.
Breach could trigger ‘catastrophic’ NHS incident
Among the credentials up for sale are login details for a range of institutions providing critical services and national infrastructure, including the NHS, energy providers and key suppliers of medicines across the country.
Dr Saif Abed, a former NHS doctor who is now a cyber security expert, warned that the breach could trigger a “catastrophic” incident affecting patient safety.
“NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed,” he said. “This is exactly the type of hack that’s the first step for launching catastrophic ransomware attacks that can threaten patient safety across the country.”
Healthcare suppliers are critical targets for hostile actors because attacks on their IT systems can quickly affect the daily functioning of hospitals.
In June 2024, cyber attackers, believed to be Russian-backed hacked IT systems run by pathology service company Synnovis, leading to the cancellation of more than 1,000 operations and 2,000 appointments.
Alert confirms ‘brute force’ attack
The latest attack, first identified by Volodymyr Diachenko, a cyber security researcher, remains active. Hackers are reportedly using valid credentials from previous leaks to turn compromised devices into collection hubs for further data harvesting.
Mr Diachenko said the breach provided access to “core networks” within the Foreign Office and could see other government departments becoming affected.
The underlying code for the hack, analysed by The Telegraph, is written in Russian.
An operator using the handle “SantaAd” is currently offering access to the stolen credentials on dark web forums. A suspected Telegram account for the hacker did not respond to requests for comment.
The National Cyber Security Centre (NCSC) has issued an urgent alert confirming a “brute force” attack on Fortinet systems. Organisations have been instructed to audit their networks and immediately isolate any breached devices.
No evidence of state involvement
There is no evidence of state involvement in the breach. However, hackers working from Russia are seen as a useful tool of global disruption to whom the Kremlin is happy to turn a blind eye.
In May 2024, the director of GCHQ, the UK’s communications intelligence agency, warned that Russia was increasingly looking to direct hackers towards attacks on British targets.
In her first major speech as the head of the intelligence agency, Anne Keast-Butler said that GCHQ was “increasingly concerned about growing links” between the Russian intelligence services and proxy hacker groups.
She said: “Before, Russia simply created the right environments for these groups to operate, but now they’re nurturing and inspiring these non-state cyber actors.”
Hackers benefit from a quid pro quo relationship with the Russian state whereby they can enjoy sanctuary in Russia, from where they carry out cyber attacks – so long as they do not cross Moscow’s red lines or cause too much diplomatic uproar.
An NCSC spokesman said: “We have provided support to organisations in the UK affected by malicious targeting of Fortinet edge devices globally.
“Organisations using Fortinet VPN and firewalls should change all default or reused passwords as set out by the advice available on the NCSC website.
“To stay alert to malicious activity on your networks, the NCSC recommends signing up for its Early Warning service to gain potentially invaluable time to help detect and stop attacks.”
The Foreign Office and the NHS were approached for comment.
-The Telegraph
In the sophisticated and ongoing attack – nicknamed FortiBleed by researchers – hackers stole login credentials belonging to government staff, granting unauthorised access to sensitive systems and threatening further infiltration across Whitehall departments.
The breach compromised more than 80,000 firewalls provided by Fortinet, a cyber security company.
Exploiting a vulnerability in the systems, the attackers used previously stolen data to bypass security perimeters designed to protect some of the UK’s most critical national infrastructure.
A list of breached accounts seen by The Telegraph reveals that credentials for overseas Foreign Office staff and local government officials across the UK have been exposed.
The breach included emails and coinciding passwords, allowing hackers – and anyone willing to pay them – the potential ability to infiltrate sensitive Whitehall systems. Dark web forums are trading access to the logins for as much as $60,000 (£44,000).
Breached accounts include those belonging to IT staff at British embassies in Thailand and Mauritius, as well as staff in Derbyshire and Waltham Forest, east London.
Breach could trigger ‘catastrophic’ NHS incident
Among the credentials up for sale are login details for a range of institutions providing critical services and national infrastructure, including the NHS, energy providers and key suppliers of medicines across the country.
Dr Saif Abed, a former NHS doctor who is now a cyber security expert, warned that the breach could trigger a “catastrophic” incident affecting patient safety.
“NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed,” he said. “This is exactly the type of hack that’s the first step for launching catastrophic ransomware attacks that can threaten patient safety across the country.”
Healthcare suppliers are critical targets for hostile actors because attacks on their IT systems can quickly affect the daily functioning of hospitals.
In June 2024, cyber attackers, believed to be Russian-backed hacked IT systems run by pathology service company Synnovis, leading to the cancellation of more than 1,000 operations and 2,000 appointments.
Alert confirms ‘brute force’ attack
The latest attack, first identified by Volodymyr Diachenko, a cyber security researcher, remains active. Hackers are reportedly using valid credentials from previous leaks to turn compromised devices into collection hubs for further data harvesting.
Mr Diachenko said the breach provided access to “core networks” within the Foreign Office and could see other government departments becoming affected.
The underlying code for the hack, analysed by The Telegraph, is written in Russian.
An operator using the handle “SantaAd” is currently offering access to the stolen credentials on dark web forums. A suspected Telegram account for the hacker did not respond to requests for comment.
The National Cyber Security Centre (NCSC) has issued an urgent alert confirming a “brute force” attack on Fortinet systems. Organisations have been instructed to audit their networks and immediately isolate any breached devices.
No evidence of state involvement
There is no evidence of state involvement in the breach. However, hackers working from Russia are seen as a useful tool of global disruption to whom the Kremlin is happy to turn a blind eye.
In May 2024, the director of GCHQ, the UK’s communications intelligence agency, warned that Russia was increasingly looking to direct hackers towards attacks on British targets.
In her first major speech as the head of the intelligence agency, Anne Keast-Butler said that GCHQ was “increasingly concerned about growing links” between the Russian intelligence services and proxy hacker groups.
She said: “Before, Russia simply created the right environments for these groups to operate, but now they’re nurturing and inspiring these non-state cyber actors.”
Hackers benefit from a quid pro quo relationship with the Russian state whereby they can enjoy sanctuary in Russia, from where they carry out cyber attacks – so long as they do not cross Moscow’s red lines or cause too much diplomatic uproar.
An NCSC spokesman said: “We have provided support to organisations in the UK affected by malicious targeting of Fortinet edge devices globally.
“Organisations using Fortinet VPN and firewalls should change all default or reused passwords as set out by the advice available on the NCSC website.
“To stay alert to malicious activity on your networks, the NCSC recommends signing up for its Early Warning service to gain potentially invaluable time to help detect and stop attacks.”
The Foreign Office and the NHS were approached for comment.
-The Telegraph
Latest News
Singapore, Indonesia sign carbon credits pact
Local
06 July 2026
Uefa slams 'unjustifiable' decision over Balogun's red-card ban
Local
06 July 2026
Mojtaba Khamenei has - so far - been missing from the funeral
Local
06 July 2026
Buckingham Palace says Prince Harry will not stay at palace
Local
06 July 2026
Stanley Lifestyles enters Lanka through partnership with Singer
Local
06 July 2026
Trump goads Italy's Meloni again on eve of NATO summit
Local
06 July 2026
From Colombo to Canary Wharf: ISSO Prawn Crazy breaks global hospitality barriers
Local
06 July 2026
Nation Lanka Finance PLC Administrator’s term extended
Local
06 July 2026
Thousands evacuated from homes in southwest France as wildfire burns
Local
06 July 2026
Infinity Rover pyramid scheme probed
Local
06 July 2026