International06 July 2026

Russian hackers steal UK government logins

Russian hackers have infiltrated the email accounts of UK government officials and overseas Foreign Office staff in a major national security breach.

In the sophisticated and ongoing attack – nicknamed FortiBleed by researchers – hackers stole login credentials belonging to government staff, granting unauthorised access to sensitive systems and threatening further infiltration across Whitehall departments.

The breach compromised more than 80,000 firewalls provided by Fortinet, a cyber security company.

Exploiting a vulnerability in the systems, the attackers used previously stolen data to bypass security perimeters designed to protect some of the UK’s most critical national infrastructure.

A list of breached accounts seen by The Telegraph reveals that credentials for overseas Foreign Office staff and local government officials across the UK have been exposed.

The breach included emails and coinciding passwords, allowing hackers – and anyone willing to pay them – the potential ability to infiltrate sensitive Whitehall systems. Dark web forums are trading access to the logins for as much as $60,000 (£44,000).

Breached accounts include those belonging to IT staff at British embassies in Thailand and Mauritius, as well as staff in Derbyshire and Waltham Forest, east London.

Breach could trigger ‘catastrophic’ NHS incident

Among the credentials up for sale are login details for a range of institutions providing critical services and national infrastructure, including the NHS, energy providers and key suppliers of medicines across the country.

Dr Saif Abed, a former NHS doctor who is now a cyber security expert, warned that the breach could trigger a “catastrophic” incident affecting patient safety.

“NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed,” he said. “This is exactly the type of hack that’s the first step for launching catastrophic ransomware attacks that can threaten patient safety across the country.”

Healthcare suppliers are critical targets for hostile actors because attacks on their IT systems can quickly affect the daily functioning of hospitals.

In June 2024, cyber attackers, believed to be Russian-backed hacked IT systems run by pathology service company Synnovis, leading to the cancellation of more than 1,000 operations and 2,000 appointments.

Alert confirms ‘brute force’ attack

The latest attack, first identified by Volodymyr Diachenko, a cyber security researcher, remains active. Hackers are reportedly using valid credentials from previous leaks to turn compromised devices into collection hubs for further data harvesting.

Mr Diachenko said the breach provided access to “core networks” within the Foreign Office and could see other government departments becoming affected.

The underlying code for the hack, analysed by The Telegraph, is written in Russian.

An operator using the handle “SantaAd” is currently offering access to the stolen credentials on dark web forums. A suspected Telegram account for the hacker did not respond to requests for comment.

The National Cyber Security Centre (NCSC) has issued an urgent alert confirming a “brute force” attack on Fortinet systems. Organisations have been instructed to audit their networks and immediately isolate any breached devices.

No evidence of state involvement

There is no evidence of state involvement in the breach. However, hackers working from Russia are seen as a useful tool of global disruption to whom the Kremlin is happy to turn a blind eye.

In May 2024, the director of GCHQ, the UK’s communications intelligence agency, warned that Russia was increasingly looking to direct hackers towards attacks on British targets.

In her first major speech as the head of the intelligence agency, Anne Keast-Butler said that GCHQ was “increasingly concerned about growing links” between the Russian intelligence services and proxy hacker groups.

She said: “Before, Russia simply created the right environments for these groups to operate, but now they’re nurturing and inspiring these non-state cyber actors.”

Hackers benefit from a quid pro quo relationship with the Russian state whereby they can enjoy sanctuary in Russia, from where they carry out cyber attacks – so long as they do not cross Moscow’s red lines or cause too much diplomatic uproar.

An NCSC spokesman said: “We have provided support to organisations in the UK affected by malicious targeting of Fortinet edge devices globally.

“Organisations using Fortinet VPN and firewalls should change all default or reused passwords as set out by the advice available on the NCSC website.

“To stay alert to malicious activity on your networks, the NCSC recommends signing up for its Early Warning service to gain potentially invaluable time to help detect and stop attacks.”

The Foreign Office and the NHS were approached for comment.

-The Telegraph
Related recommendation
Hiru TV News | Programmes