Full Report
Russian hackers are suspected of gaining access to Foreign Office and council systems using stolen logins. The cybercriminals breached security firewalls provided by Fortinet, a cyber security company, in an attack nicknamed FortiBleed by researchers. The hackers gained access by reusing old leaked passwords that had not been changed, which gave them access to compromised…
Analysis Summary
# Incident Report: Analysis of "FortiBleed" Breach Affecting UK Government
## Executive Summary
Russian actors suspected of state-sponsored activity gained unauthorized access to the UK Foreign, Commonwealth and Development Office (FCDO) and local council networks. The breach utilized a technique dubbed "FortiBleed," involving the mass reuse of leaked credentials to bypass Fortinet firewalls. The incident resulted in the compromise of approximately 80,000 accounts, impacting international embassy operations and local government administration.
## Incident Details
- **Discovery Date:** July 06, 2026 (Public reporting)
- **Incident Date:** Circa June/July 2026
- **Affected Organization:** Foreign, Commonwealth and Development Office (FCDO), Derbyshire Council, Waltham Forest Council
- **Sector:** Government / Public Sector
- **Geography:** UK, Mauritius, and Thailand
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to July 06, 2026)
- **Vector:** Credential Stuffing / Password Spraying
- **Details:** Attackers exploited "FortiBleed," a technique targeting Fortinet firewalls using old, leaked passwords that had not been updated by users or administrators.
### Lateral Movement
- **Details:** After bypassing the perimeter firewalls, attackers leveraged the compromised accounts to gain a foothold within the internal networks of the Foreign Office and specific UK councils.
### Data Exfiltration/Impact
- **Details:** Unauthorized access was gained to systems used by staff in international locations (Mauritius and Thailand). Potential exfiltration of sensitive diplomatic communications and local council administrative data is suspected.
### Detection & Response
- **How it was discovered:** Research identified the "FortiBleed" campaign targeting Fortinet devices.
- **Response actions taken:** Investigatory actions by the UK Foreign Office; public disclosure by cybersecurity researchers.
## Attack Methodology
- **Initial Access:** Credential Reuse (Old leaked passwords).
- **Persistence:** Maintaining access through approximately 80,000 breached firewall accounts.
- **Privilege Escalation:** Not explicitly detailed, but implied through the compromise of staff logins with network access.
- **Defense Evasion:** Bypassing security firewalls by using legitimate (though stolen) credentials.
- **Credential Access:** Reusing historically leaked data sets.
- **Lateral Movement:** Transitioning from perimeter firewall access to internal network environments.
- **Impact:** Compromise of government confidentiality and unauthorized network access.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response and potential system hardening.
- **Data Breach:** Compromise of 80,000 accounts; scope includes diplomatic and local government data.
- **Operational:** Disruption to Foreign Office staff in Thailand and Mauritius and local government services in Derbyshire and Waltham Forest.
- **Reputational:** High; highlights vulnerabilities in critical government infrastructure.
## Indicators of Compromise
- **Network indicators:** Logs showing successful logins from anomalous IP addresses to Fortinet VPN/Firewall interfaces.
- **Behavioral indicators:** Large-scale authentication attempts (password spraying) using legacy credentials; "FortiBleed" methodology.
## Response Actions
- **Containment:** Reporting indicates identification of the specific breached accounts.
- **Eradication:** Identification of firewalls using outdated credentials.
- **Recovery:** Restoration of secure access controls and notification of affected councils.
## Lessons Learned
- **Credential Hygiene:** Failure to rotate passwords after known data leaks remains a primary entry point for sophisticated actors.
- **Legacy Vulnerabilities:** Perimeter security (firewalls) is only as effective as the authentication policies governing them.
- **Third-Party Risk:** The rebranding of the attack as "FortiBleed" suggests a widespread vulnerability or methodology targeting specific vendor hardware.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce MFA on all firewall and VPN access points to render stolen passwords useless.
- **Password Policies:** Implement mandatory password resets following any major industry data breach and enforce periodic rotation.
- **Zero Trust Architecture:** Limit the "blast radius" by ensuring firewall access does not automatically grant wide-ranging internal network permissions.
- **Audit:** Conduct a comprehensive audit of all Fortinet device logs for unauthorized logins using the "FortiBleed" technique.