Resources

FortiBleed Is Now Linked to INC and Lynx Ransomware and to UK Foreign Office Logins on the Dark Web: What UK Schools, Charities and SMBs Should Do in the Four Working Days Before the Cyber Security and Resilience Bill's Lords Second Reading on 14 July 2026

SOCRadar updated its FortiBleed research this week to name INC Ransom and Lynx as the ransomware brands sitting on the other end of the credential pipeline, with twelve confirmed deployments and 354 domain-admin compromises tied back to the same operator. On Sunday 5 July The Telegraph reported that Foreign Office and UK government logins are on sale on the dark web for up to forty thousand pounds each, alongside credentials at NHS trusts, energy companies and local councils. Arctic Wolf's CISO calls the operation a repeatable credential factory. Four working days from now, on Tuesday 14 July 2026, the Cyber Security and Resilience Bill has its Lords second reading. Three jobs fit the four days: the two-hour FortiBleed exposure check and credential rotation today, the four supplier questions to the top five vendors on Monday, and the DUAA Section 164A paragraph for the complaints page on Tuesday.

Key takeaways

  • SOCRadar's Threat Research Unit updated its FortiBleed whitepaper this week to attribute the campaign to INC Ransom and Lynx ransomware. Same operator, same tooling, both negotiation panels open in the same browser session. Twelve ransomware deployments have already been confirmed from this access, with 354 domain-admin compromises out of 409 admin-level foothold cases and 11,250 scanned FortiGate portals across more than 150 countries. The initial-access-broker layer is a roughly twenty-person operation with a tiered division of labour.
  • On Sunday 5 July The Telegraph reported that credentials belonging to UK Foreign Office staff and workers at other UK government departments are being sold on Russian-language dark-web forums for up to forty thousand pounds per privileged Fortinet login. Named UK entries in the dataset include IT staff at British embassies in Thailand and Mauritius, council workers in Derbyshire and Waltham Forest, and unspecified NHS trusts, energy companies and local authorities. Arctic Wolf's CISO calls the operation a highly sophisticated and repeatable credential factory.
  • Every UK school, charity or small business running a Fortinet firewall or SSL VPN gateway that has been reachable on the open internet at any point since 1 February 2026 should assume its credentials are in the dataset unless it has proved otherwise. Job one today, two hours: run SOCRadar's free FortiBleed checker against every external FortiGate hostname or IP, rotate every admin password, SSL VPN password, pre-shared key, SNMP community string and API token, and take the management interface off the open internet before the laptop closes.
  • Job two on Monday 13 July, three hours: email the top five suppliers the same four-question note. Do you use Fortinet firewalls or SSL VPN gateways anywhere in the infrastructure that hosts our data. If yes, have you rotated all FortiGate credentials since 20 June and re-checked exposure since the 1 July INC and Lynx attribution. Have you enrolled in the NCSC's Early Warning service and Check Your Cyber Security tool. If you detect a compromise of our data in your Fortinet estate, what is the maximum time from your detection to our notification, in hours.
  • Job three on Tuesday 14 July, one hour: write the paragraph for the DUAA Section 164A complaints page. Name the FortiBleed exposure. Name what has been done about it. Name the supplier questions in flight. Name the NCSC services enrolled. Name the human who is the point of contact if a complaint arrives. Under 250 words. This is the paragraph the Section 164A thirty-day acknowledgement clock will point at if a member of staff, a parent, a donor or a supplier writes in next week to ask whether their credentials are in the dataset.

SOCRadar's Threat Research Unit updated its FortiBleed whitepaper this week to name the ransomware groups sitting on the other end of the credential pipeline. INC Ransom and Lynx. Same operator, same tooling, one negotiation console open for each brand in the same browser session. The research team that first surfaced FortiBleed in June — as a global credential-harvesting campaign against Fortinet firewalls and SSL VPN gateways — has now traced the same infrastructure through to twelve confirmed ransomware deployments, 354 domain-admin compromises and roughly two hundred previously unseen operational servers. Alongside the whitepaper, a Telegraph investigation on Sunday 5 July reported that credentials belonging to UK Foreign Office staff and to workers at other UK government departments are being auctioned on Russian-language dark-web forums, with privileged Fortinet logins going for up to £40,000 each. The dataset that Volodymyr Diachenko walked The Telegraph through also names IT staff at British embassies in Thailand and Mauritius, council workers in Derbyshire and Waltham Forest, and unspecified NHS trusts, energy companies and local authorities. On Tuesday 7 July, Arctic Wolf's chief information security officer Adam Marrè told ITPro the campaign is now best understood as a "highly sophisticated and repeatable credential factory" — a phrase that would have sounded overheated a fortnight ago and reads, this morning, as a plain description of what SOCRadar found in the operator's own files.

Four working days from now, on Tuesday 14 July 2026, the Cyber Security and Resilience (Network and Information Systems) Bill has its second reading in the Lords. Nothing in the Lords chamber next Tuesday will help the school, charity or small business whose FortiGate credentials have already left the building through a passive packet sniffer running on an unmatched edge device. That work has to happen this weekend and next week. The two-and-a-half posts that have run on this blog since post twenty-four walked the audience through the NCSC's original 18 June Fortinet alertpost twenty-nine on Sysdig's JADEPUFFER autonomous ransomware campaign, post thirty on the NCSC's Cyber Shield agentic-AI defence blueprint and this one — form a set. The AI story is loud. The FortiBleed story is quiet. The one on the audience's threat model this weekend is the quiet one.

The audience translation is short. If a school, charity or small business runs a Fortinet firewall or SSL VPN gateway that has been reachable on the open internet at any point since February 2026, the assumption is that its credentials are in the dataset. Not because the organisation has been named — SOCRadar and Arctic Wolf are deliberately withholding the client list until affected parties have been notified — but because the campaign passively sniffed authentication traffic across every FortiOS protocol that has ever existed. The 74,000 verified working credentials that were the headline number three weeks ago came from a subset of a subset. The current scan-and-sniff perimeter, per SOCRadar, is 11,250 FortiGate portals across more than 150 countries, with confirmed admin access on 409 and full domain compromise on 354. The UK — via the Foreign Office logins, the NHS trust reference and the local authority names — is not a peripheral geography in this dataset. It is one of the priority ones. The Cyber Security Breaches Survey 2025-26 finding that 38 per cent of UK businesses reported a cyber breach or attack in the last twelve months is the ambient baseline. FortiBleed is a specific top-up on that baseline for every UK organisation with a Fortinet edge in play.

Three things in the SOCRadar attribution matter for the small-organisation reader beyond the headline. First, INC Ransom and Lynx are neither the loudest nor the most exotic ransomware brands operating today; they are the most industrialised. INC has been active since mid-2023 and Lynx emerged roughly a year later, with public-source consensus that Lynx is a rebrand or code fork of INC. Both operate the standard double-extortion play — encrypt the estate, publish selected files on a leak site if the victim does not pay, run the negotiation over a Tor-based console. The point is not that INC or Lynx are inherently more dangerous than the other twenty or so RaaS brands on the Met Police cyber chief's fragmenting-cartels chart. The point is that the initial access broker layer feeding them is now known to be the same shop that quietly built a global FortiGate credential factory. Second, the SOCRadar operator-tracking document names roughly twenty people running the operation, in a tiered structure with a small core of primary operators, dedicated specialists and a back-office layer of junior operators and technical support. This is not a lone genius. It is a small business with a division of labour. Third, the compromise chain is boring in the useful sense. VPN login. Domain controller. Domain admin. Encryption. Nothing on that list is a novel technique, and nothing on it requires anything more exotic than a working FortiGate credential and time.

That last observation is the one that ties this post to the two directly ahead of it. The Cyber Shield blueprint the NCSC published on Tuesday — Peter Haigh and Harry G's plan to hardwire agentic AI into national cyber defence — will, in the two-to-five-year horizon it commits to, help build the automated red-blue-team pipelines and the federated-agent trust infrastructure that would spot a passive sniffer on 400,000-plus firewalls before it had run for four months. Sysdig's JADEPUFFER campaign — the first documented end-to-end autonomous ransomware operation — is what the same pipeline looks like on the attacker's side of the wire. Both are important. Neither of them will help a UK primary school in July 2026 whose FortiGate VPN gateway has been on the open internet with a shared admin password since 2023. FortiBleed is what happens when the fundamentals are missed. The NCSC's own Cyber Shield blueprint says as much in its "act now to strengthen the fundamentals" section — rapid patching, legacy-system reduction, secure-by-design procurement. That checklist is the closing argument for the three jobs below.

The Cyber Resilience Pledge, formally launched at Downing Street on the same Tuesday as Cyber Shield with sixty-plus signatories, asks its signatories to sign up to the NCSC Early Warning service. Early Warning is one of the two free NCSC services that will surface the FortiBleed-linked credential exposure the fastest — the other is Check Your Cyber Security, which will spot the FortiGate management interface on the open internet without the audience needing to know what to look for. Neither is more than half an hour to enrol. Both are named in Job Two.

The DUAA Section 164A complaints duty is now on Day 22. The ICO's first thirty-day commentary is expected in the week of 20 July. If a member of staff, a parent, a donor or a supplier writes in this week to ask whether their credentials are in the FortiBleed dataset, that is a Section 164A complaint the moment it lands. The DUAA-owner paragraph in Job Three below is the piece of paper the named board owner needs on their desk by close of business Tuesday 14 July. It is not a legal defence. It is a plain-English acknowledgement of the position, written before the question is asked rather than after.

Three jobs, pinned to three dates, sized to fit around a normal working week.

Job one, Friday 10 July, two hours: confirm your Fortinet exposure and rotate. This is today. Open a browser tab on SOCRadar's free FortiBleed checker at socradar.io/free-tools/fortibleed and put in the external hostname or IP of every FortiGate device the organisation owns — including the ones you inherited from a previous IT provider that "still work" and no-one has logged into since. If a device comes back matched, treat the FortiBleed credential rotation like a Priority One incident from that moment. If none come back matched, treat the rotation as prudent hygiene and complete it anyway. The rotation list matches the one post twenty-four walked through three weeks ago: every admin password, every SSL VPN user password, every pre-shared key, every SNMP community string, every API token. In parallel, pull FortiGate authentication logs back to 1 February 2026 — that is the earliest date SOCRadar has tied to the credential-sniffing campaign — and search for unfamiliar admin or VPN logins, new accounts you did not create, unexpected configuration changes, impossible-travel sessions from countries you do not do business in, and any log gaps where the ring-buffer looks trimmed. Anything in those categories is an incident. If you have no capability to do this pull yourselves and no service in place to do it for you, that is itself a finding for the board pack. Take the management interface off the open internet before you close the laptop. Restrict admin to a named allow-list. If SSL VPN is not in use, disable it. If it is in use, put a phishing-resistant MFA factor on it today and start planning the move to passkey-based ZTNA over the next quarter.

Job two, Monday 13 July, three hours: the four supplier questions on your top five vendors. The FortiBleed dataset is not just about the FortiGate at the boundary of your own network. It is about every FortiGate at the boundary of every network that holds your data. That is the supplier-chain point post twenty-eight made after the Qantas confirmation — the help-desk inside your suppliers' organisations is on your threat model whether the contract says so or not. Take the top five suppliers who hold personal data on your behalf. For a school: MIS host, safeguarding platform, parent-communications provider, cashless catering system, IT managed service provider. For a charity: donor CRM, payment processor, safeguarding case-management platform, HR/payroll bureau, IT MSP. For a small business: accounting platform, CRM, payroll bureau, ISP or VPN provider, IT MSP. Email each supplier's account manager the same short four-question note today. First, do you use Fortinet firewalls or Fortinet SSL VPN gateways anywhere in the infrastructure that hosts our data. Second, if yes, have you rotated all FortiGate credentials — admin, SSL VPN, PSK, SNMP, API — since 20 June 2026, when the NCSC alert landed, and have you re-checked your exposure against SOCRadar's updated FortiBleed dataset since 1 July, when the INC/Lynx attribution was published. Third, have you enrolled in the NCSC's Early Warning service and Check Your Cyber Security tool. Fourth, if you were to detect a compromise of our data in your Fortinet estate, what is the maximum time from your detection to our notification, in hours. Log the responses in the supplier register the DUAA Section 164A owner already keeps. A supplier that cannot answer question one is a finding. A supplier that answers "yes" to question one and cannot commit to question four inside 24 hours is a finding. This is the same four-question shape we used after the Qantas / Salesforce third-party breach a fortnight ago; it works for any perimeter-plus-SaaS exposure, and the same version can be reused in October for the autumn 2026 procurement questionnaire cycle post twenty and post twenty-five have already flagged.

Job three, Tuesday 14 July, one hour: the DUAA Section 164A paragraph. The DUAA data protection complaints duty has been on the record since 19 June, and by Tuesday afternoon the Bill will have had its Lords second reading. On the same day, sit down with the named board owner of the Section 164A complaints page — for a school, the DPO or the SBM; for a charity, the ops director or the DPO; for a small business, whoever owns customer trust — and write one paragraph, in plain English, that names the FortiBleed exposure, states what the organisation has done about it, names the supplier questions in flight from Monday and lists the free NCSC services that have been enrolled. The paragraph does not need to name INC or Lynx. It does need to name the date of the credential rotation, the fact that the top five suppliers have been asked the four questions, and the named human who is the point of contact if a complaint arrives. Keep the paragraph under 250 words. Add it to the public-facing complaints page and drop a copy in the risk register. If a complaint lands the following week, this paragraph is what the Section 164A thirty-day acknowledgement clock points at.

Two things worth saying about what is not in this post. First, this post does not predict which UK organisation will be named as the first confirmed FortiBleed-linked ransomware casualty. SOCRadar has confirmed twelve deployments have already occurred and Arctic Wolf's phrasing about the domino effect suggests more are in flight; naming victims in advance is neither responsible nor useful. Second, this post does not predict how the Bill's Lords second-reading debate on Tuesday will go. The House of Lords Library research briefing lays out the amendments in flight — the widening of relevant-managed-service-provider scope, the incident-reporting duty timings, the Secretary of State's power to add sectors by regulation — and the debate will crystallise the Government's position on some of them. The next post on this blog, after the debate, will pick up on what actually landed.

The takeaway for the audience this weekend and next week is unglamorous. The two shiny AI stories of the last fortnight — Cyber Shield on the defensive side, JADEPUFFER on the offensive side — are important, and the next few years will belong to them. The story that is on the audience's threat model right now is a passive credential sniffer running on an unpatched Fortinet edge device with an SSL VPN gateway facing the open internet. It has been running since February. Its output is being sold by the tier for up to £40,000 a login. Twelve organisations have been encrypted with credentials it produced. The mitigation is boring: check the exposure, rotate the credentials, take the management interface off the internet, put phishing-resistant MFA on the VPN, ask your suppliers to do the same, write the paragraph for the complaints page. Four working days is enough for all of it if a named owner takes the first ninety minutes today.

If you would like a second pair of eyes on the FortiGate check, the credential rotation, the supplier list and the DUAA paragraph, that is exactly the shape of small, time-bounded job our cybersecurity and resilience work is built for. A thirty-minute discovery call this afternoon will get you a one-page plan that covers this weekend, the four days to the Lords sitting and the first month after Royal Assent. Whichever route you take, please make sure the FortiGate management interface is off the open internet by close of business today.

Written by Boris Didov