UK’s Colt hit by cyberattack, support systems offline amid ransom threat

Colt Technology Services, a UK-based telecom giant connecting 900 data centers across Europe, Asia, and North America, has been hit by a cyberattack that began on August 12.

Initially labelled a “technical issue” by the company, the disruption evolved into a confirmed cyberattack as Colt took down internal support systems, including its online portal and Voice API platform, in a bid to protect its core customer infrastructure.

“We’re really sorry that some of our support systems, including Colt Online and our Voice API platform, continue to be unavailable,” the company said in a statement. “As a precaution following a cyber incident affecting our internal systems earlier this week, we’ve temporarily taken these services offline.” According to Colt, none of its customer or employee data appears to have been improperly accessed.

Meanwhile, a threat actor who claims to be affiliated with the WarLock ransomware gang and uses the alias “cnkjasdfgd” has publicly claimed responsibility for the breach. The group is putting up one million documents for sale, allegedly containing sensitive details such as financial records, internal emails, employee and executive data, and system architecture.

Colt says core network untouched

In its public updates on the incident, Colt insisted that its core network infrastructure remains untouched and that only support-facing systems were taken offline as a precaution. The company emphasized that it still retains “the ability to monitor customer networks and manage incidents efficiently”, although this has had to be done manually because the automated monitoring systems are out of commission.

Security experts speculate that the attack may have been facilitated via a recently patched vulnerability in Microsoft SharePoint, CVE-2025-53770. Researchers like Kevin Beaumont suggested the attackers may have bypassed existing SharePoint security patches, potentially using an exploit chain known as ToolShell to gain remote code execution and install web shells for deeper access.

“Colt are being extorted by Warlock ransomware group, they have been for over a week, Colt are trying to cover it up,” Beaumont wrote on Mastodon on Friday, Aug 15. “Entry likely via sharehelp.colt.net via CVE-2025-53770 as they were interacting with it.” Beaumont added that the group has stolen a few hundred gigabytes of customer data and documentation, posting a list of files with samples on a Russian Tor site.

“We’ve seen already this year that telecom is particularly vulnerable to attacks, and I think this WarLock attack highlights some recurring issues that telecom and large-scale network service providers are starting to see,” said Gabrielle Hempel, Security Operations Strategist at Exabeam. “There’s this operational ripple effect when you’re a service provider and support-layer services go down. Even though Colt claims its ‘core network infrastructure’ is still intact, the outage of hosting, porting, and API services still disrupts customer trust and downstream operations.”

Data allegedly put up for sale

The WarLock group has reportedly put the alleged documents up for sale on the forum. Along with the ransom demand of $200,000, they’ve provided sample documents as proof, raising alarm over what might be exposed if Colt doesn’t pay up.

The trove reportedly includes financial records, salary data, customer contact details, internal communications, and software development blueprints.

In the weeks following its discovery, the SharePoint ToolShell exploit has been weaponized in a rapidly escalating wave of attacks. High-profile victims have included the US National Nuclear Security Administration, National Institutes of Health (NIH), and Department of Homeland Security (DHS), all suffering attacks by China-linked Storm-2603 deploying Warlock ransomware.

Hempel said the incident drags the focus back to patch timelines. “A SharePoint RCE or something of similar severity needs to be measured in hours, not weeks, for externally accessible systems. For critical infrastructure providers, RCE patch pipelines need to be prioritized and automated wherever possible for internet-facing services.” Notably, Microsoft had provided an incomplete patch for CVE-2025-53770 before completely sealing the flaw in July, leaving a window for mass exploitation in between.
