{"id":4408,"date":"2025-08-18T12:11:57","date_gmt":"2025-08-18T12:11:57","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4408"},"modified":"2025-08-18T12:11:57","modified_gmt":"2025-08-18T12:11:57","slug":"uks-colt-hit-by-cyberattack-support-systems-offline-amid-ransom-threat","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4408","title":{"rendered":"UK\u2019s Colt hit by cyberattack, support systems offline amid ransom threat"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Colt Technology Services, a UK-based telecom giant connecting 900 data centers across Europe, Asia, and North America, has been hit by a cyberattack that began on August 12.<\/p>\n<p>Initially labelled a \u201ctechnical issue\u201d by the company, the disruption evolved into a confirmed cyberattack as Colt took down internal support systems, including its online portal and Voice API platform, in a bid to protect its core customer infrastructure. <\/p>\n<p>\u201cWe\u2019re really sorry that some of our support systems, including Colt Online and our Voice API platform, continue to be unavailable,\u201d the company said in a <a href=\"https:\/\/www.colt.net\/status\/#:~:text=09:05%20BST\" target=\"_blank\" rel=\"noopener\">statement<\/a>. 
\u201cAs a precaution following a cyber incident affecting our internal systems earlier this week, we\u2019ve temporarily taken these services offline.\u201d According to Colt, none of its customer or employee data appears to have been improperly accessed.<\/p>\n<p>Meanwhile, a threat actor who claims to be affiliated with the WarLock ransomware gang and uses the alias \u201ccnkjasdfgd\u201d has <a href=\"https:\/\/x.com\/MonThreat\/status\/1956362643951759469\/photo\/1\" target=\"_blank\" rel=\"noopener\">publicly<\/a> claimed responsibility for the breach. The group is offering one million documents for sale, allegedly containing sensitive details such as financial records, internal emails, employee and executive data, and system architecture.<\/p>\n<h2 class=\"wp-block-heading\">Colt says core network untouched<\/h2>\n<p>In its public updates on the incident, Colt insisted that its core network infrastructure remains untouched, and that only support-facing systems were taken offline as a precaution. The company emphasized it still retains \u201cthe ability to monitor customer networks and manage incidents efficiently\u201d, although, with its automated monitoring systems offline, that work is currently being done manually.<\/p>\n<p>Security experts speculate that the attack may have been facilitated via a recently patched vulnerability in Microsoft SharePoint, <a href=\"https:\/\/www.csoonline.com\/article\/4025691\/microsoft-sharepoint-zero-day-breach-hits-on-prem-servers.html\">CVE-2025-53770<\/a>. 
Researchers such as Kevin Beaumont suggested the attackers may have bypassed existing SharePoint security patches, potentially using an exploit chain known as ToolShell to gain remote code execution and install web shells for deeper access.<\/p>\n<p>\u201cColt are being extorted by Warlock ransomware group, they have been for over a week, Colt are trying to cover it up,\u201d Beaumont <a href=\"https:\/\/cyberplace.social\/@GossiTheDog\/115032533860318853\">wrote<\/a> on Mastodon on Friday, Aug 15. \u201cEntry likely via sharehelp.colt.net via CVE-2025-53770 as they were interacting with it.\u201d Beaumont added that the group has stolen a few hundred gigabytes of customer data and documentation, posting a <a href=\"https:\/\/www.klos.com\/~john\/colt_filename_tree.txt\" target=\"_blank\" rel=\"noopener\">list of files<\/a> with samples on a Russian Tor site.<\/p>\n<p>\u201cWe\u2019ve seen already this year that telecom is particularly vulnerable to attacks, and I think this WarLock attack highlights some recurring issues that telecom and large-scale network service providers are starting to see,\u201d said Gabrielle Hempel, Security Operations Strategist at Exabeam. \u201cThere\u2019s this operational ripple effect when you\u2019re a service provider and support-layer services go down. Even though Colt claims its \u2018core network infrastructure\u2019 is still intact, the outage of hosting, porting, and API services still disrupts customer trust and downstream operations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Data allegedly put up for sale<\/h2>\n<p>The WarLock group has reportedly put the alleged documents up for sale on a criminal forum. 
Along with the ransom demand of $200,000, they\u2019ve provided sample documents as proof, raising alarm over what might be exposed if Colt doesn\u2019t pay up.<\/p>\n<p>The trove reportedly includes financial records, salary data, customer contact details, internal communications, and software development blueprints.<\/p>\n<p>In the weeks following its discovery, the SharePoint ToolShell exploit has been weaponized in a rapidly escalating wave of attacks. High-profile victims have included the US National Nuclear Security Administration, National Institutes of Health (NIH), and Department of Homeland Security (DHS), all suffering attacks by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">China-linked Storm-2603<\/a> deploying Warlock ransomware.<\/p>\n<p>Hempel said the incident drags the focus back to patch timelines. \u201cA SharePoint RCE or something of similar severity needs to be measured in hours, not weeks, for externally accessible systems. For critical infrastructure providers, RCE patch pipelines need to be prioritized and automated wherever possible for internet-facing services.\u201d Notably, Microsoft\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/4027971\/microsofts-incomplete-sharepoint-patch-led-to-global-exploits-by-china-linked-hackers.html\" target=\"_blank\" rel=\"noopener\">initial patch for the underlying SharePoint flaw was incomplete<\/a>; CVE-2025-53770 was assigned to the bypass, and the flaw was only fully sealed later in July, leaving a window for mass exploitation in between.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Colt Technology Services, a UK-based telecom giant connecting 900 data centers across Europe, Asia, and North America, has been hit by a cyberattack that began on August 12. 
Initially labelled a \u201ctechnical issue\u201d by the company, the disruption evolved into a confirmed cyberattack as Colt took down internal support systems, including its online portal and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4409,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4408","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4408"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4408"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4408\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4409"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
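The article describes the suspected entry path (ToolShell against an internet-facing SharePoint server, followed by a dropped web shell) but gives no detection guidance. The following is an added example, written for this page and not code from the article, from Colt, or from Microsoft: a small hunter that parses IIS W3C logs and flags the two request patterns that Microsoft's public write-up on the campaign (linked above) describes, a POST to ToolPane.aspx with a SignOut.aspx Referer and any hit on a spinstall*.aspx web shell. The indicator patterns are an assumption taken from that public reporting, the hostnames and IP addresses are constructed, and the log lines are fabricated for the example.

```python
"""
Hunt for ToolShell-style SharePoint exploitation in IIS W3C logs.

Indicators (assumption: taken from Microsoft's public write-up on the
campaign, not from anything Colt has published about this incident):
  * POST to /_layouts/15|16/ToolPane.aspx?DisplayMode=Edit whose Referer
    ends in /_layouts/SignOut.aspx (the auth-bypass + RCE request)
  * any request for spinstall*.aspx under /_layouts/, the web shell name
    seen in the campaign
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample log: IIS W3C format, columns named by the #Fields line.
# 203.0.113.7 is a documentation-range IP standing in for an attacker.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-08-12 09:14:02 10.0.0.5 GET /sites/ops/SitePages/Home.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.com/sites/ops 200
2025-08-12 09:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-08-12 09:15:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-08-12 09:20:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.1.31 Mozilla/5.0 - 200
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
WEBSHELL = re.compile(r"/_layouts/(1[56]/)?spinstall\w*\.aspx$", re.I)


@dataclass
class Hit:
    rule: str
    client_ip: str
    timestamp: str
    uri: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line; a production tool would report it
        yield dict(zip(fields, parts))


def is_toolshell_request(rec: dict) -> bool:
    """POST to ToolPane.aspx in edit mode, referred from SignOut.aspx."""
    return (
        rec.get("cs-method", "").upper() == "POST"
        and TOOLPANE.search(rec.get("cs-uri-stem", "")) is not None
        and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
        and rec.get("cs(Referer)", "").lower().endswith("/_layouts/signout.aspx")
    )


def is_webshell_request(rec: dict) -> bool:
    """Any request for the spinstall*.aspx web shell, regardless of status."""
    return WEBSHELL.search(rec.get("cs-uri-stem", "")) is not None


def hunt(text: str) -> List[Hit]:
    """Run both rules over a log and return hits in log order."""
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        when = f"{rec['date']} {rec['time']}"
        if is_toolshell_request(rec):
            hits.append(Hit("toolshell-toolpane-post", rec["c-ip"], when, rec["cs-uri-stem"]))
        elif is_webshell_request(rec):
            hits.append(Hit("spinstall-webshell", rec["c-ip"], when, rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client_ip} {h.rule} {h.uri}")
```

Two caveats a responder would want: a clean run proves nothing if logs were rotated or the attacker used a different shell name, so pair this with a file-system check of the LAYOUTS directory for recently created .aspx files; and the ToolPane rule deliberately ignores the status code, because a 401 or 403 on that exact request is still worth knowing about on an internet-facing server.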