UK telecom firm Colt suffers massive ransomware attack


UK telecoms and network services company Colt suffered a cyberattack, claimed by the Warlock ransomware gang.

The attack appears to have started on Tuesday, 12th August, at around 11 am BST and was first reported to be a technical issue. By Thursday, 14th August, Colt said that it was dealing with a cyber incident at Colt Technology Services, including hosting and porting services, Colt Online, and Voice API platforms.

“We detected the cyber incident on an internal system. This system is separate from our customers’ infrastructure. We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities,” Colt status updates say.

As a result of the attack, Colt took some of its systems offline, which affected Colt Online and the Voice API platform.

“One of our protective measures involved us proactively taking some systems offline, which has led to the disruption of some of the support services we provide to our customers. Our technical team is focused on restoring the affected systems and is working closely with third-party cyber experts.”

As of now, the company is still mitigating the attack, trying to restore its systems, and acknowledges that some of its support services remain unavailable due to Colt’s response to the incident.

“We have the capability of monitoring our customers’ networks and we continue to manage network incidents efficiently but we’re working in a more manual way than normal. We’re working hard to get our automated monitoring capability fully restored.”

A hacker under the nickname ‘cnkjasdfgd’ said he is a member of the WarLock ransomware gang and offered to sell over a million individual documents for $200,000, including financial, employee, customer, and executive data, internal emails, and software development information, according to Bleeping Computer.

The cause of the incident currently remains unclear, although security researcher Kevin Beaumont suggested that Colt was likely breached via a remote code execution vulnerability in Microsoft SharePoint, known as CVE-2025-53770.

Evan Powell, CEO at DeepTempo, commented that service providers face an "immense challenge" — being attractive targets for cybercriminals as they can be used for surveillance and to penetrate user environments, while being "responsible for keeping a network safe that has systems on it that they do not control."

"That said, the announcements from Colt Telecom that they have taken 'proactive measures' to respond to the attackers are a bit cringy. It appears from reports that Colt was unaware of the severity of the attack as it unfolded — and as it continues to unfold. The attackers are moving faster than they are. Being truly proactive would have entailed using advanced threat detection for the ever more advanced threats that are disrupting countless organizations around the world," Powell added.

"Unfortunately this is a common pattern in high stakes cybersecurity environments. Legacy vendors are extracting ever higher license fees for aging rules and traditional ML based detection systems — even while attackers are increasingly deploying methods that avoid such detections. We can expect to see many more successful attacks on especially service providers until they and their vendors deploy truly 'proactive' defenses, based upon the ability to actually see when they are being attacked."