UK telecoms firm takes systems offline after cyber attack

Laptop with warning symbol in red denoting a cyber attack or compromised device.

(Image credit: Getty Images)

UK telecoms firm Colt Technology Services has been hit by a cyber attack that's been claimed by the Warlock ransomware gang.

The incident first unfolded on Tuesday 12th August, when the company detected issues on an internal system. In a blog post confirming the cyber attack, the company said the affected system is separate from customer infrastructure.

"We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities," said the firm.

The company also took some systems offline, disrupting support services including the Colt Online customer portal and the company's Voice API platform, which allows customers to automate and manage their voice services.

Colt Technology Services asking customers to get in touch via email or phone.

It's not known just how the attack happened, but according to security researcher Kevin Beaumont, the entry point was probably sharehelp.colt.net, via the SharePoint vulnerability CVE-2025-53770.

This allows attackers to steal cryptographic keys from unpatched servers, enabling remote code execution (RCE) through malicious requests.

Beaumont said the attack appears to have been carried out by the Warlock ransomware group - a recent arrival on the scene, but a group that's already been linked to around a dozen confirmed cyber attacks, mainly in the government, finance, manufacturing, and technology sectors.

In this latest attack, said Beaumont, Warlock stole 'a few hundred gig' of customer data and documentation and posted a file list on a Russian Tor forum offering the data for sale.

The group said it was selling a million documents, including employee salary data, financial data, customer contract data, personal information on company executives and employees, network architecture, and software development data.

Beaumont said he has established that the file names are real, including, for example, customer documentation and performance reviews of Colt staff.

Colt is the latest telecoms firm hit by hackers

The incident is the latest in a string of attacks on telecoms companies across Europe, with French providers Orange and Bouygues Telecom both hit during the last month alone.

French cybersecurity agency ANSSI issued a warning about state-sponsored threats targeting the country’s telecommunications sector for espionage, saying there had been multiple compromises in recent years.

Similar attacks on US phone providers have been attributed to the China-linked Salt Typhoon hacking group.

"We’ve seen already this year that telecom is particularly vulnerable to attacks, and I think this WarLock attack highlights some recurring issues that telecom and large-scale network service providers are starting to see," commented Gabrielle Hempel, security operations strategist at Exabeam.

"There’s this operational ripple effect when you’re a service provider and support-layer services go down. Even though Colt claims its core network infrastructure is still intact, the outage of hosting, porting, and API services still disrupts customer trust and downstream operations."

Patch timelines need to improve, Hempel added, so that SharePoint RCE or similarly severe vulnerabilities for externally accessible systems dealt with within hours, not weeks.

"For critical infrastructure providers, RCE patch pipelines need to be prioritized and automated wherever possible for internet-facing services," she said.

"Essentially, in high-value and high-availability industries like telecom, security SLAs need to be as strict, if not stricter, than availability SLAs."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.