UK telecoms firm Colt Technology Services has been hit by a cyber attack that's been claimed by the Warlock ransomware gang.
The incident first unfolded on Tuesday 12th August, when the company detected issues on an internal system. In a blog post confirming the cyber attack, the company said the affected system is separate from customer infrastructure.
"We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities," said the firm.
The company also took some systems offline, disrupting support services including the Colt Online customer portal and the company's Voice API platform, which allows customers to automate and manage their voice services.
Colt Technology Services asking customers to get in touch via email or phone.
It's not known just how the attack happened, but according to security researcher Kevin Beaumont, the entry point was probably sharehelp.colt.net, via the SharePoint vulnerability CVE-2025-53770.
This allows attackers to steal cryptographic keys from unpatched servers, enabling remote code execution (RCE) through malicious requests.
Beaumont said the attack appears to have been carried out by the Warlock ransomware group - a recent arrival on the scene, but a group that's already been linked to around a dozen confirmed cyber attacks, mainly in the government, finance, manufacturing, and technology sectors.
In this latest attack, said Beaumont, Warlock stole 'a few hundred gig' of customer data and documentation and posted a file list on a Russian Tor forum offering the data for sale.
The group said it was selling a million documents, including employee salary data, financial data, customer contract data, personal information on company executives and employees, network architecture, and software development data.
Beaumont said he has established that the file names are real, including, for example, customer documentation and performance reviews of Colt staff.
Colt is the latest telecoms firm hit by hackers
The incident is the latest in a string of attacks on telecoms companies across Europe, with French providers Orange and Bouygues Telecom both hit during the last month alone.
French cybersecurity agency ANSSI issued a warning about state-sponsored threats targeting the country’s telecommunications sector for espionage, saying there had been multiple compromises in recent years.
Similar attacks on US phone providers have been attributed to the China-linked Salt Typhoon hacking group.
"We’ve seen already this year that telecom is particularly vulnerable to attacks, and I think this WarLock attack highlights some recurring issues that telecom and large-scale network service providers are starting to see," commented Gabrielle Hempel, security operations strategist at Exabeam.
"There’s this operational ripple effect when you’re a service provider and support-layer services go down. Even though Colt claims its core network infrastructure is still intact, the outage of hosting, porting, and API services still disrupts customer trust and downstream operations."
Patch timelines need to improve, Hempel added, so that SharePoint RCE or similarly severe vulnerabilities for externally accessible systems dealt with within hours, not weeks.
"For critical infrastructure providers, RCE patch pipelines need to be prioritized and automated wherever possible for internet-facing services," she said.
"Essentially, in high-value and high-availability industries like telecom, security SLAs need to be as strict, if not stricter, than availability SLAs."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
What is 'quiet cracking' and how can leaders stop it?In-depth The latest workplace phenomenon is being fueled by fears of AI taking jobs and a lack of communication from leaders
-
Majority of English data centers use less water than a 'typical leisure center'News England’s data centers are surprisingly efficient when it comes to water consumption
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Warning issued as new Pakistan-based malware group hits millions globallyNews Tempting people in with offers of pirated software, the network installs commodity infostealers, according to CloudSEK
-
LevelBlue and Akamai are teaming up to launch a managed web application and API protection serviceNews The new Managed WAAP offering aims to help organizations secure their rapidly expanding web app and API ecosystems
-
Everything we know so far about the Canadian House of Commons data breachNews Speculation is mounting over the source of the breach
-
Identity security is more important than ever – here’s whyNews 78% of enterprises told Okta that controlling access and permissions for non-human identities is now their main identity security concern.
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
