Colt Technology Services Hit by Cyberattack Linked to WarLock Ransomware

Colt confirmed it had proactively disabled some services to contain the breach.

UK-based telecom giant Colt Technology Services confirmed that a “cyber incident” is behind the prolonged outage of its customer portal and support platforms. The company said the issue first appeared during the week of Aug. 12, when it detected problems within one of its internal systems. Services such as Colt Online and its Voice API platform remain inaccessible. Colt emphasized that the compromised system “is separate from our customers’ infrastructure.”

The WarLock ransomware group has claimed responsibility, alleging it stole “1 million documents.” On its dark web leak site, the group claimed the trove includes employee salary data, customer contact details, “internal executive personal information” and emails. The attackers are reportedly offering the files for $200,000. A hacker under the alias “cnkjasdfgd” posted the same statement on a cybercrime forum, according to Bleeping Computer.

Colt confirmed it had proactively disabled some services to contain the breach. “Our technical team is focused on restoring the affected systems and is working closely with third-party cyber experts,” the company said in its Aug. 14 update.

While services remain disrupted, Colt noted it can still monitor customer networks and respond to incidents, though it currently relies on manual processes until automated monitoring tools are back online. The company operates more than 50 metro networks across 30 countries in Europe, Asia and North America.

Cybersecurity researcher Kevin Beaumont reviewed a leaked list of 400,000 files linked to the breach. “I've authenticated the filenames are real, e.g., they include customer documentation and performance reviews of Colt staff,” Beaumont wrote. He added that he suspects the attackers may have exploited flaws in on-premises Microsoft SharePoint instances, specifically the vulnerability known as ToolShell. Microsoft had previously warned that a threat actor identified as Storm-2603 was leveraging the vulnerability to spread WarLock ransomware.

Beaumont pointed out that Colt had exposed sharehelp.colt.net to the internet, which could have been exploited.

In response to questions about WarLock and ToolShell, Colt provided a prepared statement: “Our dedicated incident response team, including external investigators and forensic experts, is working to investigate this incident. This investigation has continued, and will continue, 24/7. We continue to work closely with law enforcement agencies as part of our investigation.”