Executive Summary
In a stark reminder of the evolving threat landscape, multinational telecommunications provider Colt Technology Services (colt.net) was recently hit by a cyberattack attributed to the emerging WarLock ransomware group.
The incident, which began on or around August 12, 2025, resulted in a multi-day outage of key internal services, including customer portals and support systems.
While Colt’s core network infrastructure was reportedly unaffected, the attackers claim to have stolen a significant cache of sensitive data, which is now being offered for sale on the dark web, underscoring the severe and multifaceted impact of modern ransomware operations.
Background
The victim, Colt Technology Services, is a major player in the telecommunications sector, operating extensive fibre networks across Europe, Asia, and North America. As a critical infrastructure provider, a disruption to its services can have cascading effects on businesses and consumers who rely on its connectivity and IT services.
The perpetrator of this attack is the WarLock ransomware group, a relatively new but increasingly active threat actor. Its methods blend data exfiltration with extortion, a tactic known as “double extortion”, in which the attackers not only encrypt a victim’s data but also steal it and threaten to leak it publicly if the ransom is not paid. Despite the group’s recent appearance, its tactics and procedures point to ties with the Black Basta ransomware group, which ceased activity a few months before the WarLock operators emerged.
WarLock’s first activity can be traced back to June 2025, when the group entered the cybercrime scene by claiming 16 successful attacks across a range of industries and geographies.
Technical Analysis
The attack targeted Colt’s internal systems, not its customer-facing network infrastructure. Colt shut down several services, including the Colt Online customer portal and the Voice API platform, as a protective measure to contain the spread of the ransomware.
The WarLock group has since claimed to have exfiltrated up to one million documents, including financial information, employee salary data, internal executive communications, and customer contact details. This claim directly contradicts Colt’s initial public statements, highlighting the tension between corporate communications during a crisis and the reality of a breach.
The initial entry point for the attackers is believed to be an unpatched remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, tracked as CVE-2025-53770.
CVE-2025-53770, publicly reported as “ToolShell”, is an unauthenticated RCE vulnerability affecting on-premises SharePoint servers. The exploitation chain works as follows:
- The threat actor sends a crafted POST request to a vulnerable server, which writes a webshell to disk
- The threat actor sends a GET request to the webshell, which returns the server’s ASP.NET machine keys (the validation and decryption keys)
- With the stolen keys the threat actor can sign forged ViewState payloads that the server deserialises and executes, giving arbitrary command execution; because the keys are what grant this access, the attacker retains it after patching unless the keys are rotated
Once this chain is complete, the threat actor has full control of the compromised on-premises SharePoint server, including all content, files and configuration.
According to analysis by security researcher Kevin Beaumont, the threat actors likely exploited this flaw to gain a foothold on the network. Once inside, they deployed a webshell, a malicious script that allows remote command execution and sustained access.
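The exploitation chain above leaves a distinctive footprint in the SharePoint server’s IIS logs: a POST to the ToolPane page with a SignOut Referer, followed shortly by a GET to the dropped webshell from the same client. As an added example (not code from the original article, from Colt or from Microsoft), the following Python script parses W3C-format IIS log lines and correlates those two stages per client IP. The request paths and Referer value are the indicators Microsoft published in the advisory listed under Sources; the log lines, host names and IP addresses are constructed for the example.

```python
"""Hunt for the CVE-2025-53770 ("ToolShell") request pattern in IIS W3C logs.

Added example, not code from the original article or from Colt. The request
indicators (POST to ToolPane.aspx with a SignOut.aspx Referer, then a GET to
spinstall0.aspx) are those published in Microsoft's advisory linked under
Sources; the log lines below are constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Stage 1: the POST that drops the webshell. Stage 2: the GET that reads the
# machine keys back out of the webshell. Both as published by Microsoft.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/ToolPane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?SignOut\.aspx", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log: legitimate requests from an internal user (including
# a benign GET to ToolPane.aspx that must NOT match: wrong method, no SignOut
# Referer) and the two-stage chain from 203.0.113.42.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-08-12 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jsmith 10.0.0.77 Mozilla/5.0 https://sp.example.internal/ 200
2025-08-12 02:14:45 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jsmith 10.0.0.77 Mozilla/5.0 https://sp.example.internal/ 200
2025-08-12 02:15:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.42 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-08-12 02:15:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.42 Mozilla/5.0 - 200
2025-08-12 02:16:10 10.0.0.5 GET /_layouts/15/settings.aspx - 443 CORP\\jsmith 10.0.0.77 Mozilla/5.0 https://sp.example.internal/ 200
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout is declared by the log itself
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def classify(rec):
    """Return the ToolShell stage a single request matches, or None."""
    stem = rec.get("cs-uri-stem", "")
    method = rec.get("cs-method", "").upper()
    referer = rec.get("cs(Referer)", "-")
    if method == "POST" and TOOLPANE_RE.search(stem) and SIGNOUT_RE.search(referer):
        return "stage1_toolpane_post"
    if method == "GET" and SPINSTALL_RE.search(stem):
        return "stage2_spinstall_get"
    return None


def hunt_toolshell(text, window=timedelta(minutes=10)):
    """Correlate stage-1 and stage-2 hits per client IP and return findings."""
    hits = {}  # c-ip -> list of (timestamp, stage, record)
    for rec in parse_iis_log(text):
        stage = classify(rec)
        if stage is None:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits.setdefault(rec["c-ip"], []).append((ts, stage, rec))

    findings = []
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        stages = {s for _, s, _ in events}
        span = events[-1][0] - events[0][0]
        # Both stages from one client inside the window is the full chain;
        # a lone stage still deserves a look (scanner, partial log, or variant).
        confidence = "high" if len(stages) == 2 and span <= window else "medium"
        findings.append({
            "client": ip,
            "stages": sorted(stages),
            "first_seen": events[0][0].isoformat(sep=" "),
            "confidence": confidence,
            "requests": [f"{r['cs-method']} {r['cs-uri-stem']}" for _, _, r in events],
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_toolshell(SAMPLE_LOG):
        print(finding)
```

Run it against real logs by reading the log file into `hunt_toolshell`; a “high” finding means the machine keys should be treated as stolen and rotated, not merely the webshell deleted. The benign edit-mode GET to ToolPane.aspx in the sample is deliberately included: the pattern is the method plus the SignOut Referer, not the path alone.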
Impact and Implications
The attack on Colt Technology Services serves as a powerful case study on the far-reaching consequences of a successful ransomware operation.
- Broader Threat Landscape: This event reinforces that no company, regardless of size or industry, is immune to ransomware. The use of a known, albeit recent, SharePoint vulnerability, for which Microsoft had published fixes in July 2025, weeks before the Colt intrusion, shows how quickly threat actors weaponise publicly disclosed vulnerabilities, placing a critical emphasis on rapid patching and proactive defence.
- Service Disruption: The most immediate impact was a multi-day service outage that affected Colt’s customer support and management platforms. This not only caused frustration for customers but also forced the company to revert to manual processes for incident management and network monitoring.
- Data Breach: The alleged data theft is the most serious long-term implication. The potential exposure of sensitive employee and customer data raises significant privacy concerns and could lead to legal and regulatory challenges, including fines under GDPR in Europe. It also increases the risk of subsequent attacks on individuals or partner companies through social engineering.
- Reputational Damage: The incident damages the trust that customers place in a company responsible for managing their critical digital infrastructure. The public discrepancy between the company’s initial claims and the threat actors’ assertions also erodes confidence in corporate transparency during a crisis.
Recommendations
- Patch Management: Prioritise the immediate patching of all systems, particularly for high-severity vulnerabilities like CVE-2025-53770. Automate patching processes wherever possible.
- Network Segmentation: Implement a robust network segmentation strategy to isolate critical assets and services. This can limit the lateral movement of attackers, preventing a single point of entry from compromising the entire network.
- Endpoint Detection and Response (EDR): Deploy and configure EDR solutions to monitor for and automatically respond to suspicious activities, such as file encryption or the deployment of webshells.
- Threat Hunting: To discover exploitation attempts, run the threat hunting queries published by Microsoft for CVE-2025-53770 against IIS and endpoint telemetry. If a SharePoint server may have been exposed, rotate its ASP.NET machine keys as well as patching, since stolen keys remain usable after the patch.
- Data Backups: Maintain regular, offline, and immutable backups of all critical data. Backups are one of the most effective defences against the encryption side of ransomware and enable rapid recovery without paying a ransom; they do nothing, however, against the data-leak side of double extortion, which is why the measures above matter as much as recovery.
- Multi-Factor Authentication (MFA): Enforce MFA across all systems and services, especially for privileged accounts and remote access, to limit what an attacker can do with compromised credentials.
- Stay Informed: Be aware of security incidents affecting your service providers, especially those handling your data or business-critical services.
- Practice Cyber Hygiene: Use strong, unique passwords for all your online accounts and enable multi-factor authentication whenever available.
- Be Vigilant: Be cautious of unexpected emails, text messages, or phone calls, especially those that ask you to click on links, download files, or provide personal information. Phishing and social engineering are often the initial step in these attacks.
- Understand Your Risk: Recognise that data breaches and service disruptions are a part of the modern digital landscape. Prepare for potential outages and have alternative methods of communication or operation ready.

Adam Schweizer, XDR Analyst
Adam Schweizer is a dedicated and highly skilled cybersecurity professional with over five years of experience in threat intelligence and security operations. As an XDR Analyst at Reliance Cyber, he specialises in leveraging his deep expertise to protect organisations from evolving cyber threats.
Sources:
https://www.trendmicro.com/ru_ru/research/25/h/warlock-ransomware.html
https://cyberplace.social/@GossiTheDog/115056221173600517
https://www.darkreading.com/cyberattacks-data-breaches/colt-telecommunications-cyber-incident
https://hackread.com/warlock-ransomware-group-breach-colt-telecom-hitachi/
https://www.bleepingcomputer.com/news/security/colt-telecom-attack-claimed-by-warlock-ransomware-data-up-for-sale/
https://securityaffairs.com/181247/data-breach/colt-technology-faces-multi-day-outage-after-warlock-ransomware-attack.html
https://www.theregister.com/2025/08/15/london_telco_colts_services_disrupted/
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/