Colt Technology Services, a British telecom provider, suffered a **Warlock ransomware attack** starting **August 12**, with recovery expected to extend until **late November**—a disruption lasting over **three and a half months**. The attack crippled critical systems, including **customer portals, network-as-a-service platforms, hosting APIs, and billing functions**, causing delays in invoicing, direct debit collections, and service management. While core network infrastructure remained operational, key customer-facing platforms stayed offline, severely limiting clients' ability to manage voice and network services.

The **Warlock group** claimed responsibility, **exfiltrating and auctioning Colt’s data** on the dark web, though the exact sensitivity of the leaked data remains undisclosed. Colt engaged external cybersecurity experts to investigate, confirming the **compromise of its Business Support System (BSS)** while ruling out risks to its Operational Support System (OSS). The attack prompted **regulatory filings in 27 countries**, with over **75 reports** submitted to authorities. Initial suspicions point to **exploited SharePoint vulnerabilities** as the entry vector, aligning with broader trends of ransomware groups leveraging such flaws during the period. The financial and reputational fallout persists, with ongoing service disruptions and potential long-term trust erosion among enterprise clients.
Source: https://www.theregister.com/2025/09/17/uk_telco_colts_cyberattack_recovery/
TPRM report: https://www.rankiteo.com/company/colt-technology-services
"id": "col2732027091725",
"linkid": "colt-technology-services",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': True,
'industry': 'Telecom/IT Services',
'location': 'United Kingdom (global operations)',
'name': 'Colt Technology Services',
'type': 'telecommunications provider'}],
'attack_vector': ['suspected SharePoint exploit (unconfirmed)',
'data exfiltration'],
'customer_advisories': ['acknowledgment of platform unavailability (customer '
'portal, NaaS portal, APIs)',
'billing delays and payment term clarifications',
'offer to verify leaked data with Warlock upon '
'customer request'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'type_of_data_compromised': ['undisclosed (auctioned on dark '
'web)']},
'date_detected': '2024-08-12',
'date_publicly_disclosed': '2024-08-12',
'date_resolved': '2024-11-30',
'description': 'Brit telco Colt Technology Services experienced a ransomware '
'attack by the Warlock group starting on August 12, 2024. The '
'attack disrupted core processes, customer platforms, billing '
'systems, and network management portals. Recovery efforts are '
'estimated to take until late November (8-10 weeks), with '
'phased restoration prioritizing critical customer services. '
'The Warlock group claims to have exfiltrated data, which '
'remains up for auction on their dark web page. Colt has '
'engaged external cybersecurity experts and notified '
'authorities in 27 countries, filing over 75 reports. The '
'initial access vector is suspected to be a SharePoint '
'exploit, though unconfirmed.',
'impact': {'brand_reputation_impact': True,
'customer_complaints': True,
'data_compromised': True,
'downtime': {'duration': '~16 weeks (3.5+ months)',
'end': '2024-11-30 (estimated)',
'start': '2024-08-12'},
'operational_impact': ['limited network/voice service management '
'for customers',
'delayed invoice issuance and late payment '
'processing',
'disrupted direct debit collections',
'unavailable customer portals/APIs'],
'systems_affected': ['Business Support System (BSS)',
'customer platforms (e.g., customer portal, '
'network-as-a-service portal)',
'hosting APIs',
'billing systems (invoice generation delays, '
'direct debit disruptions)']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'suspected SharePoint exploit '
'(unconfirmed)',
'high_value_targets': ['Business Support System '
'(BSS)',
'customer data']},
'investigation_status': 'ongoing (external cybersecurity experts engaged; '
'SharePoint pentest conducted)',
'motivation': ['financial gain (ransom demand)',
'data theft for extortion/auction'],
'post_incident_analysis': {'root_causes': ['potential SharePoint '
'vulnerabilities (unconfirmed)']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Warlock'},
'references': [{'source': 'The Register',
'url': 'https://www.theregister.com'},
{'source': 'Trend Micro Report on Warlock'},
{'source': 'Kevin Beaumont (Infosec Watcher)'},
{'source': 'LeakIX (Internet Scanning Service)'}],
'regulatory_compliance': {'regulatory_notifications': ['75+ reports filed to '
'regulators, law '
'enforcement, '
'cybersecurity '
'agencies, and '
'emergency services '
'across 27 countries']},
'response': {'communication_strategy': ['public statements with estimated '
'recovery timelines',
'weekly updates to customers',
'offer to verify leaked data with '
'Warlock on behalf of customers'],
'containment_measures': ['SharePoint server taken offline '
'(reported by Kevin Beaumont)',
'phased restoration of core systems'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['prioritized restoration of critical '
'customer services',
'weekly updates on recovery progress',
'foundational recovery work completed (as '
'of recent update)'],
'third_party_assistance': ['external cybersecurity experts (for '
'BSS/OSS investigation)']},
'stakeholder_advisories': ['weekly recovery updates',
'service delivery/assurance updates (forthcoming)'],
'threat_actor': 'Warlock ransomware group',
'title': 'Colt Technology Services Ransomware Attack by Warlock Group',
'type': ['ransomware', 'data breach', 'operational disruption'],
'vulnerability_exploited': ['potential SharePoint vulnerabilities (CVE '
'details unspecified)']}