ICUK

London-based wholesale telecoms provider ICUK faced a multi-day DDoS attack starting on Monday evening, initially targeting its core network and later its Control Panel app and infrastructure. The attack disrupted VoIP and web services, causing service delivery outages and preventing customers from accessing their control panels. While Cloudflare’s DDoS protection mitigated most attacks within hours, residual effects persisted, requiring an emergency restart of the VoIP platform the following evening. The company confirmed no data breaches, ransomware, or other compromises—only service disruptions due to DDoS traffic, including DNS amplification techniques. Business operations were partially affected, with some customers unable to use the Control Panel until after business hours on Tuesday. ICUK emphasized transparency in customer communications and implemented additional Cloudflare protections at the network layer. No financial losses, reputational damage beyond temporary service interruptions, or long-term consequences were reported. The attack was isolated to DDoS, with no evidence of data theft, system infiltration, or broader cyber compromise.

Source: https://www.theregister.com/2025/10/08/telecoms_wholesaler_icuk_restores_services/

TPRM report: https://www.rankiteo.com/company/icuk

"id": "icu0032200100825",
"linkid": "icuk",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Resellers and end-users (exact '
                                              'number not specified)',
                        'industry': 'Telecommunications',
                        'location': 'London, UK',
                        'name': 'ICUK',
                        'type': 'Wholesale Telecoms Provider'}],
 'attack_vector': ['Network-layer DDoS',
                   'Application-layer DDoS (Control Panel)',
                   'DNS Amplification'],
 'customer_advisories': ['Service status page updates',
                         'Direct communication from ICUK directors'],
 'data_breach': {'number_of_records_exposed': '0',
                 'sensitivity_of_data': 'None',
                 'type_of_data_compromised': 'None'},
 'date_detected': '2023-MM-DD (exact date not specified, Monday evening around '
                  '2000 local time/1900 UTC)',
 'date_publicly_disclosed': '2023-MM-DD (disclosed to The Register on Tuesday)',
 'date_resolved': '2023-MM-DD (by Tuesday evening, all systems fully '
                  'operational)',
 'description': 'London-based wholesale telecoms provider ICUK experienced a '
                'multi-day DDoS attack targeting its core network, VoIP '
                'platform, and Control Panel app. The attack began on Monday '
                'evening (2000 local time) and involved DNS amplification '
                "techniques in the second wave. Cloudflare's DDoS protection "
                'mitigated most of the attacks, but residual disruptions '
                'affected VoIP services and Control Panel access until Tuesday '
                'evening. No data breaches or other compromises were detected. '
                "ICUK plans to extend Cloudflare's protection to the network "
                'layer to prevent future incidents.',
 'impact': {'brand_reputation_impact': 'Minimal (transparent communication '
                                       'praised by customers)',
            'customer_complaints': 'Reported by customers to The Register '
                                   '(specific number not disclosed)',
            'data_compromised': 'None',
            'downtime': {'control_panel': 'Until Tuesday after business hours',
                         'core_network': '~2 hours (mitigated by Cloudflare by '
                                         '2200 local time Monday)',
                         'voip_platform': 'Until Tuesday 18:03 (emergency '
                                          'restart required)'},
            'identity_theft_risk': 'None',
            'operational_impact': ['Service delivery disruption',
                                   'VoIP platform issues (knock-on effect)',
                                   'Control Panel inaccessibility'],
            'payment_information_risk': 'None',
            'systems_affected': ['Core Network',
                                 'VoIP Platform',
                                 'Control Panel App']},
 'investigation_status': 'Ongoing (gathering data, no attribution yet)',
 'lessons_learned': ['Importance of multi-layered DDoS protection',
                     'Need for network-layer Cloudflare integration',
                     'Effective communication mitigates customer frustration'],
 'post_incident_analysis': {'corrective_actions': ['Extending Cloudflare to '
                                                   'network layer',
                                                   'Reviewing VoIP platform '
                                                   'resilience'],
                            'root_causes': ['Insufficient network-layer DDoS '
                                            'protection',
                                            'Residual VoIP platform '
                                            'vulnerabilities post-attack']},
 'recommendations': ['Extend Cloudflare DDoS protection to network layer',
                     'Conduct post-incident review to identify gaps',
                     'Enhance redundancy for VoIP and Control Panel systems'],
 'references': [{'source': 'The Register',
                 'url': 'https://www.theregister.com/ (exact URL not provided '
                        'in text)'}],
 'response': {'communication_strategy': ['Open, frequent, and transparent '
                                         'updates to customers',
                                         'Service status page updates'],
              'containment_measures': ['Cloudflare DDoS mitigation',
                                       'Emergency restart of VoIP platform'],
              'incident_response_plan_activated': True,
              'network_segmentation': 'Control Panel operates on separate '
                                      'infrastructure (pre-existing)',
              'recovery_measures': ['VoIP platform restart',
                                    'Control Panel infrastructure '
                                    'stabilization'],
              'remediation_measures': ['Extending Cloudflare protection to '
                                       'network layer'],
              'third_party_assistance': ['Cloudflare (DDoS protection)',
                                         'Upstream Providers']},
 'stakeholder_advisories': ['Transparent updates via status page and direct '
                            'communication'],
 'title': "Multi-Day DDoS Attack on ICUK's Network and Systems",
 'type': ['DDoS (Denial of Service)', 'DNS Amplification']}